SaaS Terms Of Service

Version 1.0 – Effective 2026-04-21

  1. INTRODUCTION

1.1                   These Terms of Service (this "Agreement") govern the provision of the Service by Luota Oy (“LumiDB”), a company incorporated in Finland (company number 3396773-6), with its registered address at Siltasaarenkatu 12 C, 00530 Helsinki (the "Supplier") to the customer identified in the Customer's account (the "Customer").

1.2                  Acceptance. The Customer accepts this Agreement by any of the following means: (a) creating an account on the Supplier's platform; (b) clicking "I Accept" or an equivalent affirmation in the Supplier's signup flow; (c) completing a subscription purchase via a Supplier-provided payment link; (d) accepting an invitation in a Supplier-provided email that references this Agreement; (e) executing an Order Form that incorporates this Agreement by reference; or (f) accessing or using the Service.

1.3                  Authority. The individual accepting this Agreement on behalf of the Customer represents and warrants that they have the authority to bind the Customer to this Agreement. If the Customer is a legal entity, all activity in the Customer's account is deemed performed by authorized representatives of the Customer.

1.4                  Commercial Terms. Where an Order Form has been executed between the Parties, the commercial terms (including Subscription Fee, Term, and Commencement Date) set out in that Order Form shall govern. Where no Order Form has been executed, the commercial terms displayed to the Customer in the Supplier's signup flow or payment link at the time of acceptance shall govern. Click-acceptance of an updated version of this Agreement shall not modify the commercial terms of any previously executed Order Form.

  1. DEFINITIONS AND INTERPRETATION

The definitions and rules of interpretation set out in Schedule 1 apply to this Agreement.

  1. COMMENCEMENT AND DURATION

This Agreement shall commence on the Commencement Date. Unless terminated earlier in accordance with its terms, this Agreement shall continue in force for the duration of the Term as specified in Order Form.

  1. SUBSCRIPTION

4.1                   Subject to the Customer's payment of the Subscription Fees (as applicable) and the Supplier’s strict compliance with the other terms and conditions of this Agreement, the Supplier hereby grants to the Customer a non-exclusive and non-transferable right (without the right to grant sub-licences) to use and access, and to permit the Customer Users to use and access, the Service, solely for Accepted Purposes during the Term.

4.2                  The Supplier may amend the Service and the Service Description from time to time. The current Service Description is available on the Supplier's website.

4.3                  The Customer acknowledges and agrees that the Supplier and its licensors own all Intellectual Property Rights in the Service, Information, Software and the Service Description. Except as expressly stated herein, this Agreement shall not grant the Customer any rights to, or in, any Intellectual Property Rights in respect of the Service, Information, Software and the Service Description.

4.4                  The Supplier and its licensors shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate into the Service, Information, Software and/or the Service Description, as the case may be, any enhancement requests or feedback provided by the Customer and any Customer Users, so long as the Customer is not identified in any way as the source of such feedback. For the avoidance of doubt, the Supplier shall not be obliged to implement any such enhancement requests or feedback.

  1. SUPPLIER OBLIGATIONS

5.1                   The Supplier shall perform its obligations under this Agreement in compliance with all laws applicable to the Supplier in general and independently of the performance of the Supplier’s obligations under this Agreement.

5.2                  The Supplier makes no representation, and gives no warranty or undertaking, that the operation or availability of the Service will be uninterrupted or error-free.

5.3                  The Customer acknowledges that the Supplier and/or the Supplier Personnel may from time to time carry out routine and/or emergency maintenance of the Service. The Customer may be unable to access the Service during any period in which routine or emergency maintenance is being carried out.

5.4                  Without limitation to Clause 18.1 (Force Majeure), the Customer acknowledges that the Supplier has no direct control over the availability of, or limitations in, bandwidth over the entirety of the internet and that, while the Supplier will use such endeavours as the Supplier deems appropriate to facilitate the Service, the Supplier shall not be responsible for delays in or unavailability of the Service caused by such bandwidth limitations or unavailability.

5.5                  Except as expressly provided in this Agreement, the Service is provided "as is" and to the extent permitted by law, the Supplier disclaims all other conditions, warranties, representations, undertakings or other terms which might have effect between the Parties with respect to the Service, or be implied or incorporated into this Agreement, whether by statute, common law, custom or otherwise, including any implied conditions, warranties, undertakings or other terms relating to satisfactory quality, reasonable skill and care, fitness for any particular purpose, ability to achieve a particular result, non-infringement or arising from course of dealing or usage of trade. Supplier does not warrant anything in relation to systems that do not make up the Service or the connection to the Service or those systems.

