Stora Terms of Use

These Terms of Use apply to your use of all software services provided by Stora Ltd of Avonmore House, 15 Church Square, Banbridge, Northern Ireland, BT32 4AP (“Stora”). By using the Platform, you (referred to in this Agreement as the “Customer”) agree to be bound by them in relation to all use of the Platform.

1. Definitions

The following definitions apply in this document:

The Platform means the self-storage facility management software service made available to the Customer and its Users on and subject to the terms of this Agreement and as specified in any invoice or order form sent to you by Stora.

Business Day means a day (other than a Saturday, Sunday or public holiday) on which banks are open for business in the United Kingdom.

Confidential Information means all information (whether or not it is described as confidential) in any form or medium concerning any past, present or future business, operations or affairs of either party, including, without limitation customer data, all technical or non-technical data, formulae, patterns, programs, devices, methods, techniques, plans, drawings, models and processes, source and object code, software and computer records; all business and marketing plans and projections, details of agreements and arrangements with third parties, and User and supplier information and lists; all financial information, pricing schedules and structures, product margins, remuneration details and investment outlays; all information concerning any employee, customer, contractor, supplier or agent of the relevant party; the party’s policies and procedures, but excludes information that the other party can establish is known by or is in the other party’s possession or control other than through a breach of this document and is not subject to any obligation of confidence; or is in the public domain other than by a breach of this document or any obligations of confidence.; or is independently developed by or on behalf of the receiving party without reference to or use of the disclosing party’s Confidential Information.

Customer Data means any information that the Customer or any of its Users uploads to the Platform, including Customer Personal Data.

Customer Personal Data means any Personal Data that the Customer or any of its Users uploads to the Platform.

Data Processing Addendum means the additional terms forming part of this Agreement at Schedule 1.

Data Protection Legislation means the UK Data Protection Act 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council, (the General Data Protection Regulation); any other existing or future law, directive or regulation (anywhere in the world) relating to the Processing of Personal Data or privacy, to which Stora or the Customer is subject.

Data Controller, Data Processor, Data Subject, Processing and Personal Data have the meanings given to those expressions or any equivalent or corresponding expressions in the Data Protection Legislation.

Force Majeure means an event or cause beyond the reasonable control of the party claiming force majeure. It includes each of the following, to the extent it is beyond the reasonable control of that party: act of God, lightning, storm, flood, fire, earthquake or explosion cyclone, tidal wave, landslide, adverse weather conditions; act of public enemy, war (declared or undeclared), terrorism, sabotage, blockade, revolution, riot, insurrection, civil commotion, epidemic or pandemic; the effect of any change in applicable laws, orders, rules or regulations of any government or other competent authority; and embargo, inability to obtain necessary materials, equipment or facilities, or power or water shortage.

Intellectual Property means all copyright, patents, inventions, trade secrets, know-how, product formulations, designs, circuit layouts, databases, registered or unregistered trade marks, brand names, business names, domain names and other forms of intellectual property;

Intellectual Property Rights means, for the duration of the rights in any part of the world, industrial or intellectual property rights, whether registrable or not, including in respect of Intellectual Property, applications for the registration of any Intellectual Property and any improvements, enhancements or modifications to any Intellectual Property registrations.

User means any end user authorised by the Customer to access the Customer’s self-storage management system instance on the Platform to purchase self-storage services and accompanying related goods and services.

2. The Platform

2.1. The Platform provides the Customer with a web-based platform to operate and manage a self-storage facility or facilities. Subject to payment of the applicable fees notified on Stora’s website, or otherwise on any invoice or order form, Stora shall make the Platform available to the Customer and its Users.

2.2. The Customer acknowledges that Stora accepts no liability for the operation or otherwise of the Platform as a result of interaction with integration with any third party software or service.

2.3. The Customer agrees and accepts that the Platform is an online service hosted by Stora and its infrastructure providers, and shall only be maintained by Stora, and is not available locally from the Customer’s systems. The Customer acknowledges that it is responsible for maintaining an internet connection to access the Platform. The Customer also acknowledges that the Platform is managed and supported exclusively by Stora and that no ‘back-end’ access to the Platform is available to the Customer or its Users.

2.4. Stora reserves the right to upgrade, maintain, tune, backup, amend, add or remove features, redesign, improve or otherwise alter the Platform at its sole discretion. Stora shall not amend the Platform in a manner that would intentionally cause the Customer to lose access to Customer Data or fundamentally decrease the utility of the Platform to the Customer, other than in accordance with the terms of this Agreement.

