Common use of DATA PROTECTION AND DATA PROCESSING Clause in Contracts

DATA PROTECTION AND DATA PROCESSING. 10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 10.2 The parties acknowledge that for the purposes of the Data Protections Legislation, the Customer is the data controller of the Personal Data in respect of which the Company is providing the services under the Main agreement as the data processor. For the avoidance of doubt, references to Personal Data below are in respect of that for which the Customer is the data controller. 10.3 Without prejudice to the generality of the clause 10.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (including any Special Categories of Personal Data) to and processing by EPX for the duration and purposes of this agreement. 10.4 Without prejudice to the generality of clause 10.1, EPX shall, in relation to any Personal Data processed in connection with the performance by EPX of its obligations under this agreement: 10.4.1 process that Personal Data only on the written instructions of the Customer unless EPX is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Company to process Personal Data (Applicable Laws). Where EPX is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, EPX shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit EPX from so notifying the Customer; 10.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 10.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 10.4.4 transfer any Personal Data outside of the European Economic Area only as required in connection with the Services under the Main Agreement, to which the Customer hereby gives its written consent and subject to the fulfilment of the following conditions: 10.4.4.1 the Customer or EPX has provided appropriate safeguards in relation to the transfer; 10.4.4.2 the data subject has enforceable rights and effective legal remedies; 10.4.4.3 EPX complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 10.4.4.4 EPX complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 10.4.5 assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 10.4.6 notify the Customer without undue delay on receiving a subject access request in relation to the Personal Data or on becoming aware of a Personal Data breach; 10.4.7 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 10.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 10. 10.5 The Customer consents to EPX appointing those parties listed in 10.7 or as otherwise notified to the Customer in writing from time-to- time as third party processors of Personal Data under this agreement. EPX confirms that it has entered or (as the case maybe ) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business but which incorporate terms which are substantially similar to those set out in this clause 10. As between the Customer and EPX, EPX shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 10. 10.6 Either party may, at any time on not less than 30 days’ notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 10.7 Third Party Processors include: ConnectWise, Continuum, Xero, Wyse-Sync, Prospect Global Ltd (trading as SoPro), Zoho Corporation.

DATA PROTECTION AND DATA PROCESSING. 10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 10.2 The parties acknowledge that for the purposes of the Data Protections Legislation, the Customer is the data controller of the Personal Data in respect of which the Company is providing the services under the Main agreement as the data processor. For the avoidance of doubt, references to Personal Data below are in respect of that for which the Customer is the data controller. 10.3 Without prejudice to the generality of the clause 10.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (including any Special Categories of Personal Data) to and processing by EPX for the duration and purposes of this agreement. 10.4 Without prejudice to the generality of clause 10.1, EPX shall, in relation to any Personal Data processed in connection with the performance by EPX of its obligations under this agreement: 10.4.1 process that Personal Data only on the written instructions of the Customer unless EPX is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Company to process Personal Data (Applicable Laws). Where EPX is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, EPX shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit EPX from so notifying the Customer; 10.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 10.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 10.4.4 transfer any Personal Data outside of the European Economic Area only as required in connection with the Services under the Main Agreement, to which the Customer hereby gives its written consent and subject to the fulfilment of the following conditions: 10.4.4.1 the Customer or EPX has provided appropriate safeguards in relation to the transfer; 10.4.4.2 the data subject has enforceable rights and effective legal remedies; 10.4.4.3 EPX complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 10.4.4.4 EPX complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 10.4.5 assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 10.4.6 notify the Customer without undue delay on receiving a subject access request in relation to the Personal Data or on becoming aware of a Personal Data breach; 10.4.7 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 10.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 10. 10.5 The Customer consents to EPX appointing those parties listed in 10.7 or as otherwise notified to the Customer in writing from time-to- time as third party processors of Personal Data under this agreement. EPX confirms that it has entered or (as the case maybe ) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business but which incorporate terms which are substantially similar to those set out in this clause 10. As between the Customer and EPX, EPX shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 10. 10.6 Either party may, at any time on not less than 30 days’ notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 10.7 Third Party Processors include: ConnectWise, Continuum, Xero, Wyse-Sync, Prospect Global Ltd (trading as SoPro), Zoho Corporation.

