Asset Bank Terms and Conditions

The parties to the Agreement are: (i) Bright Interactive Ltd, a company incorporated in England and Wales (registration number 03865036) having its registered office at Ninth Floor, Tower Point, 44 North Road, Brighton, East Sussex BN1 1YR, UK ("we", and "us" and "our" shall be construed accordingly); and (ii) the person (natural or legal) who is specified as the customer in the Proposal ("you", and "your" and "yours" shall be construed accordingly).

1. Definitions

1.1 In the Agreement:

"Admin Account" means an administrator account on the Platform enabling you to create user accounts and configure aspects of the Hosted Services;

"Agreement" means the agreement between the parties for the provision of the Hosted Services and/or On-premises Software incorporating:

  1. the Proposal;
  2. these terms and conditions;
  3. where applicable, the EU Standard Contractual Clauses and the UK Addendum; and
  4. the Support SLA available at https://support.assetbank.co.uk/hc/en-gb/articles/115000153291-Customer-Support-Service-Description

including any variations from time to time; 

"Business Day" means any weekday other than a bank or public holiday in England;

"Business Hours" means between 09:00 and 17:00 London time on a Business Day;

"Charges" means the amounts payable by you to us under or in relation to the Agreement, as specified in the Proposal or elsewhere in the Agreement;

"Client Data" means all digital assets, files, works and materials uploaded to, stored on, processed using or transmitted via the Platform by you or on your behalf;

"Client Personal Data" means any Personal Data that we process on your behalf under the Agreement, as detailed in Clause 15;

"Cloud Services" means the Hosted Services plus the Support Services provided in relation to those Hosted Services;

"Confidential Information" means, in respect of a party, any information disclosed by that party to the other party during the Term that at the time of disclosure is marked as confidential, is described as confidential by the disclosing party, or should have been understood as confidential by the recipient party (acting reasonably); and providing that the Client Data shall be your Confidential Information and any third party service provider contracts that we supply to you shall be our Confidential Information;

"CSR Policy" means our corporate social responsibility policy as available at https://www.assetbank.co.uk/csr-policy and as amended by us acting reasonably from time to time;

"Customisations" means any new software developments, updates, upgrades, modules, libraries and APIs that are:

  1. designed to be incorporated into, or to interface with, the Hosted Services and/or On-premises Software; and
  2. created by us on your behalf in accordance with a written project plan and specification agreed in writing between the parties;

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including the UK GDPR and the EU GDPR;

"Defect" means a critical issue or major issue (as defined in the SLA) in the Hosted Services and/or On-premises Software, or a failure of the Hosted Services and/or On-premises Software to conform with the specification set out in the Proposal in some material way;

"Effective Date" means the date of execution of the Agreement, being the date upon which a paper copy or electronic copy of the signature page is signed by the second of the parties to sign;

"EU GDPR" means the EU General Data Protection Regulation 2016/679, as amended, superseded or replaced from time to time;

"EU Standard Contractual Clauses" means the Standard Contractual Clauses in the annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as set out in Schedule 1 to the Agreement;

"Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet, hacker attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);

"Hosted Services" means:

  1. the Asset Bank functionality on the Platform, enabling you to upload, tag, organise, store, search, manipulate, access and download digital files; and
  2. if the Proposal so provides or the parties have so agreed in writing, the Brand Hub functionality on the Platform;

"Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registered or unregistered, including any application or right of application for such rights (and these "Intellectual Property Rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing-off rights, unfair competition rights, patents, petty patents, utility models and rights in designs);

"Minimum Term" means the period of 12 months beginning on the Effective Date;

"On-premises Software" means the software known as Asset Bank that we own and license;

"Permitted Purposes" means the purposes of uploading, tagging, organising, storing, searching, manipulating, accessing, sharing and downloading digital files; 

"Personal Data" means data that constitutes personal data under any of the Data Protection Laws;

"Platform" means the hardware, system software, server software, database software and application software that we use to provide the Hosted Services, whether shared or dedicated;

"Proposal" means the proposal we issue to you setting out the particulars of the Agreement;

"Restricted Transfer" means an international transfer of Personal Data that is:

  1. with respect to the EU GDPR, restricted under Article 44 of the EU GDPR and is not to a jurisdiction that the Commission has decided ensures an adequate level of protection under Article 45 of the EU GDPR; and
  2. with respect to the UK GDPR, restricted under Article 44 of the UK GDPR and is not to a jurisdiction that is the subject of adequacy regulations under Section 17A of the Data Protection Act 2018;

"Services" means all the services provided or to be provided by us to you under the Agreement, including any Hosted Services, Set-up Services and Support Services;

"Set-up Services" means the installation, integration and configuration of the Hosted Services and/or On-premises Software, and the provision of any associated training and consultancy services specified in the Proposal;

"SLA" means the service level agreement;

"Support Services" means:

  1. assistance in relation to the use of the Hosted Services or On-premises Software;
  2. the identification and resolution of defects in the Hosted Services or On-premises Software;
  3. general maintenance of the Platform; and
  4. the application of Upgrades to the Hosted Services or the supply to you of Upgrades and application of those Upgrades to the On-premises Software;

"Support Services Limit" has the meaning given to it in the SLA;

"Term" means the term of the Agreement;

"Third Party Services" means any hosted or cloud service owned and operated by a third party that may transmit data to and/or from the Hosted Services and/or On-premises Software under a contract or arrangement between you and the relevant third party;

"UK Addendum" means the UK addendum to the EU Standard Contractual Clauses issued or proposed by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as set out in Schedule 2 to the Agreement;

"UK GDPR" means the EU GDPR as incorporated into UK law by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as amended, superseded or replaced from time to time; and 

"Upgrades" means new versions of, and updates to, the Hosted Services and/or On-premises Software, whether for the purpose of fixing an error, bug or other issue or enhancing the functionality of the Hosted Services and/or On-premises Software.

2. Term

2.1 The Agreement will come into force on the Effective Date.

2.2 The Agreement will continue in force indefinitely, unless and until terminated in accordance with its express provisions.

3. Set-up Services

3.1 We shall provide the Set-up Services to you promptly following the Effective Date.

3.2 The Cloud Services or On-premises Software shall be configured in accordance with your licence tier (Essential, Professional or Enterprise Unlimited), and shall be subject to the resource limitations applicable to your licence tier, as specified in the Proposal.

