MASTER TERMS AND CONDITIONS

Version Date: 23rd July 2021

  1. INTRODUCTION

These terms and conditions (the “Terms”) set forth a legally binding contract between you (the “Client”; “you” or “your”) and KastellVP LIMITED, a private limited liability company registered in Malta, with company registration number C 99218 and whose registered office is situated at 23, Notre Dame, Triq Il-Fjamma, Kappara, San Gwann SGN 4152, Malta (“KastellVP”; “we”; “us” or “our”). All Services that may be sold to you by KastellVP shall be subject to, and governed by, these Terms.

In order to purchase any Service from KastellVP, the Client must submit an Order Form to KastellVP. Our Terms are incorporated in full into, and constitute an integral part of, any such Order Form. Your submission of an Order Form, completed or otherwise, constitutes (i) your full acceptance of these Terms, together with any additional terms that may be set out in the Order Form, and (ii) your agreement to be legally bound by them.

Collectively, the Terms and the applicable Order Form comprise the full binding, legal Agreement between yourself and us (the “Parties”) for your purchase, receipt or use of the Services which are the subject of that Order Form. This Agreement (that is, these Terms and the applicable Order Form) also supersedes any additional or inconsistent terms, understandings, commitments, agreements, representations or conditions, whether oral or in writing, in any acknowledgement, purchase order or other documents proposed to or provided by you (the Client). No terms or conditions, other than those set out in these Terms and the applicable Order Form, shall be legally binding on KastellVP, unless we expressly agree otherwise in writing.

  2. CAPACITY

PRIOR TO SUBMITTING AN ORDER FORM TO US, CAREFULLY READ EACH PROVISION OF THESE TERMS AND ANY OF THE ADDITIONAL TERMS THAT MAY BE SET OUT IN THE ORDER FORM!

BY SUBMITTING AN ORDER FORM, YOU HEREBY REPRESENT AND WARRANT THAT:

  • YOU ARE LEGALLY CAPABLE OF ENTERING INTO THIS AGREEMENT AND ARE 18 YEARS OLD AND OF THE LEGAL AGE REQUIRED IN YOUR STATE, PROVINCE, JURISDICTION, DOMICILE OR RESIDENCE, IF THIS IS HIGHER, TO ENTER INTO THIS AGREEMENT;
  • IF YOU ARE ENTERING INTO THE AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU HAVE THE RIGHT, AUTHORITY AND CAPACITY TO DO SO AND TO BIND SUCH ENTITY TO THIS AGREEMENT, AND IN WHICH CASE THE TERMS the “Client”; “you” or “your” SHALL REFER TO SUCH ENTITY; AND
  • ON BEHALF OF YOURSELF AND/OR AS AN AUTHORISED REPRESENTATIVE OF THE ENTITY IN WHOSE NAME THE AGREEMENT IS BEING ENTERED INTO, AS APPLICABLE, YOU AGREE TO BE LEGALLY BOUND BY THESE TERMS AND ALL ADDITIONAL TERMS AND CONDITIONS THAT MAY BE SET OUT IN THE ORDER FORM.

IF ANY OF THE FOREGOING REPRESENTATIONS AND WARRANTIES DO NOT APPLY TO YOU (INCLUDING IF YOU DO NOT HAVE SUCH RIGHT, AUTHORITY AND CAPACITY TO ACT ON BEHALF OF YOUR ENTITY), OR IF YOU DO NOT AGREE WITH ALL OF THE TERMS AND CONDITIONS SET OUT IN THESE TERMS OR THE ORDER FORM, YOU MUST NOT SUBMIT AN ORDER FORM OR MAKE USE OF ANY OF OUR SERVICES!

  3. GENERAL

3.1      Capitalized terms used in these Terms are defined in Clause 4 below.

3.2      You (the Client) should read these Terms, the Order Form and any document referred to in them very carefully. If there is anything which you do not understand, you should discuss this matter with KastellVP and seek the necessary clarification.

3.3       You hereby waive any applicable rights to require an original (non-electronic) signature or delivery or retention of non-electronic forms (including submitted and executed Order Forms), records and agreements, to the extent not prohibited by the applicable laws of your jurisdiction.

3.4       All communications between KastellVP and Clients will, unless otherwise agreed between KastellVP and the Client, be made in the English language. In the event of any discrepancy between the English language version of the Terms and any translated version of the Terms, the English language version of these Terms shall prevail and take precedence at all times.

3.5       There are important legal terms provided below in these Terms, including the Client’s indemnification and our limitation of liability. To emphasise, please read these Terms carefully!

3.6       The data processing agreement set out in Annex A constitutes an integral part of these Terms.

3.7       To the extent that any of the terms and conditions set out in these Terms conflict with any terms and conditions in the Order Form, these Terms will take precedence and prevail.

  4. DEFINITIONS

4.1      The following definitions shall apply in these Terms:

(i) “Agreement” means these Terms and the Order Form accepted by KastellVP and executed by the Parties (including all other terms and conditions set out in that Order Form);

(ii) “Confidential Information” means (a) any confidential, proprietary, professional secret or trade secret information (a ‘trade secret’ being as defined by Chapter 589 of the Laws of Malta) of the disclosing party (the “Discloser”) that if in tangible form is marked as confidential, secret or with a comparable legend or if disclosed orally or visually is identified as confidential at the time of disclosure; and (b) any and all discussions relating to such information. Discloser shall use reasonable efforts to mark its confidential information in tangible form as confidential; however, tangible information that does not bear such a legend and the discussions relating thereto, will be protected hereunder as Confidential Information if the receiving party (the “Recipient”) knew or should have reasonably known under the circumstances that the information is confidential. Client Data is deemed to be Confidential Information;

(iii) “Client Data” means any data, information and other materials generated by the Users and that is stored by KastellVP as a part of the Services;

(iv) “Data Protection Legislation” means all legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to the Parties, including without limitation, data protection laws and regulations implementing the Data Protection Directive 95/46/EC and as of 25 May 2018 the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”);

(v) “Deliverables” means any deliverables provided to the Client pursuant to an accepted Order Form;

(vi) “Charges” has the meaning set forth in Clause 9 of these Terms;

(vii) “Intellectual Property Rights” means patents, utility models, rights to inventions, copyright and related rights, moral rights, trade marks, business names and domain names, rights in get-up, goodwill and the right to sue for passing off, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world;

(viii) “Order Form” means the ordering documents, in a form specified by KastellVP, which is signed and/or submitted by Client to KastellVP (as applicable);

(ix) “Professional Services” means consultancy and implementation services and other professional services provided by KastellVP to the Client, but specifically excluding Recurring Services;

(x) “Recurring Services” means those services that are delivered consistently and regularly through the year, including business coaching, leadership development coaching and other recurring services provided by KastellVP to the Client;

(xi) “Services” means any one or more of the following services provided by KastellVP to the Client as set forth in an Order Form: Recurring Services or Professional Services;

(xii) “Service Start Date” means the first day of delivery of the respective service, and it applies to Recurring Services;

(xiii) “Users” means Client’s employees, contractors and agents.