  1. DISCLAIMERS

6.1                   The Supplier does not warrant, represent, undertake or agree that: (a) the use of the Service by the Customer or its Customer Users will meet the Customer’s requirements nor that any recommendations derived from use of the Service will deliver any particular benefits if implemented; (b) defects in the Service will be corrected; or (c) the functions of the Service will operate in the combinations which the Customer selects for use. Under no circumstances shall the Supplier or the Supplier Personnel have any liability for any losses, claims, damages, costs or expenses caused by errors or omissions in any information, instructions or scripts provided to the Supplier and/or the Supplier Personnel by or on behalf of the Customer in connection with the Service, or any actions taken by the Supplier and/or the Supplier Personnel at the Customer's direction.

  1. CUSTOMER'S OBLIGATIONS

7.1                   In relation to the Service:

7.1.1               the Customer shall not (and shall ensure that its Customer Users do not) store, distribute or transmit any Malware, or any material, information or data through the Service that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; facilitates illegal activity; illegal images; or promotes unlawful violence, discrimination based on race, gender, colour, religious belief, sexual orientation, disability, or any other illegal activities;

7.1.2              the Customer shall not:

7.1.2.1           except as may be allowed by any applicable law which is incapable of exclusion by agreement between the Parties, attempt to copy, duplicate, modify, create derivative works from or distribute all or any portion of the Service, Information, Software or Service Description;

7.1.2.2          access, develop, supply or market all or any part of the Service in order to build a product or service which replicates, competes with or is substantially similar to the Service;

7.1.2.3          attempt to undertake any security, vulnerability, penetration, or similar testing of the Service without the prior written consent of the Supplier;

7.1.2.4          subject to Clause 18.5 (Assignment), transfer, temporarily or permanently, any of its rights under this Agreement; or

7.1.2.5          assist third parties in obtaining access to the Service;

7.1.3               the Customer shall use its best endeavours to prevent any unauthorised access to, or use of, the Service and shall notify the Supplier promptly of any such unauthorised access or use; and

7.1.4              the Supplier may audit the Customer's compliance with this Clause 7.1 by any lawful, technical means and the Customer shall provide all reasonable assistance and information to the Supplier necessary to establish that the Service is only being accessed and used in accordance with this Agreement.

7.2                  The Customer shall

7.2.1              provide the Supplier with all necessary co-operation in relation to this Agreement and access to such information as may be required by the Supplier in order to provide the Service;

7.2.2              ensure that the Customer Users comply with any acceptable use policies specified or provided by the Supplier from time to time for the Service;

7.2.3              maintain sufficient licences to any software (from third parties or licensed by the Supplier separately to this Agreement) operated using or in conjunction with the Service;

7.2.4              maintain adequate technical capabilities to access and use the Service, including complying with possible Minimum Technical Requirements. The Customer acknowledges that as between the Parties, it is solely responsible for ensuring that its firewalls, security and privacy systems and settings, and other plug-ins or applications, do not interfere with or restrict the Customer's, or its Customer Users', access and use of the Service, and the Supplier and Supplier Personnel shall have no responsibility or liability in relation thereto;

7.2.5              provide such personnel assistance as may be reasonably requested by the Supplier from time to time;

7.2.6              comply with all applicable laws and regulations with respect to its activities under this Agreement;

7.2.7              carry out all other Customer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Customer's provision of such assistance as agreed by the parties, the Supplier may adjust any timetable or delivery schedule set out in this Agreement as reasonably necessary;

7.2.8              before the Customer uses any updates to any third-party software in a live environment, carry out testing updates to any third-party software to its satisfaction, to ensure that such updates meet the Customer's own requirements without causing any issues with the Customer's use of the Service; and

7.2.9              undertake appropriate back-ups to its data and to secure media with such regularity and in such a manner so as to ensure that it can restore such data and media in the event of data loss or corruption from any cause.

  1. CUSTOMER USERS AND LOCATIONS

8.1                   In relation to Customer Users:

8.1.1               the Customer shall ensure that the Customer Users comply with the terms of this Agreement, and shall be responsible for any acts and omissions of the Customer User as if committed by the Customer itself;

8.1.1.1           the Customer shall ensure that each Customer User keeps any user log-in(s), and password(s) for their use of the Service secure and confidential, password(s) are of adequate strength and conforming to the password policies of the Service, and that each Customer User does not share their login password(s) to allow any other employees, contractors (individuals or otherwise), representatives and agents of the Customer or any other individual or third party to access the Service;

8.1.1.2           in respect of any Customer User, the Customer will not allow any Customer User account to be used by more than one (1) individual Customer User; and

8.1.1.3           if a Customer User leaves the employment or engagement of the Customer or where the employment or engagement of a Customer User is transferred such that the Customer does not intend for them to have access to the Service, the Customer shall promptly ensure that the Customer User shall not have access to the Service.

