MASTER SaaS AGREEMENT

“Confidential Information” means all confidential and proprietary information of a party ("Disclosing Party") disclosed to the other party ("Receiving Party"), whether orally or in writing, that is designated as “confidential” or the like, or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the terms and conditions of the Agreement (including pricing and other terms reflected in a Purchase Order), the Opkey Products business and marketing plans, technology and technical information, product designs, and business processes. "Confidential Information" shall not include information that (i) is or becomes amatter of public knowledge through no act or omission of the Receiving Party;(ii) was in the Receiving Party’s lawful possession prior to the disclosure without restriction on disclosure;(iii) is lawfully disclosed to the Receiving Party by a third party that lawfully and rightfully possesses such information without restriction on disclosure; (iv) the Receiving Party can document resulted from its own research and development, independent .of receipt of the disclosure from the Disclosing Party; or (v) is disclosed with the prior written approval of the Disclosing Party.

“Customer Data” means the Customer specific configurations and rules implemented in the Opkey Products, and any Customer content processed by the Opkey Products (e.g., email text and attachments) that is not Personal Data.

“Customer Environment” means the computing environment separately procured, prepared, and maintained by Customer for the access and use of the Opkey Product(s), as further specified below in Section 3.1.2.

“Customer Equipment” means Customer’s computer hardware, software and network infrastructure used to access Software.

“Data Subject(s)” means any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural, or social identity.

“Documentation” means Opkey’s technical description of the Opkey Product(s) describing the specifications and use of the Opkey Products, including any Software provided, as updated from time to time.

“Error” means a failure of the Opkey Product(s) to substantially conform to the Documentation, that Opkey can replicate, or Customer can duplicate.

“Error Correction” means revisions, modifications, alterations, and additions to the Opkey Product(s), installed by Opkey in the Hosted Environment as bug fixes or workarounds to resolve Errors.

“Extension Term(s)” means each additional one-year (or other agreed upon period) Subscription Term for which the Subscription Term for an Opkey Product is extended pursuant to Section 7.

“Hosted Environment” means Opkey, or its third party’s technical environment required to operate and provide access to the relevant Opkey Product(s), as further specified below in Section 3.1.2.

“Initial Term” means the initial Subscription Term for an Opkey Product that is defined on the Order and applicable Purchase Order.

“Licenses” means the type and quantity of the Opkey license identified in Opkey’s sales quote; Customer needs a License in order to legally use an Opkey Product.

“Managed Services” means on-going active management provided by Opkey to Customer on a subscription basis to manage either Opkey Products or third-party products licensed separately by Customer, as specifically set forth in an applicable Opkey managed services document corresponding to such Managed Services.

“Opkey Intellectual Property” means all Intellectual Property Rights in the Services, Software, Documentation, Hosted Environment, and all other Confidential Information provided by Opkey hereunder

“Opkey Product(s)” means the Service or Software licensed and/or purchased by Customer pursuant to an Order and Purchase Order.

“Order” means the details of a Customer order (i) on anorder form or schedule provided by Opkey and signed by Customer, (ii) on Customer’s purchase order provided to and accepted by Opkey, or (iii) placed on Customer’s behalf by an authorized Opkey reseller and accepted by Opkey. For the purposes of (iv), all terms and conditions of this Agreement shall apply as between Customer and Opkey, except with respect to invoicing and payment terms.

“Personal Data” means data about an identifiable individual that is protected by privacy laws where the individual resides. Examples of personal data include name, religion, gender, financial information, national identifier numbers, health information, email addresses, IP addresses, online identifiers, and location data. Opkey’s protection of Personal Data is described in Section 5.

“Personnel” means, with respect to Customer, each of Customer’s and/or Customer’s Affiliate’s employees and independent contractor(in each case, not a competitor of Opkey) under obligations (a) of confidentiality and nondisclosure, and (b) to protect Opkey Intellectual Property, and any other individuals with access to components of the Service designated for external use, which Customer authorizes to use the Services purchased; with respect to Opkey, each Opkey employee or subcontractor under obligations of confidentiality and nondisclosure which performs on behalf of Opkey hereunder. For the avoidance of doubt, each party shall be responsible for its Personnel’s compliance with this Agreement.

“Privacy Laws” means laws, as applicable to Personal Data in the context and jurisdiction of the Processing, concerning the regulation of the collection, retention, processing, data security, disclosure, trans-border dataflows, use of website cookies, email communications, use of IP addresses and metadata collection.

 “Process(ing)(ed)” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, as described in this Agreement.

“Professional Services” means the installation, implementation, data migration, configuration, or advisory services provided by Opkey to Customer.

“Professional Service Fees” means, in U.S. dollars, the fees identified on each Order on a fixed fee or time and material basis for Professional Services to be performed.

“Purchase Order” means an ordering document for an Opkey Product issued by Customer or Reseller that contains at least the following information: product name, license quantity, Subscription Term, price, and billing contact, all corresponding to the Opkey or reseller quote.

“Reseller” means a third-party authorized by Opkey to resell Opkey Products directly to Customer.

“Scheduled Downtime” means any downtime scheduled to perform system maintenance, backup and upgrade functions for the Hosted Environment, and any other downtime incurred as a result of a Customer request.  

“Service” means any Opkey Product licensed on a hosted basis as software-as-a-service.

“Service Levels” means the service level commitments from Opkey with respect to the maintenance and support of the Service.

“Total Time” means the total number of minutes in the applicable month.

“Software” means any Opkey software programs licensed by Opkey to Customer, together with all the Software Updates.

“Software Update(s)” means each Software update and enhancement that Opkey generally makes available at no additional charge to its customers who are current in payment of applicable Fees, or otherwise provides to Customer under the Agreement.

“SOW” means each statement of work, engagement letter or other writing signed by Opkey and Customer that describes the Professional Services and/or Managed Services provided by Opkey. Each SOW shall reference the Agreement and will be subject to the terms and conditions hereof.

“Subscription Term” means the term during which Customer receives a license to use the applicable Opkey Product(s).