DATA PROTECTION AND DATA PROCESSING. 10.1 9.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 Clause 9 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. In this Clause Applicable Laws means (for so long as and to the extent that they apply to the Contractor) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK. 10.2 9.2 The parties acknowledge that for the purposes of the Data Protections Protection Legislation, the Customer Business is the data controller of and the Personal Data in respect of which the Company is providing the services under the Main agreement as the data processor. For the avoidance of doubt, references to Personal Data below are in respect of that for which the Customer Contractor is the data controllerprocessor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). 10.3 9.3 Without prejudice to the generality of the Sub- clause 10.19.1, the Customer Business will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (including any Special Categories of Personal Dataas defined in the Data Protection Legislation) to and processing by EPX the Contractor for the duration and purposes of this agreementthe Contract. 10.4 9.4 Without prejudice to the generality of Sub-clause 10.19.1, EPX the Contractor shall, in relation to any Personal Data processed in connection with the performance by EPX the Contractor of its obligations under this agreementthe Contract: 10.4.1 process 9.4.1 Process that Personal Data only on the written instructions of the Customer Business unless EPX the Contractor is required by the laws of any member of the European Union or by the laws of the European Union applicable Applicable Laws to the Company to otherwise process that Personal Data (Applicable Laws)Data. Where EPX the Contractor is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, EPX the Contractor shall promptly notify the Customer Business of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit EPX the Contractor from so notifying the CustomerBusiness; 10.4.2 ensure 9.4.2 Ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the CustomerBusiness, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 10.4.3 ensure 9.4.3 Ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 10.4.4 9.4.4 Not transfer any Personal Data outside of the European Economic Area only as required in connection with unless the Services under the Main Agreement, to which the Customer hereby gives its prior written consent and subject to the fulfilment of the Business has been obtained and the following conditionsconditions are fulfilled: 10.4.4.1 i. The Business or the Customer or EPX Contractor has provided appropriate safeguards in relation to the transfer; 10.4.4.2 ii. The Data Subject (as defined in the data subject Data Protection Legislation) has enforceable rights and effective legal remedies; 10.4.4.3 EPX iii. The Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 10.4.4.4 EPX iv. The Contractor complies with reasonable instructions notified to it in advance by the Customer Business with respect to the processing of the Personal Data; 10.4.5 assist 9.4.5 Assist the CustomerBusiness, at the Customer's Business' cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 10.4.6 notify 9.4.6 Notify the Customer Business without undue delay on receiving a subject access request in relation to the Personal Data or on becoming aware of a Personal Data breach; 10.4.7 at 9.4.7 At the written direction of the CustomerBusiness, delete or return Personal Data and copies thereof to the Customer Business on termination of the agreement unless required by Applicable Law to store the Personal Data; and 10.4.8 maintain 9.4.8 Maintain complete and accurate records and information to demonstrate its compliance with this clause 10Clause 9. 10.5 9.5 The Customer consents to EPX appointing those parties listed in 10.7 or as otherwise notified Business does not consent to the Customer in writing from time-to- time as third party processors of Personal Data under this agreement. EPX confirms that it has entered or (as the case maybe ) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business but which incorporate terms which are substantially similar to those set out in this clause 10. As between the Customer and EPX, EPX shall remain fully liable for all acts or omissions of Contractor appointing any third-party processor appointed by it pursuant to this clause 10of Personal Data under the Contract. 10.6 9.6 Either party may, at any time on not less than 30 days’ ' notice, revise this clause 10 Clause 9 by replacing it with any applicable controller to processor standard clauses or similar terms forming party part of an applicable certification scheme (which shall apply when replaced by attachment to this agreementthe Contract). 10.7 Third Party Processors include: ConnectWise, Continuum, Xero, Wyse-Sync, Prospect Global Ltd (trading as SoPro), Zoho Corporation.