3. Payment of fees

3.1. The Customer shall pay the fees notified to it by Stora for use of the Platform. The fees for the use of the Platform are payable monthly (or as otherwise agreed in writing) in full and are based on the applicable tier of Customer’s usage of the Platform. No refunds are payable for any fees under any circumstances.

3.2. All invoices for the use of the Platform must be paid within 14 days of receipt. If full payment is not received by such date, Stora may suspend or withhold access for the Customer and all Users until such payment is received. Stora reserves the right to charge interest for any late payments at 4% above the prevailing Bank of England base rate.

3.3. All prices are exclusive of applicable local, state, federal and international sales, value added, withholding and other taxes and duties of any kind unless otherwise stated.

3.4. The Customer shall pay all invoices for the use of the Platform in full and shall have no right of set off for any liability it may claim to be owed to it by Stora at any time.

3.5. Stora may make the Platform (or any part of it) available to you for a limited evaluation period at no charge at its discretion. All the terms and conditions of this Agreement apply to your use of the Platform during any such period. the Platform. The terms and conditions of this Agreement will apply to your use of the Platform regardless of whether you pay for it or not.

4. Licence to use the Platform

4.1. Subject to compliance with the terms and conditions of this Agreement, the Customer and its Users are granted a limited, non-exclusive and revocable license to access and use the Platform for the duration of this Agreement.

4.2. The Customer is solely responsible for the security of user names and passwords issued to it for access to the Platform.

4.3. Stora may revoke or suspend access to the Platform at any time if the Customer or any User is in breach of this Agreement and has failed to comply with Stora’s reasonable request to remedy such breach within a reasonable time period.

4.4. The Customer shall ensure that each of its Users is aware of and complies with the terms of this Agreement, and the Customer shall remain liable to Stora for any breach of this Agreement by its Users, and any losses or damages that Stora may suffer as a result of any such breach.

4.5. The Customer agrees that it shall only use the Platform for its own internal business purposes and shall not use it to engage in any conduct that is unlawful, immoral, threatening, abusive or in a way that is deemed unreasonable by Stora in its sole discretion. The Customer shall not provide access to the Platform to any third party except to its Users purchasing access to the Customer’s self-storage facility.

4.6. Stora shall endeavour to respond to all support requests within 3 Business Days or sooner. Stora reserves the right to require the payment of reasonable fees for non-standard support requests prior to the provision of such support.

5. Customer Data

5.1. The Customer shall provide Stora with access to such Customer Data as Stora may reasonably request in order to provide the Platform.

5.2. Stora obtains no right, title or interest in Customer Data including any Intellectual Property found within it. The Customer grants Stora a licence to use the Customer Data solely for the purposes of providing the Platform in accordance with this Agreement.

5.3. Stora accepts no liability for the content of Customer Data.

5.4. The Customer and its Users are responsible for the accuracy, quality and legality of Customer Data. The Customer shall ensure that it is has an appropriate legal basis (including consents where required by law) for making any Customer Data available to Stora for use on the Platform. The Customer hereby indemnifies Stora in relation to any claims, losses, damages and costs that Stora or its related parties may suffer as a result of any claim that Stora’s possession or use of the Customer Data to provide the Platform in accordance with this Agreement infringes any applicable Data Protection Legislation or the Intellectual Property Rights or any other rights of any third party, or that the Customer has acted in breach of the Data Processing Addendum.

5.5. Stora shall be entitled to delete Customer Data where any outstanding payments due to Stora by Customer remain unpaid in accordance with the terms of this Agreement and following reasonable attempts by Stora to seek payment.

5.6. Stora shall not access, use, modify or otherwise deal with Customer Data except to provide the Platform, where required by compulsion of law, or upon the Customer or any User’s authority (such as to provide technical support for the Platform), or as part of internal testing and troubleshooting. Notwithstanding the foregoing, Stora shall be permitted to use aggregated and/or anonymised sets of Customer Data and data otherwise generated through the use of the Platform by the Customer and its Users which do not contain Personal Data at its discretion without limitation, including after termination or expiry of this Agreement.

6. Compliance with data privacy laws

6.1. Stora and the Customer will comply with all applicable requirements of the Data Protection Legislation.

6.2. To the extent that Stora acts as a Data Processor of Customer Personal Data in the course of making the Platform available to the Customer, both parties shall comply with the terms of the Data Processing Addendum.