  5. INTERPRETATION

5.1      In these Terms, unless the context requires otherwise:

  • headings are inserted for convenience only and will not affect the construction or interpretation of these Terms;
  • words importing the singular include the plural and vice-versa;
  • a reference to any party shall include that party’s permitted assignees and successors in title;
  • any reference to a statute, statutory instrument, or other regulations includes all provisions, rules and regulations made under them and will be interpreted as reference to such statute, statutory instrument, or regulations as in force at the Version Date of these Terms; and
  • the exhibits form an integral part of these Terms.

  6. ACCEPTANCE

6.1      No Services shall be sold or provided by KastellVP to the Client by virtue of these Terms alone, but in each case require the submission of a sufficiently completed and signed Order Form to KastellVP by the Client.

6.2      As a minimum, any Order Form submitted by the Client must contain:

(a) an identification of the Services and associated Charges;

(b) the quantity of each Service;

(c) the estimated lead-time for commencement of the Services; and

(d) each of which must be duly confirmed upon submission by the Client.

6.3      Where an Order Form does not include the location for delivery, then the location/place of delivery will be deemed to be in Malta. It is the Client’s sole responsibility to advise KastellVP of any special delivery requirements that are needed and, for all such cases, KastellVP reserves the right to revise or adjust any quotation which may have been already provided to the Client.

6.4      Order Forms which do not satisfy any of the above requirements will not be considered valid and shall be deemed as rejected by KastellVP.

6.5      ALL ORDER FORMS ARE SUBJECT TO KastellVP’s WRITTEN ACCEPTANCE. Quotations shall be non-binding on KastellVP unless and until KastellVP issues its written acceptance to that Order Form submitted by the Client.

6.6      The submission of an Order Form by the Client shall constitute a legal offer made by that Client to KastellVP to purchase the Services that are the subject of that same Order Form.

6.7      KastellVP is under no obligation to accept or execute any Order Form submitted by the Client.

6.8      Where KastellVP does not issue its written acceptance to the Client within two (2) weeks from the date of its receipt of the submitted Order Form, that same Order Form shall be deemed to have been rejected in full by KastellVP.  For avoidance of doubt, these Terms shall also govern any Order Forms which are rejected by KastellVP (including deemed rejection) together with all controversies, disputes or claims arising or connected thereto (whether contractual or non-contractual).

6.9      KastellVP’s written acceptance, where provided, shall either:

(a) confirm the lead-time for commencement of the Services that has been requested by the Client; or

(b) otherwise offer an alternative lead-time.

In the latter case (‘b’):

(a) the Client shall either confirm its acceptance in writing to the alternative lead-time that has been proposed by KastellVP; and

(b) where the Client informs KastellVP that it does not agree to the proposed alternative lead-time, the Parties will discuss in good faith and mutually agree in writing to a lead-time that is suitable for both Parties.

6.10        Further to Clause 9, in the absence of any reply by the Client within the period of five (5) working days from the date of KastellVP’s communication, the alternative lead-time proposed by KastellVP shall be deemed to have been accepted and agreed to by the Client without reservation.

6.11       In those cases where the terms of the Order Form specify that a deposit must be made upon submission of the Order, then any written acceptance that may be provided by KastellVP shall (under all circumstances) be subject to its receipt of timely payment of this deposit. The Client shall, in all cases, pay the deposit to KastellVP by not later than two (2) weeks from submission of the Order Form and, if the Client fails to do so within that timeframe, KastellVP shall have the right to revoke its conditional acceptance, in which case the Order Form will automatically terminate and cease to have any effect between Parties and KastellVP will be immediately released (without liability) from any obligations which it may have to the Client in respect of the order.

  7. SERVICE DELIVERY

7.1      Following KastellVP’s written acceptance of the applicable Order Form submitted by the Client, in accordance with the above clauses, delivery of the Recurring Services as applicable, will be deemed to have been initiated by KastellVP upon the Service Start Date.

7.2      With regards to the Professional Services, delivery to the Client will be deemed to have been made and completed by KastellVP upon the completion of the provision of those Professional Services (and, in the case of a service milestone, upon fulfilment of that milestone).

  8. INTELLECTUAL PROPERTY RIGHTS

8.1   Any and all documentation provided through Services, whether made by KastellVP or any third party, are the proprietary property of KastellVP and/or its licensors or suppliers (as applicable) and are protected by copyright laws and other laws and treaties on Intellectual Property Rights.

8.2  Nothing in this Agreement shall have the effect, or be construed as having the effect, of assigning, transferring, disposing or conferring onto the Client any rights, title or interest in and to any Intellectual Property Rights, all of which shall remain vested in KastellVP or its applicable licensor or supplier at all times.

8.3  For avoidance of doubt, this Clause 8 is without prejudice to the limited rights of use granted to the Client by virtue of this Agreement. For avoidance of doubt, the rights of the Client to use any such Intellectual Property Rights belonging to KastellVP or its applicable licensor or supplier shall, at all times, be strictly limited to what is expressly contained in these Terms or set out in the terms of the accepted Order Form.

8.4  KastellVP reserves all rights that are not expressly granted to the Client under the Agreement, and nothing in this Agreement shall constitute or be construed as a waiver by KastellVP of any of its Intellectual Property Rights under any law or those of its licensors or suppliers.

8.5   Unless expressly agreed and stated otherwise by KastellVP, the Intellectual Property Rights (including all title thereto) to any Deliverables provided to the Client under this Agreement shall remain the property of, and vested in, KastellVP.

  9. FEES AND PAYMENT

9.1   In consideration of the sale of the Services to the Client by KastellVP, the Client shall pay to KastellVP the applicable charge and all other fees set forth in the applicable Order Form (collectively, referred to as the “Charges”).

9.2  Payments due under the Agreement shall be made in the currency and amounts set forth in the applicable Order Form, and by the payment dates specified therein or, if not specified therein, within a period of fifteen (15) days of the date of issuance of the relative invoice. If it is the Client’s standard business practice to issue a purchase order prior to its payment of an invoice, the Client hereby warrants and undertakes to ensure that any such purchase order accompanies each and any Order Form which it may submit to KastellVP.

9.3  If the Client fails to pay any amount due to KastellVP under the Agreement by the due date for payment, the Client shall, in addition to all other remedies and rights available to KastellVP under these Terms or at law, pay default interest on the overdue amount at the maximum rate permissible at law (which, under Maltese law, is presently eight percent (8%) per annum). Such interest shall accrue on a daily basis from the due date of payment until the date of actual full and complete payment to KastellVP of the overdue amount. The Client shall be obligated to pay to KastellVP both the overdue amount and all interest that has accrued on the overdue amount.

9.4  Prices quoted by KastellVP, and as agreed to by the Parties, are exclusive of Value Added Tax (“VAT”) at applicable current rates.

9.5   KastellVP reserves the right to change or revise prices quoted to the Client provided that, prior to imposing any such price changes or revisions, KastellVP shall provide the Client with appropriate notice and the Client shall have the right to withdraw from the applicable Order Form.

9.6  The Client shall be solely responsible for any charges due to any third party resulting from the use of the Recurring Services or Professional Services.

