5.2.2021

DETAILED TERMS

1 SCOPE OF SERVICES

1.1 The Customer engages the Contractor Company to provide the services set out in the Summary Terms (as amended from time to time by agreement of the parties in writing) (the “Services”).

1.2 The period of engagement is as set out in the Summary Terms.

2 PROVIDING THE SERVICES

2.1 The Contractor Company must ensure that the Services are provided by the individual named in the Summary Terms or a suitably qualified and skilled substitute (together the “Individual”).

2.2 The Contractor Company must provide the Services with all reasonable care and skill, efficiently and in a lawful, proper and timely manner.

2.3 The Contractor Company must:

(a) keep such records of the work as the Customer may reasonably require; and

(b) provide reports on the Services to such person as the Customer may nominate on a weekly basis or more or less frequently as reasonably required by the Customer from time to time; and

2.4 The Contractor Company must ensure that, when providing the Services, the Individual will comply with any applicable policies, procedures and rules of the Customer.

2.5 Contractor Company understands that Customer is subject to applicable anti-corruption laws, which may include the U.S. Foreign Corrupt Practices Act of 1977 (15 U.S.C. § 78dd-1 et seq.), as amended (“FCPA”), the UK Bribery Act 2010, and other applicable anti-corruption laws. Accordingly, Contractor Company nor any of their, Individuals, respective owners, officers, directors, employees, agents or representatives are permitted to offer, pay, promise, authorise, or give anything of value to any Government Official (defined below) for purposes of obtaining or retaining business or gaining any improper advantage in connection with this Agreement. Contractor Company represents and warrants that (i) Contractor Company and its affiliates have conducted their business in compliance with the FCPA, the UK Bribery Act 2010, and other applicable anti-corruption laws, and (ii) neither Contractor Company nor any of its affiliates nor, to the knowledge of Contractor Company, any Individual, owner, director, officer, employee, agent or representative of Contractor Company or any of its affiliates, has taken or will take any action, directly or indirectly, that would result in a violation by such persons of the FCPA, the UK Bribery Act 2010, or other applicable anti-corruption laws in connection with their business dealings with Customer. This includes directly or indirectly accepting or making any offer, payment, promise to pay, or authorisation of the payment of anything of value (including money, property, gifts and entertainment) to any (i) government official, (ii) political party or official thereof, (iii) candidate for political office or (iv) officer or employee of a public international organisation (collectively and hereinafter, “Government Official”), or to or from any private person or commercial entity or representative thereof, in contravention of the FCPA, the UK Bribery Act 2010, or other applicable anti-corruption laws..

2.6 The Contractor Company must not, and must ensure the Individual does not, commit a tax evasion facilitation offence under the Criminal Finances Act 2017. Having regard to the nature and context of the Services and to the risks of tax evasion and facilitation of tax evasion, the Contractor Company must establish such processes as may be appropriate to avoid it or the Individual committing any criminal offence. In doing so, the Contractor Company must have

regard to any risk assessment and policy that the Customer may supply to it relating to avoidance of tax evasion and the facilitation of tax evasion.

2.7 Whilst the Customer will not fetter the right of substitution, the Contractor Company must procure that any substitute complies with the terms of this Agreement. If the substitute is found not to have the necessary skills or is unable adequately to fulfil the contractual requirements of this Agreement, the Customer reserves the right to terminate the Agreement with immediate effect by giving written notice and will be under no obligation to pay any fees under this Agreement.