6.3. Stora hereby indemnifies the Customer in relation to any claims, losses, damages and costs that the Customer may suffer as a result of any claim that Stora has acted in breach of the Data Processing Addendum. This indemnity shall not apply to any claim which arises from use of the Platform by the Customer or any User otherwise than in accordance with Stora’s reasonable instructions or the terms of this Agreement or in breach of the Data Processing Addendum.

7. Security

7.1. Stora takes the security of the Platform and the privacy of its Customers and Users very seriously. Stora shall use industry-standard systems and processes to protect the security of Customer Data.

7.2. The Customer agrees that its Users shall not do anything to prejudice the security or privacy of Stora’s systems (and the systems of Stora’s infrastructure providers) or the information on them.

8. Intellectual Property

8.1. The Customer shall not copy, alter, or use the Platform except as provided by this Agreement without the prior written consent of Stora.

8.2. The Platform may incorporate software and other proprietary systems and Intellectual Property owned by Stora or which Stora has appropriate authority to use, and the Customer agrees that such is protected by copyright, trademarks, patents, proprietary rights and other laws, both domestically and internationally.

8.3. The Customer warrants that it shall not infringe on any third-party rights through the use of the Platform.

8.4. The Customer agrees and accepts that the Platform is the Intellectual Property of Stora and the Customer further warrants that by using the Platform the Customer and its Users will not:

8.4.1. copy the Platform or the services that it provides for their own commercial purposes; and

8.4.2. directly or indirectly copy, recreate, decompile, reverse engineer or otherwise obtain, modify or use any source or object code, architecture, algorithms contained in the Platform or any documentation associated with it.

8.5. All content (with the exception of Customer Data) remains the Intellectual Property of Stora, including (without limitation) any source code, ideas, enhancements, feature requests, suggestions or other information provided by the Customer or any other party with respect to the Platform.

8.6. Stora hereby indemnifies the Customer in relation to any claims, losses, damages and costs that the Customer may suffer as a result of any claim that the Customer’s use of the Platform in accordance with this Agreement and any instructions provided by Stora to the Customer infringes the Intellectual Property Rights of any third party. This indemnity shall not apply to any use of the Platform by the Customer or any User otherwise than in accordance with Stora’s reasonable instructions or the terms of this Agreement.

9. Confidentiality

9.1. Stora agrees to keep all Customer Data in confidence, and to the extent Customer Data is accessed and/or received by the Platform it shall be deemed as Confidential Information for the purposes of this Agreement.

9.2. Each party acknowledges and agrees that:

9.2.1. the Confidential Information is secret, confidential and valuable to the disclosing party (Discloser);

9.2.2. it owes an obligation of confidence to the Discloser concerning the Confidential Information;

9.2.3. it must not disclose the Confidential Information to a third party except as permitted in this Agreement;

9.2.4. all Intellectual Property rights remain vested in the Discloser but disclosure of Confidential Information does not in any way transfer or assign any rights or interests in the Intellectual Property to the receiving party; and

9.2.5. any breach or threatened breach by the receiving party of an obligation under this Agreement may cause the Discloser immediate and irreparable harm for which damages alone may not be an adequate remedy. Consequently the Discloser has the right, in addition to other remedies available at law or in equity, to seek injunctive relief against the receiving party (and its agents, assigns, employees, officers and directors, personally) or to compel specific performance of this clause.

9.3. A party must notify the Discloser in writing, giving full details known to it immediately, when it becomes aware of:

9.3.1. any actual, suspected, likely or threatened breach by it of any obligations it has in relation to the Confidential Information.

9.3.2. any actual, suspected, likely or threatened breach by any person of any obligation in relation to the Confidential Information; or

9.3.3. any actual, suspected, likely or threatened theft, loss, damage, or unauthorized access, use or disclosure of or to any Confidential Information.

9.4. The receiving party must promptly take all steps that the Discloser may reasonably require and must co-operate with any investigation, litigation or other action of the Discloser or of a related body corporate if there is:

9.4.1. any actual, suspected, likely or threatened breach of a term of this Agreement; or

9.4.2. any theft, loss, damage or unauthorized access, use or disclosure of or to any Confidential Information that is or was in its possession or control.

10. Warranties

10.1. Stora warrants that the Platform will conform to all representations and descriptions of functionality and service made available to the Customer and that it will use all reasonable commercial efforts to maintain the online availability of the Platform, excluding downtime for scheduled and emergency maintenance, which shall be notified in advance to Customer wherever possible, and scheduled to minimize disruption to Customer’s operations.

