Global Reward Solutions MASTER SERVICES AGREEMENT
Exhibit 6.19
MASTER SERVICES AGREEMENT
This Agreement (“Agreement”) is made this Jul 6, 2022 (the “Effective Date”), by and between Robot Cache US, Inc., a PC video game distribution platform corporation, located at 0000 Xx Xxxxx Xxxxxxx Xxxxx Xxxxx 000, Xxx Xxxxx, Xx. 92122, USA (hereinafter called “Client”) and Carlton One Engagement Corporation, d.b.a. Global Reward Solutions ®, a British Columbia corporation, located at 00 Xxxxxxxx Xxx, 0xx Xxxxx, Xxxxxxx, Xxxxxxx X0X 0X0, Xxxxxx (hereinafter called “GRS”):
(each of “Client” and “GRS” is a Party, together the “Parties”)
WITNESSETH:
WHEREAS GRS provides global reward management services through the GRS Web Services including access to Client’s GRS Dashboard where Client can self-manage their global rewards. GRS shall also provide order fulfillment services along with Tier 2 customer service support to Client;
AND WHEREAS Client desires to employ GRS services in connection with Client’s Incentive Programs in the U.S. and other international locations as required;
AND WHEREAS Client further agrees to be bound by the terms of the Mutual Confidentiality Agreement (“MCA”) previously signed by it, a copy of which is attached as Schedule #4 to this Agreement.
NOW, THEREFORE GRS and Client hereby mutually agree as follows:
The following Schedules form part of this Agreement and by signing below, Client/GRS acknowledges that it has read, agrees and will comply with all the terms contained therein with Schedules 1 through 4 available below:
● Schedule #1 – Customer Service Level Agreement (SLA) External Partners
● Schedule #2 – Definitions
● Schedule #3 – Security Requirements of Client and GRS
● Schedule #4 – Mutual Confidentiality Agreement
● Schedule #5 – Data Processing Agreement (DPA)
1. Term and Renewal. This Agreement shall be for a term of two (2) years commencing on February 1, 2023, and shall renew automatically on each anniversary date for successive one year renewal terms unless either Party delivers a written notice of intent not to renew to the other Party no later than ninety (90) days prior to the next anniversary date. In the event of the expiration of this Agreement pursuant to this Paragraph 1, GRS shall fulfill in the manner specified in this Agreement all redemption requests it receives prior to such expiration and Client shall pay GRS for such fulfillment in the manner further specified in this Agreement.
2. Termination. In the event of a material breach of this Agreement by one Party, which breach remains uncured for thirty (30) days after delivery of notice of breach to the breaching Party, the non-breaching Party shall be entitled to terminate the Agreement immediately upon the expiration of the thirty (30) day cure period by sending written notice thereof. Either Party may also terminate this Agreement by written notice to the other Party in the event that (a) the other Party petitions for or is granted relief under the Bankruptcy Code, or any comparable law of any jurisdiction, or if involuntary bankruptcy proceedings are instituted by the other Party under any federal law or under the insolvency laws of any applicable jurisdiction and such petition is not dismissed within sixty (60) days or (b) the other Party makes an assignment for the benefit of its creditors, or (c) for convenience by either Party subject to a 90 day written notice period. Client agrees to maintain a positive Float Balance throughout the 90-day Notice Period and GRS will refund any remaining float to Client within 10 days following the last day of the Notice Period, at which time all order processing will be stopped by GRS.
3. Support Services. GRS and Client shall make the shipment information regarding a Participant order available through the GRS Client Portal site, inclusive of all GRS Reports. GRS Customer Service hours are detailed in Schedule #1 attached to this Agreement and entitled: GRS SLA’s. Client will provide all Tier 1 customer service support and GRS will support Client’s customer service on a Tier 2 level only through the GRS Ticketing system. Tier 1 customer service means all member-facing communications whereby Client will manage any order related enquiries through the GRS Ticketing system which tracks and reports all Tier 1 escalations. The back-end order escalation process using the GRS Ticketing system is deemed to be Tier 2.
4. Awards Data. GRS and Client will make available the Catalog data through the GRS Web Services and Client will be required, at its own expense, to integrate the GRS Web Services and to use them in accordance with technical guidelines provided in the GRS Whitepaper.
It is assumed that some merchandise in the Awards Catalog may be discontinued by the manufacturer and shall no longer be available to GRS or Client. If a Participant orders a discontinued product that is no longer in stock, GRS will automatically notify Client that the redemption request has been discontinued and that the order has been cancelled. GRS and Client agree to use their best efforts via automated daily updates to remove discontinued product from the Awards Catalog(s) in a prompt and timely fashion.
5. Redemption of Merchandise. GRS award catalogues are made available for Participant point redemption. Any other payment method must be approved by each party prior to it being made available to the targeted customers.
6. Shipment of Merchandise. All orders for in-stock items shall be processed for redemption and are typically drop shipped within five (5) business days of receipt of an order. All merchandise shall be shipped via a recognized carrier used by the participating GRS approved supplier.
a. Merchandise damaged in shipment will be replaced by GRS, at its sole expense, if reported by a Participant in writing within ten (10) days after the Participant receives the shipment. Merchandise shall be replaced once the damaged merchandise has been received from the Participant. Both Parties agree that damaged merchandise is not returnable if written notification is received by GRS after the ten (10) day reporting requirement.
b. Receipt of defective merchandise must be reported within ten (10) days of receipt of same by GRS. GRS will arrange for replacement of defective merchandise if reported within ten (10) days of receipt of same. For some products, the manufacturer does not allow returns but provides exceptional warranty service. Therefore, GRS or Client shall receive instruction on how to obtain warranty service as opposed to a complete award replacement, if such warranty service applies.
c. GRS will not offer substitutes nor suggest same as this is the responsibility of Client’s customer care center.
d. GRS shall respond to the Client’s customer care tickets with respect to their Participants’ orders only and within one (1) business day of receipt of such inquiry.
7. Advertising Merchandise. Client, at its sole expense, shall be responsible for the actual cost of advertising the merchandise offers to its Participants.
8. Data Access Services. GRS shall use its best efforts to make such services operational 24 hours per day, 7 days per week with guaranteed network availability of 99.5% uptime, excluding System Update times.
GRS schedules System Update activities on an as-required basis and shall notify Client promptly.
9. Payments.
a. GRS and Client agree to the following terms and processes for payments of all GRS orders: GRS shall provide Client with real-time order and float tracking through its GRS portal access (Float Account). Client shall either wire transfer as required or sign up for the Pre-Authorized Debit (PAD) Plan, which authorizes GRS and its financial institution to draw funds from Client’s bank account to fund the Float Account. The initial Float Account deposit amount will be established prior to a program launch. A Threshold Amount will be established prior to a program launch. Upon the Float Account reaching the Threshold Amount, Client shall either wire transfer or GRS shall debit the Client’s bank account a Replenishment Amount to top up the account, which will be established prior to a program launch. The Client can choose to modify the Threshold Amount and the Replenishment Amount by sending a written request to xx@xxxxxxxxxx.xxx. GRS reserves the right to stop processing Client’s orders when there are not enough funds available in the Float Account. The Float Account is debited upon GRS accepting an order. Credits are issued upon approval by GRS Customer Service Team. An invoice is issued monthly and summarizes redemptions for the month. Invoices are issued for Client’s records only and no payment is required.
b. The delivered price invoiced to the Client includes the item cost, all shipping and handling charges as well as all applicable taxes, which are separately broken out for all orders within the GRS tracking reports. The delivered price pertains to shipments within the specific country in which the member placed the order.
c. GRS Currency Converter: GRS can work internationally in any currency. All product values can be automatically converted to the specified currency and all purchases, regardless of country and currency, will be converted to the core currency equivalent. In order for this to function seamlessly, GRS updates all global currencies automatically on a daily basis. For greater clarity, if a US based company sets the GRS currency to USD and activates catalogues in the UK and Spain, all international orders will be converted from Euros and Pounds Sterling to their US equivalent and only USD will be reported by GRS.
d. GRS Fee Structure
GRS Fee Schedule
Item | Amount | Frequency
One-Time Set Up Fee | $15,000.00 USD | One Time
Minimum Annual Order | $0 USD | Annual Target Only
Volume Target | Pre-Tax Order Volume | 
Annual Renewal & Licensing Fee | $5,000.00 USD | Annual – Term Date
*Note: Unless otherwise indicated, all currency is shown in USD
Float Management and Monthly Fees: Our monthly fee as set out in this Agreement revolves around the amount of pre-tax sales that is processed monthly and these amounts are managed through the GRS Float Management System.
Once Client has activated the GRS Web Service integration, Client shall set up a Float Account prior to its orders being processed by GRS. GRS will debit Client’s Float Account $5,000 USD on the first day of each month only in the event that the Float Account drops below $1,000 USD. For the purposes of clarification, GRS will not debit Client’s account unless the Client’s Float Account drops below $1,000 USD.
Based on Client’s month end pre-tax sales, GRS will then apply a credit to Client’s GRS Float Account equal to 10% of Client’s pre-tax purchase volume at the end of each month, and then such process starts all over again the next month. For example, if Client attains sales of $50,000 USD, Client’s Float would be credited $5,000 USD by GRS. If Client attained sales of $25,000 USD, Client’s Float would be credited $2,500 USD. If in the next month Client attains sales of $75,000 USD, Client’s Float would be credited $7,500 USD. The GRS Float Management System works the same each month and will provide full credit to the Client up to $5,000 USD, so that as Client’s volume builds and is consistently over the $50,000 USD threshold, there would be absolutely no financial impact to Client’s Float Account.
Other Services: GRS shall develop specialized client offers for specific markets based on Client’s detailed requirements and as provided to GRS in writing by Client. GRS will charge a flat fee to source the offers and reserves the right to charge the Client for any IT related data integration requirements. Should Client require IT services to complete any integration or specialized requirements, GRS will charge against a pre-approved Statement of Work (SOW) the amount of $200.00/hour for these services.
10. Taxes.
a. Sales Taxes. GRS shall remit all sales tax collected from Client to the appropriate governmental authority. The Parties agree to cooperate with each other to minimize any applicable sales, use, or similar tax and, in connection therewith, the Parties shall provide each other with all required tax information including, without limitation, resale or exemption certificates, multi-state exemption certificates, information concerning the use of assets, materials and notices of assessments. If US Tax Exemption Certificates are not provided, GRS shall invoice the required State level tax to Client.
b. Income and Employment Taxes. To the extent that applicable laws or regulations, including the provisions of Subtitle C, Employment Taxes, of Title 26 of the United States Code, or any other comparable laws of any country, state or other governmental authority, as they may be amended from time to time, require (1) that any points awarded to, or merchandise or other awards redeemed by, a Participant in connection with this Agreement, or the value thereof, be reported to the Internal Revenue Service or any other governmental authority, or (2) that any taxes be paid or amounts withheld in connection with the award of points or the redemption of merchandise or other awards in connection with this Agreement, Client shall perform all such reporting and withholding and make all such payments in a timely manner.
1. Option to Perform. In the event of Client’s failure to do so within 30 days, GRS, at its option may, although need not, in whole or in part, make any such reports and/or withhold or pay any such amounts. At GRS’s request, Client shall provide GRS with all information necessary to make any such reports, and/or withhold or pay any such amounts and any related penalties and interest.
2. Indemnity. Notwithstanding Section 15 below, Client shall indemnify and hold GRS and its affiliates and all of the foregoing entities’ officers, directors, employees, agents and their successors and assigns harmless against (i) any and all liability, including without limitation penalties, interest, court costs and reasonable legal or attorneys’ fees, that may arise out of or relate to the failure of such reports to be filed, or the failure of such taxes to be withheld or paid, in a timely manner, and (ii) any and all costs incurred by GRS in connection with wholly or partially exercising the Option to Perform described above. Any claim for indemnity shall be asserted within five (5) years after the later of (i) the date when the underlying claim which gives rise to the claim for indemnity is asserted against, or (ii) the last date when GRS incurs any costs in connection with exercising its Option to Perform in whole or in part.
3. Compliance with Law Representations and Warranties. GRS and Client each represent, warrant, and covenant that each Party and its affiliates, officers, employees and agents shall do or cause to be done all things necessary to comply with all applicable laws and regulations in connection with its own business and its rendering of its services and obligations pursuant to this Agreement. Client represents and warrants to solely provide GRS services to their own End Customers and, further represents and warrants, that it will not sell GRS services to any other third party, who in turn, could possibly resell GRS services down to its own end customers. GRS represents and warrants to the best of its Knowledge (“Knowledge” being that of the CTO): (i) that the PLATFORM and CODES do not infringe the intellectual property rights of any third party; and (ii) the PLATFORM AND CODES are developed with the usual standard of care and are to the best of its Knowledge free of material bugs and defects which preclude or affect the suitability for the customary or contractual use to an extent that is more than immaterial; and to the best of its Knowledge contain no viruses, malware, easter eggs, offensive or illegal material, etc.
11. Participant Data. GRS and Client understand and agree that GRS and Client are the sole and exclusive owners of all data and information about Participants provided by each to the other in accordance with this Agreement (“Participant Data”). All Participant Data is subject to all applicable privacy laws and regulations (“Privacy Laws”) and all Parties hereto agree to abide by all such applicable Privacy Laws with respect to the handling of such Participant Data. All Participant Data supplied to GRS hereunder, in any form, and any and all copies thereof, are to be used by GRS solely in the performance of its rights and obligations under this Agreement. And likewise, all Participant Data supplied to Client hereunder, in any form, and any and all copies thereof, are to be used by Client solely in the performance of its rights and obligations under this Agreement. Each Party agrees that they shall not otherwise use, sell, license, lease, transfer, store in a retrieval system, duplicate or transmit, in any form or by any means, such Participant Data without the prior written consent of the other party.
12. Confidential Information.
a. Neither Party shall disclose any information concerning the business or properties of the other Party which it learns as a result of negotiating or implementing this Agreement, including, without limitation, the terms and conditions of this Agreement, trade secrets (including but not limited to each Party’s respective data), Participant Data, business and financial information, business methods, procedures, processes, software, know-how, intellectual property and any other information of every kind that relates to the business of either Party (the “Confidential Information”) except to the extent disclosure is required by applicable law, is necessary for the performance of the disclosing Party’s obligation under this Agreement, or is agreed to in writing by the other Party, provided that:
(a) (i) prior to disclosing any Confidential Information to any third party, other than to a Party’s affiliates and subcontractors, the Party making the disclosure shall give notice to the other Party of the nature of such disclosure and of the fact that such disclosure will be made; and (ii) prior to filing a copy of this Agreement with any governmental authority or agency, the filing Party will consult with the other Party with respect to such filing and shall redact such portions of this Agreement which the other Party requests be redacted, unless, in the filing Party’s reasonable judgment based on the advice of its legal counsel (which advice shall have been discussed with legal counsel to the other Party), the filing Party concludes that such request is inconsistent with the filing Party’s obligations under applicable laws. Neither Party shall use the other Party’s name, trademarks, logos, designs, slogans or other marks for advertising or promotional purposes without such other Party’s written consent.
(b) The obligations of this Section shall not apply to any information:
(i) which is generally known to the trade or to the public at the time of such disclosure; or
(ii) which becomes generally known to the trade or the public subsequent to the time of such disclosure, provided, however, that such general knowledge is not the result of a disclosure in violation of a confidentiality obligation pursuant to this Section; or
(iii) which is obtained by a Party from a source other than the other Party, without breach of this Agreement or any other obligation of confidentiality or secrecy owed to such other party or any other person or organization; or
(iv) which is independently conceived and developed by the disclosing Party and proven by the disclosing Party through tangible evidence not to have been developed as a result of a disclosure of information to the disclosing Party, or any other person or entity which has entered into a confidential arrangement with the non-disclosing Party.
(c) If any disclosure is made pursuant to the provisions of this Section, to any parent company, subsidiary, affiliate or third party, the disclosing Party shall be responsible for ensuring that such parent, subsidiary, affiliate or third party keeps all such information in confidence and that any third party executes a confidentiality agreement with obligations of confidentiality at least as stringent as those contained herein. Each Party covenants that at all times it shall have in place procedures designed to assure that each of its employees is given access to the other party’s Confidential Information on a need-to-know basis and shall protect the privacy of such information as if it were its own. Each Party acknowledges that any breach of the confidentiality provisions of this Agreement by it shall result in irreparable damage to the other Party and that, therefore, in addition to any other remedy that may be afforded by law, any breach or threatened breach of the confidentiality provisions of this Agreement may be prohibited by restraining order, injunction or other such equitable remedies of any court. The provisions of this Section will survive termination or expiration of this Agreement. Any disclosure made pursuant to this Section shall be made in compliance with applicable law.
(d) Each Party shall, upon termination of this Agreement or at any earlier time upon the request of the other Party (“Requesting Party”), immediately return all Confidential Information received from or otherwise owned or controlled by the Requesting Party, and copies thereof, to the Requesting Party, and shall retain none for its files, unless otherwise agreed to in writing and signed by both Parties.
(e) GRS’s disclosure and Client’s disclosure to Participants of Participant Data and information with respect to the number of Points required to exchange for each item of Merchandise in the course of performing its obligations under this Agreement shall not violate this paragraph.
b. Client agrees not to make public or share either directly, indirectly or through any third party any aspect of this Agreement, GRS IP inclusive of all GRS technology, GRS rewards across all GRS SKU’s, Reward categories, brands including any GRS pricing including GRS terms and conditions other than to Client’s professional advisers on a need to know basis, which advisors shall enter into a confidentiality agreement with the Client and shall be subject to the same stringent standards of confidentiality as the Client is under this Agreement.
14. Trademarks and Intellectual Property. Each Party agrees that this Agreement does not grant or convey any right, title or interest, proprietary or otherwise, in or to any trade name, logo, design, slogan, copyrighted material, service mark, trademark or any other intellectual property owned or licensed by the other except for the right to use them specifically as set forth herein and that such use shall not create any rights of ownership by the using Party in such trade name, logo, design, slogan, copyrighted material, service mark, trademark or any other intellectual property owned or licensed by the other. Except as specifically permitted under this Agreement, each Party agrees that it shall not use any trade name, logo, design, slogan, copyrighted material, service mark, trademark or any other intellectual property owned or licensed by the other in any other manner whatsoever without such Party’s prior written consent.
15. Indemnification; Limitations of Liability.
Client agrees to solely provide GRS services to their End Customers. This Agreement does not enable Client to sell GRS services to any other third party, who in turn may resell GRS services a second time to their own end customers. This is a one-step distribution agreement; if Client breaches this aspect of this Agreement in any way, GRS reserves the right to terminate this Agreement immediately, at its sole discretion.
If it is determined that the unlawful access to the GRS and Client systems originated at the Client level, all IT and related support services required to isolate, resolve, repair and secure the Client’s data and Float Account transactions will be undertaken at Client’s expense. GRS shall undertake all required steps to help close off intruder access, work to cancel any fraudulent points issued or reward redemptions at the GRS supplier level and in general work to protect Client’s intellectual property. All costs related to resolving these issues shall be charged back to Client at GRS’ contracted IT rates. This policy is based on identifying the cause of the breach as being at the Client level. Such a breach could occur as a result of any number of scenarios, including the exposure of user credentials through malware or any other method that would enable intruder access.
Client additionally agrees to maintain a Cyber Insurance Policy which shall be in a sufficient amount to cover any Client liability or any breaches by the Client of this Agreement.
(a) Each Party will defend, indemnify and hold the other Party harmless from and against any and all third party claims, demands, actions, causes of action, judgments, recoveries, fines, penalties, interest, liabilities, fees, costs, expenses and other losses, including reasonable legal or attorneys’ fees and court costs (“Claims”) caused by or as a result of (i) a material breach of this Agreement, (ii) a violation of any laws or regulations, or (iii) any act or omission constituting gross negligence or wilful misconduct on the part of such Party, its employees or agents.
(b) GRS Indemnity. GRS shall fully indemnify, hold harmless and defend Client and its subsidiaries and affiliates and all of the foregoing entities’ officers, directors, employees, agents, and their successors and assigns, from and against any and all claims, actions, suits, legal proceedings, demands, liabilities, damages, losses, judgments, settlements reasonably approved by GRS, costs and expenses, including, without limitation, attorney’s fees, that are asserted against or incurred by Client arising out of or in connection with: (a) a breach of GRS’s representations and warranties contained in this Agreement. Any claim for indemnity shall be asserted within five (5) years after the later of (i) the date when the underlying claim which gives rise to the claim for indemnity is asserted against,
(c) ALL GOODS ARE SOLD AS IS. GRS MAKES NO REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO ITS SERVICES OR ANY GOODS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NO HIDDEN AND/OR UNKNOWN DEFECTS, NON-INFRINGEMENT OF ANY INTELLECTUAL PROPERTY, OR FITNESS FOR A PARTICULAR PURPOSE.
(d) Except as provided in Section 10(a) above, in no event shall either Party be liable to the other for any special, incidental, consequential, punitive or indirect damages whatsoever, including without limitation, loss of business profits, business interruption or loss of business information; provided, however, that this limitation shall not apply with respect to a Party’s intentional breach of this Agreement or to any liability under Section 10(b) above.
(e) In no event shall either Party be liable for damages to the other Party or any other person in excess of the lesser of $50,000 or the actual fees (excluding pass-through expenses) received by GRS from Client during the twelve (12) month period preceding the event that gave rise to the Claim (or if the Agreement has been in effect less than twelve months preceding the event that gave rise to the Claim, then the average monthly fee times the number of months that the Agreement has been in effect); provided, however, that this limitation shall not apply (i) with respect to a Party’s intentional breach of this agreement, (ii) to Client’s failure to pay for services or merchandise as provided in this Agreement, or (iii) to liability under Section 10(a) above.
(f) Except as otherwise provided in Section 10(a) above, any Claims arising under or related in any way to this Agreement against either Client or GRS shall be brought within two (2) years after the occurrence giving rise to the Claim or shall be barred forever.
(g) Liability for Third Party Redemption Cards. Any award redeemed or acquired by a Participant or plan sponsor constituting a gift card, merchant gift card, gas card, debit card, airline certificate, prepaid Visa card, prepaid MasterCard card or any other item constituting a promise by a third party to provide goods or services to the holder, or pay for goods and services provided to the holder, in connection with such item is referred to herein as a “Third Party Redemption Card.”
(h) GRS and Client shall be deemed to have fulfilled their obligation to provide a Participant or plan sponsor with a Third Party Redemption Card and GRS and Client shall have no further responsibility or liability to a Participant, plan sponsor or any other person or entity in regard to a Third Party Redemption Card if the Third Party Redemption Card which GRS or Client sent to the Participant or plan sponsor or directed a third party to send to a Participant or plan sponsor, could have been used to obtain goods or services at the time that GRS or Client sent payment for the card. For the purposes of this section, activation and any other preliminary step necessary to use the Third Party Redemption Card shall be deemed to have been performed at or before such time. The Participant or plan sponsor, as the case may be, shall bear the risk that any such Third Party Redemption Card may not subsequently be useable for any reason, including without limitation bankruptcy of the issuer of the Third Party Redemption Card. This Section shall not apply if GRS or Client had actual knowledge at the time that it sent the Third Party Redemption Card to a Participant or plan sponsor, or directed a third party to do so, that at that time the Third Party Redemption Card could not be used to acquire goods or services.
16. Independent Contractor; No Third Party Beneficiary. Each Party hereto is an independent contractor; neither Party is the agent of the other. The Parties have entered into this Agreement solely for their own respective benefit and neither the Participants nor any other person or entity is intended to have, or shall have, any right to enforce any of the terms or provisions of this Agreement or any claim against any of the Parties hereto under any of the terms or provisions of this Agreement.
17. Notices. All notices, requests, demands and other communications hereunder shall be in writing and delivered personally or by certified mail, with postage prepaid, to the Party intended at the following addresses, or at such other address as a Party may designate by written notice to the other Party:
If to GRS:
Global Reward Solutions
00 Xxxxxxxx Xxx
9th Floor
Markham, Ontario
L3R 0C9
Attention: Legal Dept
Email: xxxxx@xxxxxxxxxxx.xxx
If to Client:
Robot Cache US, Inc.
0000 Xx Xxxxx Xxxxxxx Xx., Xxxxx 000
Xxx Xxxxx, Xx. 92122
With a copy to:
Attn: Xxxxxxxx Xxxxx, General Counsel
A notice delivered personally is effective, pursuant to the terms of this Agreement, on the date of delivery. A notice delivered by certified mail, with postage prepaid, shall be deemed to have been delivered five (5) business days after mailing and shall be effective, pursuant to the terms of this Agreement, on such fifth (5th) business day.
18. Binding Effect; Assignment. Neither Party may assign this Agreement or any of its respective rights or obligations hereunder except with the prior written consent of the other Party hereto, which shall not be unreasonably withheld. No such assignment shall be effective to transfer any rights without the consent of such other Party. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and assigns. Notwithstanding the foregoing, either Party may assign its rights under this Agreement to a party purchasing the portion of such Party’s business to which this Agreement relates, whether by merger, sale of all or substantially all of the assets of such Party, stock sale or otherwise, without such consent, but with 30 business days prior written notice.
19. Entire Agreement. This Agreement together with Schedules 1 to 5 sets forth all the promises, agreements, terms, conditions, and understandings between the Parties hereof, and there are no promises, agreements, or undertakings, either oral or written, express or implied, between them other than as set forth herein.
20. Amendment of Agreement. No alteration, amendment, change, or addition to this Agreement or waiver of any provision of this Agreement shall be binding upon the Parties hereto unless reduced to writing and duly authorized and signed by authorized representatives of each of them.
21. | Choice of Law. This Agreement shall be interpreted, construed and enforced, and governed by the laws of the Province of Ontario and the laws of Canada applicable therein and the Parties attorn to the exclusive jurisdiction of the courts thereof. |
22. | Legal Fees. In the event any legal action is taken by either Party against the other Party to enforce any of the terms and conditions of this Agreement, it is agreed that the unsuccessful Party to such action shall pay to the prevailing Party therein all court costs, reasonable attorneys’ fees and expenses incurred by the prevailing Party. |
23. | Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but which together constitute one and the same instrument. |
24. | No Waiver. Any failure at any time of either Party to enforce any provision of this Agreement shall neither constitute a waiver of such provision nor prejudice the right of either Party to enforce such provision at any subsequent time. |
25. | Survivability. Any rights or remedies either Party may have with respect to the other Party arising out of such other Party’s performance or non-performance of its obligations in respect of this Agreement shall survive the expiration or termination of this Agreement, including Sections 1, 2, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 24, 25 and 27. |
26. | Headings. The headings used in this Agreement are inserted only as a matter of convenience and for reference and in no way define, limit or describe the scope of this Agreement nor the intent of any provision thereof. |
27. | Sever Unenforceable Terms. Each of the terms and provisions of this Agreement is severable in whole or in part and, if any term or provision or the application thereof in any circumstances should be invalid, illegal, or unenforceable, the remaining terms and provisions or the application thereof to circumstances other than those as to which it is held invalid, illegal, or unenforceable shall not be affected thereby and shall remain in full force and effect. |
28. | Force Majeure. Neither Party shall be considered in default in the performance of its obligations hereunder (other than its obligation to pay any sum), or be liable in damages or otherwise for any failure or delay in performance, which is due to any of the following: strikes, lockouts, concerted acts of workmen or other industrial disturbances, fires, explosions, floods or other natural catastrophes, civil disturbance, riots or armed conflict whether declared or undeclared, curtailment, shortage, rationing or allocation of normal sources of supply of labor, materials, transportation, energy or utilities, accidents, acts of God, delays of subcontractors or vendors, sufferance of or voluntary compliance with acts of government and government regulations (whether valid or invalid), embargoes, or any other similar or dissimilar cause which is beyond the reasonable control of the party affected and which makes performance commercially impracticable. The Party unable to perform as a result of force majeure shall promptly notify the other of when such period begins and ends. If any period of force majeure continues for 30 days or more, the Party receiving the notice of force majeure may terminate this Agreement by giving the other Party ten days’ prior written notice, mailed or delivered after such period. Neither Party shall be required to make any concession or grant any demand or request to bring to an end any strike or other concerted act of workmen. Force majeure shall not include financial difficulty. |
[signature page to follow]
IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the day and year first above written.
Robot Cache US, Inc.
By:
Name: Xxx Xxxxxxxx
Title: CEO
Date: 3/14/2023

Carlton One Engagement Corporation d.b.a. Global Reward Solutions ®
By:
Name: Xxxxxx Xxxxx
Title: CEO & Founder
Date: 3/15/2023
Schedule #1- Customer Service Level Agreement (SLA) External Partners
Service Level Agreement (SLA)
External Clients
Version 3.0
1 | General Overview |
This document describes the Service Level Agreement (“SLA”) between the GRS Customer Service and GRS Technical Support teams and the Client. It covers the following areas:
a) | The GRS Customer Service and GRS Technical Support provided to the Client | |
b) | The general level of response and availability associated with these services | |
c) | The delivery timeframes associated with merchandise rewards | |
d) | The responsibilities of GRS as a Customer Service and Technical Support provider and of the Client in receiving services and providing feedback. |
2 | Service Description |
2.1 | GRS Customer Service |
a) | GRS Customer Service provides Tier 2 Support as related to inquiries associated with orders placed with GRS suppliers. GRS Customer Service Tier 2 Support handles questions and issues related to orders which the Client cannot answer using the supplied GRS System tools, which may entail contacting suppliers and other internal departments to reach resolution. | |
b) | Inquiries handled are related to order processing and fulfillment which cover the following: order status, delivery status, order cancellation requests, product issues, and product returns. | |
c) | GRS will provide the Client a GRS Customer Service Ticketing account for reporting and tracking of raised inquiries. | |
d) | GRS Customer Service is available 24/7, exclusive of Ontario, Canada statutory holidays. |
2.2 | GRS Technical Support |
a) | GRS Technical Support provides support to inquiries associated with the GRS System. When applicable, the GRS Technical Support team will engage internal departments to reach resolution. | |
b) | GRS will provide the Client a GRS Technical Support Ticketing account for reporting and tracking of technical issues, data inquiries, GRS System usage, bugs, unscheduled down time, or other general inquires or tasks not related to orders. | |
c) | GRS Technical Support standard availability for High, Medium and Low severity events is 8:30 a.m. – 9:00 p.m. EST Monday to Friday, exclusive of Ontario, Canada statutory holidays. |
d) | Availability for Urgent / Emergency severity events, both within and outside the standard hours, is 7:00 a.m. – 11:00 p.m. EST, 365 days per year. |
3 | Roles and Responsibilities |
3.1 | GRS Responsibilities |
GRS responsibilities in support of this SLA include:
a) | Endeavour to meet key performance indicators as outlined herein. | |
b) | Meet technical service levels, including the availability of the GRS System, as outlined herein. | |
c) | All reasonable assistance to the Client in event of downtime. | |
d) | Implement and improve processes as necessary to deliver defined service levels. | |
e) | Generate and provide reports on service level performance on a quarterly basis. | |
f) | Provide GRS System Operation Availability and Response Time reports to the Client on the 3rd business day of each month. | |
g) | Appropriate notification to Client, at least monthly, of any GRS offering changes, updates or additions. |
3.2 | Client Responsibilities |
Client responsibilities in support of this SLA include:
a) | Communicate updates in operational country details including participant count by country and spend by country. Quarterly updates to be provided as a minimum and should include current and near-term requirements. | |
b) | Provide timely feedback to all GRS Customer Service and GRS Technical Support questions related to submitted inquiries and order related communications. | |
c) | Utilization of the provided online ticketing tools to submit and follow-up on all reported inquiries, requests and issues. |
4 | Contact Methods |
4.1 | GRS Customer Service Ticketing System |
a) | GRS Customer Service inquiries are to be submitted by the Client using their GRS Customer Service Ticketing System login via xxxxx://xxxxxxx.xxxxxxx.xx or through a dedicated email address linked to their login. | |
b) | GRS Customer Service support is available in English, French and Spanish. |
4.2 | GRS Technical Support |
a) | GRS Technical Support inquiries are to be submitted by the Client using their GRS Technical Support ticketing system login via xxxxx://xxxxxxx.xxxxxxx.xx. | |
b) | For Urgent / Emergency events, Client is to submit details by email via xxxxxx@xxxxxxx.xx |
5 | Key Performance Indicators – GRS System |
5.1 | GRS System Availability |
a) | 99.5% Uptime in a calendar month as monitored via an automated system | |
b) | Uptime is measured in hours. The denominator is the total number of hours in the calendar month less Scheduled Downtime; the numerator is that figure less any Unscheduled Downtime. The resulting value is presented as a percentage, indicating the amount of time the GRS System was available during the calendar month. | |
c) | Example: for a 30-day month with 6 hours of Scheduled Downtime and 2 hours of Unscheduled Downtime, the calculation is: |
Available hours = 30 days x 24 hours/day = 720 hours
Available hours Excluding Scheduled Downtime= 720 – 6 = 714 hours
Uptime % = (714 – 2 Unscheduled Downtime) / 714 * 100 = 99.72%
5.2 | GRS System Response Time |
a) | 2 seconds (or less) average response time in a calendar month | |
b) | Response time is measured by Google Analytics, using a 5% sample of requests to determine an average response time on the GRS System. |
5.3 | GRS System Incident Management |
GRS System issues will be assigned a specific severity level based on the impact to Participants and the Program. The severity levels are as follows:
a) | Emergency |
○ | Used for GRS System outages, defined as the inability for all Participants of one or more Programs to be able to access the GRS System |
b) | High |
○ | When all Participants from one or more Programs are prevented from completing core functions (for example, check-out) with the GRS System |
c) | Medium |
○ | All Participants from one or more Programs are experiencing a defect not defined as core functionality (for example, image display), or | |
○ | One or more, but not all, Participants are prevented from completing core functions in the GRS System |
d) | Low |
○ | A low level of impact on business operations and/or Participant experience, typically affecting a single Participant. |
6 | Key Performance Indicators – GRS Customer Service & Technical Support |
6.1 | GRS Customer Service Tier 2 Support – Inquiry Cycle Time |
75% of inquiries closed in 1 business day
98% of inquiries closed in 2 business days
100% of inquiries closed in 5 business days
This KPI measures the % of inquiries in a calendar month where a resolution is given by GRS Customer Service Agents to the Client, counting from the next business day the inquiry is received from the Client to the day the inquiry is closed. The target is to have 100% of Tier 2 inquiries resolved within 5 business days or less.
6.2 | GRS Technical Support – Response Time |
Emergency – 95% within 1 hour
High – 95% within 1 hour
Medium – 95% within 4 hours
Low – 95% within 8 hours
This KPI measures the length of time for an initial response by GRS Technical Support upon the creation of a GRS Technical Support System ticket or the issuance of an Urgent / Emergency email by the Client. The measurements are based on the hours of availability stated in section 2.2 GRS Technical Support.
6.3 | KPIs Date Exceptions |
GRS holiday observances are based on Ontario, Canada and will be taken into consideration when calculating all GRS Key Performance Indicators:
January 1 – New Year’s Day
February – 2nd Monday (Family Day)
March / April – Easter: Good Friday
May – Last Monday before May 25 (Victoria Day)
July 1 – Canada Day
August – First Monday (Simcoe Day)
September – First Monday (Labour Day)
October – Second Monday (Thanksgiving)
December 24 – Christmas Eve
December 25 – Christmas Day
December 26 – Boxing Day
December 31 – New Year’s Eve
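The availability formula in 5.1 and the business-day counting that 6.1 relies on, together with the holiday list in 6.3, are easy to get wrong when a reporting month is checked by hand. The following is an added worked example (editor's code, not GRS tooling; the function names are the editor's own) that implements the 5.1 formula, builds the Ontario holiday calendar exactly as 6.3 lists it (including the Good Friday computation), and then derives KPI deadlines and elapsed business days under the Schedule #2 definition of Business Day. Two caveats for anyone running it against real dates: the schedule lists Family Day as the 2nd Monday of February, whereas Ontario observes it on the third Monday, and the schedule does not say whether a fixed-date holiday that falls on a weekend is observed on another day; the code follows the schedule as written on both points.

```python
"""Worked example: SLA arithmetic for Schedule #1 (sections 5.1, 6.1 and 6.3).

Added example, not GRS tooling. Function names are the editor's own.
"""
from __future__ import annotations

from datetime import date, timedelta

MONDAY, FRIDAY = 0, 4  # date.weekday(): Monday is 0, Sunday is 6


def _to_date(value: date | str) -> date:
    """Accept a date or an ISO-8601 string such as '2023-04-06'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def uptime_percent(hours_in_month: float, scheduled: float, unscheduled: float) -> float:
    """Section 5.1: Scheduled Downtime is excluded from the denominator."""
    available = hours_in_month - scheduled
    return round((available - unscheduled) / available * 100, 2)


def easter_sunday(year: int) -> date:
    """Gregorian Easter by the anonymous (Meeus/Jones/Butcher) algorithm."""
    a = year % 19
    b, c = divmod(year, 100)
    d, e = divmod(b, 4)
    f = (b + 8) // 25
    g = (b - f + 1) // 3
    h = (19 * a + b - d - g + 15) % 30
    i, k = divmod(c, 4)
    l = (32 + 2 * e + 2 * i - h - k) % 7
    m = (a + 11 * h + 22 * l) // 451
    month, day = divmod(h + l - 7 * m + 114, 31)
    return date(year, month, day + 1)


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """The n-th given weekday of a month, e.g. the first Monday of September."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def last_weekday_before(year: int, month: int, day: int, weekday: int) -> date:
    """The last given weekday strictly before a date (the Victoria Day rule)."""
    d = date(year, month, day) - timedelta(days=1)
    while d.weekday() != weekday:
        d -= timedelta(days=1)
    return d


def ontario_holidays(year: int) -> set[date]:
    """Section 6.3 as written: fixed dates are not shifted when they fall on a
    weekend, and Family Day is the 2nd Monday as the schedule states."""
    return {
        date(year, 1, 1),                          # New Year's Day
        nth_weekday(year, 2, MONDAY, 2),           # Family Day, per the schedule
        easter_sunday(year) - timedelta(days=2),   # Good Friday
        last_weekday_before(year, 5, 25, MONDAY),  # Victoria Day
        date(year, 7, 1),                          # Canada Day
        nth_weekday(year, 8, MONDAY, 1),           # Simcoe Day
        nth_weekday(year, 9, MONDAY, 1),           # Labour Day
        nth_weekday(year, 10, MONDAY, 2),          # Thanksgiving
        date(year, 12, 24), date(year, 12, 25),    # Christmas Eve, Christmas Day
        date(year, 12, 26), date(year, 12, 31),    # Boxing Day, New Year's Eve
    }


def is_business_day(value: date | str) -> bool:
    """Schedule #2: not a Saturday, Sunday or Ontario statutory holiday."""
    d = _to_date(value)
    return d.weekday() <= FRIDAY and d not in ontario_holidays(d.year)


def kpi_deadline(received: date | str, business_days: int) -> date:
    """Section 6.1 counting: day 1 is the next business day after receipt,
    so the deadline is the N-th business day after the receipt date."""
    d = _to_date(received)
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            remaining -= 1
    return d


def business_days_elapsed(received: date | str, closed: date | str) -> int:
    """Business days from the day after receipt through the closing day."""
    start, end = _to_date(received), _to_date(closed)
    return sum(1 for n in range(1, (end - start).days + 1)
               if is_business_day(start + timedelta(days=n)))


if __name__ == "__main__":
    # Constructed inputs: the schedule's own 5.1 figures, and a ticket raised
    # the day before Good Friday 2023 measured against the 2-business-day target.
    print("uptime:", uptime_percent(30 * 24, 6, 2))
    print("deadline:", kpi_deadline("2023-04-06", 2))
    print("elapsed:", business_days_elapsed("2023-04-06", "2023-04-11"))
```

A ticket received on Thursday 2023-04-06 gets a 2-business-day deadline of Tuesday 2023-04-11: Good Friday (April 7) and the weekend are skipped, and Easter Monday counts as a business day because it is not on the schedule's list. Reproducing the 5.1 example gives 99.72% for 720 hours with 6 scheduled and 2 unscheduled hours of downtime.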
7 | Key Performance Indicators – Merchandise |
7.1 | Order Fulfillment Cycle Time |
USA - 95% of orders dispatched in 7 business days
Canada - 95% of orders dispatched in 12 business days
International - 95% of orders dispatched in 15 business days
This KPI measures the percentage of orders in a calendar month that are processed within the maximum number of business days stated above, counting from the next business day after the order is received by the supplier to the day the order is shipped. Since it is the responsibility of GRS to keep the reward offering up to date, orders that cannot be fulfilled due to product unavailability or are delayed due to supplier backorder will be taken into consideration.
7.2 | % of order errors / damaged < 1.5% |
This KPI measures the % of orders in a calendar month that are received and the product is either the incorrect product or is received damaged or in a non-working order.
7.3 | Special Orders, Oversized Products and Remote Locations |
Special order requests (e.g. bulk orders for special promotions, personal/concierge-like service for items outside of the core GRS offerings), oversized merchandise product orders, and orders to remote locations are subject to supplier terms and availability. Due to varying delivery options and timing, these orders will not be included within the 7.1 Order Fulfillment Cycle Time KPI measurement.
These orders are not returnable unless received damaged or in a non-working condition.
7.4 | Data Integrity, Incorrect Addresses and/or Incomplete Order Details |
Client is responsible for ensuring all Orders are provided to the GRS system complete with all required order fulfillment data, which may vary by country and/or reward offering (e.g. local address information, mobile phone number per supplier delivery requirements, personal identification per national legal requirements).
If Client-supplied order details are not accepted by the supplier, including incorrect or missing address details or mandatory data, the GRS Customer Service team will contact the Client for the incorrect/incomplete order details. If the requested order details are not returned by the Client by the end of the 3rd full business day, the order will be cancelled.
Orders cancelled or delayed due to insufficient or incorrect data will not be included in the 7.1 Order Fulfillment Cycle Time KPI measurement.
7.5 | Substitutions |
If an order becomes unavailable with the supplier, the order will be cancelled.
A substitution may be presented to the Client by GRS Customer Service if the order cancellation occurs 4 business days after being accepted by GRS. If the presented substitution is not confirmed by the Client by the end of the 3rd full business day, the order will be cancelled.
Orders cancelled or delayed through the substitution process will be included in the 7.1 Order Fulfillment Cycle Time KPI measurement.
8 | Key Performance Indicators – Non-Merchandise |
8.1 | Order Fulfillment Cycle Time |
USA - 95% of orders dispatched in 7 business days
Canada - 95% of orders dispatched in 7 business days
International - 95% of orders dispatched in 7 business days
This KPI measures the percentage of all non-merchandise reward orders in a calendar month that are processed within the maximum number of business days stated above, counting from the next business day after the order is received by the supplier to the day the order is shipped. Since it is the responsibility of GRS to keep the reward offering up to date, orders that cannot be fulfilled due to product unavailability or are delayed due to supplier backorder will be taken into consideration.
Non-merchandise orders measured within this KPI include, but are not limited to: retail gift cards, prepaid debit, digital codes, mobile top-up, experiences, and coupons.
Event Tickets are dispatched within 2-3 days of Event date and are not included in this KPI measurement.
Travel confirmation emails are sent directly by the provider upon successful completion of the booking. Travel related orders are not included in this KPI measurement.
8.2 | % of order errors / damaged < 1.5% |
This KPI measures the % of orders in a calendar month that are received and the product is either the incorrect product or is received in non-working order (e.g. a different retail store gift card, incorrect funds on a prepaid debit card).
8.3 | Special Orders & Remote Locations |
Special order requests (e.g. bulk orders for special promotions, personal/concierge-like service for items outside of the core GRS offerings) and orders to remote locations are subject to supplier terms and availability. Due to varying delivery options and timing, these orders will not be included within the 8.1 Order Fulfillment Cycle Time KPI measurement.
These orders are not returnable.
8.4 | Data Integrity, Incorrect Addresses and/or Incomplete Order Details |
Client is responsible for ensuring all Orders are provided to the GRS system complete with all required order fulfillment data, which may vary by country and/or reward offering (e.g. local address information, mobile phone number per supplier delivery requirements, personal identification per national legal requirements).
If Client-supplied order details are not accepted by the supplier, including incorrect or missing address details or mandatory data, the GRS Customer Service team will contact the Client for the incorrect/incomplete order details. If the requested order details are not returned by the Client by the end of the 3rd full business day, the order will be cancelled.
Orders cancelled or delayed due to insufficient or incorrect data will not be included in the 8.1 Order Fulfillment Cycle Time KPI measurement.
8.5 | Substitutions |
If an order becomes unavailable with the supplier, the order will be cancelled.
A substitution may be presented to the Client by GRS Customer Service if the order cancellation occurs after 4 business days. If the presented substitution is not confirmed by the Client by the end of the 3rd full business day, the order will be cancelled.
Orders cancelled or delayed through the substitution process will be included in the 8.1 Order Fulfillment Cycle Time KPI measurement.
9 | Return Policy – Merchandise & Non-Merchandise |
9.1 | Products received damaged or in a non-working condition |
The Client must notify GRS of any returns of damaged or non-working condition products within 10 business days from delivery date. GRS Customer Service will coordinate all aspects of the return, including collection of the product directly from the recipient. All GRS Customer Service inquiry tickets for this scenario should include pictures of both the product and the packaging. GRS Customer Service will process these requests as per the service level outlined in 6.1 GRS Customer Service Tier 2 Support – Inquiry Cycle Time.
Upon receipt and verification of the damaged or non-working product by supplier, the replacement order will be dispatched, subject to supplier availability of the original product. The applicable Merchandise or Non-Merchandise KPI will be applied for all replacement orders. When applicable, return freight for both the return to the supplier and/or for the replacement delivery, will be paid by GRS.
If the original product is no longer available, the order will be cancelled by GRS and the Client will be notified.
If a damaged or non-working claim is not accepted by the supplier (e.g. product is working correctly, product damaged after delivery), GRS Customer Service will work directly with the Client to determine next steps including, but not limited to, coordinating reshipment and assignment of responsibility for incurred costs.
9.2 | Incorrect product received |
The Client must notify GRS of a return of incorrect products received within 10 business days from delivery date. GRS Customer Service will coordinate all aspects of the return, including collection of the product directly from the recipient. All GRS Customer Service inquiry tickets for this scenario should include pictures of the product and packing slips. GRS Customer Service will process these requests as per the service level outlined in 6.1 GRS Customer Service Tier 2 Support – Inquiry Cycle Time.
Upon receipt and verification of the incorrect product by the supplier, the replacement order will be dispatched, subject to supplier availability of the original product. The applicable Merchandise or Non-Merchandise KPI will be applied for all replacement orders. When applicable, return freight for both the return to the supplier and/or for the replacement delivery will be paid by GRS.
If the original product is no longer available, the order will be cancelled by GRS and the Client will be notified.
If an incorrect product claim is not accepted by the supplier, GRS Customer Service will work directly with the Client to determine next steps including, but not limited to, coordinating reshipment and assignment of responsibility for incurred costs.
9.3 | Product not received |
The Client must notify GRS of a non-receipt of a product within 10 business days from notification of dispatch. GRS Customer Service will process these requests as per the service level outlined in 6.1 GRS Customer Service Tier 2 Support – Inquiry Cycle Time.
Upon completion of a non-receipt of product inquiry, if proof of delivery from the supplier can be obtained by GRS, the proof of delivery will be provided to the Client and the investigation will be closed. However, if proof of delivery from the supplier cannot be obtained by GRS, a replacement order will be processed as per the applicable Merchandise or Non-Merchandise KPI.
If the original product is no longer available, the order will be cancelled by GRS and the Client will be notified.
9.4 | Return Policy – Merchandise |
The Client must notify GRS of a merchandise return within 10 business days of the delivery date. GRS Customer Service will coordinate all aspects of the return, including collection of the product directly from the recipient. GRS Customer Service will process these requests as per the service level outlined in 6.1 GRS Customer Service Tier 2 Support – Inquiry Cycle Time.
Limited merchandise products may be returned. Products eligible for return must be unopened, be in new condition with all original packaging, and include all packing slips and accessories. The Client will be responsible for all costs associated with a merchandise return, including but not limited to: return freight, restocking fees, replacement reward freight, product cost difference. Restocking fees are determined by individual suppliers and vary in costs. Upon receipt and verification of the returned product by supplier, the order will be canceled.
If the supplier of the product will not accept a return, the Client is responsible for handling the merchandise return request.
If a return is not accepted by the supplier (e.g. missing materials, product has been used), GRS Customer Service will work directly with the Client to determine next steps including, but not limited to, coordinating reshipment and assignment of responsibility for incurred costs.
9.5 | Return Policy – Non-Merchandise |
The following non-merchandise orders are not eligible for return:
Retail gift cards
Prepaid debit
Digital codes (e.g. music downloads, magazines)
Event Tickets
Mobile Top-up
Experiences
Coupons
Returns associated with Travel bookings are dictated as per the terms and conditions presented at the time of purchase.
Schedule #2 – Definitions
Definitions
‘Business Day’ means a day other than a Saturday, Sunday or statutory holiday in Ontario, Canada;
‘Catalog’ means the online catalog of reward items that is available to the Client and Participants through the use of the GRS System;
‘Core Currency’ means the currency (for example, USD, GBP, EUR, AUD) of the Client Catalog, to which all redemptions, regardless of the local currency of the redemption, will be converted for the purposes of debiting the Float Account;
‘Downtime’ means the time during which the GRS System is not functioning due to hardware, operating system or application program failure excluding Scheduled Downtime. Downtime, if any, resulting from technology infrastructure not within the control of the GRS, including domain name service, will not count against the GRS System Availability calculation outlined at Schedule #1;
‘Electronic Rewards’ means any reward (for example gift card or voucher) that is delivered to the Participant by electronic (for example e-mail) means;
‘End Customer’ means any customer of the Client that is using GRS rewards for the sole purpose of rewarding their internal employees, sales staff, external channel sales partners and/or End Customers as part of a consumer loyalty program; all of these individuals are reward recipients managed by the Client;
‘Float Account’ means a bank account, managed and accessible by GRS, that holds Client funds for the purpose of the payment for redemptions by Participants;
‘GRS Client Portal’ means the GRS System website and access rights provided to Clients, partners, suppliers or GRS administration personnel to perform duties to fulfil Client and Participant activity;
‘GRS Client Reports’ means standard reports available through the GRS Client Portal (as of Agreement date, this includes the reports entitled ‘Partner Account Balance Reconciliation Report’, ‘Aged Orders Partner Report’, ‘Shipped SLA Partner Report’.)
‘GRS System’ means the global redemption system platform, made available by GRS to the Client and Participants, for the purposes of redeeming certain reward items in countries around the world;
‘GRS Ticketing System’ means the instance of Kayako that GRS has licensed for the use of GRS and its clients to communicate Tier 2 Customer Service member-facing escalations or inquiries;
‘GRS Web Services’ means the method by which the Client integrates its systems with the GRS System;
‘GRS Whitepaper’ means the detailed documentation provided by GRS to the Client to enable the integration of Client systems with the GRS System;
‘Participant’ means any person who can access the GRS System for the purposes of redeeming their Program points for merchandise, gift card, and other items that may be made available for redemption through the GRS System from time to time;
‘Program’ means a Client recognition, incentive, benefits and/or loyalty program;
‘Replenishment Amount’ means the value the Client will credit to the Float Account upon notification by GRS that the Threshold Amount has been reached;
‘Scheduled Downtime’ means maintenance work to be performed during off-peak hours and/or an agreed-upon time to minimize Participant impact. GRS will provide the Client with a minimum of one week notification via e-mail when maintenance is required on the GRS System;
‘Services’ means the GRS System, GRS Ticketing System, and all support services provided by GRS to the Client as outlined in this Agreement;
‘System Update’ means any release of new code to the GRS System platform(s) that impacts performance, features, enhancements, or quality;
‘Threshold Amount’ means the minimum value of the Float Account which, when reached, requires the Float Account to be replenished with the Replenishment Amount by the Client;
‘Ticket’ means a uniquely identifiable query record created by the GRS Ticketing System;
‘Tier 1 Customer Service’ means all Participant direct communications, managed by the Client, including order related enquiries, in which case the GRS Ticketing System will be used by the Client to raise and track enquiries with GRS;
‘Tier 2 Customer Service’ means support provided to the Client by GRS for Participant order related enquiries through the GRS Ticketing System;
‘Uptime’ means whether (or how often) the GRS System is working without failure and accessible for use by its intended users (for example, Participants);
Schedule #3 – Security Requirements of Client & GRS
Security Requirements of Client and GRS
Introduction
Global Reward Solutions’ systems are designed and built on the assumption that clients have their own complementary internal security controls in place. These complementary controls are necessary to achieve the overall security and privacy of the GRS systems and the data contained within them. Without them it is impossible to provide the minimum level of security that any user entrusting their data to the system and application would expect.
The first part of this schedule details the security and privacy commitments that GRS makes as the technology vendor. The second part details the complementary controls that the client must enact to ensure complete security and privacy operations for the benefit of the end-client and GRS.
These joint controls are necessary for proper security and privacy operations and cannot be carried out in isolation by either party.
Terminology
Term | Definition
Client | A contracted organization that will be using a Storefront program instance managed by a Storefront partner
Program | A Storefront instance created for one or more clients, typically accessible and integrated through a single URL
Program Administrator | The person / account responsible for managing the configuration of a Storefront program; the associated account will normally be configured as a Super Administrator
Super Administrator | An account configuration that provides unlimited privileges within a Storefront program
Credentials | A combination of a username and password that provides access to a system
Global Reward Solutions Security Commitments
The following details the various security commitments that Global Reward Solutions offers to its clients. In conjunction with the applicable client complementary controls, both entities will be able to enjoy an operating environment with minimal risk to the security and privacy of the data contained within it. Global Reward Solutions considers the security and privacy of all data contained within its systems to be of utmost importance to its ongoing ability to conduct business. As such, it takes an aggressive and comprehensive approach to data security and privacy.
Data Security
● | Global Reward Solutions will store client data only on production systems at approved data facilities | |
● | Global Reward Solutions will limit all access to private data on a need-to-have basis |
Systems Security
● | Global Reward Solutions will ensure that physical access to production systems is limited to a need-to-have basis | |
● | Global Reward Solutions will ensure that logical access to production systems is limited to a need-to-have basis | |
● | Global Reward Solutions will operate a firewall and intrusion prevention system around the production network | |
● | Global Reward Solutions will operate internal intrusion detection systems on all networks | |
● | Global Reward Solutions will perform regular network penetration tests on all systems | |
● | Global Reward Solutions will maintain a patch management program that patches systems on a priority basis |
Application Security
● Global Reward Solutions will implement and enforce an SDLC policy and associated procedures
● Global Reward Solutions will integrate security analysis as part of its SDLC
● Global Reward Solutions will conduct regular internal application vulnerability tests on its SaaS applications
● Global Reward Solutions will conduct annual 3rd-party application vulnerability tests on its SaaS applications
Staffing
● Global Reward Solutions will conduct background checks on all new staff
● Global Reward Solutions will train all staff on security and privacy concepts and practices according to their position and role
● Global Reward Solutions will implement and maintain rigorous onboarding, offboarding, and access change request procedures
Policies and Procedures
● Global Reward Solutions will maintain and enforce an Information Security Program complete with documented policies and procedures
● Global Reward Solutions will appoint a central point of contact and supporting committee for all security and privacy matters
Privacy
● Global Reward Solutions will maintain and enforce a privacy policy
● Global Reward Solutions will integrate privacy analysis as part of its SDLC
● Global Reward Solutions will abide by all privacy laws and regulations in the countries/regions it operates in
● Global Reward Solutions will make use of data received solely for the intended purposes as described
Backup & Disaster Recovery
● Global Reward Solutions will maintain backups of all systems at a frequency commensurate with the type of data stored
● Global Reward Solutions will maintain a remote Disaster Recovery location and replicate necessary backups on a daily basis
● Global Reward Solutions will test its backups and Disaster Recovery plans on a regular basis
Regulatory, Compliance, and Service Agreements
● Global Reward Solutions will adhere to all regulatory requirements within the countries/regions in which it conducts business
● Global Reward Solutions will conduct 3rd-party annual audits of its security program and remediate any found exceptions
Legal and Insurance
● Global Reward Solutions will maintain E&O and Cyber insurance valued at $5MM
● Global Reward Solutions will enforce an applicable set of security and privacy controls on all external parties from or to which data flows
Complementary Client Security Controls
Storefront was designed and built with the assumption that clients would have their own complementary internal security controls in place. These complementary internal security controls are necessary to achieve the overall security of the Storefront system and data. Without these controls it is impossible to provide a minimum level of security that would be expected by any user entrusting their data to the system and application.
The complementary client security controls presented below should not be regarded as a comprehensive list of all the controls that should be employed by a business partner. It should be regarded as a minimum level of compliance that will change as technology and threats evolve.
Provisioning Accounts
● Clients are responsible for provisioning unique user accounts for authorized users within a Storefront program
● Clients are responsible for requesting user accounts to Global Reward Solutions client and ticket management tools for their own authorized staff
Termination Procedures
● Clients are responsible for promptly informing Global Reward Solutions of any terminated client program
● Clients are responsible for changing user credentials that might have been known by any of their terminated staff (i.e. credentials to client programs)
● Clients are responsible for contacting Global Reward Solutions in a timely manner to ensure their terminated employees’ account access is removed from Global Reward Solutions client and ticket management tools
Program Configuration
● Clients are responsible for configuring programs with a strong password management configuration [1]
● Clients are responsible for restricting or disabling the ability to do point transfers within a program except where necessary
● Clients are responsible for communicating to Global Reward Solutions the features and modules that client(s) will use in a Storefront program
● Clients are responsible for restricting their staff’s access to client programs on a need-to-have basis
● Clients are responsible for contacting Global Reward Solutions if a program needs to be completely removed or reconfigured as a demo program
● Clients are responsible for ensuring that a privacy policy is written and posted for each program
Systems Integration Controls
● Clients are responsible for any liability incurred by any authenticated transaction made against the Storefront platform by their, or their client’s, integrated system
● Clients are responsible for ensuring that any system or application they, or their client, embed or integrate with the Storefront platform is secure. This includes but is not limited to the following measures:
○ Ensuring that the connecting system uses data encryption in transit (HTTPS, SFTP, etc.)
○ Ensuring that all users are properly authenticated on the integrated platform before proceeding to the Storefront platform (i.e. SSO integration)
○ Ensuring that the integrated platform has adequate logging of user activity for the purposes of post-incident forensic review
○ Ensuring that the application development uses a rigorous SDLC process, including testing for vulnerabilities
● Clients are responsible for keeping API keys secure at all times
● Clients are responsible for immediately informing Global Reward Solutions if a GRS API key is known or suspected to be compromised
General Controls
● Clients are responsible for immediately contacting Global Reward Solutions in the event that one or more of their systems or user accounts that interface with the Storefront platform have been compromised
● Clients are responsible for responding to known or suspected incidents reported by Global Reward Solutions staff in a timely manner
● Clients are responsible for ensuring that access to reports and other information generated from Global Reward Solutions is restricted on a need-to-have basis.
● Clients are responsible for maintaining appropriate General Information Security Controls; this includes but is not limited to:
○ Comprehensive security policies based on an industry standard security framework [2][3][4]
○ Annual security awareness training for all staff
○ Physically secure work spaces for all partner offices
■ Guarded/monitored/keyed entrances and exits
■ Locking drawers and cabinets for confidential documents
■ Secure server and network installations, resistant to tampering
○ Encryption of all data in transit in/out of partner systems
○ Installed and active end-point antivirus and malware protection on all user workstations and servers
○ Email phishing, spam, and malware scanning on mail gateways
○ Network perimeter firewalls
○ A functioning patch management process for all systems that interface with or store, transmit, or process data from Global Reward Solutions systems.
Privacy
● Clients are responsible for ensuring that they are legally permitted to transmit, process, and store any of the private data they use within the system.
● Clients are responsible for ensuring that they do not transmit, process, or store any private data of persons under the age of 16.
● Clients are responsible for adhering to all privacy requirements within any jurisdiction their clients operate in.
● Clients are responsible for promptly responding to client or client-user privacy requests.
Regulatory, Compliance, and Service Agreements
● Clients are responsible for ensuring that all physical and logical security controls are tested by a responsible 3rd party to ensure that the controls are configured appropriately and are effective
● Clients are responsible for adhering to all relevant regulatory compliance requirements while they are associated with Global Reward Solutions in a service agreement.
● Clients are responsible for reviewing and approving the terms and conditions stated in service agreements with Global Reward Solutions Inc.
Legal & Insurance
● Clients are responsible for maintaining their own E&O or Cyber Insurance policy, with a minimum of $5 million (USD) in coverage.
● Clients are responsible for ensuring that all client contracts impose similar but appropriate end user security controls as contained within this document.
Appendix
1. NIST Special Publication 800-63B - xxxxx://xxxxx.xxxx.xxx/000-00-0/xx000-00x.xxxx
2. NIST Security Framework - xxxxx://xxx.xxxx.xxx/xxxxxxxxxxxxxx/xxxxx-xxxxxxx-00
3. ISO/IEC 27001:2013 - xxxxx://xxx.xxx.xxx/xxxxxxxx/00000.xxxx
4. PCI DSS v3.2 - xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/xxxxxxxx_xxxxxxx
Schedule #4 – Mutual Confidentiality Agreement
CarltonOne Engagement
MUTUAL CONFIDENTIALITY AGREEMENT
DATED June 13, 2021 (“Effective Date”)
THIS CONFIDENTIALITY AGREEMENT is entered into between:
Carlton One Engagement Corporation, a corporation incorporated under the laws of British Columbia, Canada, having its office located at 00 Xxxxxxxx Xxx, 0xx Xxxxx, Xxxxxxx, Xxxxxxx X0X 0X0 Xxxxxx (“XXX”) and Robot Cache US, Inc., located at 0000 Xxxxxxx Xxxxxx Xxxx. Suite 300. San Diego, Ca. 92121 (“Company”).
(collectively the “Parties”)
WHEREAS the Parties are having discussions related to XXX’s business solutions including but not limited to Power2Motivate®, Global Reward Solutions®, GCodes®, Evergrow™ (“Discussions”), during which information that XXX and Company may consider confidential will be disclosed;
AND WHEREAS the party disclosing confidential information (each, a “Disclosing Party”) desires to ensure that the party receiving the confidential information (each, a “Receiving Party”) will not use such confidential information except for the purpose of the Discussions or disclose such confidential information to any third party except as provided herein;
NOW THEREFORE, in consideration of the premises and the covenants and agreements herein contained, the parties agree as follows:
1. “Confidential Information” means all information relating to the Disclosing Party and its affiliates and their respective business and affairs, including, without limitation, all research, commercial, scientific, financial, systems, software, hardware, sales, marketing, intellectual property, personnel, administrative, technological, products and customer information relating to the Disclosing Party, furnished by or on behalf of the Disclosing Party to the Receiving Party or any of its Representatives (as defined below) that is: (i) marked “confidential”, “proprietary” or with other words of similar nature, (ii) indicated to the Receiving Party or its Representatives as being confidential or proprietary at the time it is furnished by or on behalf of the Disclosing Party, or (iii) considered by the Disclosing Party as confidential or proprietary or that ought to be considered as confidential or proprietary from its nature or from the circumstances surrounding its disclosure, in each case, regardless of the manner in which it is furnished (whether oral or in writing or in any other form or media) or obtained by the Receiving Party or its Representatives through observation or examination of the Disclosing Party’s facilities or procedures.
2. “Confidential Information” does not include any information that: (i) is or becomes readily available to the public, other than by fault of the Receiving Party or breach of this Agreement; (ii) is lawfully obtained by the Receiving Party on a non-confidential basis from a third party not in breach of any obligation of confidentiality to the Disclosing Party, as supported by evidence sufficient to demonstrate same; (iii) is proven to be developed by the Receiving Party independent of and without reference to or reliance upon Confidential Information disclosed by the Disclosing Party, as supported by evidence sufficient to demonstrate such independent development and which may be proven by competent evidence; or (iv) is proven to be known by the Receiving Party from sources other than the provider on a non-confidential basis prior to disclosure hereunder, as supported by evidence sufficient to demonstrate receipt of such information from such source and as documented in the Receiving Party’s written records.
3. The Receiving Party will only use the Confidential Information for the sole purpose of the Discussions and agrees to hold Confidential Information in confidence and, except as expressly set out in this Agreement, will not disclose, or permit any of its Representatives (as defined below) to disclose, Confidential Information to any person without the prior written consent of the Disclosing Party. The Receiving Party will use the same degree of care to protect the confidentiality of the Confidential Information as the Receiving Party would use to protect its own confidential information, but in any event, no less than a reasonable degree of care. The Receiving Party will promptly advise the Disclosing Party in writing of any misappropriation or misuse by any person of the Confidential Information which may come to its attention.
4. The Receiving Party will be permitted to disclose Confidential Information to its own directors, trustees, officers, employees, consultants, agents and advisors (“Representatives”) who have a “need-to-know” the Confidential Information for the purpose of the Discussions; provided, that the Receiving Party informs the Representative of the restrictions and obligations of confidentiality set out herein and the Representative agrees to be bound by restrictions and obligations of confidentiality at least as stringent as those contained in this Agreement. The Receiving Party will be responsible for any breach of the terms of this Agreement by its Representatives.
5. Confidential Information may be disclosed to the extent requested pursuant to, or required by, applicable law or legal process, provided that the Receiving Party first provides the Disclosing Party with prompt notice of the request or requirement, unless notice is prohibited by law, in order to enable the Disclosing Party to seek a protective order or other remedy. If, failing the obtaining of a protective order or other remedy by the Disclosing Party, such disclosure is required, the Receiving Party will take all reasonable steps to limit the scope of such disclosure to only include that portion that is required to be disclosed, and reasonably cooperate with the Disclosing Party in its efforts to limit such disclosure and ensure that the disclosure will be afforded confidential treatment.
6. THE DISCLOSING PARTY MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, AS TO THE CONFIDENTIAL INFORMATION, INCLUDING WITHOUT LIMITATION, NO REPRESENTATION OR WARRANTY AS TO MERCHANTABILITY, MERCHANTABLE QUALITY, SUITABILITY, NON-INFRINGEMENT OF ANY PROPRIETARY RIGHTS OR FITNESS FOR A PARTICULAR PURPOSE OF THE CONFIDENTIAL INFORMATION.
7. Upon the termination of this Agreement or upon the request of the Disclosing Party, the Receiving Party will promptly return or destroy all Confidential Information and all copies thereof made by the Receiving Party or its Representatives, provided that the Receiving Party may retain one archival copy of the Confidential Information for the sole purpose of determining compliance with its obligations hereunder.
8. Nothing contained in this Agreement will obligate the parties to negotiate or enter into any business arrangement of any nature whatsoever. This Agreement will be effective as of the Effective Date and will terminate one (1) year from the Effective Date. The obligations of confidentiality set out herein will survive for five (5) years from the termination of this Agreement. The termination of this Agreement will not affect the rights and obligations arising under this Agreement prior to termination.
9. All right, title and interest in and to the Confidential Information of the Disclosing Party will remain the exclusive property of such Disclosing Party and such Confidential Information will be held in trust and confidence by the Receiving Party for such Disclosing Party. No interest, license or any right respecting such Confidential Information, other than expressly set out herein, is granted to the Receiving Party under this Agreement by implication or otherwise.
10. The parties agree that monetary damages would not alone be sufficient to remedy any breach by a party or its Representatives of any term or provision of this Agreement and that the non-breaching party will also be entitled to seek equitable relief, including injunction and specific performance, in the event of any breach hereof and in addition to any other remedy available pursuant to this Agreement or at law or in equity.
11. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and cancels and supersedes any prior understandings and agreements between the parties with respect thereto. If any provision of this Agreement is held to be invalid or unenforceable in whole or in part, such invalidity or unenforceability will attach only to such provision or part thereof and the remaining part of such provision and all other provisions hereof will continue in full force and effect. No party may assign this Agreement or any of its rights or obligations hereunder without the prior written consent of the other party. This Agreement will enure to the benefit of and be binding upon the parties and their respective executors, administrators, heirs, successors and permitted assigns.
12. This Agreement will be governed by the laws of the Province of Ontario and the laws of Canada applicable therein, and the parties attorn to the exclusive jurisdiction of the courts thereof.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first above written.
Carlton One Engagement Corporation
Signature
Xxxxxx Xxxxx, CEO
Print Name and Title
Robot Cache US, Inc.
Signature
XxxXxxxxxxx, CEO
Print Name and Title
Schedule #5
Data Processing Agreement (DPA)
2. Definitions
“Authorized Persons” means GRS’s employees, contractors, agents and subcontractors who have a need to know or otherwise access Client Personal Data to enable GRS to perform its obligations under the Agreement.
“Client Personal Data” means any Personal Data of Client’s clients and/or client employees Processed by GRS or any Sub processors on behalf of Client pursuant to or in connection with the Agreement.
“EEA” means the European Economic Area.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Data Protection Legislation” means all applicable privacy and data protection laws in force from time to time in the UK and the European Union, including the EU General Data Protection Regulation 2016/679 (as applicable in the EU and as the same forms part of the law of the United Kingdom) and the Data Protection Act 2018, in each case as amended, replaced or superseded from time to time.
“DPA” means this Data Processing Agreement.
“Security Breach” means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in relation to the Services and/or the Agreement.
“Security Measures” means the appropriate security measures to be taken by Data Processors in respect of Personal Data under Data Protection Legislation.
“Services” means the services and other activities to be supplied to or carried out by or on behalf of GRS for Client pursuant to the Agreement.
“Standard Contractual Clauses” means the contractual clauses set out in Annex 2.
“Sub processor” means any party (including any third party and any GRS Affiliate) appointed by or on behalf of GRS to Process Personal Data on behalf of any Client in connection with the Agreement.
“Supervisory Authority” means an applicable independent public authority responsible for monitoring the application of applicable Data Protection Legislation.
“GRS Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with GRS, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
The terms “Controller”, “Data Subject”, “Personal Data”, “Process” and “Supervisory Authority” shall have the meanings set forth in applicable Data Protection Legislation. Other defined terms have the definitions provided for them in the Agreement or as otherwise specified below.
3. Processing of Client Personal Data
In connection with provision of Services under the Agreement, GRS will have access to Client Personal Data. As such, GRS shall comply with the terms of the Agreement, this DPA and all applicable Data Protection Legislation, as well as all other applicable industry standards in its Processing of Client Personal Data. Further, GRS shall process Client Personal Data only: (i) so far as is necessary to provide the Services under the Agreement; and (ii) in accordance with Client’s documented instructions as set out in the Agreement and this DPA.
Annex 1 to this DPA sets out certain information regarding GRS’s Processing of the Client Personal Data as required by Article 28(3) of the GDPR (if applicable).
4. Authorized Persons
GRS shall restrict the disclosure of Client Personal Data to those Authorized Persons who are required to assist GRS in providing the Services under the Agreement and shall ensure that such Authorized Persons: (i) have undergone appropriate training regarding their responsibilities and obligations with respect to processing, protection and confidentiality of Personal Data; and (ii) are bound by contractual obligations which provide at least as stringent protections in relation to Client Personal Data to those set out in this DPA.
GRS shall be responsible for any unauthorized collection, receipt, transmission, access, storage, disposal, use and disclosure of Client Personal Data which it is entrusted to Process. In addition, GRS shall be responsible for the actions and omissions of all Authorized Persons concerning the treatment of Client Personal Data as if they were GRS’s own actions and omissions.
5. Data Protection Impact Assessment and Prior Consultation
GRS shall provide reasonable assistance to Client with any data protection impact assessments, and any consultations with Supervisory Authorities or other competent data privacy authorities, which Client reasonably considers to be required under applicable Data Protection Legislation, in each case solely in relation to Processing of Client Personal Data under the Agreement and limited to such assistance as is reasonably practicable for GRS to provide, taking into account the nature of the processing.
6. Rights of Data Subjects
GRS shall assist Client by implementing appropriate technical and organizational measures for the fulfilment of Client obligations relating to Client’s response to requests from Data Subjects to exercise their rights under applicable Data Protection Legislation. The parties acknowledge and agree that the measures specified in the Agreement constitute appropriate technical and organizational measures for the purposes of this clause. Further, GRS shall:
(i) promptly notify Client if GRS receives a request from a Data Subject under any applicable Data Protection Legislation in respect of Client Personal Data; and
(ii) ensure that it does not respond to that request except on the documented instructions of Client or as required by applicable law, in which case GRS shall, to the extent permitted by applicable law, inform Client of that legal requirement before GRS responds to the request.
7. Cross Border and Onward Data Transfers
GRS shall not transfer Client Personal Data outside the UK or EEA to a country not deemed to provide an adequate level of protection for Personal Data under applicable Data Protection Legislation unless Client and GRS have executed the Standard Contractual Clauses attached hereto as Annex 2, or unless another adequacy mechanism for the transfer applies, or, in the case of transfers to the United States only, GRS is certified to the US-EU and/or US-Swiss Privacy Shield Principles or any similar replacement program recognized by applicable Data Protection Legislation from time to time (“PSP”). In such case, GRS shall maintain its certifications for the duration of the Agreement and, upon request, will provide evidence of such on an annual basis. If GRS:
(a) is at any time not compliant with the PSP;
(b) amends its certification to no longer cover Client Personal Data transferred to it pursuant to the Agreement; or
(c) has its status changed to ‘not current’,
GRS shall notify Client as soon as reasonably practicable and enter into an alternative data transfer mechanism, such as the Standard Contractual Clauses, which provides an alternative means of complying with applicable Data Protection Legislation.
8. Sub processors
Client acknowledges and agrees that (i) GRS Affiliates may be used as Sub processors; and (ii) GRS and GRS Affiliates respectively may engage third party Sub processors in connection with the provision of Services.
GRS shall inform Client of any intended changes concerning the addition or replacement of other Sub processors, thereby giving Client the opportunity to object to such changes.
If, within thirty (30) days of being informed of such changes, Client notifies GRS in writing of any objections (on reasonable grounds) to the proposed change:
(a) GRS shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids any such change to its Sub processors; or
(b) where such a change is not possible on a reasonable basis, notwithstanding anything in the Agreement, Client may by written notice to GRS immediately terminate the Agreement to the extent that it relates to the Services which require the change in Sub processors.
With respect to each Sub processor, GRS shall:
(a) before the Sub processor first Processes Client Personal Data, carry out adequate due diligence to ensure that the Sub processor is capable of providing the level of protection for Client Personal Data required by applicable Data Protection Legislation and the Agreement;
(b) ensure that the arrangement between GRS and the Sub processor is governed by a written contract including terms which offer at least as stringent a level of protection for Client Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR;
(c) if the arrangement involves a transfer of Client Personal Data outside the UK or EEA to a country not deemed to provide an adequate level of protection for Personal Data under applicable Data Protection Legislation, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between GRS and the Sub processor, unless another adequacy mechanism for the transfer applies; and
(d) provide to Client for review copies of the Sub processor agreements (which will be redacted to remove confidential commercial information not relevant to the requirements of this DPA, including the name and business address of the Sub processor and payment information) as Client may request from time to time. Where any Sub processor fails to fulfil its obligations under applicable Data Protection Legislation, GRS shall remain fully liable to Client for the performance of that Sub processor’s obligations.
9. Technical and Organizational Safe Measures
GRS has implemented and will maintain appropriate technical and organizational Security Measures for the Processing of Personal Data that represent industry best practices, including the additional measures specified in this Section 8. These measures are intended to protect Client Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and all other unlawful forms of Processing. They include (a) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services; (b) the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and (c) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. The parties acknowledge and agree that the security measures specified in the Agreement and this DPA (and the Standard Contractual Clauses) constitute appropriate technical and organizational security measures to ensure a level of security appropriate to the risk.
Human Resource Security. Subject to applicable legal and regulatory restrictions, GRS shall carry out background screening on all Authorized Persons who will have access to Client Personal Data. All staff and contractors will be made aware of and be contractually bound to their information security responsibilities. Any breach of an internal security policy will lead to disciplinary action, up to and including dismissal. Security awareness and data protection training will take place on an ongoing basis, but no less than at least annually.
Asset Management. GRS will maintain an inventory of all assets. Removable media and disposal of media policies will be put in place and enforced.
Access Controls. To prevent unauthorized access to systems, applications and data, GRS shall apply the following, to the extent applicable: a secure logon procedure via quality passwords and/or two-factor authentication, documented authorization processes, user access reviews, and restricted access to source code and utility programs to authorized personnel. Client Personal Data is accessible and manageable only by properly authorized personnel. Direct database query access is restricted, and application access rights are established and enforced.
Encryption. GRS will use encryption as the risk dictates (using a commercially reasonable standard) to secure Client Personal Data, but at a minimum, will ensure that all Client Personal Data is encrypted at rest and in transit over any public network.
Physical and Environment Security. GRS employs adequate measures designed to prevent unauthorized persons from gaining access to data processing systems in which Client Personal Data is Processed, such as secure perimeter, visitor access procedures, the use of security personnel, secured buildings and data center premises. Data processing systems shall be housed in an environment which provides the appropriate level of environmental protection to reduce the risk of environmental threats and hazards including resilient power, cooling, and fire suppression, for example.
Operations Security. Documented processes will be put in place for change management and capacity management. At least industry best standard anti-malware and anti-virus software will be installed and updated regularly. Log-ins to Services environments by Authorized Persons and Sub processors are logged, and centralized logging and alerting is in effect with logging of access on several different levels.
Communications Security. Logical access to the data centers is restricted and protected by firewall/VLAN, and intrusion detection systems are used where appropriate. The network is segregated. Transmissions of Client Personal Data outside the hosted environment are encrypted. Client Personal Data from different GRS client environments, to the extent applicable, is logically segregated on GRS’s systems.
System Development. Information Security is an integral part of GRS’s systems development lifecycle, and as such secure development procedures will be utilized, and all test data will be protected.
10. | Audit |
GRS shall make available to Client on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, of GRS’s premises, data processing facilities, procedures or documentation, by Client or an auditor appointed by Client (provided that such auditor is not a competitor of GRS and is required to sign a confidentiality agreement with GRS) in relation to the Processing of the Client Personal Data by the GRS.
Client shall give GRS at least 30 days’ notice of any audit or inspection to be conducted under this section save in cases where a Supervisory Authority or applicable law requires an expedited audit or an audit without prior notification.
Client shall make (and ensure that each of its appointed auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any disruption to GRS’s premises, equipment, personnel and business while its personnel are on the premises in the course of such an audit or inspection. GRS agrees that it shall remediate any inadequacies resulting from such audit or inspection as requested by Client at GRS’s expense.
Information and audit rights of the Client only arise under the first paragraph in this Section 9 to the extent that the Agreement does not otherwise provide for information and audit rights meeting the relevant requirements of applicable Data Protection Legislation (including, where applicable, Article 28(3)(h) of the GDPR).
11. | Security Breach |
GRS shall promptly notify Client (and in any event within 48 hours) upon GRS becoming aware of any Security Breach. Such notification must be provided by email with a copy to GRS’s primary business contact within Client and shall include sufficient information to allow Client to meet any reporting obligations under applicable Data Protection Legislation. GRS shall not inform any third party of any Security Breach except as may be strictly required by applicable law, without first obtaining Client’s prior written consent.
To the extent the Security Breach originates with GRS, GRS shall take steps to immediately identify and remediate the Security Breach and prevent any further Security Breach at GRS’s sole expense. GRS agrees that Client shall have the sole right to determine: (i) whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Client’s discretion; and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation. GRS shall reimburse Client for costs it incurs in responding to, remediating, and/or mitigating damages caused by a Security Breach, including all costs of notice and/or remediation, or in following up a complaint by an individual Data Subject or a regulator.
GRS shall cooperate fully with Client in the investigation and response to any Security Breach, including providing the name and contact information for GRS’s primary security contact, who shall be available to assist Client in resolving obligations associated with a Security Breach. In addition, GRS agrees to: (i) provide Client with physical access to the facilities and operations affected; (ii) facilitate interviews with GRS’s employees and others involved in the matter; and (iii) make available and/or preserve all relevant records, logs, files, data reporting and other materials required to comply with applicable law or regulation, subject to confidentiality and legal obligations applicable to GRS.
12. | Return and Destruction of Client Personal Data |
At any time during the term of the Agreement, at Client’s request or immediately upon the termination or expiration of the Agreement for any reason, GRS shall, and shall instruct all Subprocessors to, in Client’s sole discretion, either promptly: (i) return to Client all records and data containing Client Personal Data in a format and on storage media that Client may reasonably specify, and all copies, whether in written, electronic or other form or media, of Client Personal Data, or (ii) securely dispose of all such copies of Client Personal Data provided that GRS provides Client with a certificate of secure destruction. In each case, GRS shall comply with all directions provided by Client with respect to the return or disposal of Client Personal Data.
GRS may retain Client Personal Data to the extent required by applicable Data Protection Legislation but only for such period as required by such laws provided that GRS shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose specified by the applicable Data Protection Legislation requiring its storage and for no other purpose.
13. | Legally Required Disclosures |
Except as otherwise required by applicable law, GRS will promptly notify Client of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives and which relates to the Processing of Client Personal Data which is being Processed by GRS as the Client’s Data Processor. At Client’s request, GRS will provide Client with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Client to respond to the Demand in a timely manner.
14. | Additional Terms |
Indemnification. GRS shall defend, indemnify, and hold harmless Client and Client’s subsidiaries, affiliates, and their respective directors, officers, employees, representatives, and agents (collectively “Indemnitees”) from and against any and all claims, actions, demands, and legal proceedings and all liabilities, damages, losses, judgments, authorized settlements, reasonable costs, fines, penalties and expenses, including, without limitation, reasonable attorneys’ fees and the cost of enforcing any right to indemnification hereunder, arising out of or in connection with a third party claim against any Indemnitee arising out of or resulting from GRS’s or any of its Subprocessors’ failure to comply with any of its obligations under this DPA.
Insurance. In addition to any insurance requirements specified in the Agreement, GRS will procure and maintain in force with a duly licensed insurance carrier for the duration of the Agreement, cyber-liability insurance or other coverage offering equivalent protections in amounts sufficient to cover GRS’s obligations under this DPA.
Order of Precedence. In the event of any conflict or inconsistency between the terms of the Agreement, and the terms of this DPA, the relevant terms of this DPA shall take precedence. In the event of any conflict or inconsistency between the terms of this DPA and the Standard Contractual Clauses, the relevant terms of the DPA shall take precedence.
Governing Law. Notwithstanding anything in the Agreement to the contrary, this DPA shall be governed by and construed in accordance with the laws of England.
Severability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the date first set out above.
ROBOT CACHE US, Inc.
Signature:
Name:
Title:
Date Signed:
Carlton One Engagement Corporation dba Global Reward Solutions
Signature:
Name: Xxxxxx Xxxxx
Title: CEO & Founder
Date Signed:
ANNEX 1: DETAILS OF PROCESSING OF CLIENT PERSONAL DATA
This Annex 1 includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Client Personal Data
The subject matter and duration of the Processing of the Client Personal Data are set out in the Agreement and the DPA.
The nature and purpose of the Processing of Client Personal Data
GRS will process Privacy Data as necessary to perform the Services pursuant to the Agreement including but not limited to:
● | Order and contract fulfilment; | |
● | Order processing and tracking; | |
● | Product and service support; | |
● | Payment processing; | |
● | Data management; | |
● | Statistical analysis; | |
● | As otherwise instructed, in writing, by Client |
The types of Client Personal Data to be Processed
● | Participant ID | |
● | First and last name | |
● | Contact information (email, telephone number, address, city, zip/postal code, state/province, country) | |
● | Language | |
● | IP addresses |
The categories of Data Subjects to whom the Client Personal Data relates
● | Business partners and customers of Client (who are natural persons) and Client’s clients | |
● | Employees, consultants, independent contractors and temporary workers or contact persons of Client’s clients, customers, and business partners |
The obligations and rights of Client and Client Affiliates
The obligations and rights of Client and Client Affiliates are set out in the Agreement and this DPA.
ANNEX 2: STANDARD CONTRACTUAL CLAUSES
Standard Contractual Clauses
For the purposes of the General Data Protection Regulation 2016/679 (as applicable in the UK and/or the EU as relevant) (the “GDPR”) as it applies to the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Robot Cache US, Inc.
0000 Xx Xxxxx Xxxxxxx Xxxxx, Xxxxx 000, Xxx Xxxxx, Xx. 92122
(the data exporter) and
Global Reward Solutions
00 Xxxxxxxx Xxx, 0xx Xxxxx, Xxxxxxx Xxxxxxx, Xxxxxx X0X 0X0
(the data importer) each a “party”;
together “the parties”,
HAVE AGREED on the following Standard Contractual Clauses (Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data as set forth on Appendix 1 hereto.
Background
The data exporter has entered into a DPA with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable Data Protection Legislation, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
Clause 1
Definitions
(a) | ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in the GDPR; [If these Clauses are governed by a law which extends the protection of data protection laws to corporate persons, the words “except that, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of ‘personal data’ is expanded to include those data” are added.] | |
(b) | ‘the data exporter’ means the controller who transfers the personal data; |
(c) | ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 45 of the GDPR; [If these Clauses are not governed by the law of a Member State, the words “and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 45 of the GDPR” are deleted.] |
(d) | ‘the sub processor’ means any processor engaged by the data importer or by any other sub processor of the data importer who agrees to receive from the data importer or from any other sub processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract; |
(e) | ‘the applicable Data Protection Legislation’ means the Data Protection Legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established; |
(f) | ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. |
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. | The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary. |
2. | The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. |
3. | The data subject can enforce against the sub processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub processor shall be limited to its own processing operations under the Clauses. |
4. | The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. |
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) | that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable Data Protection Legislation (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State; |
(b) | that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable Data Protection Legislation and the Clauses; |
(c) | that the data importer will provide reasonably sufficient and up to industry standards guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract; |
(d) | that after assessment of the requirements of the applicable Data Protection Legislation, the security measures are up to industry standards and reasonably appropriate and up to industry standards to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation; |
(e) | that it will ensure compliance with the security measures; |
(f) | that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of the GDPR; [If these Clauses are not governed by the law of a Member State, the words “within the meaning of the GDPR” are deleted.] |
(g) | to forward any notification received from the data importer or any sub processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension; |
(h) | to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; |
(i) | that, in the event of sub processing, the processing activity is carried out in accordance with Clause 11 by a sub processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and |
(j) | that it will ensure compliance with Clause 4(a) to (i). |
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) | to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; |
(b) | that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; |
(c) | that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred; |
(d) | that it will promptly notify the data exporter about: |
(i) | any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, |
(ii) | any accidental or unauthorized access, and |
(iii) | any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so; |
(e) | to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; |
(f) | at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority; |
(g) | to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter; |
(h) | that, in the event of sub processing, it has previously informed the data exporter and obtained its prior written consent; |
(i) | that the processing services by the sub processor will be carried out in accordance with Clause 11; |
(j) | to send promptly a copy of any sub processor agreement it concludes under the Clauses to the data exporter. |
Clause 6
Liability
1. | The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub processor is entitled to receive compensation from the data exporter for the damage suffered. |
2. | If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. |
3. | The data importer may not rely on a breach by a sub processor of its obligations in order to avoid its own liabilities. |
4. | If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub processor agrees that the data subject may issue a claim against the data sub processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub processor shall be limited to its own processing operations under the Clauses. |
Clause 7
Mediation and jurisdiction
1. | The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: |
(a) | to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; |
(b) | to refer the dispute to the courts in the Member State in which the data exporter is established. |
2. | The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law. |
Clause 8
Cooperation with supervisory authorities
1. | The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable Data Protection Legislation. |
2. | The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable Data Protection Legislation. |
3. | The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub processor preventing the conduct of an audit of the data importer, or any sub processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b). |
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
Clause 11
Subprocessing
1. | The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub processor which imposes the same obligations on the sub processor as are imposed on the data importer under the Clauses. Where the sub processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub processor’s obligations under such agreement. |
2. | The prior written contract between the data importer and the sub processor shall also provide for a third party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub processor shall be limited to its own processing operations under the Clauses. |
3. | The provisions relating to data protection aspects for sub processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established. |
4. | The data exporter shall keep a list of sub processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority. |
Clause 12
Obligation after the termination of personal data processing services
1. | The parties agree that on the termination of the provision of data processing services, the data importer and the sub processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore. |
2. | The data importer and the sub processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1. |
On behalf of the data exporter:
Name: Xxx Xxxxxxxx
Position: CEO
Company: Robot Cache US, Inc.
Address: 0000 Xx Xxxxx Xxxxxxx Xxxxx, Xxxxx 000, Xxx Xxxxx, Xx. 92122
Other information necessary in order for the contract to be binding (if any):
Signature
On behalf of the data importer:
Name: Xxxxxx Xxxxx
Position: CEO & Founder
Company: Global Reward Solutions
Address: 00 Xxxxxxxx Xxx, 0xx xxxxx, Xxxxxxx, XX X0X 0X0
Other information necessary in order for the contract to be binding (if any):
Signature
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the Parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter/Data controller
The data exporter is Robot Cache US, Inc.
Data importer/ Data processor
The data importer is Global Reward Solutions
Data subjects
The personal data transferred concern the following categories of data subjects:
● | Business partners and customers of Client and its clients (who are natural persons) | |
● | Employees, consultants, independent contractors and temporary workers or contact persons of Client’s customers, clients, and business partners |
Categories of data
The personal data transferred concern the following categories of data:
● | Participant ID | |
● | First and last name | |
● | Contact information (email, telephone number, address, city, zip/postal code, state/province, country) | |
● | Language | |
● | IP addresses |
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
● | None |
Processing operations
The personal data transferred will be subject to the following basic processing activities:
● | Order and contract fulfilment; | |
● | Order processing and tracking; | |
● | Product and service support; | |
● | Payment processing; | |
● | Data management; | |
● | Statistical analysis; | |
● | As otherwise instructed, in writing, by Client |
Robot Cache US, Inc.
Name: Xxx Xxxxxxxx
Position: CEO
Authorized Signature
Carlton One Engagement Corporation dba
Global Reward Solutions®
Name: Xxxxxx Xxxxx
Position: CEO & Founder
Authorized Signature
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Data importer agrees and warrants that it has implemented technical and organizational measures appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. The measures data importer has taken include, as appropriate and without limitation:
1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of personal data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the data exporter, its customers or employees; and any anticipated threats or hazards to the security or integrity of such information.
2. Adopting and implementing reasonable policies and standards related to security;
3. Assigning responsibility for information security management;
4. Devoting adequate personnel resources to information security;
5. Carrying out verification checks on permanent staff that will have access to personal data;
6. Conducting appropriate background checks and requiring employees, vendors and others with access to the personal data to enter into written confidentiality agreements;
7. Conducting training to make employees and others with access to personal data aware of information security risks and to enhance compliance with its policies and standards related to data protection;
8. Preventing unauthorized access to the personal data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with its policies and standards related to data protection on an ongoing basis. In particular, data importer has implemented and complies with, as appropriate and without limitation:
● Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance and exterior security);
● Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements, firewalls, etc.);
● Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization;
● Data transmission control measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, transport or storage on data media, and transfer and receipt records. In particular, data importer’s information security program shall be designed:
i. To encrypt in storage any data sets in data importer’s possession that include sensitive personal data.
ii. To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside data importer’s IT system or transmitted over a wireless network uses encryption to protect the security of the transmission.
● Data entry control measures to ensure that it is possible to check and establish whether and by whom personal data has been input into data processing systems, modified, or removed;
● Sub-data importer supervision measures to ensure that, in the case data importer is permitted to use subprocessors, the data is processed strictly in accordance with the Controller’s instructions including, as appropriate and without limitation;
● Measures to ensure that personal data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs;
● Measures to ensure that data collected for different purposes can be processed separately including, as appropriate and without limitation, physical or adequate logical separation of client data.
9. Taking such other steps as may be appropriate under the circumstances.
Robot Cache US, Inc.
Name: Xxx Xxxxxxxx
Position: CEO
Authorized Signature
Carlton One Engagement Corporation dba
Global Reward Solutions®
Name: Xxxxxx Xxxxx
Position: CEO & Founder
Authorized Signature