  10. INFORMATION SECURITY

10.1  The Client shall, and assumes the obligation to, encrypt all data or information which it transmits to KastellVP, including, without limitation, data transferred over the Internet or via other media. The Client shall be exclusively responsible and liable for all claims, losses, damages and any other consequences which may arise from any omission or breach on its part of its duties and responsibilities under this provision.

10.2 The Client grants to KastellVP, who accepts, a non-exclusive, world-wide, royalty-free license to use its data and all Client Data in order: (i) to perform KastellVP’s obligations under this Agreement; and (ii) as may be required by law. The Client will be responsible for obtaining all rights, permissions, and authorizations to provide such data to KastellVP for use as contemplated under this Agreement. Except for the limited license granted herein, nothing contained in this Agreement will be construed as granting KastellVP any right, title, or interest in or to that data.

10.3 The Client is solely responsible for all telecommunication or Internet connections and associated fees required to access and use the Services. KastellVP is not responsible for (i) Client’s access to the Internet, (ii) interception or interruptions of communications through the Internet, or (iii) changes or losses of data through the Internet.

  11. DATA PROTECTION

11.1 “Client Data”, as applicable to these Terms, means any personal data which is processed by the Client, or its Users, in connection with or as a result of using the Services.

11.2 For the purposes of all Data Protection Legislation, the Client acknowledges and agrees that it is the controller of the Client Data. The Client:

(a) acknowledges and accepts that it is individually and independently bound to ensure that it complies with all applicable obligations that may be imposed on a controller under all Data Protection Legislation; and

(b) warrants and undertakes to, at all times for the term of the Agreement (which includes the duration of any service provision by KastellVP), observe and maintain full compliance with Data Protection Legislation, including with regards to all applicable controller obligations.

11.3 The provision of the Services may require KastellVP to access, use, store, host or otherwise process Client Data on behalf of the Client, in which case the Parties acknowledge and agree that KastellVP would, in such circumstances and in terms of the applicable Data Protection Legislation, amount to a processor acting on behalf of and on the express, written appointment of the Client (collectively, the “Processing Services”).

11.4 For the above purpose, the data processing agreement (the “Processing Agreement”), which is incorporated into these Terms as “Annex A”, defines the data processing relationship between the Parties limitedly in the context of those Processing Services that are provided to or for the Client by KastellVP, and sets out the additional terms, requirements and conditions on which KastellVP will process Client Data as a processor for the Client when providing such Processing Services to the Client. The Processing Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

11.5 By entering into these Terms as per the above clauses, you accept and endorse the Processing Agreement set out in Annex A in full and confirm that KastellVP is authorised to access and process Client Data in accordance with, and subject to, the terms of that Processing Agreement.

11.6 The Client is solely responsible for the collection, accuracy, quality, legality, completeness and use of the Client Data.

  12. CONFIDENTIALITY

12.1 Each Party acknowledges that, in the course of its performance of the Agreement (including any service provision), it may obtain or otherwise have access to the Confidential Information of the other Party (the “Recipient”).

12.2 The Recipient shall at all times handle and use the other Party’s Confidential Information in the strictest confidence. The Recipient hereby warrants and undertakes to the other Party that it shall take all reasonable steps to:

(a) prevent and protect against any third-party access to the other Party’s Confidential Information (unless otherwise expressly authorised in writing by the other Party);

(b) prevent and protect against any unauthorised disclosure of the other Party’s Confidential Information; and

(c) maintain full confidentiality of the other Party’s Confidential Information at all times.

12.3 The Recipient warrants and undertakes to the other Party that it shall:

(a) not disclose the other Party’s Confidential Information to any third parties other than to its directors, officers, employees, advisors or consultants (collectively, the “Representatives”) on a strictly “need to know” basis only and provided that such Representatives are bound by written agreements to comply with confidentiality obligations equivalent to those contained herein, and in any event, the Recipient shall remain responsible for the acts or omissions of its Representatives to the same extent as if such acts or omissions were performed by the Recipient;

(b) not use or reproduce the other Party’s Confidential Information for any purpose except as necessary to perform its obligations or exercise its rights under this Agreement; or

(c) keep the other Party’s Confidential Information confidential using at least the same degree of care it uses to protect its own confidential information, which shall in any event not be less than a reasonable degree of care.

12.4 The Recipient shall be liable for any breach, or failure to maintain the confidentiality of, the other Party’s Confidential Information committed by any of its Representatives.

12.5 The Parties however acknowledge and accept that, regardless of the measures taken to prevent unauthorised access or unauthorised disclosure, use of or connection to the Internet provides the opportunity for unauthorised third parties to circumvent such precautions and illegally gain access to Confidential Information. Accordingly, the Parties accept and agree that a Recipient cannot and does not guarantee the privacy, security or authenticity of any information so transmitted over or stored in any system connected to the Internet (and nothing in this Clause 12 or the Agreement is intended to provide any such guarantee).

12.6 This Clause 12 shall not apply to any information which:

(a) is or becomes generally available to the public, or within the industry to which the information relates, other than as a result of a breach of the Agreement;

(b) was known to Recipient prior to receipt from the other Party, provided such prior knowledge can be substantiated by documentary evidence antedating any disclosure by the other Party;

(c) has been disclosed to the Recipient by a third party (other than employees or agents of either Party) who is not subject to obligations of confidentiality to the other Party; or

(d) is independently developed by Recipient, provided such independent development can be substantiated by documentary evidence.

12.7 A disclosure of Confidential Information (i) in response to a valid order by a court or other governmental body, or (ii) otherwise required by law, will not be considered to be a breach of this Agreement or a waiver of confidentiality for other purposes. Provided, however, that the Recipient will provide prompt written notice thereof to the other Party to enable it to seek a protective order or otherwise prevent such disclosure, unless prohibited from doing so by the applicable order or at law.

12.8 The Parties’ obligations with respect to Confidential Information under this Clause 12 shall remain in force for the Term of the Agreement and, thereafter, for a period of five (5) years following its expiration or termination, unless however a longer period of protection applies under applicable Law, either as trade secret in terms of the Trade Secrets Act (Chapter 589 of the Laws of Malta) or otherwise.

12.9 Upon expiration or termination of the Agreement, or upon the written request of the other Party, the Recipient shall promptly return the other Party’s Confidential Information to the said other Party or, if requested by the other Party, permanently and irretrievably delete or destroy (as instructed) such Confidential Information and certify to the other Party its compliance with the above in writing. Without limiting the generality of the foregoing sentence, upon expiry or termination of the Agreement, you agree to promptly return to KastellVP, or if instructed by KastellVP, permanently and irretrievably delete or destroy all copies and partial copies of the Licensed Software and Documentation in your possession, including such that are fixed or resident in the memory or hard disks of your systems or other storage devices, and such that were made for your backup or archival purposes; and, thereafter, you agree to certify in writing to KastellVP compliance with such instructions, and that the software and Documentation are no longer in use, and will not in the future be used, by you.

13. LIMITED WARRANTIES AND DISCLAIMERS

13.1 ASSUMPTION AND RESPONSIBILITY. The Client assumes all responsibility for the selection of, use of and the results obtained from, the Services. All warranties provided under the Agreement extend solely to the Client and not to any third parties.