8.2                  The Customer will not allow any Customer User account to be used (including to access or use the Service) in Restricted Locations.

8.3                  If the Customer wishes to purchase the right to access and use the Service at Restricted Locations, the Customer shall notify the Supplier in writing. The Supplier shall evaluate such request and respond to the Customer with approval or rejection of the request. If the Supplier approves the Customer's request to purchase access for Restricted Locations, the Customer shall, within thirty (30) calendar days of the date of the Supplier's invoice, pay to the Supplier the relevant fees for such additional location as agreed upon.

8.4                  The Customer acknowledges that the Service may provide functionality or features that enable Customer Users to perform functions, or order services that may incur additional Subscription Fees (as specified in the Service Description and/or on the Service itself) and the Customer agrees to be bound by the actions and orders performed by the Customer Users (or any person who obtains access to the Service as a result of a breach of this Agreement by the Customer) using the Service and pay any additional Subscription Fees arising as a result.

  1. SUBSCRIPTION FEES AND PAYMENT TERMS

Subscription Fees

9.1                   The Customer shall pay the Subscription Fees (as applicable) to the Supplier in accordance with this Clause 9 and the Order Form.

9.2                  The Supplier will invoice the Subscription Fees to the Customer in advance. Where the Customer has authorized automatic payment via a payment method on file (including via the Supplier's payment processor), Subscription Fees shall be charged on the invoice date. In all other cases, the Customer shall pay the invoice within fourteen (14) days of the invoice date.

9.3                  The Supplier reserves the right to make provision of the Service subject to receipt of payment of the Subscription Fees.

Payment Terms

9.4                  As applicable, the Customer shall pay all sums due to the Supplier in cleared funds (in the currency specified in the invoice or, if not specified, euros (EUR)) into the bank account nominated by the Supplier from time to time.

9.5                  The Subscription Fees shall include all public charges determined by the authorities and effective on the date of signature of the agreement, with the exception of value added tax. Value added tax shall be added to the Subscription Fees in accordance with the then current regulations. If the amount of public charges determined by the authorities or their collection basis change due to changes in the regulations or taxation practice, the Subscription Fees and other prices, if any, shall be revised correspondingly.

9.6                  If the Customer is or may be required under any law or regulation of any governmental entity or authority, domestic or foreign, to withhold or deduct any portion of any payment due to the Supplier pursuant to this Agreement and the Supplier is unable to reclaim or recover that deduction through the exercise of reasonable efforts, then the sum payable to the Supplier will be increased by the amount necessary to yield to the Supplier an amount equal to the sum it would have received had no withholdings or deductions been made.

9.7                   If the Customer fails to make any payment in accordance with this Agreement, then the Supplier shall (without prejudice to its other rights and remedies) be entitled to:

9.7.1               charge interest on the overdue amount at an annual rate of 16% ; and/or

9.7.2              suspend the Customer's and the Customer Users' access to and use of the Service until payment (including any accrued overdue interest thereon) is made by the Customer in accordance with this Agreement.

9.8                  Any Subscription Fees paid in accordance with this Clause 9 shall be non-refundable in any circumstances including upon early termination of this Agreement. Notwithstanding the foregoing, the Customer may cancel an auto-renewing subscription at any time before the renewal date to prevent the next renewal charge.

9.9                  The Customer shall provide accurate, current and complete information on the Customer’s billing address and billing contacts, including email address and phone number, and will promptly notify the Supplier if this information changes.

  1. CUSTOMER DATA

10.1                   The Customer shall own all rights, title and interest in and to all of the Customer Data and shall at all times have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data and for ensuring that its use does not infringe the rights of any third parties.

10.2                  The Customer hereby grants to the Supplier and the Supplier Personnel, on and subject to the terms and conditions of this Agreement, a non-exclusive, non-transferable licence to use the Customer Data for the purpose of providing the Service and the exercise of the Supplier's rights under this Agreement (together with the right to sub-licence these rights to its subcontractors to the extent necessarily required for the performance of the Supplier's obligations) and for any requirements ancillary to the provision of the Service (including any data analytics and service modelling specified in the Service Description). The Customer warrants to the Supplier that the use of the Customer Data in accordance with this Agreement will not: (a) breach any laws, statutes or regulations; (b) infringe the Intellectual Property Rights or other legal rights of any person; or (c) give rise to any cause of action against the Supplier, in each case in any jurisdiction and under any applicable law.

10.3                  In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data where such back-ups are made by the Supplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by the Customer, its Customer Users, the Customer's Affiliates or any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data hosting and back-up, in which case the Supplier's liability shall be subject to the limitations and exclusions set out in this Agreement, including those set out in this Clause and Clause 14).