4. Cloud Services

4.1 This Clause 4 applies if the Proposal specifies that we have agreed to supply Cloud Services to you.

4.2 We shall complete the installation of your Asset Bank and create one or more Admin Accounts for you after the Effective Date, enabling you to access the Hosted Services.

4.3 Subject to Clauses 4.5 to 4.7, we hereby grant to you a non-exclusive licence to use the Hosted Services on the Platform for the Permitted Purposes via:

  1. any supported web browser; and
  2. if the applicable specification for the Hosted Services so provides, via the API for the Hosted Services,

in each case during the Term.

4.4 You may permit your own customers to use the Hosted Services on the Platform for the Permitted Purposes via any supported web browser, whether on a free or paid basis, providing that you shall be responsible for your customers' use of the Hosted Services and that all the other limitations and prohibitions relating to your use of the Hosted Services shall apply to your customers' use.

4.5 Your use of the Hosted Services must not exceed the user limitations and storage resources limitations referred to in the Agreement. We may use technical measures to enforce those limitations. From time to time during the Term we may agree with you changes to those limitations. Increases may be subject to additional Charges.

4.6 Your use of the non-storage resources for the Hosted Services (bandwidth, processing power and API calls) must not be excessive. For the purposes of this Clause 4.6, usage will be excessive if:

  1. it exceeds, during any calendar month, with respect to any one or more of these resources, the 99th percentile of use that we observe from our other customers within your licence tier during the preceding calendar month; and/or
  2. it causes a material negative impact upon the services that we provide to our other customers;

and if your use is excessive, we may give you written notice of this. From time to time during the Term we may agree with you changes to the resources available to you. Increases may be subject to additional Charges. Notwithstanding the preceding provisions of this Clause 4.6, we may use technical measures to ensure that the usage of non-storage resources is not excessive.

4.7 Except to the extent mandated by applicable law or expressly permitted in the Agreement or in any reseller agreement between us and you, the licence granted under Clause 4.3 is subject to the following prohibitions:

  1. you must not frame or otherwise republish or redistribute the Platform or Hosted Services;
  2. you must not modify or alter, or attempt to modify or alter, the Platform or Hosted Services; and
  3. you must not hack or attempt to gain unauthorised access to any part of the Platform or Hosted Services.

4.8 All Intellectual Property Rights in the Platform and Hosted Services shall, as between the parties, be our exclusive property.

4.9 You must ensure that no unauthorised person accesses the Platform or Hosted Services using any Admin Account or your API access credentials (if we supply these to you).

4.10 We shall use reasonable endeavours to ensure that the Hosted Services are available 99.9% of the time during each calendar month, subject to downtime for scheduled maintenance under Clause 6. Hosted Services uptime shall be measured and calculated by us using any reasonable methodology, and reported to you promptly following our receipt of a written request from you.

4.11 For the avoidance of doubt, you have no right to access the object code or source code of the Platform or Hosted Services, either during or after the Term.

5. On-premises Software

5.1 This Clause 5 applies if the Proposal specifies that we have agreed to supply On-premises Software to you.

5.2 Subject to Clauses 5.3 and 5.4, we grant to you a worldwide, non-transferable, non-exclusive, non-expiring (subject to Clause 20.6) licence from the Effective Date to:

  1. install a single copy of the On-premises Software for live use on a computer in your control and use that On-premises Software for the Permitted Purposes;
  2. install a second copy of the On-premises Software on a computer in your control for fail-over purposes only; and
  3. make and keep up to 5 back-up copies of the On-premises Software.

5.3 Your use of the On-premises Software must not exceed the user limitations referred to in the Agreement. We may use technical measures to enforce those limitations. From time to time during the Term we may agree with you changes to those limitations. Increases may be subject to additional Charges.

5.4 Except as required by applicable law on a mandatory basis, you must not: 

  1. copy any part of the On-premises Software except in accordance with Clause 5.2;
  2. reverse compile or reverse assemble any portion of the On-premises Software;
  3. distribute, disclose, market, rent, lease or transfer the On-premises Software; or
  4. allow others to make or obtain copies of the On-premises Software.

5.5 You must use reasonable technical and organisational security measures to prevent the disclosure of the On-premises Software code to any unauthorised person.

5.6 For the avoidance of doubt, you have no right to access the source code of the On-premises Software, either during or after the Term.

5.7 You will be responsible for enabling us to apply Upgrades to the On-premises Software. We may from time to time by written notice grant to you the right to apply Upgrades to the On-premises Software, but we shall have no obligation to do so.

If any Upgrade is not applied to the On-premises Software within the period of 12 months following release as a result of any act or omission by you, then:

  1. any Services required as a result of such failure will be subject to additional Charges at our then current time and materials rates; and
  2. subject to Clause 18.1, we will not be liable to you in respect of any loss or damage that may arise out of the failure to apply the Upgrade.

5.8 If a critical security Upgrade is not applied to the On-premises Software within 7 days following release as a result of any act or omission by you, then, subject to Clause 18.1, we will not be liable to you in respect of any loss or damage that may arise out of the failure to apply the Upgrade.

6. Support Services

6.1 If you are entitled to Cloud Services, then we will provide Support Services to you in respect of the Hosted Services in accordance with the SLA; and if the Proposal specifies that you are entitled to Support Services in respect of On-premises Software, then we will provide the Support Services to you in respect of the On-premises Software in accordance with the SLA.

6.2 You acknowledge that from time to time we may apply Upgrades to the Hosted Services.

6.3 We may suspend access to the Hosted Services at any time in order to carry out scheduled maintenance to the Hosted Services and/or Platform. Our scheduled maintenance windows are published on the Asset Bank Help Centre and updated from time to time. Scheduled maintenance will usually be completed outside working hours in your jurisdiction.

6.4 Hosted Services downtime during any scheduled maintenance shall not be counted as downtime for the purposes of Clause 4.10.

6.5 Upgrades may result in changes to the appearance and/or functionality of the Hosted Services and/or On-premises Software. We will give you advance written notice of the deprecation or removal of any major functionality by an Upgrade.

7. Other services

7.1 We may from time to time agree with you that we will provide:

  1. additional training and/or consultancy Services relating to the Hosted Services and/or On-premises Software; and/or
  2. other additional Services or changes to Services.

