Our Customer Terms of Service is a contract between you (the Customer) and us (Ordee) describing the services we will provide to you, how we will work together, and other aspects of our business relationship. It consists of the following documents:

SaaS agreement: These contain the core legal and commercial terms that apply to your subscription. View

Data Processing Agreement: This explains how we process your data and includes the EU Standard Contractual Clauses. View

Privacy Policy: This policy describes how we collect, receive, use, store, share, transfer, and process your Personal Data in connection with your use of the Subscription Service. It also describes your choices regarding use, as well as your rights of access to and correction of your Personal Data. View

This Ordee Processing Agreement and its Annexes reflects the parties’ agreement with respect to the Processing of Personal Data by Ordee on behalf of Customer in connection with the Ordee Subscription Services under the Ordee Customer Terms of Service between Ordee and Customer (the “Agreement”).

This annexes is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this ANNEXES shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

We periodically update these terms. If you have an active Ordee subscription, we will let you know when we do via email (if you have subscribed to receive email notifications via the link in our Agreement) or via in-app notification.

1. Definitions

2. Customer Responsibilities

3. Ordee Obligations

4. Data Subject Requests

5. Sub-Processors

6. Data Transfers

7. Additional Provisions for European Data

8. Additional Provisions for California Personal Information

9. General Provisions

10. Parties to this ANNEXES

Annex 1 - Details of Processing

Annex 2 - Security Measures

Annex 3 - Standard Contractual Clauses

Annex 4 - List of Sub-Processors

1. Definitions

"Consumer", "Business", "Sell" and "Service Provider" shall have the meanings given to them in the CCPA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.

“Data Subject” means the individual to whom Personal Data relates.

"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

"Permitted Affiliates" means any of Customer's Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with Ordee and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by Ordee, and (iii) are subject to European Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Ordee and/or its Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Privacy Shield" means the EU-U.S. and Swiss-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July, 12 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July, 12 2016.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, in the form set out at Annex 3.

“Sub-Processor” means any Processor engaged by Ordee or its Affiliates to assist in fulfilling Ordee's obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or Ordee Affiliates but shall exclude any Ordee employee or consultant.

2. Customer Responsibilities

a. Compliance with Laws. Within the scope of the Agreement and in its use of the services, Customer shall be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Ordee.

In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it shall be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring it has the right to transfer, or provide access to, the Personal Data to Ordee for Processing in accordance with the terms of the Agreement (including this ANNEXES); (iv) ensuring that its Instructions to Ordee regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Customer shall inform Ordee without undue delay if it is not able to comply with its responsibilities under this sub-section (a) or applicable Data Protection Laws.

b. Controller Instructions. The parties agree that the Agreement (including this ANNEXES), together with Customer's use of the Subscription Service in accordance with the Agreement, constitute Customer’s complete and final Instructions to Ordee in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between Customer and Ordee.

3. Ordee Obligations

a. Compliance with Instructions. Ordee shall only Process Personal Data for the purposes described in this ANNEXES or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable law. Ordee is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to Ordee.

b. Conflict of Laws. If Ordee becomes aware that it cannot Process Personal Data in accordance with Customer's Instructions due to a legal requirement under any applicable law, Ordee will (i) promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions with which Ordee is able to comply. If this provision is invoked, Ordee will not be liable to Customer under the Agreement for any failure to perform the applicable Subscription Services until such time as Customer issues new lawful Instructions with regard to the Processing.

c. Security. Ordee shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this ANNEXES ("Security Measures"). Notwithstanding any provision to the contrary, Ordee may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

d. Confidentiality. Ordee shall ensure that any personnel whom Ordee authorizes to Process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

e. Personal Data Breaches. Ordee will notify Customer without undue delay after it becomes aware of any Personal Data Breach and shall provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, Ordee will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.

f. Deletion or Return of Personal Data. Ordee will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this ANNEXES, on termination or expiration of your Subscription Service in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent Ordee is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which data Ordee shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices. You may request the deletion of your Ordee account after expiration or termination of your subscription by sending a request to privacy@Ordee.ie.

4. Data Subject Requests

To the extent that Customer is unable to independently address a Data Subject Request through the Subscription Service, then upon Customer’s written request Ordee shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. Customer shall reimburse Ordee for the commercially reasonable costs arising from this assistance.

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Ordee, Ordee will promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

5. Sub-Processors

Customer agrees that Ordee may engage Sub-Processors to Process Personal Data on Customer's behalf. Ordee has currently appointed, as Sub-Processors, the Ordee Affiliates and third parties listed in Annex 4 to this ANNEXES. Ordee shall notify Customer if it adds or removes Sub-Processors to Annex 4 prior to any such changes.

Where Ordee engages Sub-Processors, Ordee will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this ANNEXES, to the extent applicable to the nature of the services provided by such Sub-Processors. Ordee will remain responsible for each Sub-Processor’s compliance with the obligations of this ANNEXES and for any acts or omissions of such Sub-Processor that cause Ordee to breach any of its obligations under this ANNEXES.

6. Data Transfers

Customer acknowledges and agrees that Ordee may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Ordee, Ltd. in the United States and to other jurisdictions where Ordee Affiliates and Sub-Processors have operations. Ordee shall ensure such transfers are made in compliance with the requirements of Data Protection Laws.

7. Additional Provisions for European Data

a. Scope of Section 7. This Section 7 (Additional Provisions for European Data) shall apply only with respect to European Data.

b. Roles of the Parties. When Processing European Data in accordance with Customer's Instructions, the parties acknowledge and agree that Customer is the Controller of European Data and Ordee is the Processor.

c. Instructions. If Ordee believes that an Instruction of Customer infringes European Data Protection Laws (where applicable), it will inform Customer without delay.

d. Notification and Objection to New Sub-Processors. Ordee will notify Customer of any changes to Sub-processors by updating Annex 4 to this ANNEXES and will give Customer the opportunity to object to the engagement of the new Sub-Processor on reasonable grounds relating to the protection of Personal Data within 30 days after updating Annex 4 to this ANNEXES. If Customer does notify Ordee of such an objection, the parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Ordee will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

e. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to Ordee, and Customer does not otherwise have access to the required information, Ordee will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

f. Transfer Mechanisms for Data Transfers.

Ordee shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is self-certified to the Privacy Shield, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Law, or to a recipient that has executed appropriate standard contractual clauses adopted or approved by the European Commission.

Customer acknowledges that in connection with the performance of the Subscription Services, Ordee, Ltd. is a recipient of European Data in the United States. The parties agree that Ordee makes available the transfer mechanisms listed below:

• Standard Contractual Clauses: Ordee Ltd. agrees to abide by and process European Data in compliance with the Standard Contractual Clauses, provided that notwithstanding the foregoing the parties agree that where the Ordee contracting entity under the Agreement is not Ordee, Ltd., such contracting entity (not Ordee, Ltd.) will remain fully and solely responsible and liable to Customer for the performance of the Standard Contractual Clauses by Ordee, Ltd. If and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this ANNEXES, the Standard Contractual Clauses shall prevail to the extent of such conflict.

Demonstration of Compliance. Ordee shall make available to Customer all information reasonably necessary to demonstrate compliance with this ANNEXES and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this ANNEXES. Customer acknowledges and agrees that it shall exercise its audit rights under this ANNEXES by instructing Ordee to comply with the audit measures described in this sub-section (g). Customer acknowledges that the Subscription Service is hosted by Ordee's data center partners who maintain independently validated security programs (including SOC 2 and ISO 27001) and Ordee's systems are regularly tested by independent third party penetration testing firms. Upon request, Ordee shall supply (on a confidential basis) a summary copy of its penetration testing report(s) to Customer so that Customer can verify Ordee's compliance with this ANNEXES. Further, at Customer's written request, Ordee will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer necessary to confirm Ordee's compliance with this ANNEXES, provided that Customer shall not exercise this right more than once per calendar year.

9. General Provisions

a. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 3(c) (Security), Ordee reserves the right to make any updates and changes to this ANNEXES and the terms that apply in Section 9 (a), para. 1 “Amendment; No Waiver” of the Agreement shall apply.

b. Severability. If any individual provisions of this ANNEXES are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this ANNEXES shall not be affected.

c. Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this ANNEXES (and any other ANNEXESs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the section of the Agreement entitled 'Limitation of Liability' and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this ANNEXES). For the avoidance of doubt, if Ordee, Ltd. is not a party to the Agreement, the section of the Agreement entitled ‘Limitation of Liability’ shall apply as between Customer and Ordee, Ltd., and in such respect any references to ‘Ordee’, ‘we’, ‘us’ or ‘our’ shall include both Ordee, Ltd. and the Ordee entity that is a party to the Agreement.

d. Governing Law. This ANNEXES shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

10. Parties to this ANNEXES

a. Permitted Affiliates. By signing the Agreement, Customer enters into this ANNEXES on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Permitted Affiliates, thereby establishing a separate ANNEXES between Ordee and each such Permitted Affiliate subject to the Agreement and Sections 9 and 10 of this ANNEXES. Each Permitted Affiliate agrees to be bound by the obligations under this ANNEXES and, to the extent applicable, the Agreement. For the purposes of this ANNEXES only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates.

b. Authorization. The legal entity agreeing to this ANNEXES as Customer represents that it is authorized to agree to and enter into this ANNEXES for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

c. Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this ANNEXES against Ordee directly by itself, the parties agree that (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Permitted Affiliate may have under this ANNEXES on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement shall exercise any such rights under this ANNEXES not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all communication with Ordee under the ANNEXES and shall be entitled to make and receive any communication related to this ANNEXES on behalf of its Permitted Affiliates.

d. Other rights. The parties agree that Customer shall, when reviewing Ordee's compliance with this ANNEXES pursuant to Section 7(g) (Demonstration of Compliance), take all reasonable measures to limit any impact on Ordee and its Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.

Annex 1 - Details of Processing

This Annex forms part of the ANNEXES.

A. Nature and Purpose of Processing

Ordee will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by Customer in its use of the Subscription Services.

B. Duration of Processing

Subject to the "Deletion or Return of Personal Data" section of this ANNEXES, Ordee will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

C. Categories of Data subjects

Customer may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Customer’s Contacts and other end users including Customer’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.

D. Categories of Personal Data

Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to the following categories of Personal Data:

• - Contact Information (as defined in the Ordee Customer Terms of Service).

• - Any other Personal Data submitted by, sent to, or received by Customer, or Customer’s end users, via the Subscription Service.

