IVXS UK Limited (“ComplyAdvantage”) Terms of Service

1 Interpretation

1.1 In this Agreement:

“Affiliate” means an entity or person that, directly or indirectly, Controls, is Controlled by, or is under common Control with a party;

“Agreement” means the Order Form, together with these Terms of Service and any appendices and (where context requires) documents referred to herein;

“Applicable Law” means as applicable and binding on each of the Client, ComplyAdvantage and the Services: (a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of, (b) any binding court order, judgment or decree, or (c) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

“Applicable Privacy Law” means, as applicable and binding on each the Client, ComplyAdvantage and the Services, all laws relating to the processing of Personal Data, privacy, and security, including without limitation the EU General Data Protection Regulation 2016/679 (“GDPR“) as implemented in each jurisdiction, the Data Protection Act 2018 (“UK GDPR”), the California Consumer Privacy Act, Californian Civil Code §§ 1798.100 (“CCPA”) and all amendments, and all other applicable or replacement international, regional, federal or national data protection laws, regulations and regulatory guidance;

“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Applicable Privacy Law from time to time;

“Authorised User” means any employee of the Client authorised by the Client to access and use the Services (wholly or in part), using their own unique identifier provided by ComplyAdvantage;

“Billing Information” means the information given on the Order Form which defines the billing currency, billing frequency and payment period;

“Business Days” means any day other than a Saturday or Sunday or public holiday in England on which banks are physically open for the transaction of general banking business in London;

“Business Purpose” has the meaning given to it in the CPRA;

“CCPA” means the California Consumer Privacy Act, Californian Civil Code §§ 1798.100, as amended by the CPRA;

“Charges” means ComplyAdvantage’s fees for the Services, as agreed between the parties and set out in the Order Form, together with such other additional fees as may be agreed between the parties from time to time;

“Client” means the person so named on the Order Form;

“Client Data” means data belonging to or provided by the Client;

“Client Personal Data” means the Personal Data contained within the Client Data of which ComplyAdvantage is a Processor on behalf of the Client;

“ComplyAdvantage Data” means all data held within ComplyAdvantage databases, other than Client Data, which is accessible to the Client through use of the Services;

“Confidential Information” means information that is proprietary or confidential (however recorded, preserved or disclosed) disclosed by one party to the other in connection with this Agreement;

“Contract Year” means the period between the Services Start Date (or an anniversary thereof) and the day immediately preceding the next anniversary of the Services Start Date, inclusive;

“Control” means the possession, directly or indirectly, of the power or right to direct or cause the direction of the management or policies of another entity, whether through the ownership of share capital and/or voting securities, by contract or otherwise, it being understood that beneficial ownership of over 50 per cent or more of the voting securities of another entity/person shall in all circumstances constitute Control of such other entity;

“Controller” has the meaning given to it in the GDPR;

“CPRA” means the California Privacy Rights Act;

“Data Subject” has the meaning given to it in the GDPR;

“Data Subject Request” means a request made by a Data Subject to exercise any rights of data subjects under Applicable Privacy Law;

“Effective Date” means the date of the final signature of the Original Order Form;

“Facilitation of Tax Evasion” means each of (a) being knowingly concerned in, or taking steps with a view to, Tax Evasion by another person, (b) aiding, abetting, counselling or procuring Tax Evasion by another person, and (c) any other actions which would be regarded as facilitation of Tax Evasion under applicable national, federal and/or state laws;

“Initial Term” means the period between the Service Start Date and the Services End Date, inclusive;

“Intellectual Property” means any and all patents, copyrights (including future copyrights), design rights, trade marks, Trademark, service marks, domain names, trade secrets, know-how, database rights, and all other intellectual property rights, whether registered or unregistered, and including applications for any of the foregoing and all rights of a similar nature which may exist anywhere in the world;

“Material” means any documentation, content, designs, drawings, pictures or other images (whether still or moving), sounds and other records of any information belonging to ComplyAdvantage whether in written, verbal, electronic or other tangible or intangible form, each as made available to the Client through the Services or any other means;

“Order Form” means the ordering document which contains relevant commercial information, including without limitation details defining the specific services to be provided by ComplyAdvantage, the agreed Authorised User numbers, permitted search volumes, available datasets, pricing, and agreement length;

“Original Order Form” means the first Order Form signed between the parties;

“Personal Data” has the meaning given to it in the GDPR;

“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Client Personal Data;

“Personal Information” has the meaning given to it in the CPRA;

“Persons Associated” means any employee, agent or representative of the relevant party or other third-party who supplies services to, or on behalf of, the relevant party;

“Processing” has the meaning given to it in the GDPR;

“Processor” has the meaning given to it in the GDPR;

“Products” means the Services and the Materials;

“Sanctioned Country” means Cuba, Iran, North Korea, Syria, Russia, the Crimea region of Ukraine and the so-called regions of Donetsk People’s Republic and Luhansk People’s Republic of Ukraine, and any other country, region or territory which is the subject or target of any territory-, region- or country-wide Sanctions;

“Sanctioned Person” means any person or entity: (a) listed on, or owned or controlled (as such terms, including any applicable ownership and control requirements, are defined in any applicable Sanctions laws or in any related official guidance) by one or more person or entity listed on, a Sanctions List, (b) that is, or is part of, a government of a Sanctioned Country, (c) that is operating from, or incorporated under the laws of, a Sanctioned Country, or (d) that is otherwise the subject or target of any Sanctions, or that is acting on behalf of any person or entity listed in parts (a) to (d) above, for the purpose of evading or avoiding, or facilitating the evasion or avoidance of, any Sanctions;

“Sanctions” means economic or financial sanctions, restrictive measures, trade embargoes or export control laws imposed, administered or enforced from time to time by any Sanctions Authority;

“Sanctions Authority” means (a) the United Nations Security Council or any of its sanctions sub-committees, (b) the United States, (c) the European Union or any member state thereof, (d) the United Kingdom, (e) the respective governmental institutions of any of the foregoing including, without limitation, OFAC, the US Department of Commerce, the US Department of State, OFSI and the UK Foreign, Commonwealth and Development Office, and (f) any other governmental institution with responsibility for imposing, administering or enforcing economic or financial sanctions, restrictive measures, trade embargoes or export control laws with jurisdiction over the Client or any of its affiliates;

“Sanctions List” means any of the lists of designated or sanctioned individuals or entities (or equivalent) issued by any Sanctions Authority, each as amended, supplemented or substituted from time to time;

“Sell” has the meaning given to it in the CPRA;

“Service” or “Services” means the software made available to the Client by ComplyAdvantage, whether through a web-based interface or via an application programming interface, provided under this Agreement as set out in the Order Form and further described in Appendix III, including ComplyAdvantage’s website at ComplyAdvantage.com, or other websites that ComplyAdvantage choose to operate and provide Services through;

“Service Provider” has the meaning given to it in the CPRA;

“Services End Date” means the latest date specified as such on the Order Form;   

“Services Start Date” means the earliest date specified as such on the Order Form;

“Share” has the meaning given to it in the CPRA;

“Sub-Processor” means another Processor engaged by ComplyAdvantage to carry out processing activities in respect of the Client Personal Data;

“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Applicable Privacy Law;

“Tax” means any taxes of any nature chargeable under any jurisdiction, to include without limitation value added, sales, goods and services, and withholding tax;

“Tax Evasion” means any fraudulent activity intended to divert funds from the public revenue of any government as well as any statutory tax evasion offence of any territory, where tax includes all taxes, levies and contributions imposed by governments in any territory;

“Test Account” means an account or environment for evaluation and testing purposes, access to which is provided alongside the Client’s production account;

“Trademark” means the registered and unregistered trade marks and logos and any future registration of any marks or any similar mark or branding of a party or of any of its Affiliates or third parties provided or used under this Agreement, anywhere in the world; and

“Working Hours” means 9.00am to 5.00pm UK time on Business Days.

1.2 Subject to clause 18, any reference in these terms to ‘writing’ or related expressions includes but shall not be limited to a reference to email, communications via websites and comparable means of communication.

1.3 Except where the context requires otherwise:

1.3.1 the singular includes the plural and vice versa; a reference to one gender includes all genders; words denoting persons include a natural person, corporate or unincorporated body (whether or not having separate legal personality); a reference to a ‘company’ includes any company, corporation or other body corporate, wherever and however incorporated or established; and a reference to a ‘party’ includes that party’s personal representatives, successors and permitted assigns; and

1.3.2 any words that follow ‘include’, ‘includes’, ‘including’, ‘in particular’ or any similar words and expressions shall be construed as illustrative only and shall not limit the sense of any word, phrase, term, definition or description preceding those words.

1.4 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time. A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.

1.5 Where and to the extent that the Client is subject to the Applicable Operational Resilience Law or Applicable Outsourcing Guidelines (as defined in Appendix IV (Regulatory Appendix)), Appendix IV (Regulatory Appendix) shall apply to the Services.

2 Term

2.1 This Agreement is made and shall come into force on the Effective Date. The provision of the Services shall commence upon the Services Start Date and shall continue for the Initial Term, renewing thereafter for successive terms of 12 months each (each a “Renewal Term”) unless terminated by either party by no less than 30 days’ notice prior to the end of the Initial Term or a Renewal Term, or if this Agreement is terminated earlier in accordance with its terms.

3 Supply of the Services

3.1 ComplyAdvantage shall provide the Services to the Client with reasonable skill and care on the terms and conditions of this Agreement, including the service levels set out in Appendix I (Service Level Agreement).

3.2 Where the Services contain links to other sites and resources provided by third parties, these links are provided for the Client’s information only. ComplyAdvantage has no control over the availability or content of such other sites or resources and accepts no responsibility or liability for them or for any loss or damage that may arise from the Client’s use of third-party sites or resources.

3.3 The Client recognises that ComplyAdvantage is always finding ways to improve the Services and add features and agrees that ComplyAdvantage may change the Services from time to time with no warranty, representation or other commitment given in relation to the continuity of any functionality of the Services, provided that any such changes do not alter the fundamental nature of the Services.

3.4 Where ComplyAdvantage gives the Client access to a Test Account, the Client acknowledges and agrees that:

3.4.1 the Test Account shall not be used for production or ‘live’ purposes;

3.4.2 use of the Test Account in any Contract Year shall not exceed ten per cent of the total quantity purchased in respect of that Contract Year. Any volume used in excess of this limit shall be considered as chargeable use and deducted from purchased quantities or charged accordingly;

3.4.3 no warranties or service level commitments shall apply with respect to the Test Account;

3.4.4 any data stored within a Test Account may be deleted upon reasonable notice to the Client, but no more frequently than once per six months; and

3.4.5 ComplyAdvantage may, immediately upon written notice, suspend the Client’s access to the Test Account if it reasonably deems the Client to have breached the terms of this Agreement.