DATA PROTECTION AND DATA PROCESSING. 10.1 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 Clause 8 is in addition to, and does not relieve, remove or replace, a party's ’s obligations under the Data Protection Legislation. In this Clause 8, Applicable Laws means (for so long as and to the extent that they apply to the Company) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law. 10.2 8.2 The parties acknowledge that for the purposes of the Data Protections Protection Legislation, the Customer Company is the data controller of Data Controller (where Data Controller and Data Processor have the Personal meanings as defined in the Data in respect of which the Company is providing the services under the Main agreement as the data processor. For the avoidance of doubt, references to Personal Data below are in respect of that for which the Customer is the data controllerProtection Legislation). 10.3 8.3 Without prejudice to the generality of the clause 10.1Clause 12.1, the Customer will ensure that it has all necessary appropriate consents consents, notices and notices in place systems to comply with the Data Protection Legislation and to enable lawful the transfer of the Personal Data (including any Special Categories of Personal Dataas defined in the Data Protection Legislation) to and processing by EPX the Supplier for the duration and purposes of this agreementthe Contract. In the event that the Customer does not comply with the Data Protection Legislation it will indemnify the Supplier for any breaches that result in the Supplier or any of its third-party contractors suffering damages, fines or other penalties. 10.4 8.4 Without prejudice to the generality of clause 10.1Clause 8.1, EPX the Company shall, in relation to any Personal Data processed in connection with the performance by EPX the Company of its obligations under this agreementthe Contract: 10.4.1 8.4.1 process that Personal Data only on the written instructions of the Customer unless EPX is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Company to process Personal Data (Applicable Laws). Where EPX is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, EPX shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit EPX from so notifying the Customer; 10.4.2 8.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 10.4.3 8.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 10.4.4 8.4.4 not transfer any Personal Data outside of the European Economic Area only as required in connection with unless the Services under the Main Agreement, to which prior written consent of the Customer hereby gives its written consent has been obtained and subject to the fulfilment of the following conditionsconditions are fulfilled: 10.4.4.1 (a) the Customer or EPX the Company has provided appropriate safeguards in relation to the transfer; 10.4.4.2 (b) the data subject Data Subject (as defined in the Data Protection Legislation) has enforceable rights and effective legal remedies; 10.4.4.3 EPX (c) the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 10.4.4.4 EPX (d) the Company complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 10.4.5 assist (e) notify the Customer without undue delay on becoming aware of a Personal Data breach; (f) at the written direction of the Customer, at delete or return Personal Data and copies thereof to the Customer's cost, Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (g) maintain complete and accurate records and information to demonstrate its compliance with this Clause 8. 8.4.5 assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;. 10.4.6 notify 8.5 The Customer consents for the Customer without undue delay on receiving a subject access request Company to contact them in relation to the Personal Data or on becoming aware of a Personal Data breach; 10.4.7 at the written direction of the Customer, delete or return Personal Data future offers and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 10.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 10. 10.5 any other marketing promotions. The Customer further consents that the Company may use any Personal Information to EPX appointing those parties listed in 10.7 or as otherwise notified to the Customer in writing from time-to- time as third party processors of Personal Data under this agreement. EPX confirms that it has entered or (as the case maybe ) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of market and promote their business but which incorporate terms which are substantially similar to those set out in this clause 10. As between the Customer and EPX, EPX shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 10interests. 10.6 Either party may, at any time on not less than 30 days’ notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 10.7 Third Party Processors include: ConnectWise, Continuum, Xero, Wyse-Sync, Prospect Global Ltd (trading as SoPro), Zoho Corporation.

DATA PROTECTION AND DATA PROCESSING. 10.1 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 Clause 8 is in addition to, and does not relieve, remove or replace, a party's ’s obligations under the Data Protection Legislation. In this Clause 8, Applicable Laws means (for so long as and to the extent that they apply to the Company) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law. 10.2 8.2 The parties acknowledge that for the purposes of the Data Protections Protection Legislation, the Customer Company is the data controller of Data Controller (where Data Controller and Data Processor have the Personal meanings as defined in the Data in respect of which the Company is providing the services under the Main agreement as the data processor. For the avoidance of doubt, references to Personal Data below are in respect of that for which the Customer is the data controllerProtection Legislation). 10.3 8.3 Without prejudice to the generality of the clause 10.1Clause 12.1, the Customer will ensure that it has all necessary appropriate consents consents, notices and notices in place systems to comply with the Data Protection Legislation and to enable lawful the transfer of the Personal Data (including any Special Categories of Personal Dataas defined in the Data Protection Legislation) to and processing by EPX the Supplier for the duration and purposes of this agreementthe Contract. In the event that the Customer does not comply with the Data Protection Legislation it will indemnify the Supplier for any breaches that result in the Supplier or any of its third-party contractors suffering damages, fines or other penalties. 10.4 8.4 Without prejudice to the generality of clause 10.1Clause 8.1, EPX the Company shall, in relation to any Personal Data processed in connection with the performance by EPX the Company of its obligations under this agreementthe Contract: 10.4.1 8.4.1 process that Personal Data only on the written instructions of the Customer unless EPX the Company is required by the laws of any member of the European Union or by the laws of the European Union applicable Applicable Laws to otherwise process that Personal Data. Where the Company to process Personal Data (Applicable Laws). Where EPX is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, EPX the Company shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit EPX the Company from so notifying the Customer;. 10.4.2 8.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 10.4.3 8.