E. Special categories of data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

F. Processing operations

Personal Data will be Processed in accordance with the Agreement (including this ANNEXES) and may be subject to the following Processing activities:

a. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to Customer; and/or

b. Disclosure in accordance with the Agreement (including this ANNEXES) and/or as compelled by applicable laws.

Annex 2 - Security Measures

This Annex forms part of the ANNEXES.

Ordee currently observes the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

a) Access Control

i) Preventing Unauthorized Product Access

Outsourced processing: Ordee hosts its Service with outsourced cloud infrastructure providers. Additionally, Ordee maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Ordee relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: Ordee hosts its product infrastructure with multi-tenant, outsourced infrastructure providers.

Authentication: Ordee implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Ordee’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.

ii) Preventing Unauthorized Product Use

Ordee implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.

Intrusion detection and prevention: Ordee implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Security reviews of code stored in Ordee’s source code repositories is performed, checking for coding best practices and identifiable software flaws.

Penetration testing: Ordee maintains relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

iii) Limitations of Privilege & Authorization Requirements

Product access: A subset of Ordee’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.

Background checks: All Ordee employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In-transit: Ordee makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Ordee products. Ordee’s HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Ordee stores user passwords following policies that follow industry standard practices for security. Ordee has implemented technologies to ensure that stored data is encrypted at rest.

c) Input Control

Detection: Ordee designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Ordee personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Ordee maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Ordee will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to Customer will be in accordance with the terms of the ANNEXES or Agreement.

d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Ordee’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Ordee operations in maintaining and updating the product applications and backend while limiting downtime.

Annex 3 - Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,

The Customer, as defined in the Ordee Customer Terms of Service (the “data exporter”)

And

Ordee Ltd., (the “data importer”)

each a ‘party’; together ‘the parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

‘the data exporter’ means the controller who transfers the personal data;

‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

'the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Defined terms used in this Appendix 1 shall have the meaning given to them in the Agreement (including the ANNEXES).

Data exporter

The data exporter is the legal entity specified as "Customer" in the ANNEXES.

Data importer

The data importer is Ordee, Ltd.

Data subjects

Please see Annex 1 of the ANNEXES, which describes the data subjects.

Categories of data

Please see Annex 1 of the ANNEXES, which describes the categories of data.

Special categories of data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

Purposes of Processing

Ordee, Ltd. shall process personal data as necessary to provide the Subscription Services to data exporter in accordance with the Agreement.

Processing operations

Please see Annex 1 of the ANNEXES, which describes the processing operations.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please see Annex 2 of the ANNEXES, which describes the technical and organisational security measures implemented by Ordee.

Appendix 3 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

This Appendix sets out the parties' interpretation of their respective obligations under specific terms of the Standard Contractual Clauses ("Clauses"). Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under the Clauses.

For the purposes of this Appendix, "ANNEXES" means the Data Processing Agreement in place between Customer and Ordee and to which these Clauses are incorporated and "Agreement" shall have the meaning given to it in the ANNEXES.

Clause 4(h) and 8: Disclosure of these Clauses

a. Data exporter agrees that these Clauses constitute data importer's Confidential Information as that term is defined in the Agreement and may not be disclosed by data exporter to any third party without data importer's prior written consent unless permitted pursuant to Agreement. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.

Clause 5(a): Suspension of data transfers and termination

a. The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.

b. The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract.

c. If the data exporter intends to suspend the transfer of personal data and/or terminate these Clauses, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).

d. If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instance where it considers there is a material risk of harm to data subjects or their personal data.

Clause 5(f): Audit

a. Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in Section 7(g) (Demonstration of Compliance) of the ANNEXES.

Clause 5(j): Disclosure of subprocessor agreements

a. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter.

b. The parties further acknowledge that, pursuant to subprocessor confidentiality restrictions, data importer may be restricted from disclosing onward subprocessor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to data exporter.

c. Even where data importer cannot disclose a subprocessor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably requires in connection with such subprocessing agreement to data exporter.

Clause 6: Liability

a. Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.

Clause 11: Onward subprocessing

a. The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled "FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC" the data exporter may provide a general consent to onward subprocessing by the data importer.

b. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in Section 7(d) (Notification and Objection to New Sub-Processors) of the ANNEXES.

Clause 12: Obligation after the termination of personal data-processing services

a. Data importer agrees that the data exporter will fulfil its obligation to return or destroy all the personal data on the termination of the provision of data-processing services by complying with the "Deletion or Return of Personal Data" section of the ANNEXES.

Annex 4 - List of Sub-Processors

Amazon Web Services, Ltd.

Google, Ltd.

Twilio, Ltd.

Sparkpost

Stripe

Agreement

1.      Definitions

1.1    In this Agreement, except to the extent expressly provided otherwise:

"Acceptance Criteria" means:

(a)    the Platform and Hosted Services conforming in all material respects with the Hosted Services Specification; and

(b)    the Hosted Services being free from Hosted Services Defects;

"Acceptance Period" means a period of 10 Business Days following the making available of the Hosted Services to the Customer for the purposes of testing in accordance with Clause 4 or any repeated making available of the Hosted Services to the Customer for the purposes of testing in accordance with Clause 4, or such other period or periods as the parties may agree in writing;

"Acceptance Tests" means a set of tests designed to establish whether the Hosted Services meet the Acceptance Criteria, providing that the exact form of the tests shall be agreed and documented by the parties acting reasonably in advance of the first Acceptance Period;

"Access Credentials" means the usernames, passwords and other credentials enabling access to the Hosted Services, including both access credentials for the User Interface and access credentials for the API;

"Affiliate" means an entity that Controls, is Controlled by, or is under common Control with the relevant entity;

"Agreement" means this agreement including any Schedules, and any amendments to this Agreement from time to time;

"API" means the application programming interface for the Hosted Services defined by the Provider and made available by the Provider to the Customer;

"Business Day" means any weekday other than a bank or public holiday in Ireland;

"Business Hours" means the hours of 09:00 to 17:00 GMT/GMT+1 on a Business Day;

"CCN" means a change control notice issued in accordance with Clause 17;

"CCN Consideration Period" means the period of 10 Business Days following the receipt by a party of the relevant CCN from the other party;

"Change" means any change to this Agreement;

"Charges" means the following amounts:

(a)    the amounts specified in Section 4 of Schedule 1 (Hosted Services particulars);

(b)    such amounts as may be agreed in writing by the parties from time to time; and

"Confidential Information" means the Provider Confidential Information and the Customer Confidential Information;

"Control" means the legal power to control (directly or indirectly) the management of an entity (and "Controlled" should be construed accordingly);

"Customer Confidential Information" means:

(a)    any information disclosed by the Customer to the Provider at any time before the termination of this Agreement (whether disclosed in writing, orally or otherwise) that at the time of disclosure:

(i)     was marked or described as "confidential"; or

(ii)    should have been reasonably understood by the Provider to be confidential; and

(b)    the Customer Data;

"Customer Data" means all data, works and materials: uploaded to or stored on the Platform by the Customer; transmitted by the Platform at the instigation of the Customer; supplied by the Customer to the Provider for uploading to, transmission by or storage on the Platform; or generated by the Platform as a result of the use of the Hosted Services by the Customer (but excluding analytics data relating to the use of the Platform and server log files)];

"Customer Indemnity Event" has the meaning given to it in Clause 27.3;

"Customer Data" is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the Services. For example, Customer Data includes data that you upload for storage or processing in the Services and applications that you or your end users upload for hosting in the Services. It does not include configuration or technical settings and information;

"Customer Representatives" means the person or persons identified as such in Section 5 of Schedule 1 (Hosted Services particulars), and any additional or replacement persons that may be appointed by the Customer giving to the Provider written notice of the appointment;

"Customer Systems" means the hardware and software systems of the Customer that interact with, or may reasonably be expected to interact with, the Hosted Services;

"Customisation" means a customisation of the Hosted Services, whether made through the development, configuration or integration of software, or otherwise;

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including, while they are in force and applicable, Ireland's Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679);

"Documentation" means the documentation for the Hosted Services produced by the Provider and delivered or made available by the Provider to the Customer;

"Effective Date" means the date of execution of this Agreement;

"Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);

"Hosted Services" means Ordee, as specified which will be made available by the Provider to the Customer as a service via the internet in accordance with this Agreement;

"Hosted Services Defect" means a defect, error or bug in the Platform having a material adverse effect on the appearance, operation, functionality or performance of the Hosted Services, but excluding any defect, error or bug caused by or arising as a result of:

(a)    any act or omission of the Customer or any person authorised by the Customer to use the Platform or Hosted Services];

(b)    any use of the Platform or Hosted Services contrary to the Documentation, whether by the Customer or by any person authorised by the Customer;

(c)    a failure of the Customer to perform or observe any of its obligations in this Agreement; and/or

(d)    an incompatibility between the Platform or Hosted Services and any other system, network, application, program, hardware or software not specified as compatible in the Hosted Services Specification;

"Hosted Services Specification" means the specification for the Platform and Hosted Services set out in [Section 2 of Schedule 1 (Hosted Services particulars) and in the Documentation];

"Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights (and these "intellectual property rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs);

"Maintenance Services" means the general maintenance of the Platform and Hosted Services, and the application of Updates and Upgrades;

"Minimum Term" means, in respect of this Agreement, the period of 12 months beginning on the Effective Date;

"Mobile App" means the mobile application known as Ordee that is made available by the Provider through the Google Play Store and the Apple App Store;

"Personal Data" means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in or is likely to come into the possession of the data controller;

"Platform" means the platform managed by the Provider and used by the Provider to provide the Hosted Services, including the application and database software for the Hosted Services, the system and server software used to provide the Hosted Services, and the computer hardware on which that application, database, system and server software is installed;

"Provider Confidential Information" means:

(a)    any information disclosed by or on behalf of the Provider to the Customer during the Term or at any time before the termination of this Agreement (whether disclosed in writing, orally or otherwise) that at the time of disclosure was marked or described as "confidential" or should have been understood by the Customer (acting reasonably) to be confidential; and

(b)    the terms of this Agreement;

"Provider Indemnity Event" has the meaning given to it in Clause 27.1;

"Provider Representatives" means the person or persons identified as such in Section 5 of Schedule 1 (Hosted Services particulars), and any additional or replacement persons that may be appointed by the Provider giving to the Customer written notice of the appointment;

"Remedy Period" means a period of 20 Business Days following the Customer giving to the Provider a notice that the Hosted Services have failed the Acceptance Tests, or such other period as the parties may agree in writing;

"Schedule" means any schedule attached to the main body of this Agreement;

"Services" means any services that the Provider provides to the Customer, or has an obligation to provide to the Customer, under this Agreement;

"Set Up Services" means the configuration, implementation and integration of the Hosted Services in accordance with Section 1 of Schedule 1 (Hosted Services particulars);

"Support Services" means support in relation to the use of, and the identification and resolution of errors in, the Hosted Services, but shall not include the provision of training services;

"Supported Web Browser" means the current release from time to time of Microsoft Edge, Mozilla Firefox, Google Chrome or Apple Safari, or any other web browser that the Provider agrees in writing shall be supported;

"Term" means the term of this Agreement, commencing in accordance with Clause 2.1 and ending in accordance with Clause 2.2;

"Third Party Services" means any hosted, cloud or software-based services provided by any third party that are or may be integrated with the Hosted Services by the Provider from time to time in circumstances where the Customer must, in order to activate the integration, have an account with the relevant services provider or obtain activation or access credentials from the relevant services provider;

"Update" means a hotfix, patch or minor version update to any Platform software;

"Upgrade" means a major version upgrade of any Platform software; and

"User Interface" means the interface for the Hosted Services designed to allow individual human users to access and use the Hosted Services.