“Taxes” means any direct or indirect local, state, federal or foreign taxes, levies, duties, or similar governmental assessments of any nature, including value-added, sales, use or withholding taxes.

“Term” means the Initial Term and any Extension Term applicable to each Order and Purchase Order.

“Unscheduled Downtime” means any time outside of the Scheduled Downtime when the Service is not available to perform operations.  Unscheduled Downtime is measured in minutes.  

“Uptime Percentage” means Total Time minus Unscheduled Downtime, divided by Total Time.

“User” means Customer's and its Affiliates' employees, agents, subcontractors, consultants, or other individuals authorized hereunder to use the Opkey Product.

“Work Product” means all work product developed or created by Opkey during the course of providing support, Managed Services or Professional Services to Customer. Notwithstanding anything herein to the contrary, Work Product shall not include any Customer Confidential Information, Customer Data, or Personal Data

Customer License: Subject to the terms of the Agreement, Opkey grants to Customer a worldwide, royalty-free, non-exclusive, time-limited, non-transferable (except to a successor-in-interest as permitted hereunder),limited license to access and/or use (as applicable) the Opkey Products during the Term in the quantities of Licenses specified in the applicable Purchase Order and subject to any limitations set forth in the corresponding applicable quote, solely for Customer’s own internal business purposes. Customer may authorize subcontractors and/or Affiliates to access and/or use the Opkey Products, subject to the number of Licenses authorized by the Agreement and the terms and conditions of the Agreement; provided Customer is liable for all acts and omissions of the subcontractors and/or Affiliates. Customer may use the Documentation in connection with the License granted hereunder.

Passwords:  All access codes and passwords are personal to the individual to which it is issued. Customer and its Personnel are responsible for maintaining the confidentiality and security of all access codes and passwords issued and ensuring that each access code and password is only used by the individual authorized. To the extent Opkey assigned Customer with administrative rights to create access codes and passwords for its Personnel, Customer shall be responsible for issuing such passwords.

Use of Services:  Customer shall be solely responsible for the actions of its Personnel while using the Services and the contents of its transmissions through the Services (including, without limitation, Customer Data), and any resulting charges. Customer agrees to: (i)abide by all local, state, national, and international laws and regulations applicable to Customer's use of the Services, including without limitation all laws and administrative regulations (including, all U.S. and applicable foreign) relating to the control of exports of commodities and technical and/or Personal Data, and shall not allow any of its Personnel or Data Subjects to access or use the Service in violation of any export embargo, prohibition or restriction, including  but not limited to any party on a U.S. government restricted party list; (ii) provide any required notifications to Data Subjects, and obtain all rights and requisite consents from Data Subjects in accordance with all applicable Privacy Laws and other laws in relation to the collection, use, disclosure, creation and processing of Personal Data in connection with this Agreement and the use and delivery of the Services; (iii) not use the Services for illegal purposes; (iv) not knowingly upload or distribute in any way files that contain viruses, corrupted files, or any other similar software or programs that may damage the operation of the Hosted Environment, Services or another's computer; (v) not knowingly interfere with another customer's use and enjoyment of the Services or another entity's use and enjoyment of similar services; (vi) not knowingly engage in contests, chain letters or post or transmit "junk mail," "spam," "chain letters," or unsolicited mass distribution of email through or in any way using the Services; (vii) not interfere or disrupt networks connected to the Hosted Environment or Services; (viii) not post, promote or transmit through the Services any unlawful, harassing, defamatory, privacy invasive, abusive, threatening, offensive, harmful, vulgar, obscene, tortuous, hateful, racially, ethnically or otherwise objectionable information or content of any kind or nature; and (ix) not transmit or post any material that encourages conduct that could constitute a criminal offense or give rise to civil liability.  In addition, Customer agrees not to use a Opkey Product, or permit it to be used, for purposes of: (i) product evaluation, benchmarking or other comparative analysis intended for publication outside the Customer organization without Opkey's prior written consent; (ii) infringement of the intellectual property rights of any third party or any rights of publicity or privacy; (iii)violation of any law, statute, ordinance, or regulation (including, but not limited to, the laws and regulations governing export/import control, unfair competition, anti-discrimination, and/or false advertising or misuse of Opkey Products in violation of this subsection (iii)); (iv) propagation of any virus, worms, Trojan horses, or other programming routine intended to damage any system or data; and/or (v) filing copyright or patent applications that include the Opkey Products and/or Documentation or any portion thereof.

Restrictions: Customer specifically agrees to limit the use of the Opkey Products to those parameters set forth in the applicable Order and an accompanying Purchase Order. Without limiting the foregoing, Customer specifically agrees not to: (i) resell, sublicense, lease, time-share or otherwise make a Opkey Product (including the Documentation)available to any third party (except Affiliates and subcontractors); (ii) attempt to gain unauthorized access to, or disrupt the integrity or performance of, a Opkey Product or the data contained therein (including but not limited to hacking or penetration testing Opkey’s systems); (iii) modify, copy or create derivative works based on a Opkey Product; (iv) decompile, disassemble, reverse engineer or otherwise attempt to derive source code from a Opkey Product, in whole or in part; and/or (v) access a Opkey Product for the purpose of building a competitive product or service or copying its features or user interface.

Receiving Party shall not (i) disclose any Confidential Information of the Disclosing Party to any third party, except as otherwise expressly permitted herein, or (ii) use any Confidential Information of Disclosing Party for any purpose outside the scope of the Agreement, except with Disclosing Party's prior written consent. The Receiving Party shall not make Confidential Information available to any of its employees or consultants except those that have agreed to obligations of confidentiality at least as restrictive as those set forth herein and have a “need to know” such Confidential Information. The Receiving Party agrees to hold the Disclosing Party’s Confidential Information in confidence and to take all precautions to protect such Confidential Information that the Receiving Party employs with respect to its own Confidential Information of a like nature, but in no case shall the Receiving Party employ less than reasonable precautions. The Agreement will not be construed to prohibit disclosure of Confidential Information to the extent that such disclosure is required to by law or valid order of a court or other governmental authority; provided, however, to the extent permitted by law, the responding party shall give prompt written notice to the other party to enable the other party to seek a protective order or otherwise prevent or restrict such disclosure and, if disclosed, the scope of such disclosure is limited to the extent possible.