2.8 Contractor Company hereby represents and warrants that (a) any deliverables will be an original work of Contractor Company; (b) neither the deliverable nor any element thereof will infringe the Intellectual Property Rights of any third party; (c) Contractor Company will not grant, directly or indirectly, any rights or interest whatsoever in the deliverables to third parties; (d) should Customer permit Contractor Company to use any of Customer’s equipment, tools, or facilities during the term of this Agreement, such permission shall be gratuitous and Contractor Company shall be responsible for any injury to any person (including death) or damage to property arising out of use of such equipment, tools or facilities, whether or not such claim is based upon its condition or on the alleged negligence of Customer in permitting its use; and (e) should Customer permit Contractor Company to use or access Customer’s information technology system, Customer maintains its rights to, and ownership of, the system and all data that may reside on such system. Contractor Company hereby indemnifies and holds harmless Customer, its subsidiaries, and affiliates, and their officers and employees, from any damages, claims, liabilities, and costs, including reasonable attorney's fees, or losses of any kind or nature whatsoever (“Loss”) that arise from or relate to (i) any breach by Contractor of this Agreement or any Summary Terms, including the warranties set forth herein, (ii) any violation or claimed violation of a third party’s rights resulting in whole or in part from Customer’s use of the deliverables, or (iii) any negligent, reckless, or intentional wrongful act by Contractor Company, Individuals, or Contractor Company’s employees, agents, or representatives. Client shall retain control over the defence of, and any resolution or settlement relating to, such Loss. Contractor will cooperate with Client and provide reasonable assistance in defending any such claim.

3 FEES AND EXPENSES

3.1 The Customer will pay the Contractor Company fees for providing the Services as set out in the Summary Terms.

3.2 The Contractor Company will invoice fees for completed Services and any agreed expenses in accordance with Company’s payroll guidelines as advised to Contractor Company from time to time.

3.3 Each invoice must be accompanied by a description of the Services provided, any expenses due and such other information as the Customer may reasonably require from time to time.

3.4 Subject to clause 12.4(d), the Customer will pay the Contractor Company any fees due and invoiced within 30 days of receipt of an invoice complying with the requirements set out above.

3.5 All fees and other sums referred to in this Agreement are exclusive of VAT. The Customer will pay to the Contractor Company such VAT (if any) as may be chargeable from time to time subject to receipt by the Customer of an appropriate VAT invoice.

3.6 No sums will be due from the Customer to the Contractor Company for providing the Services or in respect of expenses (if any) incurred by the Individual other than those set out in this Agreement.

3.7 For the purposes of determining any fee due, a day means 8 or more hours of work. If agreed between the parties in writing, the Customer may also pay for half days at a rate of half the daily fee and a half day means between four and 8 hours of work.

- 2 -

4 SERVICES NOT PROVIDED IN ACCORDANCE WITH THIS AGREEMENT

4.1 If the Contractor Company does not provide the Services (or any part of them) in accordance with this Agreement, the Customer may choose (at its sole discretion and without prejudice to any other remedies it may have):

(a) not to pay any fee in respect of such Services; or

(b) to require the Contractor Company to remedy matters at its own expense.

4.2 If the Customer chooses to require the Contractor Company to remedy matters, then (without prejudice to any other rights or remedies it may have):

(a) no fee will be payable by the Customer in respect of the Services in question unless and until matters have been remedied; and

(b) if matters are remedied,

(i) the Customer will pay the fee due in accordance with clause 3.2 of matters being remedied;

(ii) the fee due will not exceed the fee that would have been payable had the Services in question been provided initially in accordance with the Agreement.

5 CONFIDENTIALITY

5.1 During and after the Contractor Company’s engagement by the Customer, it must not (and must ensure that the Individual does not) unless required to do so by law, protected in doing so by a legal right of protected disclosure or doing so in properly providing the Services:

(a) disclose any of the Customer’s or any Customer Group Company’s trade secrets or confidential information to any person; or

(b) use any of the Customer’s or any Customer Group Company’s trade secrets or confidential information for any purposes other than the Customer’s.

5.2 The Contractor Company must ensure that it and the Individual keep all trade secrets and confidential information which the Contractor Company or Individual obtains or otherwise receives in connection with the Services safely and effectively protected against improper disclosure or use. The Contractor Company must also use its reasonable endeavours to prevent improper disclosure or use of such trade secrets or confidential information by third parties.

5.3 The Contractor Company will require the Individual to enter into a direct agreement with the Customer or any Customer Group Company about confidentiality (mirroring the obligations above) if required.