2.      Term

2.1    This Agreement shall come into force upon the Effective Date.

2.2    This Agreement shall continue in force until 12 months from the effective date at the beginning of which this Agreement shall terminate automatically upon which this Agreement shall terminate automatically, subject to termination in accordance with Clause 30 or any other provision of this Agreement.

3.      Set Up Services

3.1    The Provider shall provide the Set Up Services to the Customer.

3.2    The Provider shall use all reasonable endeavors to ensure that the Set Up Services are provided promptly following the Effective Date.

3.3    The Customer acknowledges that a delay in the Customer performing its obligations in this Agreement may result in a delay in the performance of the Set Up Services; and subject to Clause 28.1 the Provider will not be liable to the Customer in respect of any failure to meet the Set Up Services timetable to the extent that that failure arises out of a delay in the Customer performing its obligations under this Agreement.

3.4    Subject to any written agreement of the parties to the contrary, any Intellectual Property Rights that may arise out of the performance of the Set Up Services by the Provider shall be the exclusive property of the Provider.

4.      Acceptance procedure

4.1    During each Acceptance Period, the Customer shall carry out the Acceptance Tests.

4.2    The Provider shall provide to the Customer at the Provider's own cost and expense all such assistance and co-operation in relation to the carrying out of the Acceptance Tests as the Customer may reasonably request.

4.3    Before the end of each Acceptance Period, the Customer shall give to the Provider a written notice specifying whether the Hosted Services have passed or failed the Acceptance Tests.

4.4    If the Customer fails to give to the Provider a written notice in accordance with Clause 4.3, then the Hosted Services shall be deemed to have passed the Acceptance Tests.

4.5   

 

5.      Hosted Services

5.1    The Provider shall ensure that the Platform will provide, to the Customer upon the Effective Date the Access Credentials necessary to enable the Customer to access and use the Hosted Services.

5.2    The Provider hereby grants to the Customer a license to use the Hosted Services by means of the User Interface and the API for the internal business purposes of the Customer in accordance with the Documentation during the Term.

5.3    The license granted by the Provider to the Customer under Clause 5.2 is subject to the following limitations:

(a)    the User Interface may only be used through a Supported Web Browser or the Mobile App;

(b)    the User Interface may only be used by the officers, employees, agents and subcontractors of either the Customer or an Affiliate of the Customer;

(c)    the User Interface may only be used by the named users identified in Schedule 1 (Hosted Services particulars), providing that the Customer may change, add or remove a designated named user in accordance with the user change procedure defined by the Hosted Services;

(d)    the User Interface must not be used at any point in time by more than the number of concurrent users specified in Schedule 1 (Hosted Services particulars), providing that the Customer may add or remove concurrent user licenses in accordance with the license change procedure defined by the Hosted Services; and

(e)    the API may only be used by an application or applications approved by the Provider in writing and controlled by the Customer.

5.4    Except to the extent expressly permitted in this Agreement or required by law on a non-excludable basis, the license granted by the Provider to the Customer under Clause 5.2 is subject to the following prohibitions:

(a)    the Customer must not sub-license its right to access and use the Hosted Services;

(b)    the Customer must not permit any unauthorised person or application to access or use the Hosted Services;

(c)    the Customer must not use the Hosted Services to provide services to third parties;

(d)    the Customer must not republish or redistribute any content or material from the Hosted Services;

(e)    the Customer must not make any alteration to the Platform, except as permitted by the Documentation; and

(f)    the Customer must not conduct or request that any other person conduct any load testing or penetration testing on the Platform or Hosted Services [without the prior written consent of the Provider.

5.5    The Customer shall implement and maintain reasonable security measures relating to the Access Credentials to ensure that no unauthorised person or application may gain access to the Hosted Services by means of the Access Credentials.

5.6    The parties acknowledge and agree that Schedule 3 (Availability SLA) shall govern the availability of the Hosted Services.

5.7    The Customer must comply with Schedule 2 (Acceptable Use Policy), and must ensure that all persons using the Hosted Services with the authority of the Customer comply with Schedule 2 (Acceptable Use Policy).

5.8    The Customer must not use the Hosted Services in any way that causes, or may cause, damage to the Hosted Services or Platform or impairment of the availability or accessibility of the Hosted Services.

5.9    The Customer must not use the Hosted Services in any way that uses excessive Platform resources and as a result is liable to cause a material degradation in the services provided by the Provider to its other customers using the Platform; and the Customer acknowledges that the Provider may use reasonable technical measures to limit the use of Platform resources by the Customer for the purpose of assuring services to its customers generally.

5.10  The Customer must not use the Hosted Services:

(a)    in any way that is unlawful, illegal, fraudulent or harmful; or

(b)    in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.

5.11  For the avoidance of doubt, the Customer has no right to access the software code (including object code, intermediate code and source code) of the Platform, either during or after the Term.

6.      Customisations

6.1    The Provider and the Customer may agree that the Provider shall design, develop and implement a Customisation or Customisations in accordance with a specification and project plan agreed in writing by the parties and using the Change control procedure in Clause 17.

6.2    All Intellectual Property Rights in the Customisations shall, as between the parties, be the exclusive property of the Provider (unless the parties agree otherwise in writing).

6.3    From the time and date when a Customisation is first delivered or made available by the Provider to the Customer, the Customisation shall form part of the Platform, and accordingly from that time and date the Customer's rights to use the Customisation shall be governed by Clause 5.

6.4    The Customer acknowledges that the Provider may make any Customisation available to any of its other customers or any other third party at any time after the end of the period of 90 days following the making available of the Customisation to the Customer.

7.      Maintenance Services

7.1    The Provider shall provide the Maintenance Services to the Customer during the Term.

7.2    The Provider shall provide the Maintenance Services with reasonable skill and care.

7.3    The Provider shall provide the Maintenance Services in accordance with Schedule 4 (Maintenance SLA).

7.4    The Provider may suspend the provision of the Maintenance Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least 30 days' written notice, following the amount becoming overdue, of its intention to suspend the Maintenance Services on this basis.

8.      Support Services

8.1    The Provider shall provide the Support Services to the Customer during the Term.

8.2    The Provider shall provide the Support Services with reasonable skill and care.

8.3    The Provider shall provide the Support Services in accordance with Schedule 5 (Support SLA).

8.4    The Provider may suspend the provision of the Support Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least 30 days' written notice, following the amount becoming overdue, of its intention to suspend the Support Services on this basis.

9.      Customer obligations

9.1    Save to the extent that the parties have agreed otherwise in writing, the Customer must provide to the Provider, or procure for the Provider, such:

(a)    co-operation, support and advice;

(b)    information and documentation; and

(c)    governmental, legal and regulatory licences, consents and permits,

        as are reasonably necessary to enable the Provider to perform its obligations under this Agreement.

9.2    The Customer must provide to the Provider, or procure for the Provider, such access to the Customer's computer hardware, software, networks and systems as may be reasonably required by the Provider to enable the Provider to perform its obligations under this Agreement.

10.    Customer Systems

10.1  The Customer shall ensure that the Customer Systems comply, and continue to comply during the Term, with the requirements of Section 3 of Schedule 1 (Hosted Services particulars) in all material respects, subject to any changes agreed in writing by the Provider.

11.    Customer Data

11.1  The Customer hereby grants to the Provider a non-exclusive licence to copy, reproduce, store, distribute, publish, export, adapt, edit and translate the Customer Data to the extent reasonably required for the performance of the Provider's obligations and the exercise of the Provider's rights under this Agreement. The Customer also grants to the Provider the right to sub-license these rights to its hosting, connectivity and telecommunications service providers, subject to any express restrictions elsewhere in this Agreement.

11.2  The Customer warrants to the Provider that the Customer Data will not infringe the Intellectual Property Rights or other legal rights of any person, and will not breach the provisions of any law, statute or regulation, in any jurisdiction and under any applicable law.

11.3  The Provider shall create a back-up copy of the Customer Data at least daily, shall ensure that each such copy is sufficient to enable the Provider to restore the Hosted Services to the state they were in at the time the back-up was taken, and shall retain and securely store each such copy for a minimum period of 30 days.

11.4  Within the period of 1 Business Day following receipt of a written request from the Customer, the Provider shall use all reasonable endeavours to restore to the Platform the Customer Data stored in any back-up copy created and stored by the Provider in accordance with Clause 11.3. The Customer acknowledges that this process will overwrite the Customer Data stored on the Platform prior to the restoration.

12.    Integrations with Third Party Services

12.1  The Hosted Services are integrated with certain Third Party Services and the Provider may integrate the Hosted Services with additional Third Party Services at any time.

13.    Mobile App

13.1  The parties acknowledge and agree that the use of the Mobile App, the parties' respective rights and obligations in relation to the Mobile App and any liabilities of either party arising out of the use of the Mobile App shall be subject to separate terms and conditions, and accordingly this Agreement shall not govern any such use, rights, obligations or liabilities.

14.    No assignment of Intellectual Property Rights

14.1  Nothing in this Agreement shall operate to assign or transfer any Intellectual Property Rights from the Provider to the Customer, or from the Customer to the Provider.

15.    Representatives

15.1  The Provider shall ensure that all instructions given by the Provider in relation to the matters contemplated in this Agreement will be given by a Provider Representative to a Customer Representative, and the Customer:

(a)    may treat all such instructions as the fully authorised instructions of the Provider; and

(b)    may decline to comply with any other instructions in relation to that subject matter.