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 10.4.4 8.4.4 not transfer any Personal Data outside of the European Economic Area only as required in connection with unless the Services under the Main Agreement, to which prior written consent of the Customer hereby gives its written consent has been obtained and subject to the fulfilment of the following conditionsconditions are fulfilled: 10.4.4.1 (a) the Customer or EPX the Company has provided appropriate safeguards in relation to the transfer; 10.4.4.2 (b) the data subject Data Subject (as defined in the Data Protection Legislation) has enforceable rights and effective legal remedies; 10.4.4.3 EPX (c) the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 10.4.4.4 EPX (d) the Company complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 10.4.5 assist (e) notify the Customer without undue delay on becoming aware of a Personal Data breach; (f) at the written direction of the Customer, at delete or return Personal Data and copies thereof to the Customer's cost, Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (g) maintain complete and accurate records and information to demonstrate its compliance with this Clause 8. 8.4.5 assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;. 10.4.6 notify 8.5 The Customer consents for the Customer without undue delay on receiving a subject access request Company to contact them in relation to the Personal Data or on becoming aware of a Personal Data breach; 10.4.7 at the written direction of the Customer, delete or return Personal Data future offers and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 10.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 10. 10.5 any other marketing promotions. The Customer further consents that the Company may use any Personal Information to EPX appointing those parties listed in 10.7 or as otherwise notified to the Customer in writing from time-to- time as third party processors of Personal Data under this agreement. EPX confirms that it has entered or (as the case maybe ) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of market and promote their business but which incorporate terms which are substantially similar to those set out in this clause 10. As between the Customer and EPX, EPX shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 10interests. 10.6 Either party may, at any time on not less than 30 days’ notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 10.7 Third Party Processors include: ConnectWise, Continuum, Xero, Wyse-Sync, Prospect Global Ltd (trading as SoPro), Zoho Corporation.

DATA PROTECTION AND DATA PROCESSING. 10.1 9.1 Data protection legislation means any and all laws, statutes, regulations, by-laws, orders, ordinances and court decrees that apply to the processing of the Client personal data, including the General Data Protection Regulation EU 2016/679 (the “GDPR”), and any other binding codes of practice or regulations or other legislation made under or separate to the GDPR relating to the processing of personal data. 9.2 Both parties will comply with all applicable requirements of the Data Protection Legislationdata protection legislation. This clause 10 9 is in addition to, and does not relieve, remove or replace, a party's ’s obligations under the Data Protection Legislation. 10.2 The parties acknowledge that for the purposes of the Data Protections Legislation, the Customer is the data controller of the Personal Data in respect of which the Company is providing the services under the Main agreement as the data processor. For the avoidance of doubt, references to Personal Data below are in respect of that for which the Customer is the data controller. 10.3 Without prejudice to the generality of the clause 10.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (including any Special Categories of Personal Data) to and processing by EPX for the duration and purposes of this agreement. 10.4 9.3 Without prejudice to the generality of clause 10.19, EPX shallthe Supplier shall to the extent it acts as a processor of personal data within the meaning of the data protection legislation, in relation to any Personal Data personal data processed as a result of or in connection with the performance by EPX the Supplier of its obligations under this agreement: 10.4.1 9.3.1 process that Personal Data personal data only on the written instructions of the Customer Client unless EPX is required by the laws of any member of the European Union or Supplier by the laws of the European Union applicable to the Company Supplier to process Personal Data (Applicable Laws)personal data. Where EPX the Supplier is relying on laws of a member of the European Union or European Union law laws as the basis for processing Personal Datapersonal data, EPX the Supplier shall promptly notify the Customer Client of this before performing the processing required unless prohibited by the Applicable Laws unless those Applicable Laws prohibit EPX from so notifying the Customerlaw; 10.4.2 9.3.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the CustomerClient, to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Datapersonal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 10.4.3 9.3.3 ensure that all personnel who have access to and/or process Personal Data personal data are obliged to keep the Personal Data personal data confidential; and 10.4.4 9.3.4 not transfer any Personal Data personal data outside of the European Economic Area only as required in connection with the Services under the Main Agreement, to which the Customer hereby gives its unless prior written consent and subject to the fulfilment of the Client has been obtained and the following conditions: 10.4.4.1 conditions are fulfilled: (i) the Customer Client or EPX the Supplier has provided appropriate safeguards in relation to the transfer; 10.4.4.2 ; (ii) the data subject has enforceable rights and effective legal remedies; 10.4.4.3 EPX ; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred; and 10.4.4.4 EPX and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer Client with respect to the processing of the Personal Data;personal data. 10.4.5 assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 10.4.6 9.4 notify the Customer Client without undue delay on receiving a subject access request in relation to the Personal Data or on becoming aware of a Personal Data personal data breach;. 10.4.7 9.5 at the written direction request of the CustomerClient, delete or return Personal Data personal data and copies thereof to the Customer Client on termination of the agreement unless required by Applicable Law law to store the Personal Datapersonal data; and 10.4.8 9.6 maintain complete and accurate records and information to demonstrate its compliance with this clause 109. 10.5 9.7 The Customer Client consents to EPX the Supplier appointing those parties listed in 10.7 or [THIRD-PARTY PROCESSOR] as otherwise notified to the Customer in writing from timea third-to- time as third party processors processor of Personal Data personal data under this agreementAgreement. EPX The Supplier confirms that it has entered or (as the case maybe may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business but which incorporate terms which are substantially similar to those set out in this clause 109. As between the Customer and EPX, EPX The Supplier shall remain fully be liable for all acts or and omissions such sub-processor as if that of any third-party processor appointed by it pursuant to this clause 10. 10.6 Either party may, at any time on not less than 30 days’ notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming party the Supplier for the purposes of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 10.7 Third Party Processors include: ConnectWise, Continuum, Xero, Wyse-Sync, Prospect Global Ltd (trading as SoPro), Zoho Corporation.