5.4 The words “confidential information” include but are not limited to:

(a) lists of the Customer’s or any Customer Group Company’s actual or potential clients;

(b) details of relationships or arrangements with or knowledge of the requirements of the Customer’s or any Customer Group Company’s actual or potential clients;

(c) details of the Customer’s or any Customer Group Company’s business methods, finances, prices or pricing strategy, marketing or development plans or strategies;

(d) details of any tenders, pitches or presentations proposed or made by the Customer or any Customer Group Company;

(e) personal information about any of the Customer’s or any Customer Group Company’s directors, employees or clients;

(f) information divulged to the Customer or any Customer Group Company by a third party in confidence;

(g) embargoed content of any type and any information relating to the Customer or any Customer Group Company or any of its clients which the Customer or any Customer Group Company or client in question reasonably considers to be confidential.

5.5 These obligations will not apply to information which comes into the public domain other than by reason of the Contractor Company’s or the Individual’s default or breach of these obligations.

6 DATA PROTECTION AND MONITORING

6.1 In this Agreement:

(a) “Services Personal Data” means personal data of which the Customer is controller which the Contractor Company will, in providing the Services, process on the Customer’s behalf;

(b) “Data Protection Legislation” has the meaning set out in section 3(9) of the Data Protection Act 2018;

(c) “GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data;

(d) “Losses” means losses, damages, liabilities, claims, costs and expenses including fines, penalties, legal and other professional fees and expenses.

Words and expressions defined in Article 4 of the GDPR shall have the same meaning in this Agreement.

The provisions of this Clause 6 are separate from and additional to any right or obligation that relates to personal data in other provisions of this Agreement.

Compliance with Data Protection Legislation and this Agreement

6.2 In connection with this Agreement, each party shall, whether acting as controller or processor comply with its obligations under Data Protection Legislation.

6.3 The Contractor Company shall procure that the Individual

(a) complies with Data Protection Legislation; and

(b) acts consistently with and does not do anything which is inconsistent with the Contractor Company’s obligations under

(i) Data Protection Legislation; and

(ii) Clause 6 and Schedule 1 of this Agreement.

Controller to controller data sharing

6.4 In connection with the Services, a party which processes personal data as a controller may provide that data (or some of it) to the other party which will separately process it as controller (controller to controller data sharing). For example (and without limitation), the Contractor Company is likely to provide the Customer with details of the Individual’s name, contact and other details and the Customer is likely to provide the Contractor Company with information on the names, contact and other details of staff with responsibilities for or in connection with the Services.

6.5 Where controller to controller data sharing occurs, the parties will be separate (and not joint) controllers. The party receiving the shared personal data shall:

(a) process that personal data only for the purposes of and in connection with the Services and not for any other purpose;

(b) promptly notify the other party if it

(i) receives any complaint, notice or other communication relating to the processing of that personal data or compliance with Data Protection Legislation; or

(ii) becomes aware of any personal data breach.

- 3 -

and, in such circumstances, shall provide such information, co-operation and assistance as the other party may reasonably require;

(d) ensure that the information required under Articles 13 and 14 of the GDPR (a privacy notice) is made available to any person who, in respect of that personal data, is a data subject.

Contractor as processor of Services Personal Data

6.6 In providing the Services, to the extent that the Contractor Company processes Services Personal Data, the Contractor Company shall act as a processor on behalf of the Customer. The provisions of Schedule 1 shall have effect.

Indemnity

6.7 The Contractor Company shall indemnify the Customer on demand against all Losses incurred by the Customer or any Customer Group Company arising from or related to

(a) the Contractor Company’s breach of its obligations under this Agreement (including those obligations set out in Schedule 1) or

(b) the Contractor Company’s breach of Data Protection Legislation; and

(c) any claim by a data subject arising from or related to a breach by the Contractor Company of this Agreement or Data Protection Legislation.