15.2  The Customer shall ensure that all instructions given by the Customer in relation to the matters contemplated in this Agreement will be given by a Customer Representative to a Provider Representative, and the Provider:

(a)    may treat all such instructions as the fully authorised instructions of the Customer; and

(b)    may decline to comply with any other instructions in relation to that subject matter.

17.    Change control

17.1  The provisions of this Clause 17 apply to each Change requested by a party.

17.2  Either party may request a Change at any time.

17.3  A party requesting a Change shall provide to the other party a completed CCN in the form specified in Schedule 6 (Form of CCN).

17.4  A party in receipt of a CCN may:

(a)    accept the CCN, in which case that party must countersign the CCN and return it to the other party before the end of the CCN Consideration Period;

(b)    reject the CCN, in which case that party must inform the other party of this rejection before the end of the CCN Consideration Period; or

(c)    issue an amended CCN to the other party before the end of the CCN Consideration Period, in which case this Clause 17 will reapply with respect to the amended CCN.

17.5  A proposed Change will not take effect until such time as a CCN recording the Change has been signed by or on behalf of each party.

18.    Charges

18.1  The Customer shall pay the Charges to the Provider in accordance with this Agreement.

18.2  If the Charges are based in whole or part upon the time spent by the Provider performing the Services, the Provider must obtain the Customer's written consent before performing Services that result in any estimate of time-based Charges given to the Customer being exceeded or any budget for time-based Charges agreed by the parties being exceeded; and unless the Customer agrees otherwise in writing, the Customer shall not be liable to pay to the Provider any Charges in respect of Services performed in breach of this Clause 18.2.

18.3  All amounts stated in or in relation to this Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by the Customer to the Provider.

18.4  The Provider may elect to vary any element of the Charges by giving to the Customer not less than 30 days' written notice of the variation expiring on any anniversary of the date of execution of this Agreement, providing that no such variation shall constitute a percentage increase in the relevant element of the Charges that exceeds 2% over the percentage increase, since the date of the most recent variation of the relevant element of the Charges under this Clause 18.4 or, if no such variation has occurred, since the date of execution of this Agreement.

19.    Expenses

19.1  The Customer shall reimburse the Provider in respect of any Expenses, providing that the Provider must obtain the prior written authorisation of the Customer before incurring any Expenses exceeding such limitations as may be agreed in writing by the parties from time to time.

19.2  The Provider must collect and collate evidence of all Expenses, and must retain such evidence during the Term and for a period of 90 days following the end of the Term.

19.3  Within 10 Business Days following receipt of a written request from the Customer to do so, the Provider must supply to the Customer such copies of the evidence for the Expenses in the possession or control of the Provider as the Customer may specify in that written request.

20.    Timesheets

20.1  The Provider must:

(a)    ensure that the personnel providing Services, the Charges for which will be based in whole or part upon the time spent in the performance of those Services, complete reasonably detailed records of their time spent providing those Services; and

(b)    retain such records during the Term, and for a period of at least 12 months following the end of the Term.

20.2  Within 10 Business Days following receipt of a written request, the Provider shall supply to the Customer copies of such of the timesheets referred to in Clause 20.1 and in the Provider's possession or control as the Customer may specify in that written request.

21.    Payments

21.1  The Provider shall issue invoices for the Charges to the Customer on or after the invoicing dates set out in Section 4 of Schedule 1 (Hosted Services particulars).

21.2  The Customer must pay the Charges to the Provider within the period of 30 days following the issue of an invoice in accordance with this Clause 21.

21.3  The Customer must pay the Charges by debit card, credit card, direct debit or bank transfer (using such payment details as are notified by the Provider to the Customer from time to time).

21.4  If the Customer does not pay any amount properly due to the Provider under this Agreement, the Provider may:

(a)    without liability to the Customer, disable the Customer’s password, account and access to all or part of the Services and Ordee Limited shall be under no obligation to provide any or all of the Services while the Subscription Fee concerned remain unpaid; and

(b)    interest shall accrue on such due amounts at an annual rate equal to 3% over the then current base lending rate of Ordee Limited’s bankers in Ireland on the Due Date, commencing on the Due Date and continuing until fully paid, whether before or after judgment.

22.    Confidentiality obligations

22.1  The Provider must:

(a)    keep the Customer Confidential Information strictly confidential;

(b)    not disclose the Customer Confidential Information to any person without the Customer's prior written consent, and then only under conditions of confidentiality approved in writing by the Customer;

(c)    use the same degree of care to protect the confidentiality of the Customer Confidential Information as the Provider uses to protect the Provider's own confidential information of a similar nature, being at least a reasonable degree of care;

(d)    act in good faith at all times in relation to the Customer Confidential Information.

22.2  The Customer must:

(a)    keep the Provider Confidential Information strictly confidential;

(b)    not disclose the Provider Confidential Information to any person without the Provider's prior written consent, and then only under conditions of confidentiality approved in writing by the Provider;

(c)    use the same degree of care to protect the confidentiality of the Provider Confidential Information as the Customer uses to protect the Customer's own confidential information of a similar nature, being at least a reasonable degree of care;

(d)    act in good faith at all times in relation to the Provider Confidential Information.

22.3  Notwithstanding Clauses 22.1 and 22.2, a party's Confidential Information may be disclosed by the other party to that other party's officers, employees, professional advisers, insurers, agents and subcontractors who have a need to access the Confidential Information that is disclosed for the performance of their work with respect to this Agreement and who are bound by a written agreement or professional obligation to protect the confidentiality of the Confidential Information that is disclosed.

22.4  No obligations are imposed by this Clause 22 with respect to a party's Confidential Information if that Confidential Information:

(a)    is known to the other party before disclosure under this Agreement and is not subject to any other obligation of confidentiality;

(b)    is or becomes publicly known through no act or default of the other party; or

(c)    is obtained by the other party from a third party in circumstances where the other party has no reason to believe that there has been a breach of an obligation of confidentiality.

22.5  The restrictions in this Clause 22 do not apply to the extent that any Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of either party on any recognised stock exchange.

22.6  Upon the termination of this Agreement, each party must immediately cease to use the other party's Confidential Information.

22.7  Following the date of effective termination of this Agreement, and within 5 Business Days following the date of receipt of a written request from the other party following the date of effective termination of this Agreement, the relevant party must:

(a)    irreversibly delete from its media and computer systems all copies of the other party's Confidential Information (and ensure that the other party's Confidential Information is irreversibly deleted from the media and computer systems of all persons to whom the relevant party has directly or indirectly disclosed that Confidential Information);

(b)    ensure that no other copies of the other party's Confidential Information remain in the relevant's party possession or control (or the possession of control of any person to whom the relevant party has directly or indirectly disclosed the other party's Confidential Information);

(c)    certify in writing to the other party that it has complied with the requirements of this Clause 22.7,

        subject in each case to any obligations that the relevant party has under this Agreement to supply or make available to the other party any data or information, and providing that the relevant party shall have no obligation under this Clause 22.7 to delete or to cease to possess or control any of the other party's Confidential Information to the extent that the relevant party is required by applicable law to retain that Confidential Information.

22.8  The provisions of this Clause 22 shall continue in force indefinitely following the termination of this Agreement.

23.    Publicity

23.1  Neither party may make any public disclosures relating to this Agreement or the subject matter of this Agreement (including disclosures in press releases, public announcements and marketing materials) without the prior written consent of the other party.

23.2  Nothing in this Clause 23 shall be construed as limiting the obligations of the parties under Clause 22.

24.    Data protection

24.1  Each party shall comply with the Data Protection Laws with respect to the processing of the Customer Personal Data.

24.2  The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with this Agreement.

24.3  The Customer shall only supply to the Provider, and the Provider shall only process, in each case under or in relation to this Agreement:

(a)    the Personal Data of data subjects falling within the categories specified in Section 1 of Schedule 7 (Data processing information) (or such other categories as may be agreed by the parties in writing); and

(b)    Personal Data of the types specified in Section 2 of Schedule 7 (Data processing information) (or such other types as may be agreed by the parties in writing).

24.4  The Provider shall only process the Customer Personal Data for the purposes specified in Section 3 of Schedule 7 (Data processing information).

24.5  The Provider shall only process the Customer Personal Data during the Term and for not more than 30 days following the end of the Term, subject to the other provisions of this Clause 24.

24.6  The Provider shall only process the Customer Personal Data on the documented instructions of the Customer (including with regard to transfers of the Customer Personal Data to any place outside the European Economic Area, as set out in this Agreement or any other document agreed by the parties in writing.

24.7  The Customer hereby authorises the Provider to make the following transfers of Customer Personal Data:

(a)    the Provider may transfer the Customer Personal Data internally to its own employees, offices and facilities in Ireland, providing that such transfers must be protected by appropriate safeguards; and

(b)    the Provider may transfer [the Customer Personal Data to its sub-processors in the jurisdictions identified in Section 5 of Schedule 7 (Data processing information), providing that such transfers must be protected by any appropriate safeguards identified therein; and

(c)    the Provider may transfer the Customer Personal Data to a country, a territory or sector to the extent that the competent data protection authorities have decided that the country, territory or sector ensures an adequate level of protection for Personal Data.

24.8  The Provider shall promptly inform the Customer if, in the opinion of the Provider, an instruction of the Customer relating to the processing of the Customer Personal Data infringes the Data Protection Laws.

24.9  Notwithstanding any other provision of this Agreement, the Provider may process the Customer Personal Data if and to the extent that the Provider is required to do so by applicable law. In such a case, the Provider shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

24.10 The Provider shall ensure that persons authorised to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

24.11 The Provider and the Customer shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Customer Personal Data, including those measures specified in Section 4 of Schedule 7 (Data processing information).

24.12 The Provider must not engage any third party to process the Customer Personal Data without the prior specific or general written authorisation of the Customer. In the case of a general written authorisation, the Provider shall inform the Customer at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Customer objects to any such changes before their implementation, then the Provider must not implement the changes. The Provider shall ensure that each third party processor is subject to the same legal obligations as those imposed on the Provider by this Clause 24.

24.13 As at the Effective Date, the Provider is hereby authorised by the Customer to engage, as sub-processors with respect to Customer Personal Data, the third parties identified in Section 5 of Schedule 7 (Data processing information).

24.14 The Provider shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws.

24.15 The Provider shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 24.15.

24.16 The Provider must notify the Customer of any Personal Data breach affecting the Customer Personal Data without undue delay and, in any case, not later than 24 hours after the Provider becomes aware of the breach.

24.17 The Provider shall make available to the Customer all information necessary to demonstrate the compliance of the Provider with its obligations under this Clause 24 and the Data Protection Laws. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 24.17, providing that no such charges shall be levied with respect to the completion by the Provider (at the reasonable request of the Customer, not more than once per calendar year) of the standard information security questionnaire of the Customer.