10.2. Stora warrants that it will use industry standard measures to maintain the security of the Platform as described in this Agreement, and that it will fix defects in the software in a prompt manner.

10.3. Except as otherwise provided in this Agreement, the Customer acknowledges and agrees that the Platform (including all content, function, and services) is provided “as is,” without additional warranty of any kind, either express or implied, including any additional warranty for information, data, data processing services or uninterrupted access, any warranties concerning the availability, accuracy, completeness, usefulness, or content of information, and any warranties of title, non-infringement, merchantability or fitness for a particular purpose.

10.4. Stora does not warrant that the Platform (or the function, content or services made available within it) will be timely, secure, uninterrupted or error free. Stora makes no warranty that the Platform will meet the Customer’s expectations or requirements. No advice, results or information, or data whether oral or written, obtained through the Platform shall create any warranty not expressly made herein. If a Customer is dissatisfied with the Platform, the sole remedy is to discontinue using the Platform.

10.5. The Customer acknowledges that the Platform is hosted on third party infrastructure, and Stora shall not be liable to Customer for any costs, losses, damages, downtime, or other liability arising from the use of or reliance upon such third party infrastructure.

10.6. Each party acknowledges that it has not relied on any representation, warranty or statement made by any other party, other than as set out in this Agreement.

11. Liability & Indemnity

11.1. THE CUSTOMER AGREES THAT IT USES THE PLATFORM AT ITS OWN RISK.

11.2. THE CUSTOMER ACKNOWLEDGES THAT STORA IS NOT RESPONSIBLE FOR THE CONDUCT OR ACTIVITIES OF ANY USER AND THAT STORA IS NOT LIABLE FOR SUCH UNDER ANY CIRCUMSTANCES.

11.3. THE CUSTOMER ACKNOWLEDGES AND AGREES THAT STORA SHALL NOT BE LIABLE FOR ANY USE OF TEMPLATE TERMS AND CONDITIONS OR SIMILAR DOCUMENTATION MADE AVAILABLE BY STORA FOR USE BY THE CUSTOMER WHEN SELLING SERVICES TO ITS USERS. SUCH TEMPLATES ARE PROVIDED BY STORA FOR INFORMATION ONLY AND ARE USED BY THE CUSTOMER AT THEIR OWN RISK. THE CUSTOMER AGREES THAT IT IS RESPONSIBLE FOR SEEKING ITS OWN LEGAL ADVICE ON THE SUITABILITY OF SUCH TEMPLATES FOR THE CUSTOMER’S BUSINESS.

11.4. THE CUSTOMER AGREES TO INDEMNIFY STORA FOR ANY LOSS, DAMAGE, COST OR EXPENSE THAT STORA MAY SUFFER OR INCUR AS A RESULT OF OR IN CONNECTION WITH THE USE BY CUSTOMER OR ITS USERS OF THE PLATFORM OR CONDUCT IN CONNECTION WITH THE PLATFORM, INCLUDING ANY BREACH BY THE CUSTOMER OR ANY OF ITS USERS OF THIS AGREEMENT.

11.5. EXCEPT AS REQUIRED BY LAW, STORA’S MAXIMUM LIABILITY TO THE CUSTOMER OR ANY USER IN RELATION TO THIS AGREEMENT (INCLUDING UNDER ANY INDEMNITY) SHALL NOT EXCEED THE FEES PAID IN THE TWELVE MONTHS PRECEDING THE DATE OF THE LIABILITY ARISING.

11.6. IN NO CIRCUMSTANCES WILL STORA BE LIABLE FOR ANY INCIDENTAL, CONSEQUENTIAL OR INDIRECT DAMAGES, LOSS OR CORRUPTION OF DATA, LOSS OF PROFITS, GOODWILL, BARGAIN OR OPPORTUNITY, LOSS OF ANTICIPATED SAVINGS OR ANY OTHER SIMILAR OR ANALOGOUS LOSS RESULTING FROM THE CUSTOMER OR ANY USER’S ACCESS TO, OR USE OF, OR INABILITY TO USE THE PLATFORM, WHETHER BASED ON WARRANTY, CONTRACT, TORT, NEGLIGENCE, IN EQUITY OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT STORA KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGE, TO BUSINESS INTERRUPTION OF ANY TYPE, WHETHER IN TORT, CONTRACT OR OTHERWISE.