DATA PROTECTION AND DATA PROCESSING. 10.1 12.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 Clause 12 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 10.2 12.2 The parties acknowledge that for the purposes of the Data Protections Protection Legislation, the Customer Company is the data controller of and the Personal Data in respect of which the Company is providing the services under the Main agreement as the data processor. For the avoidance of doubt, references to Personal Data below are in respect of that for which the Customer Provider is the data controllerprocessor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). 10.3 12.3 Without prejudice to the generality of the clause 10.112.1, the Customer Company will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal personal data (as defined in the Data (including any Special Categories of Personal DataProtection Legislation) to and processing by EPX the Provider for the duration and purposes of this agreementthe contract. 10.4 12.4 Without prejudice to the generality of clause 10.112.1, EPX the Provider shall, in relation to any Personal Data personal data processed in connection with the performance by EPX the Provider of its obligations under this agreementAgreement: 10.4.1 process 12.4.1 Process that Personal Data personal data only on in agreement with the written instructions of Company unless the Customer unless EPX Provider is required by the applicable laws of any member of the European Union or by the laws of the European Union applicable to the Company to otherwise process Personal Data (Applicable Laws). Where EPX is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, EPX shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit EPX from so notifying the Customerthat personal data; 10.4.2 ensure 12.4.2 Ensure that it has in place appropriate technical and organisational measures, reviewed measures (available on request for review and approved approval by the Customer, Company) to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Datapersonal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 10.4.3 ensure 12.4.3 Ensure that all personnel who have access to and/or process Personal Data personal data are obliged to keep the Personal Data personal data confidential; and; 10.4.4 12.4.4 Not transfer any Personal Data personal data outside of the European Economic Area only as required in connection with unless the Services under the Main Agreement, to which the Customer hereby gives its prior written consent and subject to the fulfilment of the following conditions: 10.4.4.1 the Customer or EPX Company has provided appropriate safeguards in relation to the transferbeen obtained; 10.4.4.2 12.4.5 Assist the data subject has enforceable rights and effective legal remedies; 10.4.4.3 EPX complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 10.4.4.4 EPX complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 10.4.5 assist the CustomerCompany, at the CustomerCompany's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 10.4.6 notify 12.4.6 Notify the Customer Company without undue delay on receiving a subject access request in relation to the Personal Data or on becoming aware of a Personal Data personal data breach; 10.4.7 at 12.4.7 At the written direction of the CustomerCompany, delete or return Personal Data personal data and copies thereof to the Customer Company on termination of the agreement unless required by Applicable Law applicable law to store the Personal Datapersonal data; and 10.4.8 maintain 12.4.8 Maintain complete and accurate records and information to demonstrate its compliance with this clause 1012. 10.5 The Customer consents to EPX appointing those parties listed in 10.7 or as otherwise notified to the Customer in writing from time-to- time as third party processors of Personal Data under this agreement. EPX confirms that it has entered or (as the case maybe ) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business but which incorporate terms which are substantially similar to those set out in this clause 10. As between the Customer and EPX, EPX shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 10. 10.6 Either party may, at any time on not less than 30 days’ notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 10.7 Third Party Processors include: ConnectWise, Continuum, Xero, Wyse-Sync, Prospect Global Ltd (trading as SoPro), Zoho Corporation.