24.18 The Provider shall, at the choice of the Customer, delete or return all of the Customer Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.

24.19 The Provider shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of the Provider's processing of Customer Personal Data with the Data Protection Laws and this Clause 24. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 24.19, providing that no such charges shall be levied where the request to perform the work arises out of any breach by the Provider of this Agreement or any security breach affecting the systems of the Provider.

24.20 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.

25.    Warranties

25.1  The Provider warrants to the Customer that:

(a)    the Provider has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement;

(b)    the Provider will comply with all applicable legal and regulatory requirements applying to the exercise of the Provider's rights and the fulfilment of the Provider's obligations under this Agreement; and

(c)    the Provider has or has access to all necessary know-how, expertise and experience to perform its obligations under this Agreement.

25.2  The Provider warrants to the Customer that:

(a)    the Platform and Hosted Services will conform in all material respects with the Hosted Services Specification;

(b)    the Hosted Services will be free from Hosted Services Defects;

(c)    the Platform will be free from viruses, worms, Trojan horses, ransomware, spyware, adware and other malicious software programs; and

(d)    the Platform will incorporate security features reflecting the requirements of good industry practice.

25.3  The Provider warrants to the Customer that the Hosted Services, when used by the Customer in accordance with this Agreement, will not breach any laws, statutes or regulations applicable under Irish law.

25.4  The Provider warrants to the Customer that the Hosted Services, when used by the Customer in accordance with this Agreement, will not infringe the Intellectual Property Rights of any person in any jurisdiction and under any applicable law.

25.5  If the Provider reasonably determines, or any third party alleges, that the use of the Hosted Services by the Customer in accordance with this Agreement infringes any person's Intellectual Property Rights, the Provider may at its own cost and expense:

(a)    modify the Hosted Services in such a way that they no longer infringe the relevant Intellectual Property Rights; or

(b)    procure for the Customer the right to use the Hosted Services in accordance with this Agreement.

25.6  The Customer warrants to the Provider that it has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement.

25.7  All of the parties' warranties and representations in respect of the subject matter of this Agreement are expressly set out in this Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of this Agreement will be implied into this Agreement or any related contract.

26.    Acknowledgements and warranty limitations

26.1  The Customer acknowledges that complex software is never wholly free from defects, errors and bugs; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Hosted Services will be wholly free from defects, errors and bugs.

26.2  The Customer acknowledges that complex software is never entirely free from security vulnerabilities; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Hosted Services will be entirely secure.

26.3  The Customer acknowledges that the Hosted Services are designed to be compatible only with that software and those systems specified as compatible in the Hosted Services Specification; and the Provider does not warrant or represent that the Hosted Services will be compatible with any other software or systems.

26.4  The Customer acknowledges that the Provider will not provide any legal, financial, accountancy or taxation advice under this Agreement or in relation to the Hosted Services; and, except to the extent expressly provided otherwise in this Agreement, the Provider does not warrant or represent that the Hosted Services or the use of the Hosted Services by the Customer will not give rise to any legal liability on the part of the Customer or any other person.

27.    Indemnities

27.1  The Provider shall indemnify and shall keep indemnified the Customer against any and all liabilities, damages, losses, costs and expenses (including legal expenses and amounts reasonably paid in settlement of legal claims) suffered or incurred by the Customer and arising directly or indirectly as a result of any breach by the Provider of this Agreement (a "Provider Indemnity Event").

27.2  The Customer must:

(a)    upon becoming aware of an actual or potential Provider Indemnity Event, notify the Provider;

(b)    provide to the Provider all such assistance as may be reasonably requested by the Provider in relation to the Provider Indemnity Event;

(c)    allow the Provider the exclusive conduct of all disputes, proceedings, negotiations and settlements with third parties relating to the Provider Indemnity Event; and

(d)    not admit liability to any third party in connection with the Provider Indemnity Event or settle any disputes or proceedings involving a third party and relating to the Provider Indemnity Event without the prior written consent of the Provider,

        without prejudice to the Provider's obligations under Clause 27.1 and the Provider's obligation to indemnify the Customer under Clause 27.1 shall not apply unless the Customer complies with the requirements of this Clause 27.2].

27.3  The Customer shall indemnify and shall keep indemnified the Provider against any and all liabilities, damages, losses, costs and expenses (including legal expenses and amounts reasonably paid in settlement of legal claims) suffered or incurred by the Provider and arising directly or indirectly as a result of any breach by the Customer of this Agreement (a "Customer Indemnity Event").

27.4  The Provider must:

(a)    upon becoming aware of an actual or potential Customer Indemnity Event, notify the Customer;

(b)    provide to the Customer all such assistance as may be reasonably requested by the Customer in relation to the Customer Indemnity Event;

(c)    allow the Customer the exclusive conduct of all disputes, proceedings, negotiations and settlements with third parties relating to the Customer Indemnity Event; and

(d)    not admit liability to any third party in connection with the Customer Indemnity Event or settle any disputes or proceedings involving a third party and relating to the Customer Indemnity Event without the prior written consent of the Customer,

        without prejudice to the Customer's obligations under Clause 27.3 and the Customer's obligation to indemnify the Provider under Clause 27.3 shall not apply unless the Provider complies with the requirements of this Clause 27.4.

27.5  The indemnity protection set out in this Clause 27 shall be subject to the limitations and exclusions of liability set out in this Agreement.

28.    Limitations and exclusions of liability

28.1  Nothing in this Agreement will:

(a)    limit or exclude any liability for death or personal injury resulting from negligence;

(b)    limit or exclude any liability for fraud or fraudulent misrepresentation;

(c)    limit any liabilities in any way that is not permitted under applicable law; or

(d)    exclude any liabilities that may not be excluded under applicable law.

28.2  The limitations and exclusions of liability set out in this Clause 28 and elsewhere in this Agreement:

(a)    are subject to Clause 28.1; and

(b)    govern all liabilities arising under this Agreement or relating to the subject matter of this Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in this Agreement.

28.3  Neither party shall be liable to the other party in respect of any losses arising out of a Force Majeure Event.

28.4  Neither party shall be liable to the other party in respect of any loss of profits or anticipated savings.

28.5  Neither party shall be liable to the other party in respect of any loss of revenue or income.

28.6  Neither party shall be liable to the other party in respect of any loss of use or production.

28.7  Neither party shall be liable to the other party in respect of any loss of business, contracts or opportunities.

28.8  Neither party shall be liable to the other party in respect of any loss or corruption of any data, database or software; providing that this Clause 28.8 shall not protect the Provider unless the Provider has fully complied with its obligations under Clause 11.3 and Clause 11.4.

28.9  Neither party shall be liable to the other party in respect of any special, indirect or consequential loss or damage.

28.10 The liability of each party to the other party under this Agreement in respect of any event or series of related events shall not exceed the greater of:

(a)    €1,200; and

(b)    the total amount paid and payable by the Customer to the Provider under this Agreement in the 12 month period preceding the commencement of the event or events.

28.11 The aggregate liability of each party to the other party under this Agreement shall not exceed the greater of:

(a)    €1,200; and

(b)    the total amount paid and payable by the Customer to the Provider under this Agreement.

29.    Force Majeure Event

29.1  If a Force Majeure Event gives rise to a failure or delay in either party performing any obligation under this Agreement (other than any obligation to make a payment), that obligation will be suspended for the duration of the Force Majeure Event.

29.2  A party that becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in that party performing any obligation under this Agreement, must:

(a)    promptly notify the other; and

(b)    inform the other of the period for which it is estimated that such failure or delay will continue.

29.3  A party whose performance of its obligations under this Agreement is affected by a Force Majeure Event must take reasonable steps to mitigate the effects of the Force Majeure Event.

30.    Termination

30.1  Either party may terminate this Agreement by giving to the other party not less than 30 days' written notice of termination, the annual subscription fee is non refundable for year one. A monthly recurring subscription is in place from month 13 onwards.

30.2  Either party may terminate this Agreement immediately by giving written notice of termination to the other party if:

(a)    the other party commits any material breach of this Agreement, and the breach is not remediable;

(b)    the other party commits a material breach of this Agreement, and the breach is remediable but the other party fails to remedy the breach within the period of 30 days following the giving of a written notice to the other party requiring the breach to be remedied; or

(c)    the other party persistently breaches this Agreement (irrespective of whether such breaches collectively constitute a material breach).

30.3  Either party may terminate this Agreement immediately by giving written notice of termination to the other party if:

(a)    the other party:

(i)     is dissolved;

(ii)    ceases to conduct all (or substantially all) of its business;

(iii)   is or becomes unable to pay its debts as they fall due;

(iv)   is or becomes insolvent or is declared insolvent; or

(v)    convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;

(b)    an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;

(c)    an order is made for the winding up of the other party, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under this Agreement); or

(d)    if that other party is an individual:

(i)     that other party dies;

(ii)    as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or

(iii)   that other party is the subject of a bankruptcy petition or order.

30.4  The Provider may terminate this Agreement immediately by giving written notice to the Customer if:

(a)    any amount due to be paid by the Customer to the Provider under this Agreement is unpaid by the due date and remains unpaid upon the date that that written notice of termination is given; and

(b)    the Provider has given to the Customer at least 30 days' written notice, following the failure to pay, of its intention to terminate this Agreement in accordance with this Clause 30.4.

30.5  The rights of termination set out in this Agreement shall not exclude any rights of termination available at law.

31.    Effects of termination

31.1  Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save that the following provisions of this Agreement shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely): [Clauses 1, 4.8, 5.11, 12.7, 13, 19.2, 19.3, 20, 21.2, 21.4, 22, 23, 24, 27, 28, 31, 32, 33.1, 33.2, 33.4, 33.8, 33.9, 34.1, 34.5, 35.1, 35.5, 38, 39, 40, 41, 42, 43, 44 and 45].

31.2  Except to the extent that this Agreement expressly provides otherwise, the termination of this Agreement shall not affect the accrued rights of either party.

31.3  Within 30 days following the termination of this Agreement for any reason:

(a)    the Customer must pay to the Provider any Charges in respect of Services provided to the Customer before the termination of this Agreement; and

(b)    the Provider must refund to the Customer any Charges paid by the Customer to the Provider in respect of Services that were to be provided to the Customer after the termination of this Agreement,

        without prejudice to the parties' other legal rights.

32.    Non-solicitation of personnel

32.1  The Customer must not, without the prior written consent of the Provider, either during the Term or within the period of 6 months following the end of the Term, engage, employ or solicit for engagement or employment any employee or subcontractor of the Provider who has been involved in any way in the negotiation or performance of this Agreement.