12. Termination

12.1. This Agreement shall remain in force unless it terminates or expires in accordance with this clause 12.

12.2. Unless otherwise stated in any invoice or order form, this Agreement shall remain in force for one calendar month – whether the Customer is paying monthly or annually - and shall automatically renew for subsequent calendar months unless either party provides written notice to the other party of its intention to terminate no later than 7 days before the end of the then-current month.

12.3. Where a party is in material breach of this Agreement, and has failed to remedy such breach within 28 days of notification by the other party, the other party may terminate this Agreement by giving written notice of termination, which shall become effective 5 Business Days after the date of the notice.

12.4. Either party may terminate this Agreement immediately by notice, if either party:

12.4.1. stops or suspends or threatens to stop or suspend payment of all or a class of its debts;

12.4.2. is insolvent under company law;

12.4.3. has an administrator appointed in respect of it;

12.4.4. has an order made or a resolution passed for its winding up or dissolution or it enters into an arrangement, compromise or composition with or assignment for the benefit of its creditors or a class of them;

12.4.5. has any security enforced over, or a distress, execution or other similar process levied or served against, the whole or a substantial part of its assets or undertaking; or

12.4.6. is subject to any event which, under the law of any relevant jurisdiction, has an analogous or equivalent effect to any of the events listed above.

12.5. Expiry or termination of this Agreement is without prejudice to and does not affect the accrued rights or remedies of any of the parties arising in any way out of this Agreement up to the date of expiry or termination.

12.6. Rights and obligations under this Agreement shall survive termination of this Agreement where reasonably required to give commercial effect to such rights and obligations.

12.7. Stora may terminate this agreement and the Customer account with Stora with 28 days notice without cause. In the event that the Customer has already paid for time beyond this, Stora may at it’s sole discretion refund pro-rata any pre-paid subscription fees after deducting any costs incurred for onboarding or any other support services provided. At the end of the 28 days notice, the Customer’s account with Stora will be closed.

13. Force Majeure

13.1. If a party is prevented in whole or in part from carrying out its obligations under this Agreement as a result of Force Majeure, it will promptly notify the other party accordingly. The notice must:

13.1.1. specify the obligations and the extent to which it cannot perform those obligations;

13.1.2. fully describe the event of Force Majeure;

13.1.3. estimate the time during which the Force Majeure will continue; and

13.1.4. specify the measures proposed to be adopted to remedy or abate the Force Majeure.

13.2. Following a notice of Force Majeure in accordance with section 13.1 and while the Force Majeure continues, the obligations which cannot be performed because of the Force Majeure will be suspended, other than obligations to pay money that is due and payable.

13.3. The party that is prevented from carrying out its obligations under this Agreement as a result of Force Majeure must remedy the Force Majeure to the extent reasonably practicable and resume performance of its obligations as soon as reasonably possible.

13.4. The party that is prevented from carrying out its obligations under this Agreement as a result of Force Majeure must take all action reasonably practicable to mitigate any loss suffered by the other party as a result of the party’s failure to carry out its obligations under this Agreement.

13.5. The term of this Agreement will not be extended by the period of Force Majeure.

14. Other provisions

14.1. The Customer may not assign or otherwise license or transfer any of its rights and obligations under this Agreement.

14.2. Each party acknowledges that it has not relied on any representation, warranty or statement made by any other party, other than as set out in this Agreement.

14.3. The relationship of the parties to this Agreement does not form a joint venture or partnership.

14.4. The Customer agrees that Stora may reference the Customer’s use of the Platform in its promotional materials.

14.5. No clause of this Agreement will be deemed waived and no breach excused unless such waiver or consent is provided in writing.

14.6. Any clause of this Agreement, which is invalid or unenforceable is ineffective to the extent of the invalidity or unenforceability without affecting the remaining clauses of this Agreement.

14.7. Any part of this Agreement may be amended by Stora at any time, and any aspect of the Platform may be updated or discontinued at any time, provided that the core functionality of the Platform will not be varied in a way that materially affects the Customer’s use of the Platform. Any changes to this Agreement or to the Platform which will significantly affect the rights and obligations of the Customer will be notified to the Customer in advance of such changes taking effect.

14.8. This Agreement shall be governed by and construed and enforced in accordance with the laws of England and Wales.

14.9. Each Party expressly agrees that exclusive jurisdiction for resolving any claim or dispute between the Customer and Stora relating in any way to use of the Platform shall be with the courts of England and Wales.

SCHEDULE 1 - DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms a part of the Stora Terms of Use between Stora Ltd and Customer (“Agreement”) which apply to the Customer’s use of the Platform. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

This DPA is an addendum to and forms a part of the Agreement and shall be legally binding with effect from the commencement of the Agreement. If any terms of this DPA are inconsistent with the terms of the Agreement, including the exhibits thereto, then the terms of this DPA shall prevail.