3.5 The Client’s Affiliates may access and make use of the Services, provided that the Client remains the sole point of contact for invoicing, communication, notices, and claims under this Agreement. The Client undertakes to ensure (“se porte fort”) that its Affiliates comply with the provisions of this Contract and therefore :

3.5.1 the Client remains liable to pay the Charges in full, including with respect to the usage and overage of the Client’s Affiliates;

3.5.2 the Client shall be liable for all acts and omissions of its Affiliates as though they were a party to this Agreement;

3.5.3 where an Affiliate suffers any loss or other liability arising out of or in connection with this Agreement, all related claims shall be brought by the Client on behalf of such Affiliate and all such losses or liabilities shall be deemed incurred by the Client and shall be recoverable by the Client to the same extent as such losses would be recoverable by the Client under this Agreement;

3.5.4 neither the Client nor any Affiliate shall be entitled to recover twice in respect of the same loss or other liability; and

3.5.5 the Client shall ensure in accordance with article 1204 of the French Civil Code that no Affiliate shall bring any claim against ComplyAdvantage other than as permitted by this clause 3.5.

4 Warranties

4.1 Each party warrants that:

4.1.1 it has full capacity and authority to enter into and to perform this Agreement;

4.1.2 this Agreement is executed by a duly authorised representative of that party; and

4.1.3 there are no contractual limitations, actions, suits or proceedings or regulatory investigations pending or, to that party’s knowledge, threatened against or affecting that party before any court or administrative body or arbitration tribunal that might affect the ability of that party to meet and carry out its obligations under this Agreement.

4.2 ComplyAdvantage warrants that:

4.2.1 it will perform and procure the performance of its obligations under this Agreement in compliance with Applicable Law;

4.2.2 it has, and will continue to have, all rights, consents and regulatory approvals necessary to provide the Services;

4.2.3 the ComplyAdvantage Data will, upon delivery thereof, be as current, accurate and complete as may be achieved using the source data and data processing methods normally employed by ComplyAdvantage in the ordinary course of its business; and

4.2.4 it will discharge its obligations under this Agreement in accordance with the level of skill, care, prudence, supervision, diligence, foresight, quality control and quality management which ComplyAdvantage’s industry would regard as generally accepted processes, techniques and materials and those which would be adopted by a professional supplier of services of the same or a similar nature to the Services.

4.3 The Client warrants (“porte fort”) in accordance with article 1204 of the French Civil Code that any of its Affiliates accessing and using the Services shall comply with clause 3.5.3.

4.4 Subject to clauses 3.1, 4.2 and Appendix I (Service Level Agreement):

4.4.1 ComplyAdvantage does not warrant that the supply of the ComplyAdvantage Data and the Services shall be free from interruption;

4.4.2 the ComplyAdvantage Data is taken from third party sources (including those which are public) over which ComplyAdvantage has no control and, consequently, ComplyAdvantage cannot warrant for its accuracy, currency, completeness, usefulness, fitness for purpose or timeliness;

4.4.3 ComplyAdvantage does not warrant that the ComplyAdvantage Data or Services have been designed, built, developed or tested for the specific use of the Client; and

4.4.4 ComplyAdvantage does not warrant that the Services shall meet any regulatory or other legal obligations of the Client.

4.5 Except as expressly stated in this Agreement, all statutory warranties, representations, conditions and all other terms of any kind whatsoever are, to the fullest extent permitted by Applicable Law, excluded from this Agreement.

5 Charges & Payment

5.1 The Client shall pay the Charges for the Services in accordance with this Agreement. All payments shall be made in advance according to the Billing Information, unless expressly stated otherwise on the applicable invoice. Sums shall be paid in full without set off or deduction by electronic funds transfer (and not by cheque) to the account nominated on the invoice. ComplyAdvantage reserves the right to make first provision of the Services subject to receipt of payment for the first payment period of this Agreement.

5.2 ComplyAdvantage shall first invoice the Client in respect of the Services such that the due date for payment shall be no earlier than the Services Start Date.

5.3 ComplyAdvantage may:

5.3.1 upon the commencement of each Contract Year after the first Contract Year, alter the Charges upwards or downwards by the same amount as the upward or downward movement in the Syntec Index recorded over the previous 12 months plus two per cent; and

5.3.2 upon the commencement of each Renewal Term, increase the Charges by up to five per cent of the then current Charges (including as raised under clause 5.3.1).

5.4 All Charges quoted to the Client for the provision of the Services are exclusive of any Tax. Where ComplyAdvantage is required by Applicable Law to collect Taxes in respect of the provision of the Services, ComplyAdvantage shall invoice the Client for the same unless the Client can appropriately evidence exemption.

5.5 No payment shall be deemed to have been made until ComplyAdvantage has received such payment in cleared funds from the Client.

5.6 If the Client requires a purchase order number on invoices, it shall provide a purchase order number on (or promptly upon execution of) the relevant Order Form. If the Client does not provide a purchase number before the establishment of the invoice, the Client shall pay any related invoices without a purchase order number and may not withhold or delay the payment of an invoice due to the absence of, or Client’s delay in providing, a purchase order number. Any terms provided by Client on a purchase order are void.

5.7 If the Client fails to pay ComplyAdvantage any Charges by the due date set out on any relevant invoice (subject to any separate agreement in writing between the parties from time to time) then:

5.7.1 without prejudice to its other rights and remedies ComplyAdvantage shall be entitled to charge interest on the outstanding amount at the prevailing rate of interest applied by the European Central Bank to its most recent refinancing operation, plus 10 percentage points accruing daily and compounded quarterly, from the later of due date for payment and 30 days from the date of the Client’s receipt of the invoice, until the outstanding amount is paid in full and ComplyAdvantage shall apply a fixed indemnity for debt recovery of €40 to the outstanding amounts; and

5.7.2 ComplyAdvantage may disable the Client’s account and temporarily suspend the provision of the Services from the date falling seven days after ComplyAdvantage gives notice that the sums are overdue until such time as any outstanding invoices have been settled in full in cleared funds, whereupon the Services shall be reinstated. Suspension is without prejudice to ComplyAdvantage’s right to terminate this Agreement in accordance with clause 15 (Term, Suspension & Termination).

6 Data Protection

6.1 Processor and Controller

6.1.1The parties acknowledge that the Client is the Controller and ComplyAdvantage is the Processor in respect of the Client Personal Data.

6.1.2 ComplyAdvantage shall Process the Client Personal Data in compliance with: 

a) its obligations under Applicable Privacy Law; and

b) the terms of this Agreement.

6.1.3 The Client warrants and represents that it has complied with Applicable Privacy Law in the collection and transfer to ComplyAdvantage of the Client Personal Data.

6.1.4 Nothing in this clause 6 (Data Protection) shall require ComplyAdvantage to check or monitor the accuracy, contents or use by the Client of any Client Personal Data and, accordingly, ComplyAdvantage has no liability or responsibility whatsoever howsoever arising directly or indirectly to the Client for the accuracy, contents or Client’s use of such Personal Data.

6.1.5 The Client shall ensure that its customers (or other Data Subjects it intends to screen using the Services) are made aware that their Personal Data shall be shared with third party suppliers for the Client’s legal and compliance purposes.

6.1.6 The Client shall not send to ComplyAdvantage any Personal Data which is not reasonably necessary for ComplyAdvantage to provide the Services.

6.2 Instructions and Details of Processing

6.2.1 Unless required to do otherwise by Applicable Privacy Law, ComplyAdvantage shall (and shall take steps to ensure each person acting under its authority shall) Process the Client Personal Data only in accordance with the Client’s documented instructions (the “Processing Instructions”). The Processing Instructions may be given through the Client’s use of the Services or in writing.

6.2.2 If ComplyAdvantage is required by Applicable Law to Process Client Personal Data other than in accordance with the Processing Instructions and unless prohibited by Applicable Law, ComplyAdvantage shall notify the Client of any such requirement before undertaking such Processing of the Client Personal Data.

6.2.3 If ComplyAdvantage becomes aware of a Processing Instruction that, in ComplyAdvantage’s opinion, infringes Applicable Privacy Law, ComplyAdvantage shall notify the Client of the same. The Client acknowledges that ComplyAdvantage neither has the complete information upon which to seek full legal opinion with respect to the Processing Instruction nor has the lawful ability to Process the Client Personal Data contrary to the Processing Instruction; accordingly and to the maximum extent permitted by mandatory law, ComplyAdvantage shall have no liability howsoever arising (whether in contract or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with ComplyAdvantage’s Processing in accordance with such a Processing Instruction following the Client’s receipt of notice under this clause.

6.2.4The categories of Data Subjects involved in the Processing by ComplyAdvantage as Processor are those persons required to undergo customer due diligence as part of the Client’s sanctions and anti-money laundering procedures.

6.2.5 The types of Client Personal Data to be processed by ComplyAdvantage as Processor under this Agreement are the Client Personal Data specified in Appendix II (Data Protection).

6.2.6 Client shall update the Processing Instructions accordingly prior to using the Services to Process any Client Personal Data relating to a category of Data Subjects or type of Client Personal Data not specified herein.

6.3 Technical and Organisational Measures

6.3.1 At its own cost and expense, ComplyAdvantage shall implement and maintain such technical and organisational measures:

a) as are appropriate to protect against a Personal Data Breach which in any event shall be no less protective than those set out at Appendix II (Data Protection); and

b) taking into account the nature of the Processing, to assist the Client insofar as is possible in the fulfilment of their obligations to respond to data subject requests relating to the Client Personal Data.

6.4 Sub-Processors and Staff

6.4.1 The Client grants to ComplyAdvantage specific authorisation to appoint the Sub-Processors listed at https://complyadvantage.com/sub-processors-list/ in connection with ComplyAdvantage’s performance of the Services.

6.4.2 The Client grants to ComplyAdvantage general authorisation to appoint additional or replacement Sub-Processors for ComplyAdvantage’s performance of the Services, provided that ComplyAdvantage gives reasonable advanced notice of its intention to appoint each new Sub-Processor, and the Client may object to any such appointment within two weeks of notice. 