32.2  The Provider must not, without the prior written consent of the Customer, either during the Term or within the period of 6 months following the end of the Term, engage, employ or solicit for engagement or employment any employee or subcontractor of the Customer who has been involved in any way in the negotiation or performance of this Agreement.

33.    Anti-corruption

33.1  Each party warrants and undertakes to the other that it has complied and will continue to comply with the Anti-Corruption Laws in relation to this Agreement.

33.2  Save to the extent that applicable law requires otherwise, each party must promptly notify the other if it becomes aware of any events or circumstances relating to this Agreement that will or may constitute a breach of the Anti-Corruption Laws (irrespective of the identity of the person in breach).

33.3  The Provider shall[ use all reasonable endeavors to ensure that all persons that:

(a)    provide services to the Provider (including employees, agents and subsidiaries of the Provider); and

(b)    are involved in the performance of the obligations of the Provider under this Agreement,

        will comply with the Anti-Corruption Laws; and the Provider shall maintain written contracts with all such persons, and shall ensure that each of those contracts includes express requirements on the provider of services to comply with the Anti-Corruption Laws, along with express obligations on the provider of services equivalent to the obligations set out in this Clause 33.

33.4  Each party shall create and maintain proper books and records of all payments and other material benefits given by one party to the other, and each party shall promptly following receipt of a written request from the other party supply copies of the relevant parts of those books and records to the other party.

33.5  The Provider must comply with the supply chain anti-corruption and anti-bribery policy of the Customer supplied or made available by the Customer to the Provider before the Effective Date, as it may be reasonably updated by the Provider from time to time.

33.6  The Provider warrants that it has in place its own policies and procedures designed to ensure the compliance of the Provider with the Anti-Corruption Laws; and the Provider undertakes to:

(a)    acting reasonably, maintain and enforce those policies and procedures during the Term;

(b)    promptly following receipt of a written request for the same from the Customer, provide copies of the documentation embodying those policies and procedures to the Customer.

33.7  Each party shall provide reasonable co-operation to the other party, at the other's expense, in relation to any due diligence exercises, risk assessments, monitoring programmes and reviews conducted by the other party for the purpose of ensuring or promoting compliance with the Anti-Corruption Laws.

33.8  Nothing in this Agreement shall prevent either party from reporting a breach of the Anti-Corruption Laws to the relevant governmental authorities.

33.9  Any breach of this Clause 33 shall be deemed to constitute a material breach of this Agreement.

34.    Anti-slavery

34.1  Each party warrants and undertakes to the other that it has complied and will continue to comply with the Anti-Slavery Laws.

34.2  The Provider shall ensure that all persons that provide services or supply products to the Provider, where such services or products are used in the performance of the obligations of the Provider under this Agreement, will comply with the Anti-Slavery Laws; and the Provider shall maintain written contracts with all such persons, and shall ensure that each of those contracts includes express requirements on the provider of services or supplier of goods to comply with the Anti-Slavery Laws.

34.3  The Provider must comply with the supply chain anti-slavery and anti-human trafficking policy of the Customer supplied or made available by the Customer to the Provider before the Effective Date, as it may be reasonably updated by the Provider from time to time.

34.4  The Provider warrants that it has in place its own policies and procedures designed to ensure the compliance of the Provider with the Anti-Slavery Laws; and the Provider undertakes to:

(a)    acting reasonably, maintain and enforce those policies and procedures during the Term;

(b)    promptly following receipt of a written request for the same from the Customer, provide copies of the documentation embodying those policies and procedures to the Customer.

34.5  Any breach of this Clause 34 shall be deemed to constitute a material breach of this Agreement.

35.    Anti-tax evasion

35.1  Each party warrants and undertakes to the other that it has complied and will continue to comply with the Anti-Tax Evasion Laws.

35.2  The Provider shall ensure that all employees, agents and persons that provide services to the Provider, when acting in such capacity in connection with this Agreement, will comply with the Anti-Tax Evasion Laws.

35.3  The Provider must comply with the supply chain anti-tax evasion policy of the Customer supplied or made available by the Customer to the Provider before the Effective Date, as it may be reasonably updated by the Provider from time to time.

35.4  The Provider warrants that it has in place its own policies and procedures designed to ensure the compliance of the Provider with the Anti-Tax Evasion Laws; and the Provider undertakes to:

(a)    acting reasonably, maintain and enforce those policies and procedures during the Term;

(b)    promptly following receipt of a written request for the same from the Customer, provide copies of the documentation embodying those policies and procedures to the Customer.

35.5  Any breach of this Clause 35 shall be deemed to constitute a material breach of this Agreement.

36.    Notices

36.1  Any notice given under this Agreement must be in writing, whether or not described as "written notice" in this Agreement.

36.2  Any notice given by one party to the other party under this Agreement must be:

(a)    delivered personally;

(b)    sent by courier;

(c)    sent by post;

(d)    sent by email; or

(f)    submitted using recipient party's online contractual notification facility,

        using the relevant contact details set out in Section 6 of Schedule 1 (Hosted Services particulars).

36.3  The addressee and contact details set out in Section 6 of Schedule 1 (Hosted Services particulars) may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 36.

36.4  A party receiving from the other party a notice by email must acknowledge receipt by email promptly, and in any event within 2 Business Days following receipt of the notice.

36.5  A notice will be deemed to have been received at the relevant time set out below or, where such time is not within Business Hours, when Business Hours next begin after the relevant time set out below:

(a)    in the case of notices delivered personally, upon delivery;

(b)    in the case of notices sent by courier, upon delivery;

(c)    in the case of notices sent by post, 48 hours after posting;

(d)    in the case of notices sent by email, at the time of the sending of an acknowledgement of receipt by the receiving party; and

(e)    in the case of notices submitted using an online contractual notification facility, upon the submission of the notice form.

37.    Subcontracting

37.1  Subject to any express restrictions elsewhere in this Agreement, the Provider may subcontract any of its obligations under this Agreement, providing that the Provider must give to the Customer, promptly following the appointment of a subcontractor, a written notice specifying the subcontracted obligations and identifying the subcontractor in question.

37.2  The Provider shall remain responsible to the Customer for the performance of any subcontracted obligations.

37.3  Notwithstanding the provisions of this Clause 37 but subject to any other provision of this Agreement, the Customer acknowledges and agrees that the Provider may subcontract to any reputable third party hosting business the hosting of the Platform and the provision of services in relation to the support and maintenance of elements of the Platform.

38.    Assignment

38.1  Save to the extent expressly permitted by applicable law, the Provider must not assign, transfer or otherwise deal with the Provider's contractual rights and/or obligations under this Agreement without the prior written consent of the Customer, such consent not to be unreasonably withheld or delayed, providing that the Provider may assign the entirety of its rights and obligations under this Agreement to any Affiliate of the Provider or to any successor to all or a substantial part of the business of the Provider from time to time.

38.2  Save to the extent expressly permitted by applicable law, the Customer must not assign, transfer or otherwise deal with the Customer's contractual rights and/or obligations under this Agreement without the prior written consent of the Provider, such consent not to be unreasonably withheld or delayed, providing that the Customer may assign the entirety of its rights and obligations under this Agreement to any Affiliate of the Customer or to any successor to all or a substantial part of the business of the Customer from time to time.

39.    No waivers

39.1  No breach of any provision of this Agreement will be waived except with the express written consent of the party not in breach.

39.2  No waiver of any breach of any provision of this Agreement shall be construed as a further or continuing waiver of any other breach of that provision or any breach of any other provision of this Agreement.

40.    Severability

40.1  If a provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions will continue in effect.

40.2  If any unlawful and/or unenforceable provision of this Agreement would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect.

41.    Third party rights

41.1  This Agreement is for the benefit of the parties, and is not intended to benefit or be enforceable by any third party.

41.2  The exercise of the parties' rights under this Agreement is not subject to the consent of any third party.

42.    Variation

42.1  This Agreement may not be varied except by means of a written document signed by or on behalf of each party, without prejudice to the requirements of Clause 17.

43.    Entire agreement

43.1  The main body of this Agreement and the Schedules shall constitute the entire agreement between the parties in relation to the subject matter of this Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.

43.2  Neither party will have any remedy in respect of any misrepresentation (whether written or oral) made to it upon which it relied in entering into this Agreement.

43.3  The provisions of this Clause 43 are subject to Clause 28.1.

44.    Law and jurisdiction

44.1  This Agreement shall be governed by and construed in accordance with Irish law.

44.2  Any disputes relating to this Agreement shall be subject to the jurisdiction of the courts of Ireland.

45.    Interpretation

45.1  In this Agreement, a reference to a statute or statutory provision includes a reference to:

(a)    that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and

(b)    any subordinate legislation made under that statute or statutory provision.

45.2  The Clause headings do not affect the interpretation of this Agreement.

45.3  References in this Agreement to "calendar months" are to the 12 named periods (January, February and so on) into which a year is divided.

45.4  In this Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.


 

Schedule 1

See processing agreement for further t&cs

 

 

1.      Financial provisions

Pricing - €99.99 per month paid annually

2.      Representatives

The Provider Representatives are: Anthony Cronin ,CEO – anthony@ordee.ie

                                                 Jonathan Shaw, CFO – jonathan@ordee.ie

                                                 Criostóir O’Codlatáin Lachtna – chris@ordee.ie

                                                                                            

The Customer Representatives are: [identify representatives].

3.      Contractual notices

Ordee Limited

12 Grattan Square,

Dungarvan,

Co. Waterford

X35 V670

 

Schedule 2 (Acceptable Use Policy)

1.      Introduction

1.1    This acceptable use policy (the "Policy") sets out the rules governing:

(a)    the use of www.ordee.ie, any successor website, and the services available on that website or any successor website (the "Services"); and

(b)    the transmission, storage and processing of content by you, or by any person on your behalf, using the Services ("Content").

1.2    References in this Policy to "you" are to any customer for the Services and any individual user of the Services (and "your" should be construed accordingly); and references in this Policy to "us" are to Ordee Limited (and "we" and "our" should be construed accordingly).

1.3    By using the Services, you agree to the rules set out in this Policy.

1.4    We will ask for your express agreement to the terms of this Policy before you upload or submit any Content or otherwise use the Services.

1.5    You must be at least 18 years of age to use the Services; and by using the Services, you warrant and represent to us that you are at least 18 years of age.

2.      General usage rules

2.1    You must not use the Services in any way that causes, or may cause, damage to the Services or impairment of the availability or accessibility of the Services.