7.2 Unless we agree otherwise in writing, all such additional Services will be provided under and subject to the Agreement, and will be subject to additional Charges at our then current time and materials rates.

8. Your obligations

8.1 Save to the extent that we have agreed otherwise in writing, you must provide to us, or procure for us, such:

  1. co-operation, support and advice;
  2. information and documentation,

as are reasonably necessary to enable us to perform our obligations under the Agreement and/or monitor compliance with our CSR Policy.

8.2 If we agree to supply On-premises Software to you, you must provide to us, or procure for us, such access to your computer hardware, software, networks and systems as may be reasonably required by us to enable us to perform our obligations under the Agreement.

9. Client Data

9.1 We will perform a back-up of Client Data once per day. At your request, we will promptly restore the Client Data in the Hosted Services database using the latest available back-up.

9.2 All the Intellectual Property Rights in Client Data will remain your property and the property of your licensors, subject to Clause 9.3.

9.3 You grant to us a non-exclusive licence to store, copy and otherwise use Client Data on and in relation to the Platform for the purposes of operating the Platform, providing the Services, fulfilling our obligations under the Agreement and exercising our rights under the Agreement. The exercise of our rights under this licence is subject to our obligations under and referred to in Clause 15 in respect of Personal Data.

9.4 You warrant to us that Client Data, and its use by us in accordance with the terms of the Agreement, will not:

  1. breach any laws, statutes, regulations or legally binding codes;
  2. infringe any person's Intellectual Property Rights or other legal rights; or
  3. give rise to any cause of action against you or us or any third party.

9.5 If we reasonably suspect that there has been a breach by you of the provisions of Clause 9.4, we may:

  1. delete or amend the relevant elements of Client Data; and/or
  2. suspend any or all of the Services and/or your access to the Platform while we investigate the matter,

providing that we will give you advance notification of any such action if that notification does not prejudice our legal position.

9.6 Any breach by you of Clause 9.4 will be deemed to be a material breach of the Agreement for the purposes of Clause 19.

10. Integrations with Third Party Services

10.1 You will have the opportunity to activate integrations with Third Party Services; such integrations will not be active by default.

10.2 The supply of Third Party Services shall be under a separate contract or arrangement between you and the relevant third party. We do not contract to supply the Third Party Services and are not a party to any contract for, or otherwise responsible in respect of, the provision of any Third Party Services.

10.3 The use of some features of the Hosted Services and/or On-premises Software may depend upon you enabling and agreeing to integrations with Third Party Services.

10.4 We may remove, suspend or limit any Third Party Services integration at any time in our sole discretion.

10.5 You acknowledge that:

  1. the integration of Third Party Services may entail the transfer of Client Data to the relevant Third Party Services; and
  2. we have no control over, or responsibility in respect of, any disclosure, modification, deletion, export or other use of Client Data by any third party resulting from any integration with any Third Party Services.

10.6 You warrant to us that the transfer of Client Data to a provider of Third Party Services in accordance with this Clause 10 will not infringe any person's legal or contractual rights and will not put us in breach of any applicable laws (including the Data Protection Laws).

10.7 Save to the extent that the parties expressly agree otherwise in writing and subject to Clause 18.1:

  1. we give no warranties or representations in respect of any Third Party Services; and
  2. we will not be liable to you in respect of any loss or damage that may be caused by any Third Party Services or any provider of Third Party Services.

11. Customisations

11.1 This Clause 11 applies if we agree with you in writing, whether in the Proposal or otherwise, that we shall design and develop a Customisation or Customisations on your behalf.

11.2 Each Customisation will conform in all material respects with the specification for the Customisation agreed by us in writing.

11.3 We will use reasonable endeavours to ensure that each Customisation is made available or (if it forms part of the On-premises Software) delivered to you in accordance with any timetable or project plan agreed by the parties in writing.

11.4 All Intellectual Property Rights in the Customisations shall, as between the parties, be our exclusive property. However, this shall not affect the ownership of Intellectual Property Rights in your brands and/or logos, which shall belong to you.

11.5 From the time and date when a Customisation is first delivered or made available to you, the Customisation shall form part of the Hosted Services and/or On-premises Software, as the case may be, and accordingly from that time and date your rights to use the Customisation shall be governed by Clauses 4 and/or 5.

11.6 You acknowledge that we may make any Customisation available to any of our other customers or any other third party at any time.

12. Charges

12.1 You must pay the Charges to us in accordance with Clause 13.

12.2 All Charges and other amounts stated in or in relation to the Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by you to us.

12.3 We may elect to vary any element of the Charges (including any time-based charging rate) by giving to you not less than 90 days' written notice of the variation, providing that:

  1. we will not vary the Charges payable with respect to Services provided during the first 12 months of the Agreement; and
  2. if we vary any element of the Charges during the Term by a percentage exceeding the percentage increase, during the same period, in the Retail Prices Index (all items) published by the UK's Office for National Statistics, then we will provide to you a written explanation of the reason for the increase.

12.4 You acknowledge that we may charge for new functionality added to Hosted Services or On-premises Software. Customers who do not wish to upgrade will be able to continue with their legacy package at the original charge.

13. Payments

13.1 We will issue invoices for the Charges in accordance with the Proposal; and, save to the extent specified otherwise in the Proposal, you must pay the Charges to us within 30 days following the date of issue of the relevant invoice. 

13.2 Charges must be paid by bank transfer or by such other means as we may authorise from time to time.

13.3 If more than one payment due under the Agreement is not received by us by the due date and you are signed-up for quarterly or 6-monthly invoicing, we may by written notice to you move your invoicing frequency to annual and issue your next invoice on this basis.

13.4 If you do not pay any amount properly due to us under or in connection with the Agreement, we may claim interest and statutory compensation from you pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.

13.5 We may suspend the provision of any Services if any amounts due to be paid by you to us under the Agreement are overdue, and we have given you at least 5 Business Days' written notice of our intention to suspend Services on this basis. For the avoidance of doubt, you will not be entitled to any refund of the Charges with respect to any period of suspension under this Clause 13.5, nor will you be released from any liability to pay Charges with respect to any such period of suspension.