6.4.3 Where the Client objects to the proposed appointment of a Sub-Processor under clause 6.4.2, ComplyAdvantage shall consider the reasons given for such objection and take such steps as it deems reasonable to address them. If such steps do not reasonably satisfy the Client, ComplyAdvantage may elect to continue to provide the Services without the proposed appointment or, where ComplyAdvantage does not elect to do so, the Client may terminate the Services immediately upon written notice to ComplyAdvantage.

6.4.4 ComplyAdvantage shall: 

a) prior to the relevant Sub-Processor carrying out Processing activities in respect of Client Personal Data, appoint each Sub-Processor under a written contract enforceable by ComplyAdvantage containing materially the same obligations relating to the Processing of Client Personal Data as under this Agreement; 

b) ensure each such Sub-Processor complies with all such obligations; and

c) remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

6.4.5 All persons authorised by ComplyAdvantage to Process Client Personal Data shall be bound by written contractual obligations to keep the Client Personal Data confidential, except where disclosure is required in accordance with Applicable Law, in which case ComplyAdvantage shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement prior to disclosure.

6.5 Assistance with Client’s Compliance and Data Subject Rights

6.5.1ComplyAdvantage shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of Processing and the information available to ComplyAdvantage), to the Client in ensuring compliance with the Client’s obligations under Applicable Privacy Law (and the Client shall pay to ComplyAdvantage such costs as are reasonable in the circumstances) with respect to:

a) the security of Processing;

b) data protection impact assessments (as such term is defined in Applicable Privacy Law);

c) prior consultation with a Supervisory Authority regarding high-risk Processing;

d) responding to Data Subject Requests; and

e) notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach.

6.6 International Data Transfers

6.6.1 ComplyAdvantage shall ensure that all international transfers of Client Personal Data shall be made only in accordance with Applicable Privacy Law, including, where required, subject to Appropriate Safeguards.

6.6.2Subject to clause 6.6.1 above, the Client agrees that ComplyAdvantage may transfer the Client Personal Data internationally to Sub-Processors appointed in accordance with clause 6.4 of this Agreement. The provisions of this Agreement shall constitute the Client’s Processing Instructions with respect to transfers in accordance with clause 6.2 above.

6.7 Records

6.7.1ComplyAdvantage shall maintain records of Processing activities, in accordance with Applicable Privacy Law binding on ComplyAdvantage.

6.7.2ComplyAdvantage shall, in accordance with Applicable Privacy Law, make available to the Client such information as is reasonably necessary to demonstrate ComplyAdvantage’s compliance with the obligations of data processors under Applicable Privacy Law, and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose, subject to the Client:

a) giving ComplyAdvantage reasonable prior notice of such information request, audit or inspection being required by the Client;

b) ensuring that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);

c) ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to ComplyAdvantage’s business, the Sub-Processors’ business and the business of other clients of ComplyAdvantage; and

d) paying ComplyAdvantage’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.

6.8 Personal Data Breach Notification

6.8.1ComplyAdvantage shall notify the Client of any Personal Data Breach without undue delay after becoming aware, and in any case within such timeframes required by Applicable Privacy Law. Such notification shall contain, where available:

a) a description of the nature of the Personal Data Breach;

b) information regarding a point of contact for further updates regarding the Personal Data Breach;

c) a description of the likely consequences of the Personal Data Breach;

d) a description of the measures taken or proposed to be taken to address or mitigate the effects of the Personal Data Breach.

6.8.2 Where the information set out at clause 6.8.1(a) to (d) is not available at the time of initial notification, ComplyAdvantage shall provide updates upon such information becoming available.

6.9 Deletion or Return of Client Data

6.9.1 ComplyAdvantage shall:

a) delete; or

b) return part or all of the Client Personal Data to the Client in such form as the Client reasonably requests,

within a reasonable time after the Client’s written request, unless storage of any data is required by Applicable Law, whereupon ComplyAdvantage shall inform the Client of any such requirement.

6.10 Californian Data Protection Compliance

6.10.1 To the extent that the Client sends Personal Information to ComplyAdvantage, this clause 6.10.1 shall apply to ComplyAdvantage’s Processing of the Personal Information. In its Processing of the Personal Information, ComplyAdvantage shall comply with the requirements of the CCPA, including any amendments and implementing regulations which become effective on or after the Effective Date. ComplyAdvantage shall provide at a minimum the level of privacy protection as required by the CCPA. ComplyAdvantage shall (a) grant the Client the right to take reasonable and appropriate steps to ensure that ComplyAdvantage uses the Personal Information in a manner consistent with the Client’s own obligations under the CCPA, (b) notify the Client if ComplyAdvantage determines that it can no longer meet its obligations under the CCPA, and (c) grant the Client the right, upon reasonable written notice, to take reasonable and appropriate steps to stop and remediate any unauthorised use of the Personal Information. ComplyAdvantage shall inform the Client of any consumer requests concerning the Personal Information made pursuant to Applicable Law which ComplyAdvantage is obliged to comply with and shall provide all information necessary for the Client to comply with such a request. ComplyAdvantage shall Process the Personal Information only for the purposes provided for by this Agreement and ComplyAdvantage acknowledges that the Client discloses the Personal Information to ComplyAdvantage for these purposes only. ComplyAdvantage shall not (w) Sell or Share Personal Information disclosed by the Client, (x) retain, use or disclose Personal Information disclosed by the Client for any purpose other than the provision of Services under this Agreement, including retaining, using or disclosing such Personal Information for a commercial purpose other than that purpose or as otherwise permitted by the CCPA, (y) retain, use or disclose Personal Information disclosed by the Client outside of the direct business relationship between ComplyAdvantage and the Client, or (z) combine Personal Information that ComplyAdvantage receives from or on behalf of the Client with Personal Information received from or on behalf of any other person, including such Personal Information ComplyAdvantage collects, provided that ComplyAdvantage may combine Personal Information to perform the Business Purposes defined in the regulations adopted pursuant to paragraph 10 of subdivision (a) of the Californian Civil Code §§ 1798.185, except as provided for in paragraph 6 of subdivision (e) of the Californian Civil Code §§ 1798.140 and in regulations adopted by the California Privacy Protection Agency.

6.11 Survival of Data Protection Provisions

6.11.1 Clause 6 shall survive termination (for any reason) or expiry of this Agreement and continue until ComplyAdvantage no longer holds any Client Personal Data.

7 ComplyAdvantage Data

7.1 ComplyAdvantage Data is made available only for the Client’s use as part of the Services and must not be made public by the Client unless required by Applicable Law. By making the ComplyAdvantage Data public or using it other than for the purposes for which it is provided, the Client may be in breach of the Applicable Privacy Law and/or this Agreement.

7.2 The Client shall not use the ComplyAdvantage Data for pre-employment screening, credit referencing or any other purpose that may constitute a “Consumer Report” in the Fair Credit Reporting Act 15 U.S.C. § 1681 (as amended from time to time) or any equivalent regulation under Applicable Law. The Client will indemnify ComplyAdvantage on demand for any direct damages and losses incurred by ComplyAdvantage as a result of or arising from the Client’s breach of this clause 7.2.

7.3 The Client shall ensure that all ComplyAdvantage Data and Materials are kept secure and shall use appropriate security practices and systems applicable to the use of the ComplyAdvantage Data and Materials to prevent, and take prompt and proper remedial action against, unauthorised access, copying, modification, storage, reproduction, display or distribution of the ComplyAdvantage Data and the Materials. Such appropriate security practices shall not be of a standard lower than the steps that the Client takes to protect the Client Data or Confidential Information of a similar nature.

7.4 If the Client becomes aware of any misuse of any ComplyAdvantage Data or the Materials, or any security breach in connection with this Agreement that could compromise the security or integrity of the ComplyAdvantage Data or the Materials or otherwise adversely affect ComplyAdvantage or if the Client learns or suspects that any password or other security feature has been revealed to or obtained by any unauthorised person, the Client shall, at the Client’s expense, promptly notify ComplyAdvantage and fully co-operate with ComplyAdvantage to remedy the issue as soon as reasonably practicable.

7.5 The Client’s obligations regarding the retention and protection of the ComplyAdvantage Data and Materials survive termination of this Agreement for any reason.

7.6 Client understands and acknowledges that:

7.6.1 ComplyAdvantage gives no opinion and makes no recommendation in relation to persons appearing in the ComplyAdvantage Data or any persons whose data has been processed by ComplyAdvantage in provision of the Services; and

7.6.2 results derived from the Client’s use of the Services should not be used to draw any automatic conclusion, or relied upon in isolation to make a decision, relating to any person flagged or not flagged in the course of the Client’s use of the Services.

8 Service Data and Analytics

8.1 Depending on the configuration of the Services or, as may be agreed between the parties from time to time, Client shall share either via the Services or such other means as the parties may agree, the following data for the corresponding uses:

8.1.1 Data relating to terrorism, criminal and associated suspicious activity – Where Client has identified potential terrorist, fraudulent, criminal or associated suspicious activity via the ComplyAdvantage Service, e.g. through blocking a transaction or adding one of its customers or other third parties to a blacklist, Client may opt in for ComplyAdvantage to use the data relating to such activity, including any relevant information relating to a transaction or a customer or other third party, for fraud and crime prevention purposes as part of the Services.

8.1.2 Analytics – Subject to the terms of this Agreement, ComplyAdvantage may analyse and process both Client Data in order to distil behaviours, trends and patterns (“Analytics”), and the results and learnings of such Analytics. ComplyAdvantage uses these Analytics to improve risk assessments given to clients as part of the Services, for fraud and crime prevention purposes, and to develop, improve the ComplyAdvantage service and to produce anonymised or pseudonymised and aggregated statistical reports and research.

8.1.3 System usage – ComplyAdvantage shall use the number of Authorised Users, and data relating to the volume and categories of Client Data processed through the Services, to calculate and verify the Charges. ComplyAdvantage may analyse Authorised Users’ login metadata (including IP address, concurrent logins, and similar indicators) for security purposes to monitor Client’s compliance with clause 10 (Client’s Obligations).

9 Requests for Information

9.1 ComplyAdvantage shall respond to ‘Know Your Supplier’ (“KYS”) requests for information from the Client, to include such follow-up queries as are reasonable under the circumstances. ComplyAdvantage agrees to share reasonable documentation and evidence as part of such responses. The Client shall ensure that all information obtained or generated through a KYS request is kept strictly confidential and acknowledges that such information shall be considered ComplyAdvantage’s Confidential Information.

9.2 Upon reasonable advance written notice, ComplyAdvantage shall provide to the Client, or a competent financial regulatory authority with jurisdiction over the Client, appropriate reports or findings relating to its provision of the Services to the Client.