2.2    You must not use the Services:

(a)    in any way that is unlawful, illegal, fraudulent, deceptive or harmful; or

(b)    in connection with any unlawful, illegal, fraudulent, deceptive or harmful purpose or activity.

2.3    You must ensure that all Content complies with the provisions of this Policy.

3.      Unlawful Content

3.1    Content must not be illegal or unlawful, must not infringe any person's legal rights, and must not be capable of giving rise to legal action against any person (in each case in any jurisdiction and under any applicable law).

3.2    Content, and the use of Content by us in any manner licensed or otherwise authorised by you, must not:

(a)    be libellous or maliciously false;

(b)    be obscene or indecent;

(c)    infringe any copyright, moral right, database right, trade mark right, design right, right in passing off, or other intellectual property right;

(d)    infringe any right of confidence, right of privacy or right under data protection legislation;

(e)    constitute negligent advice or contain any negligent statement;

(f)    constitute an incitement to commit a crime, instructions for the commission of a crime or the promotion of criminal activity;

(g)    be in contempt of any court, or in breach of any court order;

(h)    constitute a breach of racial or religious hatred or discrimination legislation;

(i)     be blasphemous;

(j)    constitute a breach of official secrets legislation; or

(k)    constitute a breach of any contractual obligation owed to any person.

3.3    You must ensure that Content is not and has never been the subject of any threatened or actual legal proceedings or other similar complaint.

4.      Graphic material

4.1    Content must be appropriate for all persons who have access to or are likely to access the Content in question, and in particular for children over 12 years of age.

4.2    Content must not depict violence in an explicit, graphic or gratuitous manner.

4.3    Content must not be pornographic or sexually explicit.

5.      Factual accuracy

5.1    Content must not be untrue, false, inaccurate or misleading.

5.2    Statements of fact contained in Content and relating to persons (legal or natural) must be true; and statements of opinion contained in Content and relating to persons (legal or natural) must be reasonable, be honestly held and indicate the basis of the opinion.

6.      Negligent advice

6.1    Content must not consist of or contain any legal, financial, investment, taxation, accountancy, medical or other professional advice, and you must not use the Services to provide any legal, financial, investment, taxation, accountancy, medical or other professional advisory services.

6.2    Content must not consist of or contain any advice, instructions or other information that may be acted upon and could, if acted upon, cause death, illness or personal injury, damage to property, or any other loss or damage.

7.      Etiquette

7.1    Content must be appropriate, civil and tasteful, and accord with generally accepted standards of etiquette and behaviour on the internet.

7.2    Content must not be offensive, deceptive, threatening, abusive, harassing, menacing, hateful, discriminatory or inflammatory.

7.3    Content must not be liable to cause annoyance, inconvenience or needless anxiety.

7.4    You must not use the Services to send any hostile communication or any communication intended to insult, including such communications directed at a particular person or group of people.

7.5    You must not use the Services for the purpose of deliberately upsetting or offending others.

7.6    You must not unnecessarily flood the Services with material relating to a particular subject or subject area, whether alone or in conjunction with others.

7.7    You must ensure that Content does not duplicate other content available through the Services.

7.8    You must ensure that Content is appropriately categorised.

7.9    You should use appropriate and informative titles for all Content.

7.10  You must at all times be courteous and polite to other users of the Services.

8.      Marketing and spam

8.1    You must not[ without our written permission use the Services for any purpose relating to the marketing, advertising, promotion, sale or supply of any product, service or commercial offering.

8.2    Content must not constitute or contain spam, and you must not use the Services to store or transmit spam - which for these purposes shall include all unlawful marketing communications and unsolicited commercial communications.

8.3    You must not send any spam or other marketing communications to any person using any email address or other contact details made available through the Services or that you find using the Services.

8.4    You must not use the Services to promote, host or operate any chain letters, Ponzi schemes, pyramid schemes, matrix programs, multi-level marketing schemes, "get rich quick" schemes or similar letters, schemes or programs.

8.5    You must not use the Services in any way which is liable to result in the blacklisting of any of our IP addresses.

9.      Regulated businesses

9.1    You must not use the Services for any purpose relating to gambling, gaming, betting, lotteries, sweepstakes, prize competitions or any gambling-related activity.

9.2    You must not use the Services for any purpose relating to the offering for sale, sale or distribution of drugs or pharmaceuticals.

9.3    You must not use the Services for any purpose relating to the offering for sale, sale or distribution of knives, guns or other weapons.

10.    Monitoring

10.1  You acknowledge that we may actively monitor the Content and the use of the Services.

 

11.    Data mining

11.1  You must not conduct any systematic or automated data scraping, data mining, data extraction or data harvesting, or other systematic or automated data collection activity, by means of or in relation to the Services.

12.    Hyperlinks

12.1  You must not link to any material using or by means of the Services that would, if it were made available through the Services, breach the provisions of this Policy.

13.    Harmful software

13.1  The Content must not contain or consist of, and you must not promote, distribute or execute by means of the Services, any viruses, worms, spyware, adware or other harmful or malicious software, programs, routines, applications or technologies.

13.2  The Content must not contain or consist of, and you must not promote, distribute or execute by means of the Services, any software, programs, routines, applications or technologies that will or may have a material negative effect upon the performance of a computer or introduce material security risks to a computer.


 

Schedule 3 (Availability SLA)

1.      Introduction to availability SLA

1.1    This Schedule 3 sets out the Provider's availability commitments relating to the Hosted Services.

1.2    In this Schedule 3, "uptime" means the percentage of time during a given period when the Hosted Services are available at the gateway between public internet and the network of the hosting services provider for the Hosted Services.

2.      Availability

2.1    The Provider shall use all reasonable endeavours to ensure that the uptime for the Hosted Services is at least 99.9% during each calendar month.

2.2    The Provider shall be responsible for measuring uptime, and shall do so using any reasonable methodology.

2.3    The Provider shall report uptime measurements to the Customer in writing, in respect of each calendar month, within 10 Business Days following the end of the relevant calendar month.

3.      Service credits

3.1    In respect of each calendar month during which the Hosted Services uptime is less than the commitment specified in Section 2.1, the Customer shall earn service credits in accordance with the provisions of this Section 3.

3.2    The Provider shall deduct an amount equal to the service credits due to the Customer under this Section 3 from amounts invoiced in respect of the Charges for the Hosted Services. All remaining service credits shall be deducted from each invoice issued following the reporting of the relevant failure to meet the uptime commitment, until such time as the service credits are exhausted.

3.3    Service credits shall be the sole remedy of the Customer in relation to any failure by the Provider to meet the uptime guarantee in Section 2.1, except where the failure amounts to a material breach of this Agreement.

3.5    Upon the termination of this Agreement, the Customer's entitlement to service credits shall immediately cease, save that service credits earned by the Customer shall be offset against any amounts invoiced by the Provider in respect of Hosted Services following such termination.

4.      Exceptions

4.1    Downtime caused directly or indirectly by any of the following shall not be considered when calculating whether the Provider has met the uptime guarantee given in Section 2.1:

(a)    a Force Majeure Event;

(b)    a fault or failure of the internet or any public telecommunications network;

(c)    a fault or failure of the Provider's hosting infrastructure services provider, unless such fault or failure constitutes an actionable breach of the contract between the Provider and that company;

(d)    a fault or failure of the Customer's computer systems or networks;

(e)    any breach by the Customer of this Agreement; or

(f)    scheduled maintenance carried out in accordance with this Agreement.

Schedule 4 (Maintenance SLA)

1.      Introduction

1.1    This Schedule 4 sets out the service levels applicable to the Maintenance Services.

2.      Scheduled Maintenance Services

2.1    The Provider shall where practicable give to the Customer at least 10 Business Days' prior written notice of scheduled Maintenance Services that are likely to affect the availability of the Hosted Services or are likely to have a material negative impact upon the Hosted Services, without prejudice to the Provider's other notice obligations under this Schedule 4.

2.2    The Provider shall provide all scheduled Maintenance Services outside Business Hours.

3.      Updates

3.1    The Provider shall give to the Customer written notice of the application of any security Update to the Platform and at least 10 Business Days' prior written notice of the application of any non-security Update to the Platform.

3.2    The Provider shall apply Updates to the Platform as follows:

(a)    third party security Updates shall be applied to the Platform promptly following release by the relevant third party, providing that the Provider may acting reasonably decide not to apply any particular third party security Update;

(b)    the Provider's security Updates shall be applied to the Platform promptly following the identification of the relevant security risk and the completion of the testing of the relevant Update; and

(c)    other Updates shall be applied to the Platform in accordance with any timetable notified by the Provider to the Customer or agreed by the parties from time to time.

4.      Upgrades

4.1    The Provider shall produce Upgrades at least once in each calendar year during the Term.

4.2    The Provider shall give to the Customer at least 10 Business Days' prior written notice of the application of an Upgrade to the Platform.

4.3    The Provider shall apply each Upgrade to the Platform within any period notified by the Provider to the Customer or agreed by the parties in writing.


 

Schedule 5 (Support SLA)

1.      Introduction

1.1    This Schedule 5 sets out the service levels applicable to the Support Services.

2.      Helpdesk

2.1    The Provider shall make available to the Customer a helpdesk in accordance with the provisions of this Schedule 5.

2.2    The Customer may use the helpdesk for the purposes of requesting and, where applicable, receiving the Support Services; and the Customer must not use the helpdesk for any other purpose.

2.3    The Provider shall ensure that the helpdesk is accessible by telephone, email and using the Provider's web-based ticketing system.

2.4    The Provider shall ensure that the helpdesk is operational and adequately staffed during Business Hours during the Term. In addition, the Provider shall provide a special telephone number for the Customer to report critical issues outside of Business Hours.

2.5    The Customer shall ensure that all requests for Support Services that it may make from time to time shall be made through the helpdesk.

3.      Response and resolution

3.1    Issues raised through the Support Services shall be categorised as follows:

(a)    critical: the Hosted Services are inoperable or a core function of the Hosted Services is unavailable;

(b)    serious: a core function of the Hosted Services is significantly impaired;

(c)    moderate: a core function of the Hosted Services is impaired, where the impairment does not constitute a serious issue; or a non-core function of the Hosted Services is significantly impaired; and

(d)    minor: any impairment of the Hosted Services not falling into the above categories; and any cosmetic issue affecting the Hosted Services.

3.2    The Provider shall determine, acting reasonably, into which severity category an issue falls.

3.3    The Provider shall[ use reasonable endeavours to respond to requests for Support Services promptly, and in any case in accordance with the following time periods:

(a)    critical: 2 Business Hours;

(b)    serious: 4 Business Hours;

(c)    moderate: 1 Business Day; and

(d)    minor: 5 Business Days.