The Receiving Party will return all copies of the Disclosing Party’s Confidential Information upon the earlier of (i) the Disclosing Party’s request, or (ii) the termination or expiration of the Agreement. Instead of returning such Confidential Information, the Receiving Party may destroy all copies of such Confidential Information in its possession; provided, however, the Receiving Party may retain a copy of any Confidential Information disclosed to it solely for archival purposes, provided that such copy is retained in secure storage and held in the strictest confidence for so long as the Confidential Information remains in the possession of the Receiving Party.

The parties acknowledge and agree that the confidentiality obligations set forth in this Agreement are reasonable and necessary for the protection of the parties’ business interests, that irreparable injury may result if such obligations are breached, and that, in the event of any actual or potential breach of this Confidentiality provision, the non-breaching party may have no adequate remedy at law and shall be entitled to seek injunctive and/or other equitable relief as may be deemed proper by a court of competent jurisdiction.

Limited Use of Personal Data:  Opkey and its subsidiaries are authorized to access and process Personal Data solely in accordance with the terms of the Agreement.  Opkey and its subsidiaries shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to the Personal Data and will ensure access is strictly limited to those individuals who need to access the relevant Personal Data in the performance of Opkey’s obligations under the Agreement.

Data Safeguards:  Pursuant to the attached Schedule C, Opkey shall, either directly or through its third-party service provider, implement and maintain reasonable administrative, physical, and technical safeguards to guard against unauthorized access to the Customer Data white it is retained within the Hosted Environment. Opkey reviews its security precautions on a regular basis and modifies them as required by legal, regulatory, and other requirements.

Data Privacy:  In addition to all other obligations in this Agreement with respect to Customer Data, each party agrees to comply with its obligations under Privacy Laws, and in the context of any Processing of Personal Data through the provision of the Services, support and/or Professional Services, the parties shall comply with Schedule D. Customer hereby consents to Opkey, its Affiliates, and Personnel of each, Processing Personal Data in relation to Customer’s Personnel and contacting the same for legitimate purposes, including without limitation, the administrative functions connected with Orders and invoices, its contractual rights and obligations under this Agreement, the provision of the Services, support and/or Professional Services. Customer understands and acknowledges that in connection with the Processing of Personal Data pursuant to this Agreement, Opkey may share Personal Data with its Affiliates, and its Personnel, and Opkey and/or its Affiliates may Process such Personal Data in any jurisdiction in which Opkey or its Affiliates or subcontractors maintain facilities.

Fees: Fees for the Opkey Products will be the Fees and other fees set forth in the Purchase Orders(collectively, the “Fees”). The Fees stated in each Purchase Order shall be effective during the Initial Term specified in that Purchase Order; the Fees and other fees for each Extension Term shall be defined in the applicable Purchase Order or, in the absence of any such terms regarding Fees for Extension Terms, by mutual agreement of the parties.

Taxes: Customer will be liable for payment of all Taxes that are levied upon and related to the performance of obligations or exercise of rights under the Agreement.  Opkey may be required to collect and remit Taxes from Customer, unless Customer provides Opkey with a valid tax exemption certificate. The amounts received by Opkey, after the provision for any Tax or withholding required by any country, will be equal to the amounts specified on the Purchase Order. In no event will either party be responsible for any taxes levied against the other party's net income.

Order: The details of a Customer order (i) on an order form or schedule provided by Opkey and signed by Customer, (ii) on Customer’s purchase order provided to and accepted by Opkey, or (iii) placed on Customer’s behalf by an authorized Opkey reseller on and accepted by Opkey. For the purposes of (iii), all terms and conditions of this Agreement shall apply as between Customer and Opkey, except with respect to invoicing and payment terms.  Order documents may also include terms and conditions for shipments, delivery, title, risk of loss payment if applicable.

Payment: Time is of the essence in all payment terms.  Unless otherwise agreed between Customer and Reseller, all Fees due under an Order and Purchase Order shall be due and payable within thirty (30) days of receipt of invoice without reduction, deduction or off-set by Customer for any reason whatsoever. Except as otherwise expressly permitted herein, all Fees owed are non-cancellable and non-refundable for the Term. Any payment not received from Customer by the due date may accrue (except for amounts then under reasonable and good faith dispute pursuant to Section 6.5) interest at the rate of one and one-half percent (1.5%) of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid. Opkey may decline to make any shipments of Opkey Products and/or provide Managed Services and/or Professional Services if, in Opkey’s reasonable opinion, circumstances exist which raise doubt as to Customer’s ability or willingness to pay as provided herein. Failure to make timely payment may result in immediate termination of access to the Opkey Products and/or cessation of provision of Managed Services and/or Professional Services. Upon default by Customer, Opkey will have all remedies available at law or in equity. No refunds will be made except as expressly provided for pursuant to warranties under Section 2.2 herein for the applicable Opkey Product, Managed Services and/or Professional Services and as provided under the intellectual property indemnity under Section 8 herein.  Customer shall reimburse Opkey for all costs of collection, including reasonable attorneys' fees.  This Section is without prejudice toany other rights and remedies available to Opkey under this Agreement or at law.

Disputed Invoices: Customer shall have the right to withhold payment of any invoiced amounts that are disputed in good faith until the parties reach agreement with respect to such disputed amounts, and such withholding of disputed amounts shall not be deemed a breach of the Agreement, nor shall any interest be paid thereon. In such case, Customer shall promptly (and in no event more than ten (10) business days from receipt of invoice) provide written notice to Opkey of any such dispute prior to withholding such payment, specifying in reasonable detail the nature of the dispute and the amount withheld, and shall pay all undisputed amounts set forth on such invoice in accordance with this Section. The parties will negotiate in good faith to attempt to resolve such disputes within thirty(30) days of submission of such dispute by Customer.