10 Client’s Obligations

10.1 The Client shall not:

10.1.1 use the Services in any way so as to bring the Services or ComplyAdvantage into disrepute;

10.1.2 use the Services in any way which is unlawful, harmful, threatening, abusive, harassing, tortious, indecent, obscene, libellous or menacing;

10.1.3 use the Services in any way which infringes the Intellectual Property, proprietary or personal rights of any third party, including Data Subjects;

10.1.4 misuse the Services by introducing viruses, trojans, worms, logic bombs or other material which is technologically harmful, gain or attempt to gain unauthorised access to the Services, the server on which the Services are stored or any server, computer or database connected to the Services, including through penetration testing, or attack the Services via a denial-of-service attack or a distributed or malicious denial-of service attack;

10.1.5 access or attempt to access the Services in order to build or enable a third party to build a product or services which competes or can potentially compete with the Services;

10.1.6 attempt to extract ComplyAdvantage Data in bulk;

10.1.7 use the ComplyAdvantage Data and Materials or release any ComplyAdvantage Data or Materials to third parties except as authorised in writing by ComplyAdvantage or as permitted under this Agreement;

10.1.8 take any actions to decrease artificially or disguise the Client’s usage of the Services in order to avoid being charged for the Client’s true usage levels;

10.1.9 make any part of the ComplyAdvantage Data or of the Services available to anyone who is not an employee of the Client, except as permitted under this Agreement or authorised by ComplyAdvantage in writing; or

10.1.10 alter any part of the Services.

10.2 A breach of clause 10.1 constitutes a material breach of this Agreement and may result in the withdrawal or suspension of any rights to use the Services pursuant to clause 15 (Term, Suspension & Termination).

10.3 The Client shall keep its password and other access details for the use of the Services confidential and restricted to those members of staff who need to know such details and shall ensure all such staff are aware of the confidential nature of such information and treat it accordingly. The Client shall notify ComplyAdvantage immediately if it believes that such information is no longer secret. The Client is solely responsible for all activities that occur under the Client’s password or account. The Client shall not permit any person to access the Services for any unauthorised purpose that would constitute a breach of this Agreement if such a breach was carried out by the Client and remains responsible in full for any such unauthorised use.

10.4 The Client shall take all reasonable steps to ensure that nobody other than Authorised Users accesses the ComplyAdvantage Data or Services using Authorised User accounts. Authorised User accounts may not be shared between individuals.

11 Intellectual Property

11.1 The Client acknowledges and ComplyAdvantage warrants that:

11.1.1 ComplyAdvantage is as between the Client and ComplyAdvantage the proprietor of the Intellectual Property in the Products; and

11.1.2 the Intellectual Property in the Products, and their Use as permitted in this Agreement, do not infringe the Intellectual Property rights of any third party.

11.2 ComplyAdvantage hereby grants to the Client a worldwide, non-exclusive and non-transferable licence to use the Intellectual Property in the Products for the duration of this Agreement strictly in accordance with its terms. The Client shall not be entitled to use the Intellectual Property in the Products for any other purpose. In particular and without limitation, the Client shall have no right to copy, translate, reproduce, adapt, reverse engineer, decompile, disassemble, or create derivative works of the Services or the Materials except as permitted by Applicable Law. Further, the Client shall have no right to sell, rent, lease, transfer, assign, or sub-licence the Materials or its rights under this Agreement without ComplyAdvantage’s prior written consent or otherwise expressly permitted by this Agreement.

11.3 The Client grants to ComplyAdvantage a worldwide, for the whole duration of protection of the copyright law, irrevocable and royalty-free licence to use any feedback provided by or on behalf of the Client to ComplyAdvantage in relation to the Services.

11.4 Subject to clauses 11.5 and 11.6:

11.4.1 the Client may use ComplyAdvantage’s Trademarks for the limited purpose of identifying ComplyAdvantage as a supplier of the Client; and

11.4.2 ComplyAdvantage may use the Client’s Trademarks for the limited purpose of identifying the Client as a customer of ComplyAdvantage.

11.5 Where either party makes use of the other party’s Trademark, it shall comply with all reasonable branding guidelines provided by the other party.

11.6 Neither party shall use any mark or name confusingly similar to the other party’s Trademarks in respect of any of its services or use the other party’s Trademarks as part of any corporate business or trading name or style.

11.7 If the Client becomes aware that any third party alleges that the Intellectual Property in the Products is invalid or that use of such Intellectual Property infringes any Intellectual Property rights of another party the Client shall as soon as reasonably possible give ComplyAdvantage full particulars in writing thereof and shall make no comment or admission to any third party in respect thereof.

11.8 If the Products or a portion thereof becomes the subject of third-party intellectual property claim affecting ComplyAdvantage’s ability to continue providing the Products, ComplyAdvantage shall either:

11.8.1 procure for the Client the right to continue to use the Products; or

11.8.2 modify or replace the Products to make them non-infringing,

or, if ComplyAdvantage reasonably determines that the options in parts 11.8.1 or 11.8.2 of this section are not viable, ComplyAdvantage shall notify the Client and either party may terminate this Agreement with immediate effect by giving written notice to the other party.

11.9 Wherever possible under Applicable Law, ComplyAdvantage shall have the conduct of all proceedings relating to the Intellectual Property in the Products and shall in its sole discretion decide what action if any to take in respect of any matter arising under clause 11.7 or any action to bring any infringement by a third party of such Intellectual Property to an end. The Client shall reasonably assist ComplyAdvantage upon ComplyAdvantage’s reasonable request in any proceedings brought by or against ComplyAdvantage.

12 Confidentiality

12.1 Each party (the “Receiving Party”) may receive or be given access to Confidential Information by or on behalf of the other party (the “Disclosing Party”) in order to perform its obligations under this Agreement. Confidential Information shall not include information that:

12.1.1 is or becomes publicly known other than through any act or omission of the Receiving Party;

12.1.2 was in the Receiving Party’s lawful possession before the disclosure;

12.1.3 is lawfully disclosed to the Receiving Party by a third party without breach of restriction on disclosure; or

12.1.4 is independently developed by the Receiving Party, where such independent development can be shown by written evidence.

12.2 The Receiving Party shall hold the Disclosing Party’s Confidential Information in confidence and, unless required by Applicable Law, not make the Disclosing Party’s Confidential Information available to any third party or use the Disclosing Party’s Confidential Information other than in connection with the exercise and performance of the Receiving Party’s rights and obligations under this Agreement.

12.3 Each party shall:

12.3.1 disclose the Disclosing Party’s Confidential Information only to those of its and its Affiliates’ officers, employees, agents, sub-contractors, and contractors to whom and to the extent to which such disclosure is necessary for the purposes contemplated under this Agreement; and

12.3.2 procure that such persons are made aware of and comply with the obligations of confidentiality in this Agreement as if they were a party to this Agreement.

12.4 Where and to the extent required to do so by Applicable Law, the Receiving Party may disclose the Disclosing Party’s Confidential Information, provided that the Receiving Party:

12.4.1 gives the Disclosing Party written notice of such requirement; and

12.4.2 provides such reasonable assistance to the Disclosing Party with any action the Disclosing Party wishes to take against the required disclosure,

in each case, to the extent the Receiving Party is lawfully permitted to do so.

12.5 The Receiving Party shall protect the Disclosing Party’s Confidential Information and ensure that such Confidential Information is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement. The measures applied by the Receiving Party under this clause shall be no less protective than the Receiving Party uses to protect its own information of a similar degree of confidentiality and in any case not less than a reasonable standard.

12.6 Notwithstanding the foregoing clause, the Client may:

12.6.1 disclose to its regulator and other supervisory authorities; and

12.6.2 retain following the termination or expiry of this Agreement for any reason,

details and results of its use of the Services where necessary for the Client’s or the Client’s Affiliates’ legal and compliance purposes, subject to the Client’s ongoing compliance with this clause 12 (Confidentiality).

12.7 The Client acknowledges that the Products and the ComplyAdvantage Data constitute ComplyAdvantage’s Confidential Information and ComplyAdvantage acknowledges that the Client Data constitute the Client’s Confidential Information.

12.8 This clause shall remain in force for five years following the termination or expiration of this Agreement for any reason, unless agreed otherwise in writing between the parties.

13 Limitation of Liability

13.1 This clause 13 sets out the entire financial liability of ComplyAdvantage (including any liability for the acts or omissions of its employees, subsidiaries, agents and sub-contractors) to the Client:

13.1.1 arising under or in connection with this Agreement;

13.1.2 in respect of any use made by the Client of the Products and the ComplyAdvantage Data or any part of them; and

13.1.3 in respect of any representation, misrepresentation (whether innocent or negligent) or statement arising under or in connection with this Agreement.

13.2 Except to the extent that ComplyAdvantage is not in compliance with its obligations relating to the provision of the Services:

13.2.1 the Client assumes sole responsibility for results obtained from the use of the Products and the ComplyAdvantage Data or any part of them, and for conclusions drawn from such use; and

13.2.2 ComplyAdvantage shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to ComplyAdvantage by the Client in connection with the Services, or any actions taken by ComplyAdvantage at the Client’s direction.

13.3 Nothing in this Agreement limits or excludes the liability of ComplyAdvantage:

13.3.1 for death or personal injury caused by ComplyAdvantage’s negligence;

13.3.2 for fraud, fraudulent misrepresentation, gross negligence (faute lourde) or wilful misconduct (dol); or

13.3.3 any other liability that cannot be limited or excluded under Applicable Law.

13.4 ComplyAdvantage shall not be liable for any loss of profits, loss of business, depletion of goodwill or similar losses or loss or corruption of data or information, or pure economic loss, or for any indirect loss costs, damages, charges or expenses however arising under this Agreement.

13.5 Subject to clause 13.3, ComplyAdvantage’s total aggregate liability arising in connection with the performance or contemplated performance of this Agreement in any Contract Year shall be limited to one half of the Charges (excluding any one-off implementation costs) paid by the Client during such Contract Year.

13.6 This clause 13 shall survive the termination or expiry of this Agreement for any reason.

14 Force Majeure

14.1 Neither party shall be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances ComplyAdvantage shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 14 days, the other party may terminate this Agreement by giving seven days’ written notice.

15 Term, Suspension & Termination

15.1 ComplyAdvantage may suspend the provision of the Services to the Client if:

15.1.1 permitted by clause 5.7; or

15.1.2 the Client commits any material breach of this Agreement and fails to remedy the breach within seven days of being required by written notice to do so.