13.2 SERVICES WARRANTY. KastellVP warrants to the Client that the Services will be of professional quality conforming to generally accepted industry standards and practices, which will be rated by the Client at the end of each session, where only a rating of 8 or above (out of a maximum rating of 10) will constitute such acceptance. For any breach of this warranty, Client’s sole and exclusive remedy and KastellVP’s sole and exclusive liability to the Client will be as follows: (i) for KastellVP to re-perform the non-compliant portion of the Services (as applicable) and (ii) only, if after a reasonable number of attempts, KastellVP is unable to provide the Services (as applicable) in compliance with the warranty, the Client may then at that point terminate the affected Services and not be liable to pay for the non-compliant portion of the Services. Any claim under this warranty must be made within one (1) week after delivery of the non-compliant services (‘delivery’ being as established by these Terms).

13.3 DISCLAIMER. To the fullest extent permitted by applicable law, the Services are provided on an “AS IS” and “AS AVAILABLE” basis. The Parties each acknowledge and agree that the warranties contained in this Clause 9 are in lieu of and fully exclude all other terms, conditions, guarantees, representations or warranties of any kind that may be implied by statute, law or otherwise as to the merchantability, title, custom, trade non-infringement, non-misappropriation, quiet enjoyment, accuracy or informational content or results, fitness for any particular purpose or satisfactory quality, of the Services to the fullest extent permitted by law. In addition, KastellVP makes no representation, warranty or guarantee that any Service provided or supplied by KastellVP will meet the needs, requirements or expectations of the Client or its Users, which is hereby being fully excluded by and between the Parties to the maximum extent permitted by applicable law.

THIS CLAUSE 13.2 CONSTITUTES AN ESSENTIAL PART OF THE AGREEMENT. NO ORAL OR WRITTEN INFORMATION, MARKETING OR PROMOTIONAL MATERIALS, OR ADVICE GIVEN BY KASTELLVP OR KASTELLVP’s AUTHORIZED REPRESENTATIVES SHALL IN ANY WAY INCREASE THE SCOPE OF THE EXPRESS WARRANTIES PROVIDED HEREIN.

13.4 The Services may be used to access and transfer information over the internet. The Client acknowledges and agrees that KastellVP and its vendors and licensors do not operate or control the internet. KastellVP shall not be responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, or which otherwise arises due to any failure or disruption of any internet services, and the Client hereby acknowledges and accepts that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities and/or reliance on internet services.

13.5 MODIFICATION AND DISCONTINUANCE. KastellVP reserves the right to modify or discontinue (temporarily or permanently) any of the Services from time to time, for any reason, providing notice to the Client where deemed necessary.

13.6 SUPPORT OF THIRD-PARTY COMPONENTS. Notwithstanding anything contained herein to the contrary, third-party hardware and software components and third-party services that do not form part of the relevant Service are supported solely by, and subject to the support terms and conditions of, their respective third-party providers.

13.7 YOUR WARRANTY RESPONSIBILITIES. The warranties set out in this Clause 12.9 may require KastellVP or its authorised third-party providers to access hardware or software that is not provided by KastellVP. Some manufacturers’ warranties may become void if KastellVP, its authorised third-party provider or anyone else other than the manufacturer, works on such hardware or software. It is your responsibility to ensure that KastellVP or its authorised third-party providers’ performance of any warranty in these Terms will not affect any such third-party warranties or, if it does, that the effect and possible consequences are acceptable to you. NEITHER KastellVP NOR ITS THIRD-PARTY PROVIDERS SHALL HAVE ANY RESPONSIBILITY OR LIABILITY FOR THIRD-PARTY WARRANTIES OR FOR ANY EFFECT THAT THEIR PERFORMANCE OF THE WARRANTY UNDER THIS CLAUSE 12.9 MAY HAVE ON THOSE WARRANTIES.

  14. INDEMNIFICATION

14.1 In the event of any claim, action, suit or proceeding instituted by a third party against the Client claiming that a Service infringes such third party’s Intellectual Property Rights (an “Infringement Claim”), KastellVP will defend and hold the Client harmless against the Infringement Claim, and will cover and make good for:

(a) the amount awarded (and then-currently payable) against the Client by virtue of the final decision rendered by the competent court or tribunal presiding over the Infringement Claim (to the extent that said decision determines and rules that an infringement of the third party’s Intellectual Property Rights did in fact exist or otherwise arise); or

(b) the amount which has been agreed to with the third party to settle the Infringement Claim, provided that KastellVP has expressly authorised the settlement or compromise with this third party in writing and in the absence of which the Client shall forfeit its rights under this Clause 1 and KastellVP shall be released from its obligations and duties hereto.

14.2 Notwithstanding anything to the contrary that may be contained herein, the Parties acknowledge and accept that KastellVP’s duty to indemnify the Client in terms of Clause 1 shall be strictly capped at its limitation of liability under Clause 15.2 and subject to the Client’s fulfilment of the conditions in Clause 14.3. In no event shall KastellVP be bound or have any duty to indemnify the Client in an amount exceeding its limitation of liability set out under Clause 15.2.

14.3 KastellVP’s obligations under Clause 1 shall only apply if the Client:

(a) promptly notifies KastellVP in writing of the Infringement Claim;

(b) fully cooperates with KastellVP and tenders full control of the defence and/or settlement of the Infringement Claim to KastellVP; and

(c) refrains from admitting any liability, or otherwise compromising the defence of any part of the Infringement Claim, without KastellVP’s prior express written consent.

14.4 If the Service (or any part thereof) becomes or, in KastellVP’s opinion, is likely to become, the subject of an Infringement Claim, the Client hereby permits and authorises KastellVP to, at KastellVP’s option and expense:

(a) procure for the Client the right to continue using the Service or the affected part thereof (as the case may be); or

(b) replace or modify the Service or the affected part so that it becomes non-infringing, while maintaining substantially the same functionality.

14.5 If neither (a) nor (b) under Clause 4 proves to be commercially practicable, then KastellVP may, at its sole and absolute discretion, terminate the Client’s rights under the Agreement with respect to the Service, and provide a refund of any periodic Fees paid to KastellVP for any portion of such Services not yet received.

14.6 KastellVP shall have no obligation or liability with respect to an Infringement Claim that is based upon or otherwise results from:

(a) unauthorized use of the Service, including any use in excess of the rights actually granted to the Client in this Agreement;

(b) any intellectual property rights provided, included or incorporated by the Client.

14.7 The Client hereby warrants, procures and undertakes to KastellVP that it shall indemnify, defend and hold KastellVP harmless (including its directors, representatives, officers, employees, affiliates, agents and sub-contractors) against all liabilities, claims, actions, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) which KastellVP may suffer or incur, or otherwise become liable for, as a result of or in connection with:

(a) any breach, negligent performance, or non-performance by the Client of any of its obligations and/or warranties under the Agreement, including these Terms;

(b) KastellVP’s authorised use of the Client Data or other data of the Client;

(c) the enforcement by KastellVP of this Agreement; and/or

(d) any acts or omissions on the part of the Client or its contractors which (directly or indirectly) amount to any of the items (a) and (b) inclusive of Clause 6.