Overage: Measured on a monthly basis, any actual usage of the Service which exceeds the number of licenses subscribed to by Customer under an Order or Orders applicable to the Service.

Unless otherwise set forth in an Order, the Initial Term applicable to each Order (including follow-on orders) commences on  the later of: (i) the date Opkey processes the applicable Purchase Order for a Opkey Product evaluated by the Customer, or (ii) for all other Opkey Product orders, the date Opkey sends to Customer an email indicating that the Opkey Products are available for use (to the extent each of the foregoing applies to Customer’s engagement). Upon expiration of the Initial Term and any Extension Term(s) under each Purchase Order, the Subscription Term applicable to such Order and Purchase Order shall automatically renew for subsequent Extension Terms unless otherwise agreed by the parties or either party gives the other notice of non-renewal at least ninety (90) days prior to the end of the relevant Subscription Term.

In the event Customer (i) fails to pay Opkey any undisputed amounts past due, or (ii) is in breach of Section 3.2, Opkey shall have the right to immediately suspend without notice any or all related Services provided to Customer hereunder.

Either party may terminate the Agreement or any Order and Purchase Order (i) immediately upon written notice if the other party commits a non-remediable material breach; or (ii) if the other party fails to cure any remediable material breach within thirty (30)days of being of notified in writing of such breach, unless such breach is for non-payment and then within five (5) days of such notice.  If Opkey is the breaching party, any refunds hereunder shall be a pro-rata refund of any remaining prepaid Fees applicable to those Opkey Product(s).

Either party may terminate this Agreement immediately by written notice if no Order and Purchase Order is in effect.

Upon termination or expiration of the Agreement, all Software licenses, Service access, Managed Services access and/or Professional Services fulfillment granted under this Agreement shall automatically terminate with immediate effect. In the event of the termination or expiration of the Agreement, the provisions of the Agreement which by their nature extend beyond the expiration or termination of the Agreement shall survive, and any accrued rights to payment shall remain in effect beyond such termination or expiration until fulfilled.

Opkey Indemnity: Opkey, at its sole expense, shall defend, indemnify, and hold harmless Customer from any action based upon a claim that the Service used as permitted infringes any valid third-party U.S. patent, copyright, trade secret, or other proprietary right, and shall reimburse Customer for all damages, costs, and expenses (including reasonable attorneys’ fees) awarded against Customer pursuant to any such actions (“Claim”).  If the Service becomes, or in Opkey’s opinion is likely to become, subject of such a Claim of infringement, Opkey shall been titled, at Opkey’s sole option, to either procure the right for Customer to continue to use the Service or replace or modify it so that it becomes non-infringing.  If neither of the fore going is commercially and reasonably available to Opkey, Opkey may terminate the Service and return to Customer a pro rata refund of any remaining prepaid Fees applicable to those Services. Opkey shall have no obligation or liability hereunder for any claim resulting from: (i) modification of the Service(a)by any party other than Opkey, or (b) by Opkey in accordance with Customer’s designs, specifications, or instructions; (ii) use of the Service other than as granted in this Agreement; or (iii) use of the Service in conjunction with other products or services not provided by Opkey or necessary for the operation of the Service, where such infringement would not have occurred but for such use; or (iv) use of a version of the Service other than the then-current version where Customer has requested the prior version remain in use.

Process: Opkey’s obligations under this Section 9 are conditioned upon the following: (i)Customer first providing written notice of the Claim to Opkey within thirty(30) days after Customer becomes aware of or reasonably should have been aware of the Claim (provided, however, the failure to provide such notice will only relieve Opkey of its indemnity obligations hereunder to the extent Opkey is prejudiced thereby); (ii) Customer tendering sole and exclusive control of the Claim to Opkey at the time Customer provides written notice of such Claim to Opkey; and (iii) Customer providing reasonable assistance, cooperation and required information with respect to defense and/or settlement of the Claim, including Customer providing Opkey with access to documents and personnel at Opkey’s request and expense. Customer may at its sole expense participate in the Claim, except that Opkey will retain sole control of the defense and/or settlement. Opkey shall not agree to any settlement of a Claim that includes an injunction against Customer or admits Customer liability without Customer’s prior written consent, which consent shall not be unreasonably withheld, conditioned, or delayed.

Customer Indemnity: Customer, at its sole expense, shall defend, indemnify, and hold harmless Opkey from any action based upon a claim resulting from breach of Sections 3.2 by Customer, its Affiliates or Personnel of either, and shall reimburse Opkey for all damages, costs, and expenses (including reasonable attorneys’ fees) awarded against Opkey pursuant to any such actions.

Ownership: Customer retains all title, intellectual property and other ownership rights in all Customer’s Confidential Information, Customer Data, and all data that Customer makes available for processing by the Opkey Products. Customer warrants and covenants that Customer has the right to provide Customer Data and Personal Data to Opkey hereunder.  Opkey retains all title, intellectual property and other ownership rights throughout the world in and to the Opkey Products, Documentation, any Professional Services and Managed Services and the Work Product and any modifications to, and derivative works of, the foregoing. Opkey hereby grants to Customer anon-exclusive, non-transferable, fully paid-up license to use the Work Product in connection with the Opkey Product licensed under the Agreement and solely for Customer’s internal business purposes. Professional Services and/or Managed Services (and any resulting Work Product from either offering) are not provided on a “work made for hire” basis.

No Implied Rights: There are no implied rights and all rights not expressly granted herein are reserved. No license, right or interest in any Opkey trademark, copyright, patent, trade name or service mark is granted hereunder. Customer shall not remove from any full or partial copies made by Customer of the Software, Software Updates and Documentation any copyright or other proprietary notice contained in or on the original, as delivered to Customer.

Injunctive Relief: Each party acknowledges that the Opkey Products contain valuable trade secrets and proprietary information of Opkey, that in the event of any actual or threatened breach of the scope of any of the licenses granted hereunder, such breach shall constitute immediate, irreparable harm to Opkey for which monetary damages would be an inadequate remedy, and that injunctive relief is an appropriate remedy for such breach in addition to whatever remedies Opkey might have at law or under this Agreement.