15.2 The period during which ComplyAdvantage may suspend the Services in accordance with this Agreement shall continue until the circumstances giving rise to ComplyAdvantage’s right to suspend the Services ceases to subsist or until this Agreement is terminated.

15.3 Where ComplyAdvantage suspends the provision of Services as permitted by clause 15.1, the Client shall not be relieved of any its payment obligations under this Agreement.

15.4 A party may terminate this Agreement immediately by giving written notice to the other party if:

15.4.1 the other party of this Agreement commits a material breach and fails to remedy the breach within 30 days after being required by written notice to do so;

15.4.2 the other party commits any irremediable material breach of this Agreement; or

15.4.3 For purposes of this clause 15.4 any serious or repeated breach by ComplyAdvantage of Clause 4 ‘Warranties’ and 6 ‘Data Protection”, 12 ‘Confidentiality’ or 18 “Compliance”  shall be deemed a “material breach” by ComplyAdvantage and any serious or repeated breach by Client of Clause 5 ‘Charges and Payment’, 6 “Data Protection”,  7 “ComplyAdvantage Data”, 10 ‘Client’s Obligations’, 11 ‘Intellectual Property’, 12 ‘Confidentiality’ and 18 ‘Compliance’ shall be deemed a “material breach” by Client.

15.4.4 to the extent permitted by Applicable Law, the other party becomes insolvent or bankrupt, enters into an arrangement with creditors, has a receiver or administrator appointed or its directors or shareholders pass a resolution to suspend trading, wind up or dissolve that party other than for the purposes of amalgamation or reconstruction or it ceases, or threatens to cease, trading.

15.5 ComplyAdvantage reserves the right to terminate this Agreement immediately upon written notice if it deems the Client (directly or through a third party) has built or is building a product or services which competes with the Services provided by ComplyAdvantage.

15.6 Any termination of this Agreement for any reason shall be without prejudice to any other rights or remedies a party may be entitled to at law or under this Agreement and shall not affect any accrued rights or liabilities of either party nor the coming into force or the continuance in force of any provision of this Agreement which is expressly or by implication intended to come into or continue in force on or after such termination.

16 Effects of Termination

16.1 In addition to the provisions of clause 15 (Term, Suspension & Termination), upon termination or expiry of this Agreement for whatever reason:

16.1.1 there shall be no refund of any element of the Charges to the Client, save for refunds pro-rata where the Client has terminated properly under clause 15.4;

16.1.2 all unpaid Charges shall become immediately due to ComplyAdvantage (in whole or in part on a pro rata basis where part of a periodic charge which is charged in arrears is due), save in instances where the Client has terminated properly under clause 15.4, in which case only the Charges due in relation to the period and usage prior to the effective date of termination shall become payable under this subclause;

16.1.3 ComplyAdvantage shall retain the Client Data for 30 days following such termination or expiry, after which ComplyAdvantage shall be under no obligation to retain any data with respect to the Client’s use of the Services and the Client instructs ComplyAdvantage to destroy any Client Personal Data. During such period, the Client may instruct ComplyAdvantage to return or destroy the Client Data;

16.1.4 subject to clause 12.6, the Client shall destroy any Materials then in its possession or control;

16.1.5 the Client shall immediately cease using the Services and the Intellectual Property of ComplyAdvantage; and

16.1.6 all licences granted under this Agreement shall immediately terminate.

17 Transfer & Sub-contracting

17.1 ComplyAdvantage may at its reasonable discretion and upon reasonable prior written notice to the Client assign, transfer or deal in any other manner with all or any of its rights only under this Agreement or any part thereof to a third party. This clause 17.1 shall not permit ComplyAdvantage to assign, transfer or deal in any other manner with any of its obligations under this Agreement without the express written consent of the Client.

17.2 Save as permitted by clause 17.1 and ComplyAdvantage’s ability to appoint Sub-Processors under clause 6.4,  neither party may assign, sub-contract, sub-licence or otherwise transfer any rights or obligations under this Agreement or any part thereof (except in connection with the sale or transfer of all, or substantially the whole, of its assets) without the prior consent in writing of the other party, such consent not to be unreasonably withheld or delayed. Subject to requiring any such Affiliate to comply with the terms of this Agreement as regards confidentiality restrictions and the right to use and process such information and results, the Client may share any information and results obtained from using the Services with any Affiliate of the Client.

18 Compliance

18.1 Each party warrants that neither it, nor any of its Affiliates, nor any of their respective directors, officers, or any other person acting on their behalf is or has been:

18.1.1a Sanctioned Person; and/or

18.1.2in breach of any Sanctions law.

18.2 Each party shall ensure that any of its agents, consultants, contractors, subcontractors or other persons engaged in the performance of this Agreement do so only on the basis of a written contract which imposes on and secures from such persons terms equivalent to those imposed on the parties in this clause. Each party shall be responsible for the observance and performance by such persons of such terms and shall be directly liable to the other party for any breach of such terms.

18.3 The parties shall, for the duration of this Agreement:

18.3.1 comply with all applicable laws, statutes and regulations relating to anti-bribery and anti-corruption (the “Relevant Requirements”);

18.3.2not engage in any activity, practice or conduct which would constitute an offence under the Relevant Requirements;

18.3.3 establish, maintain and enforce its own policies and procedures to ensure compliance with the Relevant Requirements; and

18.3.4notify the other party in writing if it becomes aware of any breach of this clause 18.3 or has reason to believe that it has received a request or demand for any undue financial or other advantage in connection with the performance of this Agreement.

18.4 Each party undertakes:

18.4.1not to engage in Tax Evasion or the Facilitation of Tax Evasion of any kind in any territory; and

18.4.2 to implement reasonable procedures to prevent the Facilitation of Tax Evasion by Persons Associated with the relevant party.

18.5 Each party undertakes, warrants and represents that:

18.5.1it shall comply with all applicable anti-slavery and human trafficking laws, statutes and regulations in force from time to time;

18.5.2 neither it nor any of its officers, employees, agents or subcontractors has:

a) been convicted of any offence involving slavery and human trafficking or been the subject of any investigation, inquiry or enforcement proceedings regarding any offence or alleged offence; or

b) is aware if any circumstances within its supply chain that could give rise to an investigation relating to an alleged offence or prosecution of or in connection with slavery and human trafficking;

18.5.3it shall notify the other party immediately in writing if it becomes aware or has reason to believe that it, or any of its officers, employees, agents or subcontractors have breached or potentially breached any of its obligations under this clause 18.5. Such notice shall set out full details of the circumstances concerning the breach or potential breach of its obligations.

18.6 Any breach of this clause 18 shall be deemed an irremediable material breach of this Agreement and each party shall immediately notify the other as soon as it becomes aware of a breach.

19 Communication & Notices

19.1 A notice given to a party under or in connection with this Agreement:

19.1.1 shall be in writing and in English or accompanied by an accurate translation into English;

19.1.2 shall be sent to the party for the attention of the contact and at the email address given in clause 19.2, with an option to send a hard copy to the address given in clause 19.2, or such other address or email address as that party may notify in accordance with clause 19.3; and

19.1.3 is deemed received as set out in clause 19.4 if prepared and sent in accordance with this clause.

19.2 The addresses and email addresses for service of notices are:

19.2.1 ComplyAdvantage

a) Address: 2nd Floor, Fetter Yard, Fetter Lane, London, EC4A 1AD, United Kingdom

b) For the attention of: the Client’s account manager or customer success manager

c) Email address: the Client’s account manager or customer success manager, with a copy to [email protected]

19.2.2 the Client

a) Address: such address as is given on the Order Form

b) For the attention of: such primary contact as is given on the Order Form

c) Email address: such email as is given for the primary contact on the Order Form

19.3 A party may change its details given in the table in clause 18.2 by giving notice, the change taking effect for the party notified of the change at 9.00am in the place of receipt on the later of:

19.3.1 the date, if any, specified in the notice as the effective date for the change; or

19.3.2 the date five Business Days after deemed receipt of the notice.

19.4 A notice shall be deemed to have been received at the time of the successful transmission of the email. Where an email is sent other than between 9.00am and 5.00pm Monday to Friday on a day other than a public holiday in the place of receipt, it shall be deemed received at 9.00am on the next such day.

19.5 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

20 Governing Law and Jurisdiction

20.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of France.

20.2 Subject to clause 20.3 below, any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity or termination and including non-contractual disputes or claims, shall be referred to and finally resolved by arbitration under the Centre for Mediation and Arbitration Rules, which Rules are deemed to be incorporated by reference into this clause. The number of arbitrators shall be one. The seat, or legal place, of arbitration shall be Paris, France. The language to be used in the arbitral proceedings shall be English.

20.3 Claims for injunctive relief, emergency or precautionary measures (“mesures conservatoires ou provisoires”)  or with Intellectual Property as their subject matter, are exempt from the requirements of clause 20.2.

20.4 The parties irrevocably agree that if the arbitration provided for in clause 20.2 is determined for any reason to be unenforceable or inapplicable to any dispute, or if clause 20.3 applies to the matter, then the competent courts of Paris, France shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims), save that ComplyAdvantage may elect to bring proceedings against the Client in the courts of any jurisdiction where Client or any of its assets may be found or located.

21 General

21.1 Except where otherwise expressly stated herein, this Agreement constitutes the entire agreement between the parties relating to the subject matter of this Agreement and supersedes any previous agreement or understanding whatsoever whether oral or written relating to the subject matter of this Agreement.

21.2 Unless otherwise stated, in case of conflict between the main body of this Agreement and other documents forming part of it, the order of precedence is:

21.2.1 the Order Form

21.2.2 clauses 1-21 of this Agreement

21.2.3 any other appendices attached to this Agreement.

21.3 Except as expressly provided otherwise, no variation of the provisions of this Agreement shall be valid unless confirmed in writing by the authorised signatories of both parties on or after the date of the last required signature on this Agreement.

21.4 Each party warrants to the other that they have the power and authority to enter into this Agreement and perform its obligations under this Agreement.

21.5 This Agreement shall not be deemed to create any partnership or employment relationship between the parties.

21.6 A person who is not party to this Agreement shall have no rights to enforce any term hereunder.  The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this Agreement are not subject to the consent of any other person, including any Affiliate of ComplyAdvantage.

21.7 No act, failure or delay to act, or acquiescence by ComplyAdvantage or the Client in exercising any of its rights under this Agreement shall be deemed to be a waiver of that right or in any way prejudice any right of ComplyAdvantage or the Client under this Agreement, and no waiver by ComplyAdvantage of any breach of this Agreement by the Client shall be considered as a waiver of any subsequent breach of the same or any other provision. Any waiver or relaxation whether partly or wholly of any of the terms or conditions of this Agreement shall be valid only if in writing and signed by or on behalf of ComplyAdvantage and shall apply only to a particular occasion and shall not be continuing and further shall not constitute a waiver or relaxation of any other terms or conditions of this Agreement.