14. Confidentiality

14.1 Each party must:

  1. keep the other party's Confidential Information strictly confidential;
  2. not disclose the other party's Confidential Information to any person without the other party's prior written consent, and then only under conditions of confidentiality no less onerous than those contained in the Agreement;
  3. use the same degree of care to protect the confidentiality of the other party's Confidential Information as it uses to protect its own confidential information of a similar nature, being at least a reasonable degree of care; and
  4. act in good faith at all times in relation to the other party's Confidential Information.

14.2 Notwithstanding Clause 14.1, a party's Confidential Information may be disclosed by the other party to that other party's officers, employees, professional advisers, insurers, agents and subcontractors who have a need to access the Confidential Information that is disclosed for the performance of their work and who are bound by a written agreement or professional obligation to protect the confidentiality of the Confidential Information that is disclosed.

14.3 No obligations are imposed by this Clause 14 with respect to:

  a. a party's Confidential Information that is known to the other party before disclosure under the Agreement and is not subject to any other obligation of confidentiality;
  b. a party's Confidential Information that is or becomes publicly known through no act or default of the other party;
  c. a party's Confidential Information that is obtained by the other party from a third party in circumstances where the other party has no reason to believe that there has been a breach of an obligation of confidentiality; or
  d. any information independently developed by a party without reference to or use of the other party's Confidential Information.

14.4 The restrictions in this Clause 14 do not apply to the extent that any Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of either party on any recognised stock exchange.

14.5 The provisions of this Clause 14 shall continue in force indefinitely following the termination of the Agreement.

15. Client Personal Data and the General Data Protection Regulation

15.1 The parties agree that:

  1. the Client Personal Data to be processed under the Agreement may consist of: (i) names, email addresses and other account-related data; and (ii) any information comprised in digital assets and metadata that are processed by the Hosted Services or the On-premises Software; and
  2. the Client Personal Data shall relate to: (i) individuals holding accounts in the Hosted Services or On-premises Software; and (ii) other persons whose data is comprised in the digital assets and metadata processed by the Hosted Services or the On-premises Software.

15.2 You warrant to us that:

  1. all of the Client Personal Data supplied by you to us shall fall within the categories specified in Clause 15.1;
  2. the Client Personal Data has been and shall be collected in accordance with the Data Protection Laws; and
  3. you have the legal right to disclose the Client Personal Data to us (and, where such disclosure is based upon consent, have retained evidence of such consent).

15.3 We warrant to you that: 

  1. we will act only on documented instructions from you in relation to the processing of the Client Personal Data (which instructions are set out in the Agreement and in any additional documents agreed by the parties) unless required to do so by applicable law (in which case we shall inform you of that legal requirement, unless such information is prohibited by applicable law on important grounds of public interest);
  2. we will only process the Client Personal Data for the purposes of providing the Hosted Services, performing our obligations under the Agreement and exercising our rights under the Agreement;
  3. the processing of the Client Personal Data by us shall take place only during the Term, subject to the express derogations elsewhere in the Agreement;
  4. we have in place appropriate security measures (both technical and organisational) against unlawful or unauthorised processing of the Client Personal Data and against loss or corruption of the Client Personal Data, including those measures specified in our security policy as published on our website from time to time;
  5. save to the extent caused by your failure to comply with Clause 15.2, we will process the Client Personal Data in compliance with the Data Protection Laws;
  6. we shall not appoint or utilise any sub-processor of the Client Personal Data without your prior specific or general authorisation, and we will notify you at least 30 days in advance of any change of sub-processor with respect to any general authorisation by updating the list of sub-processors in the Asset Bank Help Centre; we will also notify you by email if you have subscribed to our sub-processor email notification service; and if you object to any such change, you may terminate the Agreement on at least 14 days' written notice to us expiring before the end of that 30-day period;
  7. we shall ensure that each contract between us and any sub-processor of the Client Personal Data contains equivalent data protection obligations to those set out in the Agreement; 
  8. subject to applicable law, we will not transfer or permit the transfer of the Client Personal Data to any place outside the UK or EEA without your prior written consent; and
  9. we shall maintain written records of our Client Personal Data processing activities in accordance with the requirements of the Data Protection Laws.

15.4 You hereby give to us a general authorisation to appoint sub-processors of Client Personal Data in the following categories:

  1. hosting service providers;
  2. connectivity and electronic communications service providers;
  3. data transfer service providers;
  4. document and file processing or transformation service providers; and
  5. application development, support and professional service providers.

Details of appointed processors are set out in the Asset Bank Help Centre. You acknowledge that some of our appointed sub-processors are multi-national corporations with facilities in jurisdictions around the world, and hereby consent to the transfer of Client Personal Data outside the UK and EEA to or by sub-processors, providing that: (i) the principal database for the Hosted Services shall be located within the UK or EEA, unless you expressly agree otherwise in writing; (ii) all such transfers shall be made only for the purpose of providing services to you; and (iii) all such transfers shall be protected by appropriate safeguards in accordance with the Data Protection Laws.

15.5 We shall notify you in accordance with the Data Protection Laws, using the contact details set out in this Agreement or any alternative breach notification contact details supplied by you, promptly and in any case within 24 hours of becoming aware of the issue, if:

  1. any of the Client Personal Data is lost or destroyed, or becomes damaged, corrupted or unusable;
  2. we receive any complaint or regulatory notice which relates to the processing of any of the Client Personal Data; or
  3. we receive a request from a data subject for access to any of the Client Personal Data.

15.6 We shall co-operate with you in relation to:

  1. any request from you to amend or delete any of the Client Personal Data;
  2. any complaint or regulatory notification relating to the processing of any of the Client Personal Data;
  3. any request from a data subject for access to any of the Client Personal Data or relating to the exercise of the data subject's legal rights in relation to the Client Personal Data; and
  4. any measures taken by you that are reasonably necessary to ensure that you comply with your own obligations under Data Protection Laws,

in each case at your cost and expense.

15.7 We shall ensure that access to the Client Personal Data is limited to those of our personnel who have a reasonable need to access the Client Personal Data to enable us to perform our duties under the Agreement; any access to the Client Personal Data shall be limited to such part or parts of the Client Personal Data as are strictly necessary.

15.8 We shall take reasonable steps to ensure the reliability of any of our personnel who have access to the Client Personal Data. Without prejudice to this general obligation, we shall ensure that all relevant personnel are informed of the confidential nature of the Client Personal Data, are subject to confidentiality obligations in relation to the Client Personal Data, have undertaken training in the laws relating to handling Client Personal Data, and are aware of our duties in respect of that Client Personal Data.