  1. DATA PROTECTION

These Data Processing Terms (“Data Processing Terms”) constitute the terms for the processing of Personal Data between the data controller and the processor in accordance with Data Protection Legislation and sets out the terms and conditions for the processing of Personal Data by the Supplier on behalf of the Customer under the Agreement. The Supplier shall act as a processor on behalf of the Customer who may act either as a controller or as a processor on behalf of a third-party controller.

Terms defined in Data Protection Legislation which are not defined under the Agreement shall have the meaning given to them in Data Protection Legislation.

11.1                  Details of Personal Data processing

11.1.1               The processing of Personal Data is described in more detail in the Schedule 2 (Description of the Personal Data Processing).

11.2                 Rights and responsibilities of the customer

11.2.1              The Customer shall process Personal Data in compliance with Data Protection Legislation and good data processing practice.

11.2.2              At the time of signing this Agreement, the written instructions given by the Customer to the Supplier are included in these Data Processing Terms and the Schedules thereto. The Customer may provide the Supplier with binding instructions regarding the processing of personal data to the extent that compliance with Data Protection Legislation requires changes to the processing in accordance with the instructions, and the Customer is unable to ensure the legality of the personal data processing themselves. The Supplier is entitled to charge for additional costs for complying with new or amended documented instructions from the Customer and for other unexpected costs and expenses arising from tasks that the Supplier has to carry out under these Data Processing Terms.

11.2.3              In addition, the Customer undertakes to:

11.2.3.1          ensure that there is a legal ground for processing the Personal Data covered by these Data Processing Terms, and that necessary data processing agreements in accordance with Data Protection Legislation are in force;

11.2.3.2         warrant, if the Customer acts as a processor on behalf of a third-party controller, on an ongoing basis that the third-party controller has authorized (i) the Customer’s documented instructions; (ii) the Supplier as a subprocessor of the Customer; and (iii) the Supplier’s engagement of Subprocessors.

11.2.3.3         ensure that the Data Subjects, as required by the Data Protection Legislation, have received sufficient information regarding the processing, including information on that the Supplier may process the Personal Data on behalf of the Customer;

11.2.3.4         in a timely manner, provide the Supplier with lawful and documented instructions regarding the Supplier's processing of Personal Data; and

11.2.3.5         act as Data Subjects’ point of contact.

11.3                 Responsibilities of the Supplier

11.3.1             General principles applicable to the processing of Personal Data

The Supplier shall:

11.3.1.1           process Personal Data in compliance with these Data Processing Terms, Data Protection Legislation and good data processing practice;

11.3.1.2          process Personal Data on documented instructions from the Customer, unless prescribed otherwise by a provision of Data Protection Legislation applicable to the Supplier. In such cases, the Supplier shall inform the Customer of such requirements in reasonable time before beginning the processing of Personal Data in accordance with the instructions, unless informing of such requirement is prohibited in Data Protection Legislation. In case the Supplier considers that instructions of the Customer are in breach of Data Protection Legislation, the Supplier shall inform the Customer without undue delay;

11.3.1.3          ensure that the persons in service of the Supplier with access to Personal Data have committed themselves to appropriate confidentiality;

11.3.1.4          carry out the measures prescribed in Section 10.3.2 (Data security) of these Data Processing Terms;

11.3.1.5          follow the conditions concerning the use of Subprocessors as prescribed in Section 10.6 (Subprocessors) of these Data Processing Terms;

11.3.1.6          taking into account the information available to the Supplier, provide reasonable assistance to the Customer in responding to requests for exercising the rights of Data Subjects where the Customer does not have access to the needed information. The Supplier is entitled to charge the Customer for costs and expenses that are incurred as a result of complying with this Section 10.3.1.6;

11.3.1.7          taking into account the information available to the Supplier, provide reasonable assistance to the Customer in ensuring compliance with its obligations set out in Data Protection Legislation, relating to data security, Personal Data Breaches (as further defined in Section 6 of this Data Processing Terms), data protection impact assessments, and prior consulting obligations. The Supplier is entitled to charge the Customer for costs and expenses that were incurred as a result of complying with this Section 10.3.1.7;

11.3.1.8          at the choice of the Customer, delete or return Personal Data to the Customer as prescribed in Section 11.2 of this Data Processing Terms;

11.3.1.9          make available to the Customer all information necessary to demonstrate compliance with obligations set out in this Data Processing Terms and in Data Protection Legislation. The Customer is obliged to keep all such information confidential. The Supplier is entitled to charge the Customer for costs and expenses that were incurred as a result of complying with this Section 5.1.9;

11.3.1.10       allow the Customer to perform audits as prescribed in Section 9 (Auditing) of these Data Processing Terms.

11.4                 Data security

11.4.1              The Supplier shall implement technical and organisational measures to ensure an appropriate level of security to protect Personal Data against unauthorised access and loss, destruction, damage, alteration or disclosure, or against other unlawful processing.