21.8 The rights and remedies provided in this Agreement are cumulative and not exclusive of any rights and remedies provided by law.

21.9 If any provision of this Agreement is held by any court or other competent authority to be unlawful, invalid or unenforceable in whole or in part, the provision shall, to the extent required, be severed from this Agreement and rendered ineffective as far as possible without modifying the remaining provisions of this Agreement, and shall not in any way affect any other circumstances of or the validity or enforcement of this Agreement.

Appendix I: Service Level Agreement

The following section provides information on service availability, monitoring of in-scope Services and related components. Unless otherwise indicated on the Order Form, the Client’s selection is ‘Professional’ as indicated in the table below. ‘Premium’ is available only for the Mesh platform.

		Professional	Plus	Premium
Availability target		99.50%	99.90%	99.99%
Underwriting of availability target	Service credits	No	1% of monthly Charges per 0.1% below the availability target up to a maximum of 5% in a month	1% of monthly Charges per 0.1% below the availability target up to a maximum of 10% in a month
	Termination rights	No	If ComplyAdvantage misses the availability target in 4 consecutive months or 6 months in a rolling 12-month period	If ComplyAdvantage misses the availability target in 3 consecutive months or 5 months in a rolling 12-month period
Maintenance windows		First 15 minutes per month do not count as unavailability	Included in availability target	Included in availability target
Support hours		Working Hours	24x7x365 for P1s 24×5 for P2s and P3s Working Hours for P4s	24x7x365 for P1s 24×5 for P2s, P3s and P4s
Target response times	P1	1 Working Hour	1 hour	30 minutes
	P2	3 Working Hours	1 hour	30 minutes
	P3	5 Working Hours	3 Working Hours	3 Working Hours
	P4	8 Working Hours	5 Working Hours	5 Working Hours
Target resolution times	P1	8 Working Hours	4 hours	2 hours
	P2	24 Working Hours	16 Working Hours	4 hours

Scheduled maintenance notice periods
Length of planned maintenance	Notice
5 minutes	24 hours
10 minutes	5 Business Days
30 minutes	10 Business Days
Over 30 minutes	20 Business Days

Support email addresses:

[email protected] – incidents and issues raised by this address will be P1 tickets until reviewed by a member of the support team.

[email protected] – incidents and issues raised by this address will be P3 tickets until reviewed by a member of the support team.

Definitions:

“Business Days” refers to the definition in the Terms of Service;

“P1” means an incident or issue which renders the Services are completely unavailable with no possible workaround and the impact on your core business operations is critical;

“P2” means an incident or issue which significantly negatively impairs the performance of the Services or where their functionality is significantly reduced, there is no practical workaround available and the impact on your core business operations is severe;

“P3” means an incident or issue which causes the Services to perform or function other than as expected, there is a workaround available and the impact on your core business operations is moderate;

“P4” means an incident or issue which causes the Services to perform or function other than as expected, there is a workaround available and the impact on your core business operations is low; and

“Working Hours” refers to the definition in the Terms of Service.

Plus SLA entitlements

The Client is entitled to the rights and commitments set out in the ‘Plus’ or ‘Premium’ columns only if indicated on the Order Form. Where the Client wishes to exercise its rights in relation to ComplyAdvantage’s underwriting of the availability target, within a reasonable time of the end of the calendar month and in any case such time not to exceed 21 days, the Client must notify ComplyAdvantage in writing setting out the dates and times during which it considers downtime to have occurred so that ComplyAdvantage can verify such periods of downtime and the parties’ respective responsibilities therefore. ComplyAdvantage may request further information from the Client to assist with the verification. Where the foregoing conditions relating to the service credits are fulfilled, the service credits shall either be applied as credit towards the Client’s next invoice or paid in cash to the Client within 30 days of the end of the then current Contract Year, at ComplyAdvantage’s election. Where the conditions in the ‘Termination rights’ row of the table above are fulfilled, the Client shall be entitled to terminate this agreement immediately upon written notice to ComplyAdvantage and ComplyAdvantage shall pay to the Client a prorated refund of the Charges paid for Services not yet used.

Appendix II: Data Protection

Technical and Organisational Measures

Ongoing confidentiality, integrity, availability and resilience of processing systems

System architecture	We maintain a highly available system configuration ensuring low levels of downtime and minimising the risk of data loss.
Encryption	Data is encrypted in transit using HTTPS for web & API requests, and AES-256 at rest.
Update testing	New deployments to production systems are subject to code review, manual and automated testing, and a product team review before being rolled out.
Vulnerability testing	We conduct regular vulnerability scans of our production systems and system architecture.
System security	A web application firewall and intrusion detection system are in place. Cloud deployment with best-in-class security systems.
Access control	We maintain records of security privileges of ComplyAdvantage individuals with access to client data and adopt a policy of least privilege. Security privileges are reviewed periodically and as part of starter/mover/leaver checks.
User authentication	Client access is via email address and password, and we can restrict access to specified IP ranges upon request to add an additional layer of authentication.

Restoring availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Disaster recovery

Client data is backed up daily and distributed across redundant hosting providers, providing additional resilience and a recent recovery point in the unlikely event of system failure.

Regular testing, assessing and evaluating of these measures’ effectiveness

Information security management

Responsibility for information security is shared between the technical and operational teams, the leadership of which regularly reviews and improves existing practice, with internal audits, penetration testing, and ISO 27001 certification (BSI certificate IS 692029).

Information on processing activities

Data Protection Officer’s details	[email protected]
Subject matter	Personal data is processed for the purpose of providing anti-money laundering and sanctions compliance services.
Duration of Processing Activities	For the duration of ComplyAdvantage’s provision of the Services, unless the Client instructs ComplyAdvantage otherwise in accordance with the terms of the Agreement.
Nature and Purpose of the Processing Activities	Nature of data processing: providing and using anti-money laundering and sanctions compliance/case management tool. Processing activities: access; collection; recording; retrieval; use; modification; hosting; storage; making available; monitoring (service delivery); deletion; destruction.
Types of Personal Data	The types of Personal Data to be processed by ComplyAdvantage under this Agreement as Processor are: ● Name, date of birth, customer reference number, case management and disposition actions taken, client KYC, risk level and compliance, information tags used by the Client, TMS data. ComplyAdvantage may also process as part of the Services information relating to data subjects: 1. criminal convictions and offences where a profile returned for a search contains adverse media or published government warning lists relating to such convictions or offences. We use the exemptions under Schedule 1, paragraphs 10-12 of the Data Protection Act 2018 as the legal basis for processing this category of Personal Data; and 2. political opinions as revealed by the position held by a politically exposed person (PEP), where such opinions are made manifestly public by the nature of the position held (Art. 9(2)(e)). Additional types of Personal Data to be processed for Clients using Transaction Monitoring and/ or Transaction Screening Services: ● Payment message information including bank account numbers, transaction value and currency, expected customer behaviour profile/ grouping, transaction dates and times, system alerts related to data subject, address and country of residence, nationality.
Categories of Data Subject	Those persons required to undergo customer due diligence as part of the Controller’s sanctions and anti-money laundering procedures.
Data Transfer Method	HTTPS/TLS-encrypted API and web interface SFTP
Sub-Processors	Sub-Processor list is available at this address: https://complyadvantage.com/sub-processors-list/

Appendix III: Service Description

1 Overview

The Services leverage advanced technologies to provide real-time insights and streamline compliance workflows. The key functional capabilities of the Services are detailed below; paragraphs 2.1 to 2.4 (inclusive) detail products available within the Services and the Client’s access to them will depend on which products are purchased by the Client.

2 Key Functional Capabilities

2.1 Entity Screening Platform. The Entity Screening Platform provides the following capabilities:

2.1.1 screening of entities, including people, companies and organisations, vessels and aircraft, against an intelligence database of sanctions, watchlists, politically exposed persons (“PEPs”), and adverse media data;

2.1.2 advanced matching algorithms to minimise false positives and enhance detection accuracy; and

2.1.3 Client-customisable screening configurations to align with the Client’s specific risk appetite and regulatory requirements.

2.2 Entity Ongoing Monitoring Platform. The Ongoing Monitoring Platform provides the following capabilities:

2.2.1 monitoring of entities previously screened through the Entity Screening Platform to detect changes in the intelligence database; and

2.2.2 automated case creation for any modifications in the intelligence database related to entities previously screened through the Entity Screening Platform.

2.3 Transaction Monitoring Platform. The Transaction Monitoring Platform provides the following capabilities:

2.3.1 analysis of transaction data supplied by the Client to identify suspicious activities indicative of money laundering or terrorist financing or other activities of interest to the Client based on rules and thresholds set by the Client; and

2.3.2 Client-customisable rules and segments to align with the Client’s specific risk appetite and regulatory requirements.

2.4 Transaction Screening Platform. The Transaction Screening Platform provides the following capabilities:

2.4.1 screening of transaction data supplied by the Client against an intelligence database of sanctions and PEPs data;

2.4.2 advanced matching algorithms to minimise false positives and enhance detection accuracy; and

2.4.3 Client-customisable screening configurations to align with the Client’s specific risk appetite and regulatory requirements.

2.5 Case Management Tools. The Case Management Tools include:

2.5.1 tools to support the Client’s handling of alerts and remediation processes;

2.5.2 tools to facilitate collaboration within the Client’s organisation, including audit trails capturing actions and decision-making processes;

2.5.3 prioritisation by indicating an entity’s risk level to focus on high-risk cases; and

2.5.4 interactive dashboards providing visibility into risk and performance metrics, supporting informed decision-making.

2.6 Risk Scoring Tool. The Risk Scoring Tool is available only on the ComplyAdvantage Mesh platform and includes:

2.6.1 customisable risk scoring calculations; and

2.6.2 risk scoring models that assess entity risk based on multiple data points, configured by the Client to align with the Client’s specific risk appetite and regulatory requirements.

2.7 Integration and Security. The Services ensure integration and security through:

2.7.1 providing an API allowing integration with the Client’s existing systems and workflows; and

2.7.2 compliance with leading industry security standards, including ISO 27001 and SOC 2 certifications, ensuring secure data management and storage. The security standards are further detailed in Appendix II (Technical and Organisational Measures) and such other documents as may be supplied to the Client upon request from time to time, including the ComplyAdvantage Information Security Policy.