Compliance with policies and monitoring

6.8 If, in connection with the provision of the Services, the Contractor Company uses the Customer’s computer and IT systems, the Contractor Company:

(a) must comply (and must procure that the Individual complies) with the Customer’s IT and security policies;

(b) should be aware (and must ensure that the Individual is aware) that the Customer monitors its IT systems, that e-mail and internet usage is logged and that e-mails may be opened by persons other than the intended recipient. The Customer may access e-mails and use records/logs for business purposes, including checking and ensuring compliance with its policies and with applicable laws, for virus-checking, conducting investigations and dealing with emails in the absence of relevant personnel.

7 INSURANCE

7.1 Without prejudice to its obligations under this Agreement or otherwise at law, the Contractor Company must maintain with an insurer approved by the Customer reasonable and appropriate insurance cover at all times.

7.2 The Contractor Company will maintain the required professional indemnity insurance (not less than £1,000,000.00) and public liability insurance (not less than £2,000,000.00) from the date of this Agreement until the expiry of six years after the termination of its engagement. In addition, Contractor Company will maintain tax investigation insurance (not less than £100,000.00) and tax liability insurance (not less than £100,000.00) including cover for any claims pursuant to IR35 legislation from the date of this Agreement until the expiry of six years after the termination of its engagement.

7.3 As and when required to do so by the Customer, the Contractor Company will produce evidence to show that its insurance obligations under this Agreement have been met.

8 INTELLECTUAL PROPERTY AND PROPRIETARY RIGHTS

8.1 The Contractor Company acknowledges, and must ensure that the Individual acknowledges, that the Customer or any Customer Group Company is, from the date of creation, entitled to:

(a) ownership of the Materials and Inventions; and

(b) all of the Intellectual Property Rights in the Materials and Inventions, which the Contractor Company hereby assigns (and will ensure that the Individual assigns) to the Customer or any Customer Group Company with full title guarantee free from all encumbrances (and in the case of copyright and design rights by way of a present assignment of future copyright or design rights, as applicable).

8.2 In this Agreement:

(a) “Materials" means any work or material created, developed, delivered or prepared by or on behalf of the Contractor Company or Individual during the course of or in connection with the Services (whether individually, collectively or jointly with the Customer or any Customer Group Company and on whatever media) including (without limitation) any documents, reports, studies, data, diagrams, charts, specifications or computer programs and related copies and working papers whether created, developed, delivered or prepared before or after the signing of this Agreement;

(b) “Intellectual Property Rights” means all present and future copyright, design rights (whether registered or unregistered) patents, database rights, trademarks (whether registered or unregistered), trading goodwill, performer’s property rights, business names, and any other analogous rights subsisting anywhere in the world and including all applications (or rights to apply), revivals, renewals and reversions; and

(c) “Inventions” means any invention, improvement, modification, device, concept, process, formula, model or prototype which is created, devised, developed, discovered or worked on by the Contractor Company or Individual (whether alone or jointly) during the course of or in connection with the Services.

8.3 The Contractor Company undertakes, and must ensure that the Individual undertakes, to do anything reasonably required (both during and after the termination of its engagement) to ensure that all Intellectual Property Rights in the Materials and the Inventions belong to or are assigned to the Customer or any Customer Group Company and to assist the Customer or such Customer Group Company in obtaining, registering, protecting, maintaining, enforcing or defending them (although the Customer or any Customer Group Company will not be obliged to do so).

8.4 The Contractor Company will, and must ensure that the Individual will upon request by the Customer or any Customer Group Company, and in any event upon the termination of its engagement, promptly deliver to the Customer or any Customer Group Company all Materials and Inventions in its or his/her possession or control.

8.5 The Contractor Company will, and will ensure that the Individual will, notify the Customer or any Customer Group Company of any Intellectual Property Rights owned by a third party which the Contractor Company and/or the Individual intends to incorporate in the Materials or Inventions, where the relevant third party owner will not grant an assignment to the Contractor Company or the Individual or the Customer or any Customer Group Company. The Contractor Company will obtain the Customer’s or any Customer Group Company’s prior written consent before using such Materials or Inventions in the course of the Services.