11.5                 Personal Data breach notification

11.5.1               The Supplier shall notify the Customer of all Personal Data Breaches without undue delay after the Supplier has become aware of the suspected Personal Data Breach. The Personal Data Breach notification shall contain the following:

(a)           description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;

(b)           name and contact details of the contact person of the Supplier handling the Personal Data Breach;

(c)           description of likely consequences and/or realised consequences of the Personal Data Breach; and

(d)           description of the measures the Supplier has taken to address the Personal Data Breach and to mitigate its adverse effects.

11.5.2              If it is not possible to provide the information listed at the same time, the information may be provided in phases.

11.5.3              The Supplier shall document Personal Data Breaches and disclose the documentation to the Customer upon the Customer's request.

11.5.4              After the Supplier has become aware of the Personal Data Breach, the Supplier shall ensure the security of Personal Data and take appropriate measures to ensure the protection of Personal Data in cooperation with the Customer.

11.6                 Transfers of Personal Data

11.6.1              The Supplier shall not transfer Personal Data to a Third Country unless the Customer has given its prior written permission for the transfer to take place. Permission given by the Customer as prescribed in this Section 7.1 shall be irrevocable.

11.7                  Subprocessors

11.7.1               The Supplier is entitled to use Subprocessors in the processing of Personal Data when the Customer has approved such Subprocessors. On the Commencement Date, the Customer has agreed to use of the Subprocessors as agreed under the Description of Personal Data Processing. The Customer has also agreed that the Supplier may use any of the Affiliates of the Supplier as a Subprocessor in the processing of Personal Data.

11.7.2              The Supplier is entitled to reduce the number of Subprocessors without separate notice.

11.7.3              The Supplier shall notify the Customer about an addition of a Subprocessor processing Personal Data under these Data Processing Terms at least one (1) week before the Subprocessor begins processing Personal Data. If the Customer denies use of the new Subprocessor, the Customer has the right to terminate the Agreement within two weeks of being notified by the Supplier, with a fourteen two-week notice period.

11.7.4              The Supplier shall take appropriate measures to ensure that the used Subprocessors comply with the obligations specified in this Data Processing Terms, including security and confidentiality requirements. The Supplier is responsible for the performance of its Subprocessors as it is responsible for the performance of its own obligations.

11.8                 Auditing

11.8.1              The Parties agree that when the Customer requests for an audit, a third party appointed or approved in writing by the Supplier shall audit the Supplier's compliance with obligations set out in this Data Processing Terms in order for the Customer to ensure that the Supplier has fulfilled the obligations set out in this Data Processing Terms. The Customer has the right to request an audit prescribed in this Section 10.7.1 once in every twelve (12) months.

11.8.2              The Customer shall bear the costs and expenses incurred by the Supplier and the Customer in connection with the audit. The Customer shall bear fees and expenses of the third party and is responsible for all costs associated with the audit.

11.8.3              The Customer must notify the Supplier of the audit at least twenty (20) Business Days in advance. The Supplier shall assist the Customer and the third party during normal business hours in conducting the audit with reasonable measures. The audit shall be carried out as quickly as possible and it shall not disturb the Supplier’s normal business operations. The auditor shall comply with the Supplier’s work rules, security requirements and standards. Before commencing any audit, the independent auditor (including relevant parties/persons conducting the audit) shall enter into the non-disclosure agreement(s) provided by or approved by the Supplier.

11.9                 Term and termination

11.9.1              The Supplier shall process Personal Data only during the Term. Upon termination or expiry of this Agreement, or upon the Customer’s written request, the Supplier shall either destroy or return, either to the Customer or to a third party designated by the Customer in writing, the Personal Data processed, unless otherwise required by Data Protection Legislation or other applicable legislation. In case the Customer demands Personal Data to be returned to the Customer or transferred to a third party, the Customer will pay the Supplier for any additional costs caused by return or transfer of Personal Data. If the Customer does not demand the Personal Data to be returned as provided above within a period of three (3) days from when this Agreement was terminated or expired, the Supplier will be entitled to delete any such Personal Data, including copies thereof, unless storage of the personal data is required under the Data Protection Legislation.

  1. CONFIDENTIALITY

12.1                  The Receiving Party shall:

12.1.1               only use (including making copies of) Confidential Information in connection with and to the extent necessary for the purposes of this Agreement;

12.1.2              not disclose the Confidential Information to any person except with the prior written consent of the Disclosing Party or in accordance with clauses 12.2 and 12.3; and;

12.1.3               keep all Confidential Information secret and securely protected against theft or unauthorised access.

12.2                  The Customer may disclose Confidential Information of the Supplier to its Customer Users, provided that the Customer informs all Customer Users that the Confidential Information is confidential.

