1.                   SERVICES AND SUPPORT

1.1                Subject to the terms of this Agreement, The Company (Kora Sustainability Ltd, referred to as The “Company”) will use commercially reasonable efforts to provide Customer the Services. As part of the registration process, The Customer will identify an administrative username and password for Customer’s Company account. The Company reserves the right to refuse registration of or cancel passwords it deems inappropriate.

1.2                Subject to the terms hereof, Company will provide Customer with reasonable technical support services in accordance with our commitment to provide support in accordance with Kora’s standard practice.

2.                   RESTRICTIONS AND RESPONSIBILITIES

2.1                Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services (“Software”); modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; or remove any proprietary notices or labels.  With respect to any Software that is distributed or provided to Customer for use on Customer premises or devices, Company hereby grants Customer a non-exclusive, non-transferable, non-sublicensable license to use such Software during the Term only in connection with the Services.

2.2                Customer represents, covenants, and warrants that Customer will use the Services only in compliance with Company’s standard published policies then in effect (the “Policy”) and all applicable laws and regulations.  Customer hereby agrees to hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and legal fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Customer’s use of Services. Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.

2.3                Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”).  Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account or the Equipment with or without Customer’s knowledge or consent.

3.                   CONFIDENTIALITY; PROPRIETARY RIGHTS

3.1                Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party).  Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service.  Proprietary Information of Customer includes non-public data provided by Customer to Company to enable the provision of the Services (“Customer Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information.  The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law. 

3.2                Kora shall own all rights, titles, and interests in and to the Customer Data, as well as any data that is based on or derived from the Customer Data and provided to Customer as part of the Services.  Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing.     

3.3                Notwithstanding anything to the contrary, Company shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and  Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business.  No rights or licenses are granted except as expressly set forth herein.  

4.                   PAYMENT OF FEES

4.1                Customer will pay Company the then applicable fees described in the Order Form for the Services and Implementation Services in accordance with the terms therein (the “Fees”).  If Customer’s use of the Services exceeds the Service Capacity set forth on the Order Form or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein.  Company reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Service Term or then‑current renewal term, upon thirty (30) days prior notice to Customer (which may be sent by email). If Customer believes that Company has billed Customer incorrectly, Customer must contact Company no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit.  Inquiries should be directed to Company’s customer support department.

4.2                Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Company thirty (30) days after the mailing date of the invoice.  Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service.

5.                   TERM AND TERMINATION

5.1                Subject to earlier termination as provided below, this Agreement is for the Initial Service Term as specified in the Order Form and shall be automatically renewed for additional periods of the same duration as the Initial Service Term (collectively, the “Term”), unless either party requests termination at least thirty (30) days prior to the end of the then-current term.

5.2                In addition to any other remedies it may have, either party may also terminate this Agreement upon sixty (60) days’ notice (or without notice in the case of nonpayment), if the other party materially breaches any of the terms or conditions of this Agreement.  Customer will pay in full for the Services up to and including the last day on which the Services are provided. Upon any termination, Company will make all Customer Data available to Customer for electronic retrieval for a period of thirty (30) days, but thereafter Company may, but is not obligated to, delete stored Customer Data. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.

6.                   WARRANTY AND DISCLAIMER

Company shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Implementation Services in a professional and workmanlike manner.  Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.  However, Company does not warrant that the Services will be uninterrupted or error free; nor does it make any warranty as to the results that may be obtained from use of the Services.  EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND IMPLEMENTATION SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

7.                   LIMITATION OF LIABILITY

Notwithstanding anything to the contrary, except for bodily injury of a person, Company and its suppliers (including but not limited to all equipment and technology suppliers), officers, affiliates, representatives, contractors and employees shall not be responsible or liable with respect to any subject matter of this agreement or terms and conditions related thereto under any contract, negligence, strict liability or other theory: (a) for error or interruption of use or for loss or inaccuracy or corruption of data or cost of procurement of substitute goods, services or technology or loss of business; (b) for any indirect, exemplary, incidental, special or consequential damages; (c) for any matter beyond company’s reasonable control; or (d) for any amounts that, together with amounts associated with all other claims, exceed the fees paid by customer to company for the services under this agreement in the 12 months prior to the act that gave rise to the liability, in each case, whether or not company has been advised of the possibility of such damages.

8.                   MISCELLANEOUS

If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.  This Agreement is not assignable, transferable or sublicensable by Customer except with Company’s prior written consent.  Company may transfer and assign any of its rights and obligations under this Agreement without consent.  This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein.  No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Company in any respect whatsoever.  In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.  All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.  This Agreement shall be governed by the laws of the England and Wales without regard to its conflict of laws provisions.  The parties shall work together

WHEREAS

1. (A)The Company acts as a Data Controller and Data Processor.

2. (B)The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3. (C)The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

   1. Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning.

      1. 1.1.1.“Agreement” means this Data Processing Agreement and all Schedules;

      2. 1.1.2. “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;

      3. 1.1.3. “Contracted Processor” means a Subprocessor;

      4. 1.1.4.“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

      5. 1.1.5.“EEA” means the European Economic Area;

      6. 1.1.6.“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

      7. 1.1.7.“GDPR” means EU General Data Protection Regulation 2016/679;

      8. 1.1.8.“Data Transfer” means:

         1. 1.1.8.1.a transfer of Company Personal Data from the Company to a Contracted Processor; or

         2. 1.1.8.2.an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

      9. 1.1.9.“Services” means the climate technology services (as defined in Exhibit A of the order form) the Company provides.

      10. 1.1.10.“Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

   2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1. Processing of Company Personal Data

   1. Processor shall:

      1. 2.1.1.comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

      2. 2.1.2.not Process Company Personal Data other than on the relevant Company’s documented instructions.

   2. The Company processes the Client’s Personal Data as aligned to the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1, and using sufficient controls as outlined in Annex 2.

2. Processor Personnel

   1. Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

1. Security

   1. Taking into account state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Company Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

   2. In assessing the appropriate level of security, Processor shall take into account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

1. Data Subject Rights

   1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

   2. Processor shall:

      1. 5.2.1.promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

      2. 5.2.2.ensure that it does not respond to that request except on the documented instructions of the Company or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Company of that legal requirement before the Contracted Processor responds to the request.

1. Personal Data Breach

   1. Processor shall notify Client without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

   2. Processor shall co-operate with the Client and take reasonable steps as directed by the Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

1. Data Protection Impact Assessment and Prior Consultation Processor

Data Protection Impact Assessment and Prior Consultation Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

1. Deletion or return of Company Personal Data

   1. Subject to this section, 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

1. Audit rights

   1. Subject to this section 10, the Processor shall make available to the Client on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client’s Personal Data by the Contracted Processors.

   2. Information and audit rights of the Client only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

1. Data Transfer

   1. The Processor may not transfer or authorise the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.

1. General Terms

   1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
      (a) disclosure is required by law;
      (b) the relevant information is already in the public domain.

   2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.

1. Governing Law and Jurisdiction

   1. This Agreement is governed by the laws of England and Wales.

   2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of England and Wales.

Annex 1: Technical and Organisational measures

1. Physical Access Controls

Data Processor shall take reasonable physical access measures to prevent unauthorised persons from gaining access to personal data.

2. Access Controls

Data Processor shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented access authorization processes, documented change management processes, the logging of access on several levels, restricting direct database and application access rights,  and implementing an access management policy.

3. Transmission Controls

Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

4. Input Controls

Data Processor shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered/modified within data processing systems.

5. Training and Awareness

Data Processor shall ensure that staff with access to Personal Data are trained on data protection and privacy topics.