14.8 This Section 14 (Indemnification) states the entire obligation and liability of KastellVP, and the Client’s sole and exclusive remedy, with respect to an Infringement Claim.

15. LIABILITY

15.1 EXCLUSION OF LIABILITY. In no event or circumstances will KastellVP or its vendors, licensors or suppliers, be liable to the Client, whether in contract, tort or for negligence or for breach of statutory duty, in respect of:

(a) any third party claims (save for its duty hereto to indemnify the Client in respect of an Infringement Claim, in accordance with and subject to Clause 14);

(b) any special, indirect, incidental, exemplary, punitive, consequential damages or any other damages of whatever kind or nature, whether in contract, tort (including negligence), breach of statutory duty, including, without limitation, loss or damage to data, inaccuracy of data, loss of anticipated revenue or profits, work stoppage or impairment of other assets or loss or damage of good will (each a “Loss”), whether or not foreseeable and whether or not a Party has been advised of the possibility of the Loss and notwithstanding any failure of the essential purpose of the Agreement or any limited remedy hereunder;

(c) any Loss due to actions taken by KastellVP according to its rights under the Agreement.

15.2 LIMITATION OF LIABILITY. Without prejudice to the above, and only where and strictly to the extent that KastellVP’s exclusion of liability as set out above under Clause 1 is held to be unenforceable by a court or tribunal of competent jurisdiction, then in no event shall KastellVP’s liability to the Client exceed the fees paid by Client for the applicable service during the twelve (12) month period immediately preceding the date on which the event giving rise to the claim occurred.

15.3 KastellVP and the Client agree that the above limitations are reasonable in all circumstances and no greater than is necessary.

15.4 DISCLAIMER. The foregoing limitations contained in Clause 2 apply to all causes of action in the aggregate, including without limitation, breach of contract, breach of warranty, indemnification, negligence, strict liability, misrepresentation and other torts, and statutory claims. Each of the Parties hereby confirms that it understands and accepts the legal and economic ramifications of the foregoing limitations, and that the foregoing limitations allocate the various risks between the Parties and form an essential part of the agreement of the parties.

15.5 GROSS NEGLIGENCE, FRAUD AND WILFUL MISCONDUCT. Nothing in this Agreement shall limit or exclude a Party’s liability for gross negligence, fraud or wilful misconduct or any other liability which cannot be excluded or limited in terms of applicable law.

16. TERM AND TERMINATION

16.1 TERM. This Agreement, including the term of any Recurring Services, shall continue in force between the Parties for the period set forth in the applicable Order Form as accepted by KastellVP (the “Initial Term”), unless however terminated earlier by either of the Parties in accordance with the provisions of these Terms. Upon the expiration of the Initial Term, this Agreement shall be automatically renewed and prolonged between the Parties for succeeding terms of one (1) year (each a “Renewed Term”), except and unless either Party notifies the other Party in writing of its intention not to renew by no later than ninety (90) days prior to the expiration of the Initial Term or, as the case may be, the Renewed Term that is applicable at the time (failing which, this Agreement, including these Terms, shall continue to apply to the Parties for the next Renewed Term). Where however a Party issues notice in terms of this Clause 1, this Agreement and all obligations created or imposed by it shall terminate upon, but only upon, the lapse of the term during which that notice has been issued.

16.2 TERMINATION. Either Party may terminate this Agreement (together with all Services provided hereunder) at any time with immediate effect by giving written notice to the other Party upon the occurrence of any of the events or circumstances listed below:

(a) the other party commits a material breach of any term of this agreement which breach is irremediable or (if such a breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so;

(b) if the other Party files a petition for bankruptcy, insolvency or reorganization under any bankruptcy law or is adjudicated bankrupt;

(c) the other Party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts;

(d) if a petition for the winding up or bankruptcy or an application is made to court for the appointment of an administrator over the other party is filed against the other party and such petition is not dismissed within sixty (60) days of the filing date;

(e) if the other Party becomes insolvent or makes an assignment for the benefit of its creditors pursuant to any bankruptcy or insolvency law;

(f) if an administrative receiver is appointed for the other Party or its business;

(g) the other Party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with any of its creditors;

(h) the other Party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business; or

(i) any regulatory change or regulatory order preventing the continuation of this Agreement.

16.3 TERMINATION FEE. With respect to any Support Service, Subscription Service or Other Service, in addition to those termination rights set forth in Clause 216.2 above (inclusive), the Client may terminate any such service for convenience upon the provision of thirty (30) days’ notice in writing to KastellVP, provided that in all such cases the Client shall be bound to immediately pay to KastellVP a termination fee equal to (a) the monthly subscription fee in effect for the Term at the time that KastellVP receives the termination notice, multiplied by (b) the number of months remaining in the current term.

17. OBLIGATIONS UPON TERMINATION

17.1 Upon non-renewal or termination of this Agreement (for any reason whatsoever):

(a) the Client shall pay for all work in process;

(b) KastellVP shall have no further obligation to continue providing Services to the Client;

17.2 The non-renewal or termination of this Agreement does not relieve either Party of any obligations that have accrued on or before the effective date of the termination or expiration.

18. SURVIVAL

18.1 The following Clauses will survive the non-renewal or termination of this Agreement:

(a) Clauses 7 through 17 (inclusive); and

(b) any other provisions of the Agreement that by reasonable interpretation are intended by the Parties to survive the non-renewal or termination of this Agreement.

19. GENERAL

19.1 COMPLIANCE WITH LAWS. Each Party shall be responsible for its own compliance with laws, regulations and other legal requirements applicable to the conduct of its business and this Agreement and agrees to comply with all such laws, regulations and other legal requirements. Furthermore, the Client warrants and represents that it will use the Services in full compliance with applicable laws and warrants to avoid any violations of third party rights, including, without limitation, applicable data protection and privacy rights.

19.2 FORCE MAJEURE. Except for Client’s payment obligations to KastellVP hereto, neither Party will be liable for any failure or delay in performance under this Agreement which might be due in whole or in part, directly or indirectly, to any fortuitous event or due to any contingency, delay, circumstance, failure, or cause of any nature beyond the reasonable control of such Party, including, without limitation, fire, earthquake, storm, flood, power outage, strike, war, act of terrorism, law, export control regulation, pandemic, epidemic, instructions of government authorities or judgment of a court (not arising out of breach by such Party of this Agreement). The affected Party shall be entitled to a reasonable extension of time in order to perform its affected duties or obligations. If, however, the affected Party is prevented from performing its obligations for a period of three (3) months or more, then the other Party shall be entitled to terminate the Agreement with immediate effect on written notice to the affected Party at any time prior to the affected Party resuming the performance of its obligations.

19.3 No variation of the Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

19.4 NO EMPLOYMENT RELATIONSHIP OR PARTNERSHIP. Nothing in this Agreement shall create, or otherwise be construed to create, an employment or agency relationship, partnership or joint venture between the Parties.