12.3                  The Receiving Party may disclose any Confidential Information to any regulator, law enforcement agency or other third party if it is required to do so by law, regulation, or similar authority. In those circumstances the Receiving Party shall (to the extent practical and lawful to do so) notify the Disclosing Party in writing as soon as practicable before the disclosure and use all reasonable endeavours to consult with the Disclosing Party with a view to agreeing the timing, manner and extent of the disclosure.

12.4                  All Confidential Information shall remain the property of the Disclosing Party and the Disclosing Party reserves all rights in its Confidential Information. Nothing in this Agreement or the disclosures envisaged by this Agreement shall (except as expressly agreed otherwise in this Agreement) operate to transfer, or operate as a grant of any licences or right to use, to any Intellectual Property Rights in the Confidential Information.

12.5                  The parties' obligations under this clause 12 shall continue in force notwithstanding the termination or expiry of this Agreement.

12.6                  Each Party acknowledges that damages alone would not be an adequate remedy in the event of breach by the other Party of the provisions of this clause 12. Accordingly, it is agreed that either Party shall be entitled, without proof of special damages, to seek an injunction or other interim remedy for any threatened or actual breach of this clause 12 by the other Party, without prejudice to any other rights and remedies which that first Party may have.

  1. INDEMNITIES

13.1                   The Customer shall indemnify, keep indemnified and hold the Supplier and the Supplier Personnel harmless against any and all damages, claims, actions, proceedings, losses and reasonable costs (including legal fees) and expenses arising from any third party claims or actions arising out of or in connection with: (i) the Customer's or the Customer Users' use (or misuse) of the Service in breach of this Agreement; and/or (ii) any breach of the Customer's warranty in Clause 10.2.

  1. LIMITATION OF LIABILITY

14.1                   Nothing in this Agreement excludes or limits the liability of either Party to the other for:

14.1.1               death or personal injury caused by negligence;

14.1.2              fraud or fraudulent misrepresentation by it or its employees; or

14.1.3               any other liability that cannot be excluded or limited by law.

14.2                  Subject to Clause 14.1, the Supplier or the Customer shall not be liable whether in tort (including for negligence), breach of statutory duty, contract, misrepresentation (whether innocent or negligent), restitution or otherwise for:

14.2.1              any loss of profits, loss of business, loss of savings, depletion of goodwill and/or similar losses, or pure economic loss or (subject to Clause 10.3) any loss or corruption of data or information (regardless of whether these types of loss or damage are direct, indirect or consequential); or

14.2.2              any special, indirect or consequential loss or damage whatsoever, in each case however arising under or in connection with this Agreement and even if the Supplier or the Customer were aware of the possibility that such loss or damage might be incurred.

14.3                  Subject to Clause 14.1 and 14.2, the total aggregate liability of the Supplier (including liability for breach) in contract (including under any indemnities), tort (including negligence or breach of statutory duty), misrepresentation (whether innocent or negligent), restitution or otherwise, arising under or in connection with the performance, non-performance or contemplated performance of this Agreement in respect of any and all causes of action shall in no event exceed EUR 100.

14.4                  The provisions of this Agreement allocate risks under this Agreement between the Supplier and the Customer and form an essential basis of the bargain between the Parties and, absent any of such provisions, the remaining provisions of this Agreement, including, without limitation, the economic terms, would be substantially different. The Supplier pricing reflects this allocation of risks and limitation of liability. The provisions of Clause 14 shall apply to the maximum extent permitted by law, even if any remedy fails its essential purpose.

  1. TERM, TERMINATION AND SUSPENSION

15.1                   Without affecting any other right or remedy available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party if:

15.1.1               the other Party fails to pay any amount due under this Agreement on the due date for payment and remains in default not less than fourteen (14) days after being notified in writing to make such payment;

15.1.2              the other Party commits a material breach of any term of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of thirty (30) days after being notified in writing to do so; or

15.1.3               the other Party suffers an Insolvency Event.

15.2                  On termination of this Agreement for any reason:

15.2.1              all licences and other rights granted under this Agreement shall immediately terminate and the Customer and the Customer Users shall immediately cease all use of the Service. For the avoidance of doubt, any licences and other rights granted under this Agreement which are stated to be granted on a perpetual and irrevocable basis shall survive the termination of this Agreement for any reason and shall continue in full force and effect;

15.2.2              the Supplier may immediately end the Customer's and the Customer Users’ use of and access to the Service;

15.2.3              the Customer shall immediately pay all sums and amounts payable to the Supplier under the terms of this Agreement;

15.2.4              each Party shall return or destroy, and (in each case) make no further use of any equipment, property, materials and other items (and all copies of them) belonging to the other Party, including the other Party's Confidential Information (except the Supplier may retain reasonable professional records of the Customer’s and its Customer Users' use of the Service and shall be entitled to retain the Customer's Confidential Information for the purposes of internal audit, litigation and/or to comply with applicable laws);

15.2.5              the Supplier may destroy or otherwise dispose of any of the Customer Data in its possession at any point thirty (30) days or more after termination of this Agreement;

15.2.6              any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination shall not be affected or prejudiced; and

15.2.7              Clauses 9 to 20 and any other provisions which are necessary for the interpretation or enforcement of this Agreement shall continue in force notwithstanding termination.