1. BACKGROUND

1.1. This DPA applies to Customer Personal Data provided by Customer as a Data Controller in connection with their use of the Platform. It states the technical and organizational measures Stora uses to protect Customer Personal Data in the course of acting as a Data Processor when providing the Platform.

1.2. If processing of Customer Personal Data involves an International Transfer, the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses, as the case may be, apply, and as stated in Section 5 and are incorporated by reference.

2. APPENDICES

Customer as a Data Controller determines the purposes of collecting and processing Customer Personal Data in the Platform. Appendix 1 states the details of the processing Stora will provide via the Platform under the Agreement. Appendix 2 states the technical and organizational measures Stora applies to the Platform, unless the Agreement states otherwise. Appendix 3 defines the applicable modules and options for the EU Standard Contractual Clauses and the UK Standard Contractual Clauses.

3. STORA OBLIGATIONS

3.1. Stora will follow instructions received from Customer with respect to Customer Personal Data, unless they are (i) legally prohibited or (ii) require material changes to the Platform. In the event and to the extent the functionality of the Platform does not allow Customer or authorized users to do so, Stora may correct, block or remove any Customer Personal Data in accordance with Customer’s instruction. If Stora cannot comply with an instruction, it will notify Customer (email permitted) without undue delay.

3.2. Stora will use the appropriate technical and organizational measures to protect all Customer Personal Data.

3.3. Stora shall notify Customer without undue delay but in no event later than seventy-two (72) hours of its discovery of a Security Breach.

3.4. At Customer’s request, Stora will reasonably support Customer in dealing with requests from Data Subjects or regulatory authorities regarding Stora’s processing of Customer Personal Data.

3.5. Upon termination of the Agreement for whatever reason, and upon Customer’s written request made within thirty (30) days after such termination, Stora will (as applicable) return to Customer or destroy all Customer Personal Data. After such 30-day period, Stora will destroy such Personal Data.

4. SUBPROCESSORS

4.1. Customer authorizes Stora to subcontract the processing of Customer Personal Data to Subprocessors. Stora is responsible for any breaches of the Agreement caused by its Subprocessors.

4.2. Subprocessors will have the same obligations in relation to Stora as Stora does as a Data Processor (or Subprocessor) with regard to their processing of Customer Personal Data.

4.3. Stora will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection. Subprocessors may have security certifications that evidence their use of appropriate security measures. If not, Stora will regularly evaluate each Subprocessor’s security practices as they relate to data handling.

4.4. Stora’s use of Subprocessors is at its discretion, provided that:

4.4.1. Stora will notify Customer in advance (by email or such other means which Stora makes available to its customers) of any changes to the list of Subprocessors in place as of the commencement of provision of the Platform (except for Emergency Replacements or deletions of Subprocessors without replacement).

4.4.2. If Customer has a legitimate reason that relates to the Subprocessors’ processing of Customer Personal Data, Customer may object to Stora’s use of a Subprocessor, by notifying Stora in writing within thirty days after receipt of Stora’s notice. If Customer objects to the use of the Subprocessor, the parties will come together in good faith to discuss a resolution. Stora may choose to: (i) not use the Subprocessor or (ii) take the corrective steps requested by Customer in its objection and use the Subprocessor. If none of these options are reasonably possible and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty days’ written notice. If Customer does not object within thirty days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.

4.4.3. If Customer’s objection remains unresolved sixty days after it was raised, and Stora has not received any notice of termination, Customer is deemed to accept the Subprocessor.

4.4.4. The list of Subprocessors current as of the commencement of provision of the Platform is set out in Appendix 1.

4.5. Stora may change a Subprocessor where the reason for the change is outside of Stora’s reasonable control. In this case, Stora will inform Customer of the replacement Subprocessor as soon as possible. Customer retains its right to object to a replacement Subprocessor under Section 4.4.2.

5. INTERNATIONAL TRANSFERS

5.1. Personal Data from EEA, UK, or Swiss Data Controller(s) may only be exported to or accessed by Stora or its Subprocessors outside the EEA, the UK, or Switzerland, as applicable (“International Transfer”):

5.1.1. if the recipient, or the country or territory in which it processes or accesses Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction; or

5.1.2. in accordance with Section 5.2.