8.6 The Contractor Company agrees, and must ensure that the Individual agrees, because of the nature of its and the Individual’s duties and responsibilities, the Contractor Company and the Individual are under a special obligation to further the Customer’s and any Customer Group Company’s interests.

8.7 The Contractor Company will, and will ensure that the Individual will, promptly disclose in writing and deliver any Inventions to the Customer or any Customer Group Company and will not disclose any Inventions to anyone else without the Customer’s prior written consent.

8.8 Both during and after the termination of this Agreement, the Contractor Company will, and will ensure that the Individual will, give any information, explanations, or demonstrations reasonably

- 4 -

requested of it or the Individual to enable the Customer to make use of any Material or Inventions.

8.9 If any moral right or analogous right arises in respect of any Materials or Inventions the Contractor Company must ensure that the Individual:

(a) irrevocably waives and agrees not to assert (save as directed by the Customer) the right; and

(b) will ensure that all applicable consents have been obtained to entitle the Customer and any Customer Group Company to make the fullest use of the Intellectual Property Rights in the Materials and Inventions without restriction or further payment.

8.10 The Contractor Company consents, and will ensure that the Individual will consent, to the Customer doing any act which would, in the absence of such consent, infringe the Individual’s rights in performance under Part II of the Copyright, Designs and Patents Act 1988 or any similar legislation anywhere in the world (such as recording a presentation or workshop given by the Individual).

8.11 The Contractor Company will ensure that the Individual enters into a direct agreement with the Customer or any Customer Group Company about intellectual property and proprietary rights (mirroring the above obligations) upon request.

9 DISCRIMINATION AND DIGNITY AT WORK

9.1 The Contractor Company must (and must ensure that the Individual will) treat all employees, agents and contractors of the Customer and any Customer Group Company (and such agents’ and contractors’ employees) with respect and must not harass, victimise or otherwise unlawfully discriminate against any such persons.

9.2 The Contractor Company will indemnify the Customer and any Customer Group Company and keep it and them indemnified against any claims, liabilities, costs and expenses which the Customer and any Customer Group Company incurs as a result of, or related to, breaches or alleged breaches by the Contractor Company of its obligations under this Clause.

10 TERMINATION

10.1 The Customer may terminate the Contractor Company’s engagement at any time by giving to the Contractor Company not less than two weeks’ notice in writing.

10.2 The Contractor Company may terminate its engagement at any time by giving to the Customer not less than two weeks’ notice in writing.

10.3 The Customer may terminate the Contractor Company’s engagement immediately by giving written notice having immediate effect if:

(a) the Contractor Company is in material breach of this Agreement; or

(b) the Contractor Company fails to meet any deadline; or

10.4 Upon termination of its engagement the Contractor Company must (and must ensure that the Individual will):

(a) provide such co-operation and information as the Customer may reasonably request in connection with the termination and any consequences, including co-operating in a smooth handover of any ongoing work;

(b) deliver to Customer or Customer Group Company all deliverables (in whatever stage of completion it may be at such time);

(c) return immediately all items of the Customer’s or any Customer Group Company’s property which the Contractor Company or Individual has in its or his/her possession or under its or his/her control in connection with the engagement (including any security pass, disks, tapes, documents or copies of documents); and

(d) delete any documents or information belonging to the Customer or any Customer Group Company from any personal computer that the Individual or Contractor Company may have (unless returning that personal computer to the Customer) without retaining copies in any format.

10.5 For the avoidance of doubt, the termination of the Contractor Company’s engagement (however arising) will not affect:

(a) any rights or obligations which have accrued up to the date of termination; or

(b) any rights or obligations which expressly or impliedly survive the termination of the engagement.

11 STATUS

11.1 The Contractor Company is not an agent of the Customer and (unless otherwise agreed in writing) will have no right to make contracts or enter any engagements on the Customer’s behalf.

11.2 Nothing in this Agreement should be construed as giving rise to an employment relationship between the Customer and the Individual.