19.5 NO ASSIGNMENT. The Client may not assign or sub-license, transfer, delegate or deal with any of its rights or obligations under the Agreement.

19.6 WAIVER. No failure or delay by either Party in exercising any rights, power or legal remedy available to it herein shall operate as a waiver thereof.

19.7 SEVERANCE. If any provision of this Agreement (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision, to the extent required, shall be deemed not to form part of this Agreement, and the validity and enforceability of the other provisions of this Agreement shall not be affected.

19.8 ELECTRONIC SIGNATURE. You and KastellVP both agree to execute the Agreement by electronic signature (whatever form the electronic signature takes) and that this method of signature is valid and conclusive of the Parties’ intention to be bound by the Agreement as if signed by each Party’s manuscript (handwritten) signature.

19.9 GOVERNING LAW. This Agreement, including these Terms, shall be governed by, and construed in accordance with, the Laws of Malta without regard to conflict of laws principles.

19.10 DISPUTE RESOLUTION AND JURISDICTION. The Parties hereby agree to submit any dispute, controversy or claim, whether contractual or non-contractual, arising out of or relating to this Agreement, or the breach, termination or invalidity thereof to arbitration in accordance with the Malta Arbitration Act, 1996 and the Arbitration Rules of the Malta Arbitration Centre as at present in force, which rules are deemed to be incorporated by reference into this clause. The number of arbitrators shall be determined by the value of the claim, as follows:

19.11 where the value of the claim is equal to or less than ten thousand euro (€10,000), the number of arbitrators shall be one (1);

19.12 where the value of the claim exceeds ten thousand euro (€10,000) or where the claimant is requesting a liquidation of damages, the number of arbitrators shall be three (3). Each Party to the dispute shall, within fifteen (15) days from being served with a notice of arbitration, be entitled to appoint an arbitrator and the third arbitrator, who will act as Chairman of the panel, shall be selected by the mutual accord of the said two appointed arbitrators. Should a Party fail to appoint an arbitrator within this period of fifteen (15) days, the Malta Centre for Arbitration shall appoint an arbitrator at its own discretion.

19.13 In all cases, the place of arbitration shall be Malta. The language to be used in the proceedings shall be English. The applicable substantive law shall be the laws of Malta. The award shall be final and binding upon the Parties, and no appeal shall lie thereto.

19.14 All notices, consents and approvals under this Agreement must be delivered in writing by e-mail, by courier or by certified or registered mail (postage prepaid and return receipt requested) to the other party at the address for Client set forth in the Order Form (or if none is specified, that address to which Client invoices are sent) and for KastellVP, by email to info@kastellvp.com or by post to KastellVP Limited, 23, Notre Dame, Triq il-Fjamma, Kappara, San Gwann SGN4152, Malta. Where notice is given by sending in a prescribed manner it shall be deemed to have been received when in the ordinary course of the means of transmission it would be received by the addressee. To prove the giving of a notice it shall be sufficient to show it was dispatched and will be effective upon the sooner of its actual or deemed receipt by the addressee. Either Party may change its address by giving written notice of the new address to the other party in writing.

ANNEX A: DATA PROCESSING AGREEMENT

This data processing agreement (the “Processing Agreement”) forms an integral part of these Terms entered into by and between (i) yourself (the “Client” in this Processing Agreement) and (ii) KastellVP Limited (C 99218) of 23, Notre Dame, Triq il-Fjamma, Kappara, San Gwann, Malta (the “Provider” in this Processing Agreement), pursuant to which the Provider provides services to Client that may include processing of Client Data (as defined below).

This Processing Agreement defines the data processing relationship between the Parties limitedly in the context of the Processing Services (as defined and described in an indicative manner in Clause 11 of the body of the Terms) that are provided to or for the Client by the Provider, and sets out the additional terms, requirements and conditions on which the Provider will process Client Data as a processor for the Client when providing such to the Client. The Processing Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

The Client and the Provider shall be jointly referred to as the “Parties” and each as a “Party”.

AGREED TERMS

  1. DEFINITIONS

1.1 In this Processing Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 “Contracted Processor” means the Provider or a Subprocessor;

1.1.2 “Client Data” means any information relating to an identified or identifiable natural person that is processed by the Provider, or to which the Provider obtains access, as a result of or in connection with its provision of any Processing Services, and which is specified to be such by the Client. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and any equivalent definition under the Data Protection Laws. For sake of clarity, any data which is not specified by the Client as amounting to personal data will be deemed to be dummy data, not linked to an identifiable natural person.

1.1.3 “Client Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Client Data;

1.1.4 “Data Protection Laws” means the Maltese Data Protection Laws and any EU legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party, in each case as may be amended, supplemented or replaced from time to time;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

1.1.7 “Maltese Data Protection Laws” means all applicable data protection and privacy laws in force from time to time in Malta, including (i) the Data Protection Act, Chapter 586 of the laws of Malta; (ii) the GDPR and (iii) all national implementing laws, regulations and secondary legislation applicable in Malta which relate to the processing of personal data, in each case as may be amended, supplemented or replaced from time to time;

1.1.8 “Standard Contractual Clauses” means the European Commission’s Standard Contractual Clauses for the transfer of personal data from the EU to processors established in third countries (controller-to-processor transfers), as currently accessible from the following link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and as may be amended or replaced by the European Commission from time to time;

1.1.9 “Subprocessor” means any person (including any third party or affiliate) appointed by or on behalf of the Provider to process Client Data on behalf of the Client for or in connection with the provision or performance of any Processing Services;

1.1.10 “Supervisory Authority” means the supervisory authority in Malta for data protection.

1.2 This Processing Agreement is incorporated into these Terms. Interpretations and defined terms set forth in the body of the Terms apply to the interpretation of this Processing Agreement.

1.3 The terms “controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “process”, “processing”, “processed”, “processor”, “supervisory authority”, “third country transfer” shall have the same meanings given to them in the GDPR, and their cognate terms shall be construed accordingly.

1.4 A reference to writing or written includes faxes and email.

1.5 Any words following the terms “including”, “include”, “in particular”, “for example” or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

1.6 With regard to the subject matter of this Processing Agreement, in the event of any inconsistencies or conflicts between the provisions of this Processing Agreement and any other agreements between the Parties (whether signed before or after the date of entry into the Agreement), the provisions of this Processing Agreement shall take precedence and prevail.

2. AUTHORITY

2.1 Subject to the below clauses, the Provider is hereby given the authority by the Client to process Client Data for the purpose of performing or providing the Processing Services.

2.2 The Parties hereby acknowledge and agree that:

2.2.1 for the purpose of any and all Data Protection Laws:

(i) the Client is the controller, and

(ii) the Provider is the processor,

of the Client Data; and

2.2.2 the Client, at all times, retains control of the Client Data and, as the controller, remains solely responsible for ensuring and maintaining compliance with any and all obligations which may be imposed upon controllers of personal data under Data Protection Laws. This includes providing any required notices and mandatory information, and obtaining any required consents from data subjects, and for any and all instructions which it may give from time to time.