3 Support Services and Implementation

The Services include technical assistance and guidance to the Client on the configuration, development and implementation of the functionality available through ComplyAdvantage personnel.

Appendix IV

REGULATORY APPENDIX

(the “Regulatory Appendix”)

1 Interpretation

1.1 Pursuant to clause 1.5 of the Agreement, this Regulatory Appendix applies if and to the extent that the Client is subject to Applicable Operational Resilience Law or Applicable Outsourcing Guidelines. Where the Client is subject to neither, this Regulatory Appendix shall not apply and the Client shall have no right to rely upon the provisions herein.

1.2 In this Regulatory Appendix, capitalised terms which are used but not defined have the meanings given to them in the Agreement, and the following expressions shall have the following meanings in this Regulatory Appendix:

“Applicable Operational Resilience Law” means, as applicable and binding on the Client, any laws relating to the digital operational resilience of financial institutions, including without limitation DORA, and all amendments and replacement law and regulatory guidance;

“Applicable Outsourcing Guidelines” means, as applicable and binding on the Client, any laws relating to the outsourcing of business and operational functions of financial institutions, including without limitation the EBA Guidelines and the MAS Guidelines, and all amendments and replacement laws and regulatory guidance;

“Auditor” means a representative of the Client or of the Regulator appointed to conduct an On-Site Audit;

“BCP” means a formal business continuity plan;

“BRRD” means Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms, and its related EU and local implementation regulations;

“Critical ICT Service” means an ICT Service that supports a Critical or Important Function;

“Critical or Important Function” means a function, the disruption of which would materially impair the financial performance of the Client, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of the Client with the conditions and obligations of its authorisation, or with its other obligations under Applicable Law applicable to it;

“Disruption” means the occurrence of one or more events that materially impacts the ability of ComplyAdvantage to provide the Services in compliance with the agreed service levels or Applicable Law;

“DORA” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector, and its related EU and local implementation regulations;

“EBA Guidelines” means the European Banking Authority’s final report on outsourcing arrangements published on 25 February 2019 which came into force on 30 September 2019;

“ICT-Related Incident” means a single event or a series of linked events unplanned by the Client that compromises the security of the network and information systems of the Client and has an adverse impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the Client to its customers;

“ICT Service” means a Service which is a digital and data service provided by ComplyAdvantage through its ICT systems to one or more internal or external users on an ongoing basis, excluding traditional analogue telephone services;

“MAS Guidelines” means the Monetary Authority of Singapore’s (i) Guidelines on Outsourcing (Banks) which came into force on 11 December 2024 and (ii) Guidelines on Outsourcing (Financial Institutions other than Banks) which came into force on 11 December 2024 and were revised on 24 January 2025;

“On-Site Audit” means an on-site audit of ComplyAdvantage as necessary for the purposes of gathering information relevant to the Client’s compliance with Applicable Operational Resilience Law or Applicable Outsourcing Guidelines;

“Regulator” means any regulatory, resolution or supervisory authority to which the Client is subject or which is entitled by any Applicable Law applicable to the Client to supervise, regulate or investigate the matters dealt with in this Regulatory Appendix; and

“TLPT” means threat-led penetration testing, a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat.

1.3 Notwithstanding any order of precedence in the Agreement, this Regulatory Appendix supplements the Agreement and to the extent of any conflict or inconsistency between the terms and conditions of this Regulatory Appendix and any other terms and conditions of the Agreement (including any appendices to it), then unless expressly stated otherwise, the terms and conditions of this Regulatory Appendix shall take precedence.

1.4 Unless stated otherwise, a reference to a clause number refers to a clause of this Regulatory Appendix.

1.5 Notwithstanding any other clause, the terms of this Regulatory Appendix shall only apply to the part of the Services to which clause 1.1 applies.

1.6 In the event that the Client, acting reasonably and in good faith, determines that an ICT Service constitutes a Critical ICT Service, the Client shall notify ComplyAdvantage in writing and the parties shall meet to discuss and agree such determination. If the parties agree that the Service constitutes a Critical ICT Service, certain provisions, as identified as applicable to Critical ICT Services, of this Regulatory Appendix shall apply.

2 Business Continuity and Disruption

2.1 ComplyAdvantage shall maintain a BCP that shall include plans for emergency response and management, business recovery and disaster recovery in the event of a Disruption. Upon the written request of the Client, ComplyAdvantage shall make a summary of the BCP available to the Client for review. The parties acknowledge and agree that the BCP comprises ComplyAdvantage’s Confidential Information for the purposes of the Agreement. ComplyAdvantage shall regularly test the BCP and provide confirmation of such tests upon request.  The BCP shall address at least: (i) the backup and restoration of operating systems and applications supporting processing at an alternate facility; (ii) the backup and recovery of critical data; and (iii) the operational recovery of the provision of the Services within the defined recovery time objective, unless otherwise communicated. In the event that ComplyAdvantage facilities supporting the provision of the Services are inoperable, ComplyAdvantage shall, so far as is practicable, endeavour to treat all its customers equally.

2.2 ComplyAdvantage shall promptly upon becoming aware inform the Client of a Disruption or of circumstances likely to result in a Disruption.

2.3 In case of a Disruption, ComplyAdvantage shall implement the BCP and shall continue to perform any obligations that are not affected by the Disruption in accordance with the Agreement.

2.4 ComplyAdvantage shall provide reasonable and proportionate assistance to the Client when an ICT-Related Incident that is directly related to the ICT Service provided to the Client by ComplyAdvantage occurs.

2.5 With respect to Critical ICT Services:

2.5.1 ComplyAdvantage shall have in place reasonable ICT security measures, tools and policies that provide an appropriate and reasonable level of security for the provision of the Critical ICT Services to the Client;

2.5.2 without undue delay after becoming aware, ComplyAdvantage shall notify the Client of any development that is likely to have a material impact on ComplyAdvantage’s ability to effectively provide the Critical ICT Service in line with the service levels set out in Appendix I of the Agreement (Service Level Agreement); and

2.5.3 where required by a Regulator and Applicable Operational Resilience Law, ComplyAdvantage shall reasonably participate and fully cooperate in the Client’s TLPT, which may, if directed by ComplyAdvantage, be by engaging an external tester to perform pooled TLPT testing, provided in each case that (i) the Client provides ComplyAdvantage with reasonable advance written notice of such TLPT (which shall in any event be no less than 30 days’ notice); (ii) such testing occurs no more than once in any three year period; (iii) such testing does not put ComplyAdvantage in breach of any Applicable Law or contractual requirements to other ComplyAdvantage customers; and (iv) the Client applies effective risk management controls to mitigate the risks and impact on data, damage to assets and disruption to the functions, services and operations of other ComplyAdvantage customers.

3 Sub-Contracting

3.1 ComplyAdvantage shall not sub-contract the whole or any part of its obligations under the Agreement, except for:

3.1.1 in respect of Sub-Processors, in accordance with the data protection and privacy provisions of the Agreement; and

3.1.2 in respect of any sub-contractor providing a Critical or Important Function (or material parts thereof) to ComplyAdvantage other than Sub-Processors (a “Critical or Important Subcontractor”), where the Client does not object to such sub-contracting in accordance with clause 3.5 or where the provisions of clause 3.6 apply.

3.2 The use of any Critical or Important Subcontractors by ComplyAdvantage to provide the Services shall not limit or restrict the obligations of ComplyAdvantage under the Agreement in respect of the provision of the Services and ComplyAdvantage shall remain fully liable for all the acts and omissions of each sub-contractor as if they were its own.

3.3 ComplyAdvantage shall oversee the activities of its Critical or Important Subcontractors so as to procure that all material contractual obligations of ComplyAdvantage under the Agreement shall continue to be met notwithstanding the sub-contracting.

3.4 If ComplyAdvantage intends to appoint additional or replacement Critical or Important Subcontractors, including material changes to the current arrangements in place with Critical or Important Subcontractors, ComplyAdvantage shall give reasonable advanced notice of its intention to make each such change and the Client may object to any such appointment within two weeks of notice.

3.5 Where the Client objects to the proposed change in accordance with clause 3.4, ComplyAdvantage shall consider the reasons given for such objection and take such steps as it deems reasonable to address them. If such steps do not reasonably satisfy the Client, ComplyAdvantage may elect to continue to provide the Services without the proposed change or, where ComplyAdvantage does not elect to do so, the Client may terminate the Services upon written notice to ComplyAdvantage.

3.6 Subject to clause 3.7, where ComplyAdvantage sub-contracts a Critical ICT Service, or material part thereof, to a Critical or Important Subcontractor after the Effective Date, ComplyAdvantage shall:

3.6.1 following the Client’s reasonable request, provide the Client with information reasonably required by the Client to support and enable the Client to effectively monitor ICT risk, in accordance with Article 28 paragraphs (3) and (9) of DORA;

3.6.2 assess all risks, including ICT risks, associated with the location of the Critical or Important Subcontractor and its parent company and the location where the Critical ICT Service is provided from;

3.6.3 use reasonable endeavours to ensure its agreements with Critical or Important Subcontractors performing a Critical ICT Service set out the location of data processed or stored by such Critical or Important Subcontractor in relation to the performance of such Critical ICT Service;

3.6.4 use reasonable endeavours to ensure the continuity of any Critical ICT Service throughout the chain of sub-contractors in case of failure by a sub-contractor performing such Critical ICT Service to meet its contractual obligations;

3.6.5 use reasonable endeavours to ensure its Critical or Important Subcontractors supporting the provision of Critical ICT Services are subject to appropriate obligations relating to business contingency plans;

3.6.6 use reasonable endeavours to ensure it specifies in its contractual arrangements with Critical or Important Subcontractors the ICT security standards and any additional security features, where relevant, to be met by such sub-contractor to ensure an appropriate level of security for the provision of Critical ICT Services; and

3.6.7 notify the Client if ComplyAdvantage changes, or is notified of a Critical or Important Subcontractor changing, the region or country where the sub-contracted Critical ICT Services are to be provided from;

3.6.8 use reasonable endeavours to ensure that such sub-contractor shall grant to any Auditors appropriate and proportionate rights of audit, information and access which may include, for example, a summary of an audit report undertaken by ComplyAdvantage on such sub-contractor and which may be similar to the rights of access and audit as the Auditors have in relation to ComplyAdvantage pursuant to clause 5.

3.7 Where a Critical or Important Subcontractor is a cloud provider or a provider that offers any other standardised service, ComplyAdvantage shall contract with such sub-contractor on the basis of its standard financial services terms that are offered to all of their clients on a similar basis.