11.3 The Customer shall not have the right, nor shall it seek to exercise direction, control or supervision over the Contractor Company’s personnel. The Contractor Company’s personnel shall co-operate with any reasonable request of the Customer within the scope of the Services, but it is acknowledged that the Contractor Company’s Personnel will be able to determine how best the services are provided and will have autonomy over their working methods.

11.4 The Contractor Company warrants that it is not, and during the term of this Agreement it shall not become, a managed services company for the purposes of Section 61B Income Tax (Earnings and Pensions) Act 2003.

11.5 The Contractor Company will be fully responsible for and will indemnify the Customer and each and every Customer Group Company for and in respect of any liability for any employment-related claim or any claim based on worker status (including reasonable costs and expenses) brought by either the Contractor Company or the Individual against the Customer arising out of or in connection with the provision of the Services.

12 TAX

12.1 Subject to clause 12.4 below, the Contractor Company will account to the appropriate authorities for any VAT, corporation tax, income tax, national insurance contributions, apprenticeship levy and all other taxes, liabilities and duties due in respect of sums payable by the Customer to the Contractor Company and/or by the Contractor Company to the Individual in connection with this Agreement.

12.2 As soon as reasonably practicable following a request from the Customer, the Contractor Company shall provide the Customer with such documentation and information as is reasonably requested by the Customer to enable the Customer to comply with its tax obligations including under Part 2 Income Tax (Earnings and Pensions) Act 2003. In addition, the Contractor Company undertakes on a continuing basis to promptly share with the Customer such information which might reasonably be expected to affect any determination as to whether the IR35 rules (“the IR35 Rules”) apply.

12.3 Subject to clause 12.4 below, the Contractor Company will indemnify the Customer and keep the Customer indemnified against:

(a) any claim or demand made by HMRC against the Customer in respect of any income tax (whether under PAYE or otherwise), apprenticeship levy or national insurance contributions in respect of sums payable by the Customer to the Contractor Company and/or by the Contractor Company to the Individual in connection with this Agreement and against any interest or penalties imposed in connection with any such tax, levy or contributions; and

- 5 -

(b) any legal fees or other costs incurred by the Customer in enforcing its rights under this clause.

12.4 In the event that the Customer, acting reasonably, determines that this arrangement is within the IR35 Rules and that it is legally obliged to deduct PAYE income tax and employee national insurance contributions on any sums payable to the Contractor Company under this Agreement, the following provisions shall apply:

(a) the Customer shall be entitled to make such deductions, having provided the Individual and the Contractor Company with a Status Determination Statement (“SDS”) notifying the Individual and the Contractor Company that the IR35 Rules apply and that it intends to make such deductions. If the Individual and/or the Contractor Company challenge the SDS the Customer shall be entitled to continue to make such deductions unless and until it withdraws the previous SDS and issues a new SDS notifying the Individual and the Contractor Company that the IR35 Rules do not apply. In such a situation the Customer will, if legally permissible, refund to the Contractor Company any deductions which the Customer reasonably considers are due to the Contractor Company.

(b) As provided under clause 12.1, the Contractor Company and/or the Individual (as appropriate) will account to the appropriate authorities for any VAT, corporation tax, income tax, employee national insurance contributions and all other taxes, liabilities and duties due in respect of sums payable by the Customer to the Contractor Company and/or by the Contractor Company to the Individual in connection with this Agreement (excluding any amounts deducted by the Customer under clause 12.4(a) above and any employer NICs and apprenticeship levy); and

(c) As provided under clause 12.3, the Contractor Company will indemnify the Customer and keep the Customer indemnified against:

(i) any claim or demand made by HMRC against the Customer in respect of any income tax and employee national insurance contributions and all other taxes, liabilities and duties due in respect of sums payable by the Customer to the Contractor Company and/or by the Contractor Company to the Individual in connection with this Agreement (excluding any amounts deducted by the Customer under clause 12.4(a) above and any employer NICs and apprenticeship levy) and against any interest or penalties imposed in connection with any such tax, levy or contributions (excluding any interest or penalties incurred due to the fault or delay of the Customer); and

(ii) any legal fees or other costs incurred by the Customer in enforcing its rights under this clause; and

(d) The Customer will pay the Contractor Company any fees due and invoiced in the next payroll run following the 30th day of receipt of an invoice complying with the requirements set out in clause 3.3 above.