3. PROCESSING OF CLIENT DATA

3.1 The Provider shall:

3.1.1 comply with all applicable Data Protection Laws in the processing of Client Data; and

3.1.2 only process the Client Data for the Processing Services (as hereby instructed by the Client) or otherwise on any other documented instructions that may from time to time be given by the Client, unless the processing is required by any applicable law to which the Provider is subject, in which case the Provider shall inform the Client of that legal requirement before processing, unless however the law in question prohibits this.

3.2 The Client hereby:

3.2.1 instructs the Provider (and authorises the Provider and each Provider Affiliate to instruct each Subprocessor) to:

(i) process Client Data; and

(ii) in particular, transfer Client Data to any country or territory,

as reasonably necessary to perform or provide the relevant Processing Services and consistent with the Terms above.

3.3 The Provider will maintain the confidentiality of all Client Data and will not disclose the Client Data to any person, except and unless either (i) the Client or this Processing Agreement specifically authorises the disclosure or (ii) where the disclosure is required by law or otherwise mandated by a Court or tribunal or by a regulator or other competent authority.

3.4 The Provider will reasonably assist the Client with meeting the Client’s obligations under Data Protection Laws, taking into account the nature of the processing and the information available to the Processor or, as applicable, the Provider Affiliate.

3.5 Notwithstanding any assistance provided in terms of Clause 4 above, the Provider shall not be responsible, and does not assume any responsibility whatsoever, for ensuring or procuring that the Client complies with its obligations as a controller under any Data Protection Law. Nothing in this Agreement or the Parties’ actions shall have the effect of or otherwise be construed as deviating or departing from the provisions of this Clause 3.5, which shall also apply where the Provider has informed the Client in good faith that the performance of the Client’s instructions may result in a breach of any Data Protection Law.

4. PROVIDER’S EMPLOYEES

4.1 The Provider shall ensure that all of its employees and other personnel who are given access to the Client Data:

4.1.1 are informed of the confidential nature of the Client Data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and

4.1.2 are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Laws and this Processing Agreement.

5. SUBPROCESSORS

5.1 The Client hereby authorises and grants the Provider a general written authorisation to appoint Subprocessors in accordance with this Clause 5.

5.2 The Provider shall notify the Client of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Client the opportunity to object to such changes. In the event of an objection, the Provider shall not appoint (nor disclose any Client Data to) the proposed Subprocessor except with the prior written consent of the Client.

6. CLIENT’S OBLIGATIONS

6.1 The Client shall be exclusively responsible for ensuring that it complies at all times with any and all obligations which it may have as the controller of the Client Data under the Data Protection Laws, and that all Client Data which it processes (including in respect of any access given to, or shared with, the Provider) is in accordance with all Data Protection Laws.

6.2 The Client hereby warrants and agrees that it will implement all security measures (technical and organisational) as well as all other technical controls (collectively, “Measures”) which may be necessary or otherwise mandated under Data Protection Laws to safeguard the privacy and security of the Client Data, and that these Measures will remain in place for the duration of the Processing Agreement. This will include ensuring that there are sufficient technical and organisational measures to ensure data protection by default and by design. The adequacy, integrity and functionality of those security measures and technical controls will be the sole and exclusive responsibility of the Client. The Provider shall not be responsible, and does not assume any responsibility whatsoever, for advising thereon or for making any recommendations to the Client.

6.3 The Client hereby represents and warrants that it has, and shall at all times throughout the term of this Processing Agreement maintain, all necessary policies and processes (including any and all data subject consents, where required) to authorise the access and processing of the Client Data by the Provider and any Subprocessors in the full manner contemplated by this Processing Agreement and, where relevant, the Terms above.

6.4 The Client represents and warrants that any and all instructions given by it in terms of this Processing Agreement shall, at all times, be in accordance with all Data Protection Laws, and that the compliance, performance or execution of any and all such instructions will not, at any point in time, cause the Provider to be in breach of any Data Protection Law.

7. SECURITY REQUIREMENTS

7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider shall, in respect of the Client Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Art. 32(1), GDPR.

7.2 In assessing the appropriate level of security, the Provider shall take account in particular of the risks that are presented by processing, in particular from a Client Data Breach.

7.3 If specific measures are requested by the Client, the Provider shall have the right to be reimbursed by the Client for any and all extraordinary expenses which they may need to incur in order to introduce or otherwise implement such requested measures.

7.4 To the extent possible or practicable, the Client shall anonymise or pseudonymise the Client Data to which the Provider may obtain, or otherwise require, access in connection with the Processing Services, such that it no longer amounts to personal data at law.

8. CLIENT DATA BREACH

8.1 The Provider shall promptly notify the Client if it becomes aware of a Client Data Breach. The Provider shall cooperate with the Client and take all steps (provided they are reasonable) to investigate, mitigate or remedy a breach, as directed by the Client.

8.2 All expenses required to investigate, mitigate or remedy the Client Data Breach or remedy or restore the affected Personal Data shall be borne by the Client, except where the Client Data Breach is due to the negligence, wilful default or breach of this Processing Agreement by the Provider or a Subprocessor used by the Provider.

8.3 The Provider shall not inform any third party of any Client Data Breach without first obtaining the prior written consent of the Client, except when required to do so by law.

9. COMPLAINTS, REQUESTS AND THIRD-PARTY RIGHTS

9.1 Taking into account the nature of the processing and the information available to the Provider, the Provider shall assist the Client, by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligations pursuant to Articles 32 to 36 of the GDPR.

9.2 The Provider shall:

9.2.1 promptly notify the Client if any Subprocessor receives a request from a data subject under any Data Protection Law in respect of Client Data; and

9.2.2 ensure that the Subprocessor does not respond to that request except on the documented instructions of the Client or as required by any applicable law to which the Subprocessor is subject, in which case the Provider shall to the extent permitted by applicable law inform Client of that legal requirement before the Subprocessor responds to the request.

9.3 If specific measures are requested by the Client, the Provider shall have the right to be reimbursed by the Client for any and all extraordinary expenses which they may need to incur in order to introduce or otherwise implement such requested measures.

10. CROSS-BORDER TRANSFERS OF PERSONAL DATA

10.1 The Provider may only process, or permit the processing, of Client Data outside the EEA under the following conditions:

10.1.1 the Provider is processing Client Data in a territory which is subject to a current finding by the European Commission under the relevant Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals; or

10.1.2 the Provider participates in a valid cross-border transfer mechanism under the Data Protection Laws, so that the Provider (and, where appropriate, the Client) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or

10.1.3 the transfer otherwise complies with the Data Protection Laws for detailed reasons communicated in advance in writing to the Client by the Provider.

10.2 Subject to the above, where Client Data originating in the EEA is processed by the Provider outside the EEA and in a territory that has not been designated by the European Commission as ensuring an adequate level of protection to data subjects (adequacy decision), the Parties hereby agree that the transfer between the Client and the Provider shall be subject to and governed by the Standard Contractual Clauses (as in force at the relevant point in time), which contractual clauses shall be deemed to apply in respect of any and all such processing carried out by the Provider outside the EEA. The Provider shall ensure and hereby undertakes that it shall not commence any processing of the Client Data outside the EEA until both the Provider and the Client have confirmed that they have obtained any mandatory approvals required from relevant data protection authorities. Both Parties also hereby warrant, undertake and bind themselves to, in the event of such a third-country transfer (as described above), promptly execute those Standard Contractual Clauses with one another.