5.2. The UK or EU Standard Contractual Clauses (as applicable) apply where:

5.2.1. there is an International Transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction, and/or

5.2.2. there is an International Transfer to a recipient that is not covered by an appropriate safeguard, including, but not limited to, binding corporate rules, an approved industry code of conduct, and individual adequacy decision by a regulatory body of competent jurisdictions, or an individual transfer authorisation granted by a regulatory body of competent jurisdiction.

5.3. For Third Country Subprocessors, Stora shall ensure that such Subprocessor has entered into the unchanged version of the UK or EU Standard Contractual Clauses prior to the Subprocessor’s processing of Personal Data.

5.4. Nothing in this DPA will be construed to prevail over any conflicting clause of the UK or EU Standard Contractual Clauses.

6. DEFINITIONS

“Customer Personal Data” means any Personal Data that the Customer or any of its Users uploads to the Platform.

“Data Protection Legislation” means the Data Protection Act 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council, (the General Data Protection Regulation); any other existing or future law, directive or regulation (anywhere in the world) relating to the Processing of Personal Data or privacy, to which Stora is subject.

“Data Controller”, “Data Processor”, “Data Subject”, “Processing” and “Personal Data” have the meanings given to those expressions or any equivalent or corresponding expressions in the Data Protection Legislation.

“EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Lichtenstein and Norway.

“EU Standard Contractual Clauses” shall mean the standard contractual clauses promulgated by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (C/2021/3972) on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

“Security Breach” means a confirmed accidental or unlawful destruction, loss, alteration, or disclosure that results in the compromise of the integrity and/or confidentiality of Personal Data. They include Appendices 1 and 2 attached to this DPA.

“Subprocessor” means Stora affiliates and third parties engaged by Stora or Stora’s affiliates to process Personal Data.

“Third Country Subprocessor” means any Subprocessor incorporated outside the EEA and outside any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

“UK Standard Contractual Clauses” means the UK Data Transfer Addendum, being the applicable EU Standard Contractual Clauses as amended by a data transfer addendum in a form adopted by the UK ICO, as amended, superseded or replaced from time to time.

APPENDIX 1

DETAILS OF DATA PROCESSING

Data Exporter

Name: The Customer identified in the Agreement.

Address: As stated in the Agreement.

Role: (Controller/Processor): Controller

Data Importer

Name: Stora and its Subprocessors, each as identified in the Agreement.

Address: As stated in the Agreement.

Role: (Controller/Processor): Processor

Purpose(s) of the data transfer and further processing

Provision by Stora of the Platform, including:

• Monitoring the Platform

• Release and development of fixes and upgrades to the Platform

• Monitoring, troubleshooting and administering the underlying infrastructure of the Platform

• Security monitoring, network-based intrusion detection support, penetration testing

Description of Transfer

Categories of Data Subjects whose personal data is transferred

Unless provided otherwise by the Data Exporter, transferred Customer Personal Data relates to the following categories of data subjects: Users to whom the Customer wishes to market its products or services

Categories of personal data transferred

The transferred Customer Personal Data submitted to the Platform may concern the following categories of data: Customer, in its sole discretion and control, determines the categories of Customer Personal Data in accordance with the Platform component(s) ordered under the Agreement. Customer can configure the data fields during implementation of the Platform or as otherwise provided by the Platform, subject to the functionality of the related component(s). The transferred Customer Personal Data submitted into the Platform may include, but is not limited to the following categories of data:

• Data subject name and contact information

Sensitive data transferred

None.

Processing Operations (Activities relevant to the data transferred under the DPA)

The transferred Customer Personal Data is subject to the following basic processing activities:

• use of Customer Personal Data to set up, operate, monitor and provide the Platform

• integration with the Customer’s social media and other marketing platforms

• communication to Users

• upload any fixes or upgrades to the Platform

• execution of instructions of Customer in accordance with the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

As defined in the Agreement.

Competent supervisory authority

United Kingdom

List of Subcontractors as of the Effective Date

Company	Purpose	Location of data hosting
Heroku	Hosting data services	EU, UK and US

APPENDIX 2

TECHNICAL AND ORGANIZATIONAL MEASURES

The following sets out Stora’s current technical and organizational security measures. Stora may change these at any time without notice so long as it maintains a comparable or better level of security. This may mean that individual measures are replaced by new measures that serve the same purpose without diminishing the security level.

1. Storage limitation

1.1 The Data Processor is required to limit the storage of personal data processed for the Data Controller by deleting personal data concerning users of services or customer service representatives upon request from the Data Controller.