Opkey Authorization and License: During the Term of the Agreement, Customer hereby (i) grants to Opkey and its service providers a worldwide, limited term license to collect and process certain Customer’s Confidential Information and Customer Data, and (ii) authorizes Opkey to collect and process certain Personal Data in accordance with this Agreement.

EXCEPT FOR (i) INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS,(ii) DAMAGES RESULTING FROM EITHER PARTY’S GROSS NEGLIGENCE, FRAUD OR WILL FULMISCONDUCT, (iii) DAMAGES RESULTING FROM EITHER PARTY’S MATERIAL BREACH OF THE CONFIDENTIALITY SECTION, (iv) CUSTOMER’S BREACH OF THE CUSTOMER RESPONSIBILITIES SECTION, OR (v) CUSTOMER’S PAYMENT OBLIGATIONS, EACH PARTY’S AGGREGATE LIABILITY UNDER THE AGREEMENT SHALL IN NO EVENT EXCEED THE ANNUALIZED FEES PAID FOR THE APPLICABLE OPKEY PRODUCT.

EXCEPT FOR (i) DAMAGES RESULTING FROM EITHER PARTY’S MATERIALBREACH OF THE CONFIDENTIALITY SECTION, OR (ii) CUSTOMER’S BREACH OF THE CUSTOMER RESPONSIBILITIES SECTION, IN NO EVENT SHALL EITHER PARTY OR ITSLICENSORS OR SUPPLIERS HAVE ANY LIABILITY TO THE OTHER OR ANY THIRD PARTY FORANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA,BUSINESS INTERRUPTION, OR COVER DAMAGES OR LOSSES, ARISING OUT OF OR INCONNECTION WITH THE AGREEMENT, HOWEVER CAUSED AND WHETHER IN CONTRACT, TORT ORUNDER ANY OTHER THEORY OF LIABILITY AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE LIMITATION OF LIABILITY AND EXCLUSION OF CERTAIN DAMAGES STATED HEREIN WILL APPLY REGARDLESS OF THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. BOTH PARTIES HEREUNDER SPECIFICALLY ACKNOWLEDGE THAT THESE LIMITATIONS OF LIABILITY ARE REFLECTED IN THE PRICING.

Consent: Wherever in this Agreement consensus, approval, acceptance, or other consent is required, such consent shall not be unreasonably withheld, conditioned, or delayed; however, it shall not be considered unreasonable for Opkey to withhold its consent if such consent could jeopardize the confidentiality of or Opkey’s property interests in and to Opkey Intellectual Property or other business interests of Opkey.

Publicity: Neither party may issue press releases or otherwise publicize the parties’ relationship without the other party’s prior written consent.

Independent Contractors: Relationship with Third Parties. The parties are independent contractors, and no partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties is created hereby. There are no third-party beneficiaries to this Agreement.

Notices: All notices or other communications required hereunder shall be made in writing and shall be deemed to be effectively given: (a) if made available to Customer’s Personnel by Opkey posting such notice to the Service, and  if emailed, the first business day after sending the notice (provided email shall not be sufficient for notices of termination, alleged breach or an indemnifiable claim); or (b) if hand delivered, when received, and if mailed for overnight delivery, when delivery by the overnight carrier is made, in each instance at the applicable address set forth on the signature page.  Such addresses may be updated by a party from time to time by providing notice to the other party in accordance with the terms of this Section.  Each party may change its notices address by giving notice in the manner set forth herein.

Waiver: No failure or delay in exercising any right hereunder shall constitute a waiver of such right. Except as otherwise provided, remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect.

Force Majeure: Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations) due to circumstances beyond such party's reasonable control, including acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (excluding those involving such party's employees), service disruptions involving hardware, software or power systems not within such party's possession or reasonable control, and denial of service attacks.

Assignment: Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including then-current Orders) upon written notice, without consent of the other party, to its successor in interest in connection with a merger, reorganization, or sale of all or substantially all assets or equity not involving a direct competitor of the other party.

Export Restrictions: Each party agrees to comply with (a) all applicable regulations of the United States Department of Commerce and (b) the United States Export Administration Act, as amended from time to time, and with all applicable laws and regulations of other jurisdictions with respect to the importation and use of the Opkey Products and Opkey’s Confidential Information and any media.

Headings: Language. All headings used herein are for convenience of reference only and will not in any way affect the interpretation hereof. The English language version of this Agreement controls. It is the express wish of both parties that this Agreement, and any associated documentation, be written and signed in English.  Nothing in this Agreement shall make either party the agent of the other for any purposes whatsoever.  No exclusive rights are granted by Opkey under this Agreement.  All rights or licenses not expressly granted to Customer herein are reserved to Opkey, including the right to license the use of the Services and any Software to other parties.  Any reference to a law or statute in this Agreement shall be deemed to include any amendment, replacement, re-enactment thereof for the time being in force and to include any by-laws, statutory instruments, rules, regulations, orders, notices, directions, consents, or permissions (together with any conditions attaching to any of the foregoing) made in respect thereof.

Counterparts: This Agreement and any Order hereunder may be executed by facsimile and in counterparts.

Entire Agreement; Integration: This Agreement constitutes the entire agreement of the parties and supersedes all prior or contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter. No amendment or waiver of any provision of this Agreement shall be effective unless inwriting and signed by the party against whom the amendment or waiver is to be asserted.  Notwithstanding any language to the contrary therein, any purchase order issued by Customer or Reseller shall be deemed a convenient order and payment device only and no terms (other than product name, license quantity, price, subscription term, and billing contact) stated in any purchase order shall be incorporated into this Agreement, and all such other terms shall be void and of no effect. 