  11. TERM AND TERMINATION

11.1 This Processing Agreement shall remain valid for the entire duration of the Agreement between the Provider and the Client. This Processing Agreement shall continue to bind the Parties despite the expiry or termination of the Agreement for as long as the Provider has access to Client Data or any Client Data in its possession (Term).

11.2 Any provision of this Processing Agreement that expressly or by implication should come into or else continue in force on or after the Term, including (but not limited to) Clause 14 (‘Liability’), Clause 15 (‘Indemnification’) and Clause 20 (‘Governing law and Dispute Resolution’), will remain in full force and effect.

  12. DATA RETURN AND DESTRUCTION

12.1 On termination of the Agreement for any reason whatsoever or upon the expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Client, return and not retain, all or any Client Data in their possession (if any), except and unless the Provider is required by law to continue processing the Client Data.

12.2 The Provider may, however, retain Client Data to the extent and for such period as may be required by any applicable law, or by any order or direction of any competent Court, tribunal, government or regulatory body, to which it may be subject.

  13. AUDIT

13.1 At least once a year, the Provider shall conduct site audits and inspections of its processing operations relating to the Client Data and the IT and information security controls for all facilities and systems used to comply with its obligations under this Processing Agreement.

13.2 On the Client’s written request, provided it is reasonable, the Provider shall make its audit reports available to the Client for review and the Client shall treat and protect any and all such reports as the confidential information of the Provider. The Client acknowledges and agrees that it shall be subject to all statutory duties of confidentiality, without limit of time, in respect of any and all audit reports made available to it pursuant to this Clause 13.

  14. LIABILITY

14.1 The Provider shall only be liable to the Client for damages or losses which the Client suffers or sustains as a direct result of a breach by the Provider of any or all of its obligations under this Processing Agreement (direct damages or losses), to the exclusion of any and all special, indirect, consequential, punitive and exemplary damages or losses.

14.2 Subject to Clause 14.1, in all instances the Parties agree that the Provider’s total liability, for all claims in any given one year relating to or arising out of this Processing Agreement, shall be capped to the total amount of professional and/or recurring services invoiced during the twelve (12) month period immediately preceding the date on which the event giving rise to the claim occurred.

  15. INDEMNIFICATION

15.1 The Client shall defend, indemnify and hold harmless the Provider, on a full indemnity basis and at its own expense, against any and all losses, liabilities, damages, costs, penalties and expenses (including attorney fees, judicial fees and administrative fines) that may be incurred or suffered by the Provider, or for which the Provider may become liable, due to any failure by the Client (including its respective directors, representatives, officers, employees, agents, contractors or subcontractors) to comply with any or all of its obligations under this Processing Agreement or under any Data Protection Law.

15.2 The Provider shall not be responsible for observing or performing any processing instructions given to it by the Client. The Client shall, in addition to Clause 1, defend, indemnify and hold harmless the Provider, on a full indemnity basis and at its own expense, against any and all losses, liabilities, damages, costs, penalties and expenses (including attorney fees, judicial fees and administrative fines) that may be incurred or suffered by the Provider, or for which the Provider may become liable, as a result of or otherwise in connection with observing or performing any instructions given to it by the Client.

15.3 The Provider shall defend, indemnify and hold the Client harmless against any and all losses, liabilities, damages, costs, penalties and expenses (including attorney fees, administrative fines and court costs) that may be incurred or suffered by the Client, or for which the Client may become liable, due to any failure by the Provider (including its respective directors, representatives, officers, employees, agents or subcontractors) to comply with any or all of its obligations under this Processing Agreement or Data Protection Laws. In all cases, the Provider’s indemnity obligations hereto shall be strictly limited to the extent of the limitation of liability capping set forth above in Clause 14 of this Processing Agreement.

  16. SEVERABILITY

16.1 If any of the clauses or part thereof of this Processing Agreement is or becomes invalid, illegal or unenforceable for any reason whatsoever, the validity of the remaining clauses or part thereof will not in any way be affected or impaired. The invalid, illegal or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid, illegal or unenforceable part had never been contained therein.

  17. VARIATION AND WAIVER

17.1 No variation or amendment of this Processing Agreement shall be effective unless it is in writing and signed by, or on behalf of, each of the Parties.

17.2 No failure or delay by either Party in exercising any rights, power or legal remedy available to it herein shall operate as a waiver thereof.

17.3 The rights and remedies provided under this Processing Agreement are cumulative and are in addition to, and not exclusive of, any rights and remedies provided by law.

  18. ENTIRE AGREEMENT

18.1 Each Party acknowledges and agrees that this Processing Agreement constitutes the entire agreement between them in relation to the processing of Client Data by the Provider as the processor of the Client and supersedes all previous drafts, agreements, arrangements, assurances and understandings between them, whether oral or written, in respect of the processing of Client Data by the Provider, including any clauses in this respect that may be found or implied from the Terms above.

  19. NOTICES

19.1 Any notice or other communication given to the Provider under or in connection with this Agreement must be in writing and delivered to: dpcp@kastellvp.com.

  20. GOVERNING LAW AND DISPUTE RESOLUTION

20.1 This Processing Agreement (including its construction, validity and performance) shall be governed and construed in all respects by the laws of Malta.

20.2 In the event of any dispute arising out of or relating to this Processing Agreement (including its subject-matter, validity or formation), the Client and KastellVP shall make every reasonable effort to resolve the dispute through good faith negotiation, and if the dispute cannot be resolved by negotiation, it shall be decided solely and exclusively by arbitration in Malta in accordance with the Malta Arbitration Act, Chapter 387 of the laws of Malta and the Arbitration Rules of the Malta Arbitration Centre as at present in force, which rules are deemed to be incorporated by reference into this clause. The number of arbitrators shall be one. The place of arbitration shall be Malta. The language to be used in the proceedings shall be English. The applicable substantive law shall be the laws of Malta. The award shall be final and binding upon the Parties, and no appeal shall lie thereto.

SCHEDULE 1 of ANNEX A

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

(i) Subject matter of processing:

The provision of the Services ordered by the Client in the Order Form.

(ii) Duration of Processing:

As set out in Clause 11 of this Processing Agreement (“Term and Termination”).

(iii) Nature of Processing:

Accessing, collecting, correcting, modifying, recording, organising, storing, retrieving, consulting, disclosing by transmission, using, dissemination, erasing or destroying the items of personal data mentioned in (iv) below for the Processing Services (as hereby instructed by the Client) or otherwise on any other documented instructions that may from time to time be given by the Client.

(iv) Personal Data Categories

The personal data categories include but are not limited to:

  • Name
  • Surname
  • Phone Number
  • E-mail Address
  • Postal Address
  • Identity Card No
  • Passport No
  • Social Security No
  • Occupation
  • Any other data required for or related to the provision of Service.

(v) Data Subject Types

Include:

  • Client Employees
  • Client Clients
  • Client Contractors, Consultants, Sub-Contractors