15.9 Each party shall upon request make available to the other party all such information as may be necessary to demonstrate its compliance with the Data Protection Laws and the provisions of this Clause 15.

15.10 We shall upon request make available to you all such information as may be necessary to facilitate the carrying out of an audit of our compliance with the Data Protection Laws and the provisions of this Clause 15. For this purpose, we will provide to you a completed security questionnaire, in a form to be determined by us (acting reasonably). We shall ensure that the completed security questionnaire includes all the information that is necessary to enable you to assess our compliance. We will also provide, upon request, evidence of the most recent independent audit(s) carried out to verify GDPR compliance and ISO 27001 compliance. Other than the provision of this security questionnaire, and audit evidence, we may charge you at our standard time and materials rates for any work performed at your request when fulfilling our obligations under this Clause 15.10.

15.11 In the event of changes to the Data Protection Laws that affect the terms of the Agreement, the parties shall act reasonably to agree any necessary changes to the Agreement.

15.12 We shall, if requested by you, provide to you a copy of the Client Personal Data in accordance with Clause 20.3; and, unless applicable law requires otherwise, we shall delete all the Client Personal Data from our systems and storage media at the end of the period of 4 months following termination.

15.13 The EU Standard Contractual Clauses and UK Addendum shall apply to Personal Data in the following circumstances:

  1. if you transfer any Customer Personal Data to us, and that transfer is a Restricted Transfer under the EU GDPR, then the MODULE TWO provisions of the EU Standard Contractual Clauses shall apply to that Customer Personal Data, in addition to the other provisions of this Clause 15 (with you being the data exporter and us being the data importer);
  2. if you transfer any other Personal Data to us, and that transfer is a Restricted Transfer under the EU GDPR, then the MODULE ONE provisions of the EU Standard Contractual Clauses shall apply to that Personal Data (with you being the data exporter and us being the data importer);
  3. if you transfer any Customer Personal Data to us, and that transfer is a Restricted Transfer under the UK GDPR, then the MODULE TWO provisions of the EU Standard Contractual Clauses as modified by the UK Addendum shall apply to that Customer Personal Data, in addition to the other provisions of this Clause 15 (with you being the data exporter and us being the data importer);
  4. if you transfer any other Personal Data to us, and that transfer is a Restricted Transfer under the UK GDPR, then the MODULE ONE provisions of the EU Standard Contractual Clauses as modified by the UK Addendum shall apply to that Personal Data (with you being the data exporter and us being the data importer);
  5. if we transfer any Customer Personal Data to you, and that transfer is a Restricted Transfer under the EU GDPR, then the MODULE FOUR provisions of the EU Standard Contractual Clauses shall apply to that Customer Personal Data (with us being the data exporter and you being the data importer);
  6. if we transfer any other Personal Data to you, and that transfer is a Restricted Transfer under the EU GDPR, then the MODULE ONE provisions of the EU Standard Contractual Clauses shall apply to that Personal Data (with us being the data exporter and you being the data importer);
  7. if we transfer any Customer Personal Data to you, and that transfer is a Restricted Transfer under the UK GDPR, then the MODULE FOUR provisions of the EU Standard Contractual Clauses as modified by the UK Addendum shall apply to that Customer Personal Data (with us being the data exporter and you being the data importer); and
  8. if we transfer any other Personal Data to you, and that transfer is a Restricted Transfer under the UK GDPR, then the MODULE ONE provisions of the EU Standard Contractual Clauses as modified by the UK Addendum shall apply to that Personal Data (with us being the data exporter and you being the data importer).

15.14 Where the EU Standard Contractual Clauses (with or without the UK Addendum) apply in addition to this Clause 15, and there is any conflict between the EU Standard Contractual Clauses (or the UK Addendum) and this Clause 15, then the contractual provisions providing the highest degree of protection for the Personal Data shall take precedence.

16. Warranties

16.1 Each party warrants to the other party that:

  1. it has the legal right and authority to enter into and perform its obligations under the Agreement; and
  2. it will comply with all applicable laws in relation to the performance of those obligations.

16.2 We warrant to you that:

  1. we will perform our obligations under the Agreement with reasonable care and skill; and
  2. the Hosted Services and/or On-premises Software will not, when used by you in accordance with the Agreement, infringe the Intellectual Property Rights of any third party under English law.

16.3 We warrant to you that we will use reasonable endeavours to ensure that the Hosted Services and the On-premises Software will be supplied free from Defects, and we will endeavour to resolve any Defects and other issues in accordance with the SLA. Without prejudice to this warranty, you acknowledge that complex software is never wholly free from defects, errors and bugs, and we give no warranty or representation that the Hosted Services or On-premises Software will be wholly free from such defects, errors and bugs.

16.4 We warrant to you that we will ensure that the Hosted Services and the On-premises Software will incorporate security measures reflecting the requirements of good industry practice. Without prejudice to this warranty, you acknowledge that complex software is never wholly free from security vulnerabilities, and we give no warranty or representation that the Hosted Services or On-premises Software will be wholly free from such vulnerabilities.

16.5 All of the parties' warranties and representations in respect of the subject matter of the Agreement are expressly set out in the terms of the Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of the Agreement will be implied into the Agreement.

17. Additional acknowledgements

17.1 You acknowledge that, subject to the express warranties set out in the Agreement:

  1. we do not warrant or represent that the Hosted Services or On-premises Software will be compatible with any other application, program or software; 
  2. you are responsible for determining whether the Hosted Services and/or On-premises Software meet your requirements, and we do not warrant or represent that the Hosted Services or On-premises Software will meet those requirements; 
  3. we will not and do not purport to provide any legal, taxation or accountancy advice under the Agreement or in relation to the Hosted Services or On-premises Software and (except to the extent expressly provided otherwise) we do not warrant or represent that the Hosted Services or On-premises Software will not give rise to any civil or criminal liability on the part of you or any other person;
  4. we may from time to time make changes to the hardware, software, services and other technical means by which the Hosted Services are provided, although we will not make any such changes without your permission if the changes will have a material negative effect upon the security, functionality or performance of the Hosted Services; and

18. Limitations and exclusions of liability


18.1 Nothing in the Agreement will:

  1. limit or exclude the liability of a party for death or personal injury resulting from negligence;
  2. limit or exclude the liability of a party for fraud or fraudulent misrepresentation by that party;
  3. limit any liability of a party in any way that is not permitted under applicable law; or
  4. exclude any liability of a party that may not be excluded under applicable law.