13 MISCELLANEOUS

13.1 In this Agreement references to “Customer Group Company” means the Customer and any holding company or subsidiary of the Customer from time to time and any other subsidiary of any holding company of the Customer from time to time, where “holding company” and “subsidiary” have the meanings given in sections 1159 and 1173 of the Companies Act 2006.

13.2 The Customer and Contractor Company confirm that they are not entering into the engagement in reliance upon any oral or written representations made to them by or on behalf of the other.

13.3 This Agreement contains the whole agreement between the

Customer and the Contractor Company in connection with the Contractor Company’s engagement by the Customer.

13.4 Any Customer Group Company may enjoy the benefit and enforce the terms of this Agreement in accordance with the Contracts (Rights of Third Parties) Act 1999. Notwithstanding this, neither the Customer nor the Contractor Company require the consent of any Customer Group Company to rescind or vary this Agreement at any time, even if that variation or rescission affects the benefits conferred on such Customer Group Company.

13.5 This Agreement will be governed by the laws of England and Wales and the Courts of England and Wales will have non-exclusive jurisdiction to adjudicate any disputes arising under it.

13.6 The Customer is under no obligation to offer further contracts or services to the Contractor Company nor is the Contractor Company under any obligation to accept any contract or services offered. For the avoidance of doubt, both the Contractor Company and the Customer agree and intend that this agreement does not create any mutuality of obligation, either during or following the agreement.

- 6 -

SCHEDULE 1

Obligations of the Contractor Company acting as processor

Core information on processing

1. In relation to the processing of Services Personal Data, the Annex to this Schedule sets out:

(a) the subject matter and duration of processing;

(b) the nature and purposes of processing;

(d) the categories of data subjects comprised within the Services Personal Data

Compliance with instructions

2. The Contractor Company shall process Services Personal Data strictly in accordance with the documented instructions of the Customer.

Restrictions on Contractor Company

3. The Contractor Company shall:

(a) not do anything or omit to do anything that may put the Customer in breach of its obligations under Data Protection Legislation or otherwise materially damage the reputation of the Customer;

(b) only make copies of Services Personal Data to the extent reasonably necessary (which may include back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and/or testing of the data);

(c) not transfer Services Personal Data outside the European Economic Area without the prior written consent of the Customer, which can be withheld at the sole discretion of the Customer and subject to any additional requirements (which may include entering into or procuring that the Contractor Company (or a sub-processor (if any)) enter into appropriate safeguards as contemplated by Article 46 of the GDPR).

(d) not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy or store Services Personal Data other than as permitted under the terms of this Agreement;

(e) ensure that persons (if any) authorised by it to process Services Personal Data are subject to a legally binding obligation of confidentiality;

(f) only permit access to Services Personal Data to any person (not being the Contractor Company or the Individual) who requires such access in order to carry out a role in the performance of the Contractor Company’s obligations under this Agreement. To the extent that the Contractor Company permits such access, he/she shall take all reasonable steps to ensure the reliability of any person having such access (including personnel of a sub-processor).

Security

4. The Contractor Company shall implement appropriate technical and organisational measures to ensure that Services Personal Data is subject to a level of security appropriate to the risks arising from processing by the Contractor Company under this Agreement, taking into account the factors stated in Article 32 of the GDPR, including as appropriate:

(a) the pseudonymisation and encryption of Services Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to Services Personal Data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Services Personal Data;

Personal data breach

5. The Contractor Company shall notify the Customer promptly and without delay after becoming aware of a personal data breach relating to Services Personal Data and in any event not later than twenty four (24) hours after becoming aware of such breach. Such notification shall be accompanied by the following information (where available at the time of the notification):

(a) the Services Personal Data affected by the breach, including the categories and volumes of such data;

(b) the factual circumstances giving rise to the breach;

(d) any other information that is reasonably required by the Customer to assess the impact and severity of the breach.