15.3                  The Supplier may suspend the Customer's right to access the Service or use any portion or all of the Service immediately upon notice to the Customer if it determines acting reasonably:

15.3.1               that the Customer's (or a Customer User's) use of or access to the Service (a) poses a security risk to the Supplier, the Service or any third party; (b) may adversely impact availability or performance of the Service, the Software or the systems or software of any other customer of the Supplier; (c) may subject the Supplier or any third party to any liability; or (d) may be fraudulent; or

15.3.2              that the Customer, or any Customer User, is in breach of this Agreement or any other agreement by which software being used on or in conjunction with the Service is licensed.

15.4                  The Supplier shall reinstate the suspended Service once it has established the cause of the suspension has been remedied or ceased to exist. Where the cause of the suspension persists for more than thirty (30) days, the Supplier may immediately terminate this Agreement without incurring any liability to the Customer.

  1. ENTIRE AGREEMENT

16.1                   This Agreement constitutes the entire agreement between the parties in relation to its subject matter. It replaces and extinguishes all prior agreements, collateral warranties, collateral contracts, statements, representations and undertakings made by or on behalf of the parties, whether oral or written, in relation to that subject matter.

16.2                  Each Party acknowledges that in entering into this Agreement it has not relied upon any collateral warranties, collateral contracts, statements, representations or undertakings, whether oral or written, which were made by or on behalf of the other Party in relation to the subject matter of this Agreement (together "Pre-Contractual Statements") and which are not set out in this Agreement. Each Party hereby waives all rights and remedies which might otherwise be available to it in relation to such Pre-Contractual Statements.

16.3                  Nothing in this Clause shall exclude or restrict the liability of either Party arising out of its pre-contractual fraudulent misrepresentation or fraudulent concealment.

  1. NOTICES

17.1                   Any notice required to be given under this Agreement shall be in writing in English and shall be delivered by email. Notices to the Customer shall be sent to the primary email address associated with the Customer's account. Notices to the Supplier shall be sent to sales@lumidb.com, or in each case to such other address as has been notified by that Party for such purposes.

17.2                  A notice sent by email shall be deemed to have been received at the time and date of transmission shown on the saved sent copy kept by the sender (or if delivery is not in business hours, at 9am (EET) on the first Business Day following delivery).

17.3                  This Clause 17 shall not apply to the service of legal proceedings.

  1. MISCELLANEOUS

18.1                   Force Majeure. The Supplier shall not be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of the Supplier or any other party), failure of a utility service or transport or telecommunications network or the internet, act of God, war, pandemic, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors. In such circumstances the Supplier shall be entitled to a reasonable extension of the time for performing such obligations, provided that if the period of delay or non-performance continues for three (3) months, either Party may terminate this Agreement by giving thirty (30) days' written notice to the other Party.

18.2                  No Waiver. The failure to exercise, or delay in exercising, a right, power or remedy provided by this Agreement or by law shall not constitute a waiver of that right, power or remedy. If a Party waives a breach of any provision of this Agreement, this shall not operate as a waiver of a subsequent breach of that provision, or as a waiver of a breach of any other provision.

18.3                  Rights and Remedies. Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

18.4                  Severance. If any provision, or part of a provision, of this Agreement is found by any court or authority of competent jurisdiction to be illegal, invalid or unenforceable, that provision or part-provision shall be deemed not to form part of this Agreement, and the legality, validity or enforceability of the remainder of the provisions of this Agreement shall not be affected, unless otherwise required by operation of applicable law. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were modified, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

18.5                  Assignment. The Customer shall not, without the prior written consent of the Supplier, assign, transfer, charge, sub- contract or deal in any other manner with all or any of its rights or obligations under this Agreement. The Supplier may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. The Customer shall enter into any further agreements reasonably required by the Supplier to give effect to any of the above.

18.6                  Relationship of the Parties. Nothing in this Agreement is intended to, or shall be deemed to, establish or constitute any partnership or joint venture between any of the parties, create a relationship of principal and agent for any purpose between the parties, or authorise either Party to make or enter into any commitments for or on behalf of the other Party.