Uptime: Opkey will use commercially reasonable efforts to ensure that the Hosted Environment will be available 24 hours per day, 7 days per week, excluding any Scheduled Downtime. In addition to any other notification requirements, Opkey will provide Customer with a minimum of seven (7) days advance notice of Scheduled Downtime, and Opkey may post a notice on the application log-in screen to notify Customer administrator of any Scheduled Downtime that will exceed two (2) hours.  The duration of any downtime is measured, in minutes, as the amount of elapsed time from when the Hosted Environment is not accessible or does not permit Customer to log on, to when the SaaS Services permits Customer to log on and access the Hosted Environment.  

Service Level Credits: If Opkey does not meet the Uptime Percentage levels specified below, Customer will be entitled, upon written request, to a service level credit (“Service Level Credit”) tobe calculated, with respect to the applicable Hosted Environment, as follows:
a. If Uptime Percentage is at least 99.95% of the month’s minutes, no Service Level Credits are provided; or
b. If Uptime Percentage is 99.75% to 99.94% (inclusive) of the month’s minutes, Customer will be eligible for a credit of 5% of a monthly average fee derived from one-twelfth (1/12th) of the then-current annual fee paid to Opkey; or
c. If Uptime Percentage is 99.50% to 99.74% (inclusive) of the month’s minutes, Customer will be eligible for a credit of 7.5% of a monthly average fee derived from one-twelfth (1/12th) of the then-current annual fee paid to Opkey; or
d. If Uptime Percentage is less than 99.50% of the month’s minutes, Customer will be eligible for a credit of 10.0% of a monthly average fee derived from one-twelfth (1/12th) of the then-current annual fee paid to Opkey

Bug Fixes and Feature Requests.

Exceptions: Customer’s right to receive Service Level Credits, and the inclusion of any minutes in the calculation of Unscheduled Downtime are conditioned on: (i) prompt payment by Customer of all Fees, (ii)Customer performing all Customer obligations (including, without limitation, establishing and maintaining the Customer Environment), (iii) Customer’s compliance with Section 3 of Schedule A, (iv) Customer agreeing to use of the most current version of the SaaS Service, and (v) the Unscheduled Downtime not being caused by the failure of any non-Opkey third party vendors, the Internet in general, any emergency or force majeure event, or issues caused by the Customer Environment or Customer specific configurations not expressly contemplated in the Documentation.  

Generally for Services: During any Term, Customer shall have access to technical support through Opkey’s standard telephone, email and/or web support services during the support hours applicable to the specific Services subscribed to by Customer. The contact information for technical support Personnel, support hours applicable to the Services, and Error type classifications and response times will be provided to Customer by Opkey.

On-Premise Components: With respect to on-premise components, if any, except as may be specified in an Order, Customer shall be responsible for the installation and configuration of any on-premise components in the Customer Environment. Opkey shall provide technical support for such on-premises components through standard telephone, email and/or web support services during the support hours applicable to the on-premise components, which will be provided to Customer by Opkey.

Encryption Standards:  Encryption algorithms that are publicly or commercially available, with key lengths sufficient to prevent commercially reasonable attempts to decrypt through brute force the encrypted information.

Hosted Services: Any Service or hosting services subscribed toby Customer from Opkey.

Industry Standard(s): Are the generally accepted standards applicable to the performance obligations of a party with respect to a product or service. Industry Standards can include in part or in whole frameworks published by the National Institutes for Standards and Technology (NIST), International Organization for Standardization, ISACA, Payment Card Industry Security Standards Council and other internationally recognized standards organizations.

Opkey Personnel: Each Opkey employee or subcontractor under obligations of confidentiality and nondisclosure performing on behalf of Opkey hereunder.

Access Controls: Opkey implements Industry Standard access control methodologies, which rely on policy, process, and logical controls to help prevent unauthorized access to systems and data under Opkey’s control. These access controls include no less than the following:

Data Controls: In its performance obligations, Opkey does not require access to Customer systems or data, and Customer shall take commercially reasonable efforts to prevent Opkey from accessing Customer systems and data. Where Customer provides Customer Data to Opkey for Professional Services or Support purposes, Customer shall take commercially reasonable efforts to redact or remove Personal Data prior to providing that Customer Data to Opkey. Where possible, such services shall be delivered via screen share or telephone with no data transferred to Opkey. If it is necessary to transfer Customer Data to Opkey, the following shall apply:

Operational Controls: Opkey shall maintain operational controls sufficient to enable Opkey’s satisfaction of its performance obligations in this Section 2, including, without limitation, the following:

Availability Controls: Opkey will maintain contingency planning policies and procedures defining roles and responsibilities on proper handling of contingency events. This shall include a business continuity and disaster recovery plan intended to facilitate the restoration of critical operations and processes which would allow for Opkey’s continued performance of its obligations hereunder. Such plan shall be periodically reviewed, updated, and tested by Opkey.

Application Controls:  Opkey shall implement and conform its software development practices to applicable Industry Standards relative to the functionality to be performed by the specific Opkey product offering. Opkey shall maintain software development practices which satisfy the following:

Access Controls: Customer shall have access to Customer Data maintained within their applicable production instance. Customer shall be responsible for maintaining user access and security controls for users accessing the Hosted Services. Opkey shall be responsible for restricting all other access to Customer Data residing within the production instance. For the avoidance of doubt, Opkey has no obligation to verify that any user using Customer’s account and password has Customer’s authorization. Opkey shall provide access on a need to know basis and shall review access rights of Opkey Personnel at least annually. Opkey’s access controls shall include no less than the following:

Data Controls:  In its performance obligations with respect to Hosted Services, Opkey does require access to Customer Data, and the following additional terms and conditions shall apply:

Operational Controls:  In its performance of Hosted Services, Opkey shall maintain operational controls sufficient to enable Opkey’s satisfaction of its performance obligations in this Section 3, including, without limitation, the following:

Availability Controls:  With respectto Hosted Services:

“Adequacy Decision” means, for a jurisdiction with Privacy Laws that have data transfer restrictions, a country that the Supervisory Authority or other body in such jurisdiction recognizes as providing an adequate level of data protection as required by such jurisdiction’s Privacy Laws such that transfer to that country shall be permitted without additional requirements.