18.2 The limitations and exclusions of liability set out in this Clause 18 and elsewhere in the Agreement:

  1. are subject to Clause 18.1; 
  2. govern all liabilities arising under the Agreement or in relation to the subject matter of the Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty;
  3. shall not apply to any liability of a party under Clause 9.4, 14, 15 or 16.2(b), or under the EU Standard Contractual Clauses or the UK Addendum (where they apply), except that Clause 18.9 shall apply to such liabilities.

18.3 Neither party will be liable to the other for any indirect or consequential loss.

18.4 Neither party will be liable to the other party for any loss of business, contracts or commercial opportunities.

18.5 Neither party will be liable to the other party for any loss of or damage to goodwill or reputation.

18.6 Subject to our compliance with Clause 9.1 and excluding any loss of the most recent back-up copy of the Client Data we make in accordance with Clause 9.1, we will not be liable to you in respect of any loss or corruption of any Client Data.

18.7 Neither party will be liable to the other party for any losses arising out of a Force Majeure Event. Where a Force Majeure Event gives rise to a failure or delay in either party performing its obligations under the Agreement (other than the obligation to make payment), those obligations will be suspended for the duration of the Force Majeure Event.

18.8 Neither party's liability to the other party in relation to any event or series of related events will exceed the greater of:

  1. GBP 25,000; and
  2. the total amount paid and payable by you to us under the Agreement during the 12 month period immediately preceding the event or events giving rise to the claim.

18.9 Neither party's aggregate liability to the other party will exceed GBP 2,000,000.

19. Termination

19.1 The Agreement may only be terminated for convenience after the end of the Minimum Term in accordance with this Clause 19.1. You may terminate the Agreement by giving to us at least 30 days' written notice of termination expiring after the end of the Minimum Term; and we may terminate the Agreement by giving to you at least 120 days' written notice of termination expiring after the end of the Minimum Term.

19.2 Either party may terminate the Agreement immediately by giving written notice of termination to the other party if:

  1. the other party commits any material breach of the Agreement, and the breach is not remediable; or
  2. the other party commits a material breach of the Agreement, and the breach is remediable but the other party fails to remedy the breach within the period of 30 days following the giving of a written notice to the other party requiring the breach to be remedied.

19.3 Either party may terminate the Agreement immediately by giving written notice of termination to the other party if:

  1. the other party: (i) is dissolved; (ii) ceases to conduct all (or substantially all) of its business; (iii) is or becomes unable to pay its debts as they fall due; (iv) is or becomes insolvent or is declared insolvent; or convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;
  2. an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;
  3. an order is made for the winding up of the other party, or the other party passes a resolution for its winding up; or
  4. if that other party is an individual: (i) that other party dies; (ii) as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or (iii) that other party is the subject of a bankruptcy petition or order.

19.4 We may terminate the Agreement immediately by giving written notice to you if:

  1. any amount due to be paid by you to us under the Agreement is unpaid by the due date and remains unpaid upon the date that that written notice of termination is given; and
  2. we have given to you at least 30 days' written notice, following the failure to pay, of our intention to terminate the Agreement in accordance with this Clause 19.4.

19.5 We may terminate the Agreement immediately by giving written notice to you if, in our reasonable opinion, continuing to provide services to you would be contrary to our CSR Policy.

20. Effects of termination

20.1 Upon termination of the Agreement, all the provisions of the Agreement will cease to have effect, save that the following provisions of the Agreement will survive and continue to have effect (in accordance with their terms or otherwise indefinitely): Clauses 1, 4.11, 5 (if applicable and subject to Clause 20.6), 10.7(b), 13.4, 14, 15, 18, 20, 23 and 24.

20.2 Termination of the Agreement will not affect either party's accrued liabilities and rights as at the date of termination.

20.3 You may download a copy of the Client Data from the Platform at any time before the date of termination. We will retain a copy of the Client Data for a period of at least 30 days following the date of termination. During this period, if you request that we provide you with a copy of the Client Data, we will do so, subject to payment of charges (calculated using our standard time-based charging rates). At any time following the end of that 30 day period, we may delete from our computer systems all Client Data. You acknowledge that, if you have not retrieved Client Data from the Platform before termination or requested it before deletion, you will lose that Client Data.

20.4 You acknowledge that we may retain Client Data in our systems for a period of up to 4 months after the date of termination; and the licence set out in Clause 9.3 shall continue after termination to the extent necessary for us to exercise our rights under this Clause 20.4.

20.5 If the Agreement is terminated under Clause 15.3(f), 19.1 or 19.5, then you will be entitled to a refund of any Charges paid to us with respect to Services that were to be provided to you after the date of effective termination, and you will be released from any liability to pay such Charges. The amount of the refund or release shall be calculated by us using any reasonable methodology. Subject to this, you will not be entitled to any refund of the Charges upon the termination of the Agreement, nor will you be released from any liability to pay Charges that have accrued before the date of effective termination.

20.6 If the Agreement is terminated under Clause 15.3(f), 19.1 or 19.5, then any licence of On-premises Software under the Agreement shall continue notwithstanding such termination; if the Agreement is terminated in any other circumstances, then any licence of On-premises Software under the Agreement shall automatically and simultaneously terminate. If any licence of On-premises Software continues following termination of the Agreement, and it comes to our attention that you have breached any term of that licence, whether before or after termination of the Agreement, then we may by written notice to you terminate that licence.

21. Notices 

21.1 Any notice under the Agreement must be in writing (whether or not described as "written notice" in the Agreement) and must be sent in accordance with this Clause 21.

21.2 Any notice that a party gives to the other party under the Agreement must be sent by email, courier or recorded signed-for post:

  1. in the case of notices to you, using the contact details in the Proposal; and
  2. in the case of notices to us, using the following contact details: support@assetbank.co.uk or to Bright Interactive Ltd, Ninth Floor, Tower Point, 44 North Road, Brighton, BN1 1YR.

21.3 A party receiving from the other party a notice by email must acknowledge receipt by email promptly, and in any event within 2 Business Days following receipt of the notice.