4 Requests for Documentation

4.1 Upon the written request of the Client or a Regulator, ComplyAdvantage shall share with the Client or a Regulator documentation and evidence reasonably required to satisfy the requirements of the Client’s or the Regulator’s due diligence required by Applicable Law. Such documentation may include, without limitation:

4.1.1 written reports of ComplyAdvantage’s performance with respect to agreed service levels and details of failures thereto;

4.1.2 summaries of any reports derived from ComplyAdvantage’s testing, assessment and evaluation of the effectiveness of its information security management; and/or

4.1.3 third-party security audit certifications (including non-conformities) held by ComplyAdvantage from time to time, such as ISO27001 and SOC2 Type II.

4.2 ComplyAdvantage may redact sections of any documents and evidence provided in order to maintain the confidentiality of trade secrets or the confidential information of persons other than the Client.

5 Client On-Site Audits

5.1 Where the Client is not, acting reasonably, satisfied with the results and explanation of any non-conformity or irregularity in the documentation and evidence shared under clause 4, the Client may conduct an On-Site Audit. On-Site Audits conducted by the Client shall be subject to the terms of this clause 5.

5.2 The Client shall provide ComplyAdvantage with no less than 30 days prior written notice of an On-Site Audit, except to the extent that such length of notice is not possible due to an emergency or crisis situation or where a shorter timescale is prescribed by a Regulator, such notice to include the purpose and scope of the On-Site Audit.

5.3 The Client shall provide ComplyAdvantage a detailed itinerary of the On-Site Audit no less than 14 days prior to the proposed commencement of the On-Site Audit.

5.4 Pursuant to an On-Site Audit, ComplyAdvantage shall provide any Client Auditors access to any business premises from which the Services are provided, including to:

5.4.1 observe relevant devices, systems, networks, information and data used for providing the Services; and

5.4.2 take copies of relevant documentation to the extent that such documentation is critical to ComplyAdvantage’s operations in connection with the provision of Critical ICT Services.

5.5 In relation to an On-Site Audit:

5.5.1 the Client shall ensure that Auditor access shall be scheduled during Working Hours at a time specified by ComplyAdvantage, provided that ComplyAdvantage shall use reasonable endeavours to provide access as soon as possible in any emergency or crisis situation;

5.5.2 no more Client Auditors may attend an On-Site Audit than is reasonably necessary and the Client shall provide details of the identity of Client Auditors. ComplyAdvantage may refuse access to Auditors who are not employees of the Client, such refusal not to be exercised unreasonably, and ComplyAdvantage shall cooperate with the Client if any problem with a particular Auditor is identified. A refusal pursuant to this clause shall not be deemed unreasonable if an Auditor is an employee, consultant or advisor to a direct competitor of ComplyAdvantage;

5.5.3 while on any premises the subject of an On-Site Audit, all Auditors shall be under ComplyAdvantage supervision and escort; and

5.5.4 any On-Site Audit shall be limited to reviewing the provision of the Services applicable to the Client only and shall not include any review of any information related to the provision of any services to any other customers of ComplyAdvantage.

6 Cooperation with Regulators

6.1 To the extent lawfully permitted, the Client shall provide ComplyAdvantage written notice of any Regulator requests of which it is aware which may affect ComplyAdvantage. The Client gives irrevocable consent to ComplyAdvantage in relation to ComplyAdvantage’s cooperation and compliance with the instructions of a Regulator, including where such cooperation and compliance requires the disclosure of the Client’s Confidential Information to a Regulator.

6.2 ComplyAdvantage shall cooperate and comply with the instructions of a Regulator acting within their lawful powers, including persons appointed by them, such cooperation to include granting a Regulator the right to an On-Site Audit.

7 BRRD

7.1 Where BRRD applies to the Client, ComplyAdvantage shall:

7.1.1 be bound by the information gathering and investigatory powers of any competent and resolution authorities under Article 63(1)(a) of BRRD and Article 65(3) of Directive 2013/36/EU; and

7.1.2 comply with all laws applicable to it related to that resolution and, if so requested in writing, shall discuss in good faith with the designated resolution authority (but without prejudice to any rights that ComplyAdvantage has under the Agreement) any concerns in respect of the ongoing provision to such Client of the Services. For the avoidance of doubt and to the extent not prohibited by BRRD, the Client shall remain obligated to pay the undisputed agreed Charges for the Services provided by ComplyAdvantage during or after a resolution event. If the Client does not pay such Charges during or after the resolution event, ComplyAdvantage may terminate the Agreement in accordance with its terms.

8 ICT Security Awareness Programmes and Digital Operational Resilience Training

8.1 The Client shall notify ComplyAdvantage annually in January of the Client’s ICT security awareness programmes and digital operational resilience training it expects ComplyAdvantage to participate in for the forthcoming year. ComplyAdvantage shall identify the relevant persons at an appropriately senior level to participate in such training, provided that:

8.1.1 the Client provides ComplyAdvantage with reasonable advance notice of the dates of such training; and

8.1.2 such training occurs no more than once per year.

9 Termination

9.1 ComplyAdvantage shall suspend or terminate all or part of the provision of the Services to the Client to the extent and at the time required do so by a specific direction of a Regulator in respect of the Client. Where not prohibited by Applicable Law, ComplyAdvantage shall notify the Client of any suspension or termination pursuant to this clause promptly following its receipt of such a direction of a Regulator.

9.2 The Client may suspend or terminate its use of all or part of the Services immediately upon written notice to ComplyAdvantage where the Client is required do so in order to comply with a specific direction of a Regulator explicitly requiring such suspension or termination.

9.3 The Client may terminate this Agreement in part to the extent it relates to the relevant and affected ICT Service by giving Comply Advantage written notice if:

9.3.1 the Client identifies and notifies ComplyAdvantage in writing of circumstances through its monitoring of ICT third-party risk that have negatively and materially altered the performance of the ICT Services, including material changes that materially and adversely affect the arrangement or the situation of ComplyAdvantage, and in each case, ComplyAdvantage has failed to take steps to remedy the issue within 30 days of receiving written notice of same;

9.3.2 the Client’s Regulator is no longer able to effectively supervise the Client as a result of the conditions of, or circumstances related to, the provision of the relevant ICT Service;

9.3.3 ComplyAdvantage subcontracts a Critical or Important Function in material breach of the provisions of this Regulatory Appendix;

9.3.4 ComplyAdvantage is in significant breach of Applicable Law applicable to it; or

9.3.5 the Client identifies and notifies ComplyAdvantage in writing of evidenced and demonstratable material weaknesses in ComplyAdvantage’s ICT risk management and, the way ComplyAdvantage ensures the availability, authenticity, integrity and confidentiality of the Client’s Confidential Information and ComplyAdvantage has failed to take steps to remedy such weaknesses within 30 days of receiving written notice of the same.

10 Post-Termination and Transfer Assistance

10.1 Upon the written notice of the Client, ComplyAdvantage shall continue to provide the Services for 90 days following the date of termination of the Agreement (the “Exit Period”). ComplyAdvantage may consent to extent the Exit Period up to 180 days, such consent not to be unreasonably withheld, conditioned or delayed. Written notice of the Client pursuant to this clause shall be given:

10.1.1 where the Client terminates the Agreement, at the time of notice to terminate the Agreement; or

10.1.2 where ComplyAdvantage terminates the Agreement, without undue delay after receipt of notice to terminate the Agreement.

10.2 During the Exit Period and in any other period approaching termination of part or all of the Services, ComplyAdvantage shall provide such reasonable assistance as the Client requests to help facilitate the transfer of the Services to the Client itself or an alternative provider of similar services, including without limitation:

10.2.1 ensuring that Client Data held or processed by ComplyAdvantage in the course of providing the ICT Services can be accessed promptly and shall be recovered and returned to the Client in an easily accessible format, including in the case of the insolvency, resolution or discontinuation of business operations of ComplyAdvantage; and

10.2.2 responding to reasonable requests for information with respect to such a transfer of services from the Client, provided that ComplyAdvantage shall not be required to disclose trade secrets or other competitively sensitive information.

10.3 During the Exit Period, the parties shall continue to be bound by the terms of the Agreement.

10.4 ComplyAdvantage shall invoice the Client in respect of the Exit Period at the same rate as the then current Charges, pro-rated for the length of the Exit Period.

10.5 Notwithstanding the foregoing, where ComplyAdvantage terminates the Agreement for breach by the Client, ComplyAdvantage may withhold provision of the Services during the Exit Period and condition further performance upon:

10.5.1 payment of any undisputed fees then owed;

10.5.2 prepayment of fees for further services; or

10.5.3 receipt by ComplyAdvantage of an officer’s certificate from the Client certifying ongoing compliance with the terms of the Agreement during the Exit Period.

11 Insurance

11.1 ComplyAdvantage shall put in place and maintain for the duration of the Agreement, and for a period of two years afterwards, appropriate insurance policies in relation to the risks set out below with a reputable insurance company in respect of the performance by ComplyAdvantage of its obligations under the Agreement. Such risks are:

11.1.1 general liability insurance;

11.1.2 cyber and technology insurance; and

11.1.3 employer’s liability insurance.

11.2 ComplyAdvantage shall provide the Client with certificates from its insurers upon the Client’s written request from time to time confirming that ComplyAdvantage has valid insurances which comply with this clause 11.

12 Costs

12.1 ComplyAdvantage may charge the Client for ComplyAdvantage’s reasonable costs incurred in:

12.1.1 participating in the Client’s TLPT;

12.1.2 participating in the Client’s ICT security awareness programmes and digital operational resilience training; and

12.1.3 the Client’s On-Site Audits,

provided that, prior to incurring such costs, ComplyAdvantage shall use reasonable endeavours to identify such costs and supply the Client with written particulars of the same.

13 General

13.1 ComplyAdvantage shall provide the Services from Ireland, the United Kingdom and the locations listed at https://complyadvantage.com/sub-processors-list/. ComplyAdvantage shall provide the Client with 30 days’ written notice in the event ComplyAdvantage envisages a change to this location.

13.2 To the extent required by Applicable Law, ComplyAdvantage shall maintain a legal entity identifier (“LEI”) for the duration of the Agreement. As of the Effective Date, the LEI associated with ComplyAdvantage is 254900VBEUEJAX6XPW79 (IVXS UK Limited).

13.3 The Client shall treat the existence and details of this Regulatory Appendix as ComplyAdvantage’s Confidential Information. The Regulatory Appendix may be disclosed by the Client to a Regulator.