“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, and in the context of this Schedule shall mean the Customer.

 “Data Processing Instructions” means this Agreement and any additional instructions provided by Customer and accepted by Opkey during the Term of the Agreement

“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller, and in the context of this Schedule shall mean Opkey and references in this Schedule to Opkey include references to Opkey Affiliates where such Opkey Affiliates are Subprocessors.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

"Restricted Transfer" means: (i) a transfer of Personal Data from Customer to Opkey; or (ii) an onward transfer of Personal Data from Opkey to a Subprocessor, in each case, where such transfer outside of jurisdiction of Customer would be prohibited by Privacy Laws in the absence of an approved method of transfer, including through (a) an Adequacy Decision, (b) Standard Contractual Clauses, or (c) by the terms of other recognized forms of data transfer agreements or processes.

 "Standard Contractual Clauses" means the contractual clauses approved by a Supervisory Authority pursuant to Privacy Laws which provides for multi-jurisdictional transfer of Personal Data from one jurisdiction to another where such transfer would otherwise be a Restricted Transfer.

"Subprocessor" means any third party (including any third party and any Opkey Affiliate) appointed by or on behalf of Opkey to undertake Processing in connection with the services.

 “Supervisory Authority” means anindependent public authority which is established in a jurisdiction underPrivacy Laws with competence in matters pertaining to data protection.

Opkey will not (a) Process Personal Data other than on Customer’s documented instructions (set out in this Schedule or as otherwise set forth in the Agreement or an Order) unless Processing is required by a Supervisory Authority; or (b) sell Personal Data received from Customer or obtained in connection with the provision of the services to Customer.

Customer on behalf of itself and each Customer Affiliate instructs Opkey: (a) to Process Personal Data; and (b) in particular, transfer Personal Data to any country or territory; in each case as reasonably necessary for the provision of the services and consistent with this Schedule.

The Data Processing Instructions set out the subject matter and other details regarding the Processing of the Personal Data contemplated as part of the services, including Data Subjects, categories of Personal Data, special categories of Personal Data, Subprocessors and description of Processing.  

Opkey shall ensure that persons authorized to undertake Processing of the Personal Data have (a) committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in respect of the Personal Data; and (b) undertaken appropriate training in relation to protection of Personal Data.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Opkey shall in relation to the Personal Data implement appropriate technical and organizational measures designed to provide a level of security appropriate to that risk in the provision of the services, such technical and organizational measures are set out in Schedule D.

In assessing the appropriate level of security, Opkey shall take account in particular of the risks that are presented by Processing.

Opkey shall only appoint Subprocessors which enable Opkey to comply with Privacy Laws. Customer authorizes Opkey to appoint Subprocessors in accordance with this Section 5 subject to any restrictions or conditions expressly set out in this Agreement.  Subprocessors appointed as at the effective date of this Schedule are set out in the Data Processing Instructions or as otherwise specified in an Order. Opkey shall remain liable to Customer for the performance of that Subprocessor’s obligations subject to this Agreement.

Not with standing the notice requirements set out in Section 15.5 of Schedule B, before Opkey engages any new Subprocessor, Opkey shall give Customer notice of such appointment, including details of the Processing to be undertaken by the proposed Subprocessor. In addition to any other notifications, Opkey may provide such notice by updating the list of Subprocessors in the Data Processing Instructions. Customer may notify Opkey of any objections (on reasonable grounds related to Privacy Laws) to the proposed Subprocessor or Data Processing Instructions (“Objection”), then Opkey and Customer shall negotiate in good faith to agree to further measures including contractual or operational adjustments relevant to the appointment of the proposed Subprocessor or operation of the services to address Customer’s Objection. Where such further measures cannot be agreed between the parties within forty-five (45) days from Opkey’s receipt of the Objection (or such greater period agreed by Customer in writing), Customer may by written notice to Opkey with immediate effect terminate that part of the services which require the use of the proposed Subprocessor.

With respect to each Subprocessor which is the subject of Section 5.2 above, Opkey or the relevant Opkey Affiliate shall: (a)carry out adequate due diligence before the Subprocessor first Processes Personal Data, to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by the Agreement;(b) ensure that the Subprocessor is subject to a written agreement with Opkey that includes appropriate data protection provisions; and (c) if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses or other appropriate method of transfer are at all relevant times incorporated into the agreement executed between Opkey and the Subprocessor.

Opkey shall ensure that each Subprocessor performs the obligations under this Schedule as they apply to Processing of Personal Data carried out by that Subprocessor, as if such Subprocessor were party to this Schedule in place of Opkey.

Opkey shall (a) upon becoming aware, promptly notify Customer if Opkey receives a request from a Data Subject relating to an actionable Data Subject right under any Privacy Law in respect of Personal Data; (b) not respond to that request except on the documented instructions of Customer or as required by a Supervisory Authority; and (c)upon request from Customer where required by Privacy Laws and in the context of the services, reasonably assist Customer in dealing with an actionable Data Subject rights request to the extent Customer cannot fulfil this request without Opkey’s assistance. Opkey may fulfil this request by making available functionality that enables Customer to address such Data Subject rights request without additional Processing by Opkey. To the extent such functionality is not available, in order for Opkey to provide such reasonable assistance, Customer must communicate such request in writing to Opkey providing sufficient information to enable Opkey to pinpoint and subsequently amend, export or delete the applicable record.

Opkey shall notify Customer without undue delay upon Opkey or any Subprocessor becoming aware of a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet its obligations to report or inform Data Subjects of the Personal Data Breach under the Privacy Laws. Subject to Section 7.3 below, such notification shall as a minimum: (a) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;(b) communicate the name and contact details of Opkey's data protection officer or other relevant contact from whom more information may be obtained; (c)describe the likely consequences of the Personal Data Breach in so far as Opkey is able to ascertain having regard to the nature of the services and the Personal Data Breach; and (d) describe the measures taken or proposed to betaken to address the Personal Data Breach.