21.4 A notice will be deemed to have been received:

  1. in the case of notices sent by email, at the time of the sending of an acknowledgement of receipt by the receiving party; and
  2. in the case of notices sent by courier or recorded signed-for post, 48 Business Hours following sending.

21.5 You acknowledge that we may treat all instructions received by us in relation to this Agreement from any user with an Admin Account as fully authorised by you.

22. Subcontractors

22.1 We may subcontract the provision of hosting services and any other of our obligations under the Agreement, subject to our obligations in relation to the appointment of sub-processors of Client Personal Data.

22.2 We shall remain responsible to you for the performance of any subcontracted obligations.

23. General

23.1 No breach of any provision of the Agreement will be waived except with the express written consent of the party not in breach.

23.2 If a Clause of the Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other Clauses of the Agreement will continue in effect. If any unlawful and/or unenforceable Clause would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the Clause will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant Clause will be deemed to be deleted). 

23.3 The Agreement may be varied as follows:

  1. the Charges may be varied in accordance with Clause 12.3; and
  2. the Agreement may be varied by a written instrument signed or otherwise agreed by or on behalf of each party.

23.4 Either party may freely assign the entirety of its contractual rights and obligations under the Agreement to any group company of the assigning party or to any successor to all or a substantial part of the business of the assigning party. The assigning party must give to the other party written notice of any assignment upon or before the date of the assignment. Save as provided in this Clause 23.4, neither party may without the other party's prior written consent assign, transfer, charge, license or otherwise dispose of or deal in the Agreement or any contractual rights or obligations under the Agreement.

23.5 The Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate or rescind, or agree any amendment, waiver, variation or settlement under or relating to, the Agreement are not subject to the consent of any third party.

23.6 Subject to Clause 18.1:

  1. the Agreement constitutes the entire agreement between the parties in relation to the subject matter of the Agreement, and supersedes all previous agreements, arrangements and understandings between the parties in respect of that subject matter; and
  2. neither party will have any remedy in respect of any misrepresentation (whether written or oral) made to it upon which it relied in entering into the Agreement.

23.7 The Agreement will be governed by and construed in accordance with English law; and the courts of England and Wales will have exclusive jurisdiction to adjudicate any dispute arising under or in connection with the Agreement.

24. Interpretation

24.1 In the Agreement, a reference to a statute or statutory provision includes a reference to:

  1. that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and 
  2. any subordinate legislation made under that statute or statutory provision.

24.2 The Clause headings do not affect the interpretation of the Agreement.

24.3 In the Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.


 

Schedule 1 – EU Standard Contractual Clauses

You can see the text of the main body of the EU Standard Contractual Clauses that applies to Restricted Transfers of Personal Data between us and our customers at:

https://www.assetbank.co.uk/sccs

The Appendices and Annexures to the EU Standard Contractual Clauses are set out below.


 

APPENDIX A TO SCHEDULE 1

This Appendix A to the EU Standard Contractual Clauses sets out information relating to restricted transfers of personal data from the customer for Asset Bank (the data exporter, acting as controller) to Bright Interactive Ltd (the data importer, acting as controller or processor). Capitalised terms used in this Appendix A that are not defined here or in the main body of the EU Standard Contractual Clauses are defined in the Asset Bank Terms & Conditions.

ANNEX I

A.   LIST OF PARTIES

Data exporter(s):

  1. Name: The customer for the Services, as specified in the Proposal
     Address: As specified in the Proposal
     Contact person’s name, position and contact details: As specified in the Proposal
     Activities relevant to the data transferred under these Clauses: The use and receipt of digital asset management software solutions and associated services
     Signature and date: By agreeing to the Proposal and the Asset Bank Terms and Conditions, the data exporter also agrees to the EU Standard Contractual Clauses including this Appendix
     Role (controller/processor): Controller

Data importer(s):

  1. Name: Bright Interactive Ltd, a company incorporated in England and Wales (registration number 03865036)
     Address: Ninth Floor, Tower Point, 44 North Road, Brighton, East Sussex BN1 1YR, UK
     Contact person’s name, position and contact details: Privacy Officer
       Postal address: Bright Interactive Ltd, Ninth Floor, Tower Point, 44 North Road, Brighton, East Sussex BN1 1YR, UK
       Email address: privacy@builtbybright.com
     Activities relevant to the data transferred under these Clauses: The provision of digital asset management software solutions and associated services
     Signature and date: By agreeing to the Proposal and the Asset Bank Terms and Conditions, the data importer also agrees to the EU Standard Contractual Clauses including this Appendix
     Role (controller/processor): Processor with respect to data categories (1) and (2); controller with respect to data category (3).

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

(1) user account data: individuals holding accounts in the Hosted Services or On-premises Software

(2) digital asset data: persons whose data is comprised in the digital assets and metadata processed by the Hosted Services or the On-premises Software

(3) customer relationship data: personnel of the data exporter

Categories of personal data transferred

(1) user account data: names, email addresses and other account-related data

(2) digital asset data: any information comprised in digital assets and metadata that are processed by the Hosted Services or the On-premises Software

(3) customer relationship data: names; contact details; job details; marketing preferences; communication content and metadata

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

(1) None

(2) Customer may submit special categories of data to the data importer at the sole discretion of the data exporter (special categories include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life)

(3) None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

(1) data transferred whenever the relevant person uses the Hosted Services or On-premises Software

(2) data transferred when digital assets are uploaded to or otherwise stored on the Hosted Services or On-premises Software

(3) data transferred periodically in communications between the parties

Nature of the processing

(1) & (2) This processing includes transfer and secure storage of data, and consultancy and support services, including: (a) transfer of data to Bright's cloud hosting solution for secure storage; (b) backup of the data; (c) access and transfer of the data for the provision of ongoing support services, and specific consultancy activities; (d) deletion of the data; and (e) other activities as requested by the customer or as required for the provision of the services.

(3) This processing includes storage of data, access to and use of data by personnel of the data importer, subcontractors and service providers, and transfer of data between the parties.

Purpose(s) of the data transfer and further processing

(1) & (2) to deliver services, and to meet contractual obligations.