3.4    The Provider shall ensure that its response to a request for Support Services shall include the following information (to the extent such information is relevant to the request): an acknowledgement of receipt of the request, where practicable an initial diagnosis in relation to any reported error, and an anticipated timetable for action in relation to the request.

3.5    The Provider shall[ use reasonable endeavours to resolve issues raised through the Support Services promptly, and in any case in accordance with the following time periods:

(a)    critical: 2 Business Hours;

(b)    serious: 8 Business Hours;

(c)    moderate: 4 Business Days; and

(d)    minor: 10 Business Days.

4.      Provision of Support Services

4.1    The Support Services shall be provided remotely, save to the extent that the parties agree otherwise in writing.

5.      Limitations on Support Services

5.1    If the total hours spent by the personnel of the Provider performing the Support Services during any calendar month exceed 10 then:

(a)    the Provider will cease to have an obligation to provide Support Services to the Customer during the remainder of that period; and

(b)    the Provider may agree to provide Support Services to the Customer during the remainder of that period, but the provision of those Support Services will be subject to additional Charges.

5.2    The Provider shall have no obligation to provide Support Services in respect of any issue caused by:

(a)    the improper use of the Hosted Services by the Customer; or

(b)    any alteration to the Hosted Services made without the prior consent of the Provider.

 

 

See processing agreement for further t&cs

 


 


Privacy policy

This privacy policy ("Policy") describes how Ordee Limited ("Ordee Limited", "we", "us" or "our") collects, protects and uses the personally identifiable information ("Personal Information") you ("User", "you" or "your") may provide in the Ordee mobile application and any of its products or services (collectively, "Mobile Application" or "Services").

It also describes the choices available to you regarding our use of your Personal Information and how you can access and update this information. This Policy does not apply to the practices of companies that we do not own or control, or to individuals that we do not employ or manage.

Automatic collection of information

When you open the Mobile Application our servers automatically record information that your device sends. This data may include information such as your device's IP address and location, device name and version, operating system type and version, language preferences, information you search for in our Mobile Application, access times and dates, and other statistics.

Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding Mobile Application traffic and usage. This statistical information is not otherwise aggregated in such a way that would identify any particular user of the system.

Collection of personal information

You can visit the Mobile Application without telling us who you are or revealing any information by which someone could identify you as a specific, identifiable individual. If, however, you wish to use some of the Mobile Application's features, you will be asked to provide certain Personal Information (for example, your name and e-mail address). We receive and store any information you knowingly provide to us when you create an account, publish content, or fill any online forms in the Mobile Application. When required, this information may include the following:

You can choose not to provide us with your Personal Information, but then you may not be able to take advantage of some of the Mobile Application's features. Users who are uncertain about what information is mandatory are welcome to contact us.

Managing personal information

You are able to delete certain Personal Information we have about you. The Personal Information you can delete may change as the Mobile Application or Services change. When you delete Personal Information, however, we may maintain a copy of the unrevised Personal Information in our records for the duration necessary to comply with our obligations to our affiliates and partners, and for the purposes described below. If you would like to delete your Personal Information or permanently delete your account, you can do so on the settings page of your account in the Mobile Application.

Storing personal information

We will retain and use your Personal Information for the period necessary to comply with our legal obligations, resolve disputes, and enforce our agreements unless a longer retention period is required or permitted by law. We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally. Once the retention period expires, Personal Information shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the expiration of the retention period.

Use and processing of collected information

In order to make our Mobile Application and Services available to you, or to meet a legal obligation, we need to collect and use certain Personal Information. If you do not provide the information that we request, we may not be able to provide you with the requested products or services. Some of the information we collect is directly from you via our Mobile Application. However, we may also collect Personal Information about you from other sources. Any of the information we collect from you may be used for the following purposes:

Processing your Personal Information depends on how you interact with our Mobile Application, where you are located in the world and if one of the following applies: (i) You have given your consent for one or more specific purposes. This, however, does not apply, whenever the processing of Personal Information is subject to California Consumer Privacy Act or European data protection law; (ii) Provision of information is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof; (iii) Processing is necessary for compliance with a legal obligation to which you are subject; (iv) Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in us; (v) Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party.

Note that under some legislations we may be allowed to process information until you object to such processing (by opting out), without having to rely on consent or any other of the following legal bases below. In any case, we will be happy to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Information is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Information transfer and storage

Depending on your location, data transfers may involve transferring and storing your information in a country other than your own. You are entitled to learn about the legal basis of information transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by us to safeguard your information. If any such transfer takes place, you can find out more by checking the relevant sections of this document or inquire with us using the information provided in the contact section.

The rights of users

You may exercise certain rights regarding your information processed by us. In particular, you have the right to do the following: (i) you have the right to withdraw consent where you have previously given your consent to the processing of your information; (ii) you have the right to object to the processing of your information if the processing is carried out on a legal basis other than consent; (iii) you have the right to learn if information is being processed by us, obtain disclosure regarding certain aspects of the processing and obtain a copy of the information undergoing processing; (iv) you have the right to verify the accuracy of your information and ask for it to be updated or corrected; (v) you have the right, under certain circumstances, to restrict the processing of your information, in which case, we will not process your information for any purpose other than storing it; (vi) you have the right, under certain circumstances, to obtain the erasure of your Personal Information from us; (vii) you have the right to receive your information in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that your information is processed by automated means and that the processing is based on your consent, on a contract which you are part of or on pre-contractual obligations thereof.

The right to object to processing

Where Personal Information is processed for the public interest, in the exercise of an official authority vested in us or for the purposes of the legitimate interests pursued by us, you may object to such processing by providing a ground related to your particular situation to justify the objection. You must know that, however, should your Personal Information be processed for direct marketing purposes, you can object to that processing at any time without providing any justification. To learn, whether we are processing Personal Information for direct marketing purposes, you may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to Ordee Limited through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by Ordee Limited as early as possible.

Privacy of children

We do not knowingly collect any Personal Information from children under the age of 13. If you are under the age of 13, please do not submit any Personal Information through our Mobile Application or Service. We encourage parents and legal guardians to monitor their children's Internet usage and to help enforce this Policy by instructing their children never to provide Personal Information through our Mobile Application or Service without their permission.

If you have reason to believe that a child under the age of 13 has provided Personal Information to us through our Mobile Application or Service, please contact us. You must also be at least 16 years of age to consent to the processing of your Personal Information in your country (in some countries we may allow your parent or guardian to do so on your behalf).

Newsletters

We offer electronic newsletters to which you may voluntarily subscribe at any time. We are committed to keeping your e-mail address confidential and will not disclose your email address to any third parties except as allowed in the information use and processing section or for the purposes of utilizing a third-party provider to send such emails. We will maintain the information sent via e-mail in accordance with applicable laws and regulations.

In compliance with the CAN-SPAM Act, all e-mails sent from us will clearly state who the e-mail is from and provide clear information on how to contact the sender. You may choose to stop receiving our newsletter or marketing emails by following the unsubscribe instructions included in these emails or by contacting us. However, you will continue to receive essential transactional emails.

Remarketing

We also may permit certain third-party companies to help us tailor advertising that we think may be of interest to users and to collect and use other data about user activities in the Mobile Application. These companies may deliver ads that might place cookies and otherwise track user behavior.

Advertisement

We may display online advertisements and we may share aggregated and non-identifying information about our customers that we collect through the registration process or through online surveys and promotions with certain advertisers. We do not share personally identifiable information about individual customers with advertisers. In some instances, we may use this aggregated and non-identifying information to deliver tailored advertisements to the intended audience.

Affiliates

We may disclose information about you to our affiliates for the purpose of being able to offer you related or additional products and services. Any information relating to you that we provide to our affiliates will be treated by those affiliates in accordance with the terms of this Privacy Policy.

Links to other mobile applications

Our Mobile Application contains links to other mobile applications that are not owned or controlled by us. Please be aware that we are not responsible for the privacy practices of such other mobile applications or third-parties. We encourage you to be aware when you leave our Mobile Application and to read the privacy statements of each and every mobile application that may collect Personal Information.

Information security

We secure information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. We maintain reasonable administrative, technical, and physical safeguards in an effort to protect against unauthorized access, use, modification, and disclosure of Personal Information in its control and custody. However, no data transmission over the Internet or wireless network can be guaranteed. Therefore, while we strive to protect your Personal Information, you acknowledge that (i) there are security and privacy limitations of the Internet which are beyond our control; (ii) the security, integrity, and privacy of any and all information and data exchanged between you and our Mobile Application cannot be guaranteed; and (iii) any such information and data may be viewed or tampered with in transit by a third-party, despite best efforts.

Data breach

In the event we become aware that the security of the Mobile Application has been compromised or users Personal Information has been disclosed to unrelated third parties as a result of external activity, including, but not limited to, security attacks or fraud, we reserve the right to take reasonably appropriate measures, including, but not limited to, investigation and reporting, as well as notification to and cooperation with law enforcement authorities. In the event of a data breach, we will make reasonable efforts to notify affected individuals if we believe that there is a reasonable risk of harm to the user as a result of the breach or if notice is otherwise required by law. When we do, we will post a notice in the Mobile Application, send you an email, get in touch with you over the phone, mail you a letter.

Legal disclosure

We will disclose any information we collect, use or receive if required or permitted by law, such as to comply with a subpoena, or similar legal process, and when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. In the event we go through a business transition, such as a merger or acquisition by another company, or sale of all or a portion of its assets, your user account, and Personal Information will likely be among the assets transferred.

Changes and amendments

We may update this Privacy Policy from time to time in our discretion and will notify you of any material changes to the way in which we treat Personal Information. When changes are made, we will revise the updated date at the bottom of this page. We may also provide notice to you in other ways in our discretion, such as through contact information you have provided. Any updated version of this Privacy Policy will be effective immediately upon the posting of the revised Privacy Policy unless otherwise specified. Your continued use of the Mobile Application or Services after the effective date of the revised Privacy Policy (or such other act specified at that time) will constitute your consent to those changes. However, we will not, without your consent, use your Personal Data in a manner materially different than what was stated at the time your Personal Data was collected.

Acceptance of this policy

You acknowledge that you have read this Policy and agree to all its terms and conditions. By using the Mobile Application or its Services you agree to be bound by this Policy. If you do not agree to abide by the terms of this Policy, you are not authorized to use or access the Mobile Application and its Services.

Contacting us

If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may send an email to info@ordee.ie

This document was last updated on May 19, 2020