2. Information security policy

2.1 The Data Processor shall have a documented information security policy, which is defined and approved by the management, published and communicated to its staff and other relevant parties.

3. Information security organisation

3.1 The Data Processor shall have staff with appointed responsibilities for ensuring an appropriate information security.

4. Staff security

4.1 The Data Processor shall in the recruitment process conduct adequate controls for applicants according to applicable legislation, which shall be in proportion to the business operations, the categories of personal data given access to and risk levels.

4.2 The Data Processor shall ensure that all personnel with access to personal data processed for the Data Controller have a confidentiality obligation towards the Data Processor and receive continued information security training.

4.3 The Data Processor shall have an employee offboarding process which includes removal of access rights and return of IT equipment.

5. Personal data handling

5.1 The Data Processor shall handle personal data processed for the Data Controller as confidential information.

6. Access Control

6.1 Users shall only have access to personal data, personal data processing resources, networks and network services that are needed to perform their duties and for which they have received explicit permission to access.

6.2 The Data Processor shall prevent unauthorised access to personal data processed for the Data Controller by (at least) implementing activity logs which register user activities and can give information about what personal data has been exposed to unauthorised access, modification, erasure or destruction.

7. Physical security

7.1 Physical access to the Data Processor’s systems and processing environment shall be restricted to authorised personnel.

7.2 Physical access to personal data processed for the Data Controller shall be restricted and require identifiable and personal authentication scheme.

7.3 Equipment shall be placed and protected to minimise risks for environment related threats and dangers and unauthorised access.

8. Communication security

8.1 Personal data processing resources containing personal data or which are part of the system of the processing shall be protected by firewalls.

8.2 The Data Processor shall apply up-to-date security measures for electronic messages to actively protect against viruses, malware, ransomware and other harmful software.

8.3 Development, test and production environments shall be separated to minimise the risk for unauthorised access or changes in the production and other environments.

8.4 Data from the Data Controller cannot be used in test or development environments without removing or anonymising personal data.

APPENDIX 3

STANDARD CONTRACTUAL CLAUSES

EU Standard Contractual Clauses

EU SCC term	Amendment / Selected option
Module	Module 2 (Controller to Processor)
Clause 7 (Docking clause)	Not included
Clause 9 (Use of sub-processors) / Annex III	Option 2 shall apply. The list of sub-processors already authorised by Customer is contained in Appendix 1.
Clause 11 (Redress)	Not included
Clause 13 (Supervision) and Annex 1.C	The supervisory authority with responsibility for ensuring compliance by the data exporter is: where the data exporter is established within an EU member state, the supervisory authority of that EU member state OR where the data exporter is subject to EU GDPR pursuant to Article 3(2) EU GDPR and has appointed a representative in the EU, the supervisory authority of that EU member state OR where the data exporter is subject to EU GDPR pursuant to Article 3(2) EU GDPR, but has not appointed a representative in an EU member state, the supervisory authority of the EU member state where the relevant data subjects are located.
Clause 17 (Governing law)	Ireland
Clause 18 (Choice of forum and jurisdiction)	Ireland
Annex I.A (List of parties)	The relevant data exporters and data importers are specified in Appendix 1.
Annex I.B (Description of the transfer)	The categories of data subject, personal data categories, purposes of international transfer and processing, any additional safeguards, and if applicable the duration of processing and any maximum data retention periods are specified in Appendix 1.
Annex II (Technical and organisational measures)	The relevant technical and organisational measures are specified in Appendix 2.

UK Standard Contractual Clauses

UK Data Transfer Addendum Incorporating EU Standard Contractual Clause terms	Amendment / Selected option
Clause 7 (Docking clause)	Not included
Clause 9 (Use of sub-processors) / Annex III	Option 2 shall apply. The list of sub-processors already authorised by Customer is contained in Appendix 1.
Clause 11 (Redress)	Not included
Clause 13 (Supervision) and Annex 1.C	The competent supervisory authority is the UK Information Commissioner’s Office.
Clause 17 (Governing law)	England
Clause 18 (Choice of forum and jurisdiction)	England
Annex I.A (List of parties)	The relevant data exporters and data importers are specified in Appendix 1.
Annex I.B (Description of the transfer)	The categories of data subject, personal data categories, purposes of international transfer and processing, any additional safeguards, and if applicable the duration of processing and any maximum data retention periods are specified in Appendix 1.
Annex II (Technical and organisational measures)	The relevant technical and organisational measures are specified in Appendix 2.