If all or part of the information specified above is not available at the time of notification to the Customer, the Contractor Company shall supply such information to the Customer as soon as possible and shall keep the Customer updated on the timescales for delivery of the outstanding information.

Data subject rights

6. The Contractor Company shall, so far as possible, use appropriate technical and organisational measures to enable the Customer to fulfil its obligations to respond to data subjects who exercise rights under the GDPR.

Assistance to the Customer

7. The Contractor Company shall assist the Customer to comply with its obligations under the following Articles of the GDPR taking into account the nature of the processing and the information available to the Contractor Company:

(a) Article 32 (Security of processing);

(b) Without prejudice to paragraph 5 of this Schedule, Articles 33 and 34 (Notification and communication of a personal data breach);

(d) Article 36 (Prior consultation by the Customer with a relevant supervisory authority).

8. The Contractor Company shall at its own expense and without undue delay, notify the Customer, and provide such co-operation, assistance and information as the Customer may reasonably require if the Contractor Company:

(a) receives any complaint, notice or communication which relates directly or indirectly to its processing of Services Personal Data, or to either party's compliance with Data Protection Legislation; or

(b) becomes aware of any unauthorised or unlawful processing of any Services Personal Data.

9. The Contractor Company shall promptly and without undue delay comply with any request from the Customer requiring the Contractor Company to amend, transfer or delete Services Personal Data, either during or after the term of this Agreement.

Information and audit

10. The Contractor Company shall, at the request of the Customer, provide the Customer with all information necessary to demonstrate the Contractor Company’s compliance with its obligations under this Agreement, including permitting and contributing to audits and inspections conducted by or on behalf of the Customer.

- 7 -

Services Personal Data after Services end

11. Upon ending provision of Services (or part of them) the Contractor Company shall, at the sole election of the Customer, deliver up in such format as the Customer may require, or destroy such Services Personal Data in the possession of, or under the control of, the Contractor Company as the Customer may specify.

Processing Records

12. Where required by the GDPR, the Contractor Company shall maintain written records of its processing of Services Personal Data (the “Processing Records”) as follows:

(a) the name and contact details of:

(i) the Contractor Company (and approved sub-processors (if any));

(ii) the Customer;

(iii) where applicable, the representatives of the Customer, the Contractor Company and its approved sub-processors (if any);

(b) the categories of processing of Services Personal Data carried out on behalf of the Customer;

(c) transfers of Services Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where applicable, details of the suitable safeguards in place; and

(d) a general description of the technical and organisational security measures taken by the Contractor Company and its approved sub-processors (if any).

13. The Contractor Company shall and shall procure that its approved sub-processors (and, where applicable, their appointed representatives) shall make the Processing Records available to the Customer and/or any supervisory authority on request.

Contractor Company’s engagement of sub-processors

14. Notwithstanding any other provision of this Agreement, the Contractor Company shall only be entitled to sub-contract any processing of Services Personal Data with the Customer’s prior written consent and subject to the Contractor Company providing the Customer with full details of the proposed sub-contracting including, without limitation, details of the identity of such sub-processor, the services to be supplied by such sub-processor and the nature of Services Personal Data to be processed by such sub-processor.

When appointing (or replacing) a sub-processor of Services Personal Data the Contractor Company shall:

(a) conduct such due diligence on the sub-processor as is necessary to ensure that the sub-processor’s processing of Services Personal Data complies with Data Protection Legislation;

(b) put in place written contractual obligations which are at least equivalent to the obligations imposed on the Contractor Company pursuant to clause 6 and this Schedule 1, including obligations which provide sufficient guarantees from the sub-processor that the processing meets the requirements of Data Protection Legislation; and

(c) be liable to the Customer for the failure by any such sub-processor to comply with such equivalent data protection obligations.