Opkey shall co-operate with Customer and take such reasonable commercial steps as are necessary to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Where and in so far as, it is not possible to provide the information referred to in Section 7.1 at the same time,the information may be provided in phases without undue further delay.

To the extent necessary, Opkey shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Privacy Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Opkey. To the extentthat such impact assessment and/or prior consultation requires assistance beyond Opkey providing the applicable Opkey processing record(s) and Documentation, Opkey shall reserve the right to charge Customer such engagement at Opkey’s then current daily rates.

Following Opkey’s receipt of Customer’s written request during the Return Period, Opkey will either delete or return available Customer Data in accordance with Section 13.3(b) of Schedule B.

Opkey may retain Personal Data to the extent required by Privacy Laws or any other statutory requirement to which Opkey is subject and only to the extent and for such period as required by Privacy Laws or any other statutory requirement to which Opkey is subject and always provided that (a) during such retention period the provisions of this Schedule will continue to apply, (b) Opkey shall ensure the confidentiality of all such Personal Data, and (c) Opkey shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Privacy Laws requiring its storage or any other statutory requirement to which Opkey is subject and for no other purpose.

Upon Customer’s reasonable request, Opkey shall provide all relevant and necessary material, documentation and information in relation to Opkey’s technical and organizational security measures used to protect the Personal Data in relation to the services provided in order to demonstrate Opkey’s compliance with Privacy Laws.

Opkey shall ensure a security audit of its technical and organizational security measures is carried out at least annually in compliance with Privacy Laws. Such security audit will be performed in accordance ISO 27001 standards by an internal qualified auditor within Opkey. The results of such security audit will be documented in a summary report. Opkey shall promptly provide Customer upon request with (i) a confidential summary of such report; and (ii)evidences of appropriate remediation of any critical issues within four (4)weeks from date of issuance of the audit report.

If, following the completion of the steps set out in Sections 10.1 and 10.2 Customer reasonably believes that Opkey is non-compliant with Privacy Laws, Customer may request that Opkey make available, either by webinar or in a face-to-face review, extracts of all relevant information necessary to further demonstrate compliance with Privacy Laws.

In the event that Customer reasonably believes that its findings following the steps set out in Section 10.3 do not enable Customer to comply materially with Customer’s obligations mandated under the Privacy Laws in relation to its appointment of Opkey, then Customer may give Opkey not less than thirty (30) days prior written notice of its intention, undertake an audit which may include inspections of Opkey to be conducted by Customer or an auditor mandated by Customer (not being acompet it or of Opkey). Such audit and/or inspection shall (i) be subject to confidentiality obligations agreed between Customer (or its mandated auditor)and Opkey, (ii) be undertaken solely to the extent mandated by, and may not be further restricted under applicable Privacy Laws, (iii) not require Opkey to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Subprocessors), and (iv) not be undertaken where it would place Opkey in breach of Opkey’s confidentiality obligations to other Opkey customers vendors and/or partners generally or otherwise cause Opkey to breach laws applicable to Opkey. Customer (or auditor mandated by Customer) undertaking such audit or inspection shall avoid causing any damage, injury or disruption to Opkey’s premises, equipment, personnel and business in the course of such a review. To the extent that such audit performed in accordance with this Section 10.4 exceeds one (1) business day, Opkey shall reserve the right to charge Customer for each additional day at its then current daily rates.

If following such an audit or inspection under Section 10.4, Customer, acting reasonably, determines that Opkey is non-compliant with Privacy Laws then Customer will provide details there of to Opkey upon receipt of which Opkey shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the “Remediation Plan”). Where the parties are unable to reach agreement on the Remediation Plan or, in the event of agreement, Opkey materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer’s notice or another period as mutually agreed between the Parties, Customer may terminate the services in part or in whole which relates to the non-compliant Processing and the remaining services shall otherwise continue unaffected by such termination.

The rights of Customer under this Section 10 shall only be exercised once per calendar year unless Customer reasonably believes Opkey to be in material breach of its obligations under either this Schedule or Privacy Laws.

Customer (as "data exporter") and Opkey, as appropriate, (as "data importer") hereby agree that the Standard Contractual Clauses shall apply in respect of any Restricted Transfer from Customer to Opkey.  Each Party agrees to execute the Standard Contractual Clauses upon request of the other Party and further agrees that absent of execution the terms and conditions of the Standard Contractual Clauses shall in any event apply to any Restricted Transfer. Where such Standard Contractual Clauses must be fully executed to take effect and Customer has not executed such Standard Contractual Clauses as set out in this Section 11, Customer authorizes Opkey to enter into the Standard Contractual Clauses for and on behalf of Customer as data exporter with each applicable data importer.

For the purposes of appendix 1 to the Standard Contractual Clauses or other relevant part of the Standard Contractual Clauses, the Data Processing Instructions sets out the Data Subjects, categories of Personal Data, special categories of Personal Data, Subprocessors and description of Processing (processing operations).

For the purposes of appendix 2 to the Standard Contractual Clauses or other relevant part of the Standard Contractual Clauses, Schedule D sets out the description of the technical and organizational security measures implemented by Opkey (the data importer) in accordance with clauses 4(d) and 5(c) of the Standard Contractual Clauses.

To the extent that Processing relates to Personal Data originating from a jurisdiction which has any mandatory requirements in addition to those in this Schedule, both Parties may agree to any additional measures required to ensure compliance with applicable Privacy Laws and any such additional measures agreed to by the Parties will be documented in a duly executed written addendum or amendment to this Agreement or in an Order.

If any variation is required to this Schedule as a result of a change in Privacy Laws, including any variation which is required to the Standard Contractual Clauses, then either party may provide written notice to the other party of that change in law.  The parties will discuss and negotiate in good faith any necessary variations to this Schedule, including the Standard Contractual Clauses, to address such changes.

The applicable law provisions of this Agreement are without prejudice to clauses 7 (Mediation and Jurisdiction) and 10 (Governing Law) of the Standard Contractual Clauses where applicable to Restricted Transfers of Personal Data from the European Union (including the United Kingdom) to a third country.