(3) Marketing, promotion, accounting and general business administration.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

(1) & (2) In accordance with clause 15 of the Asset Bank Terms and Conditions

(3) In accordance with the data importer's privacy policy

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As specified at:

https://support.assetbank.co.uk/hc/en-gb/articles/360003315731-Sub-processors-and-international-data-transfer

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

As specified in the Proposal, or if the Proposal does not specify the competent supervisory authority/ies:

The Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measure: Description

Physical Access: Data importer shall take reasonable measures to ensure the security of all physical locations and equipment required to perform its duties. This includes controls such as door security, CCTV, alarms, lockable storage and safes, encryption policies for storage media and leaver processes.

System Access: Data importer shall take reasonable measures to prevent Personal Data from being accessed without authorisation. This includes the use of industry standard password-management techniques, device handling procedures, network access procedures, user authentication controls and other documented procedures as well as logging protocols to capture all relevant activities.

Network Access: Data importer shall take reasonable measures to ensure the appropriate security techniques are utilised for all system access, including but not limited to controls governing secure protocols, port access restrictions, encryption and file transfer technologies and procedures.

Application Browser Access: Data importer shall take reasonable measures to ensure the service utilises sufficiently secure techniques when being delivered via a client browser. This includes utilisation of encryption protocols and support for SSL certificates.

Application Level Access: Data importer shall take reasonable measures to protect Personal Data that is handled by any applications that operate as part of any delivered services. This includes the use of encryption, data segregation and access and deployment restrictions and segregations.

Infrastructure penetration testing: Data importer shall take reasonable measures to test the security and vulnerability of the infrastructure delivered as part of the services via the use of regular risk assessments, information security reviews and formal penetration tests.

Patch management: Data importer shall take reasonable measures to ensure the security and reliability of the services through proper patch management techniques. This includes maintaining active awareness of all applicable latest software versions and following a documented process to incorporate these versions into the service as appropriate.

Data Backups: Data importer shall take reasonable measures to protect against accidental destruction or loss of personal data by taking regular backups of this data and applying suitable security measures to the process.

Other: Those security measures specified in Bright's security policy as published in the Asset Bank Help Centre from time to time.

ANNEX III

LIST OF SUB-PROCESSORS

Not applicable: insofar as the data importer is acting as processor on behalf of the data exporter, it benefits from a general authorisation to appoint sub-processors.

 

 


 

APPENDIX B TO SCHEDULE 1

This Appendix B to the EU Standard Contractual Clauses sets out information relating to restricted transfers of personal data from Bright Interactive Ltd (the data exporter, acting as controller or processor) to the customer for Asset Bank (the data importer, acting as controller). Capitalised terms used in this Appendix B that are not defined here or in the main body of the EU Standard Contractual Clauses are defined in the Asset Bank Terms & Conditions.

ANNEX I

A.   LIST OF PARTIES

Data exporter(s):

  1. Name: Bright Interactive Ltd, a company incorporated in England and Wales (registration number 03865036)
     Address: Ninth Floor, Tower Point, 44 North Road, Brighton, East Sussex BN1 1YR, UK
     Contact person’s name, position and contact details: Privacy Officer
       Postal address: Bright Interactive Ltd, Ninth Floor, Tower Point, 44 North Road, Brighton, East Sussex BN1 1YR, UK
       Email address: privacy@builtbybright.com
     Activities relevant to the data transferred under these Clauses: The provision of digital asset management software solutions and associated services
     Signature and date: By agreeing to the Proposal and the Asset Bank Terms and Conditions, the data exporter also agrees to the EU Standard Contractual Clauses including this Appendix
     Role (controller/processor): Processor with respect to data categories (1) and (2); controller with respect to data category (3).

Data importer(s):

1.

Name: The customer for the Services, as specified in the Proposal

Address: As specified in the Proposal

Contact person’s name, position and contact details: As specified in the Proposal

Activities relevant to the data transferred under these Clauses: The use and receipt of digital asset management software solutions and associated services

Signature and date: By agreeing to the Proposal and the Asset Bank Terms and Conditions, the data importer also agrees to the EU Standard Contractual Clauses including this Appendix

Role (controller/processor): Controller

 

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

 

(1) user account data: individuals holding accounts in the Hosted Services or On-premises Software

(2) digital asset data: persons whose data is comprised in the digital assets and metadata processed by the Hosted Services or the On-premises Software

(3) customer relationship data: personnel of the data exporter

 

Categories of personal data transferred

 

(1) user account data: names, email addresses and other account-related data

(2) digital asset data: any information comprised in digital assets and metadata that are processed by the Hosted Services or the On-premises Software

(3) customer relationship data: names; contact details; job details; marketing preferences; communication content and metadata

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

 

(1) None

(2) Customer may submit special categories of data to the data importer at the sole discretion of the data exporter (special categories include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life)

(3) None

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

 

(1) data transferred whenever the relevant person uses the Hosted Services or On-premises Software

(2) data transferred when digital assets are accessed or downloaded from the Hosted Services or On-premises Software

(3) data transferred periodically in communications between the parties

 

Nature of the processing

 

(1) & (2) This processing includes transfer and secure storage of data, and consultancy and support services, including: (a) transfer of data from Bright's cloud hosting solution for secure storage; (b) access and transfer of the data for the provision of ongoing support services, and specific consultancy activities; and (c) other activities as requested by the customer or as required for the provision of the services

(3) This processing includes storage of data, access to and use of data by personnel of the data importer, subcontractors and services providers, transfer of data between the parties

 

Purpose(s) of the data transfer and further processing

 

(1) & (2) to deliver services, and to meet contractual obligations.

(3) Marketing, promotion, accounting and general business administration.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

 

In accordance with the data importer's privacy policy.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

 

As specified at:

https://support.assetbank.co.uk/hc/en-gb/articles/360003315731-Sub-processors-and-international-data-transfer

 

 

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

 

As specified in the Proposal, or if the Proposal does not specify the competent supervisory authority/ies:

The Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

 

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measure: As specified in the customer's information security policy

Description: As specified in the customer's information security policy

 

ANNEX III

LIST OF SUB-PROCESSORS

Not applicable, as all transfers under this Appendix are to the customer acting as controller.


 

Schedule 2 – UK Addendum

You can see the text of the main body of UK Addendum that applies to certain Restricted Transfers of Personal Data between us and our customers at:

https://www.assetbank.co.uk/ukaddendum

Version 15. Revision date 12th November 2024