18.7                   Variation. No variation of this Agreement shall be effective unless made in writing and signed by or on behalf of each of the parties or by their duly authorised representatives. If the Customer wishes the Supplier to proceed with any proposed variation, the Supplier has no obligation to do so unless and until the parties have agreed in writing the necessary variations to the Subscription Fees and any other relevant terms of this Agreement to take account of the change.

18.8                  Changes. This Agreement may only be amended by written agreement signed by both Parties. Nevertheless, the Parties acknowledge and agree that the Supplier’s field of business is subject to continuous changes (including changes regarding the Supplier’s Service as well as the applicable regulatory framework) which may also require changes to this Agreement. Therefore, the Supplier may make amendments to this Agreement as it deems necessary. The Supplier will endeavour to notify the Customer of such changes at least 60 days in advance, unless compliance with the law or regulation requires that the changes be made sooner. Following the change notification, the Customer will have 30 days to terminate the agreement.

18.9                  Conflicts. In the event of any conflict between an Order Form (if any), the Clauses of the Service Terms & Conditions, and the Schedules, the conflict shall be resolved by giving priority: (a) first, to the Order Form (if any); (b) second, to the Clauses of the Service Terms & Conditions; (c) third, to the Schedules. If there is a conflict between the Schedules, priority shall be given to the Schedule with the lower number. In the absence of an Order Form, the commercial terms displayed at the time of the Customer's acceptance shall be treated as the Order Form for the purpose of conflict resolution.

  1. THIRD-PARTY RIGHTS

19.1                   Subject to the Supplier Personnel being entitled to rely on and enforce the provisions of Clauses 6, 13, and 14, a person who is not a party to this Agreement may not enforce any of its provisions under any legislation otherwise entitling it to do so nor bring a claim for the recovery of any losses, liabilities, expenses or costs arising out of or relating to this Agreement or the Service. The consent of any third party is not necessary for any variation (including any release or compromise in whole or in part of any liability) or termination of this Agreement.

19.2                  All claims brought by the Customer under or as a result of this Agreement (whether in contract, misrepresentation (whether tortious or statutory), tort (including negligence), restitution, breach of statutory duty or otherwise) shall be brought against the Supplier only and not any Supplier Personnel. The limitations and exclusions of liability set out in this Agreement shall apply to all such claims.

  1. GOVERNING LAW AND JURISDICTION

20.1                   This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of Finland.

20.2                  The United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply to this Agreement.

20.3                  Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce.

(a)           The number of arbitrators shall be three.

(b)           The seat of arbitration shall be in Helsinki, Finland.

(c)           The language of the arbitration shall be English.

SCHEDULE 1: DEFINITIONS AND INTERPRETATION

Definitions

The following definitions apply in this Agreement:

You can read more about the cookies set by third parties and their privacy policies at their own websites.

Word/phrase

Privacy notice

Acceptable Purposes

mean all purposes related to the use and utilization of the Service under the Agreement, excluding purposes that are prohibited herein. The Customer may not resell, rent, license, or otherwise transfer the Service to a third party, or use or offer the Service for military purposes, including but not limited to the development, production, testing, or use of weapons. Accepted purposes must also comply with the governing laws of this Agreement and any other applicable laws, ensuring that the use of the Service shall not be illegal under these regulations. The Customer may use the Service as a platform to offer their own services to third parties, provided that the service offered to the third party does not consist entirely or predominantly of the Service.

Affiliate

means any entity in respect of a Party that from time to time, directly or indirectly, Controls, is Controlled by, or is under common Control with that Party and any other entity agreed in writing by the parties as being an Affiliate in respect of either Party.

Business Day

means any day which is not a Saturday, Sunday or public holiday in Finland.

Commencement Date

means the earliest of: (a) the date the Customer first accepts this Agreement in accordance with Clause 1.2

; (b) the date specified in an Order Form executed by both Parties; or (c) the date the Customer first accesses the Service.

Confidential Information

means all information in any medium or format (including written, oral, visual or electronic, and whether or not marked or described as "confidential"), together with any copies, which relates to the Disclosing Party, to its Affiliates, or to its (or its Affiliates’) employees, officers, customers or suppliers, and which is directly or indirectly disclosed by or on behalf of the Disclosing Party to the Receiving Party under or in connection with this Agreement (or which is learnt or acquired by the Receiving Party in connection with this Agreement), whether before or after the date of this Agreement, and which would reasonably be regarded as confidential, BUT shall not include (i) information which is in the public domain other than as a result of a breach of this Agreement or any separate confidentiality undertaking between the parties; (ii) information which the Receiving Party received, free of any obligation of confidence, from a third party which was not itself under any obligation of confidence in relation to that information, whether before the date of its disclosure by the Disclosing Party or otherwise; or (iii) information which the Receiving Party can show by its written or other records was developed or created independently by the Receiving Party or any of its Affiliates.

Control

means

(a) the power (whether by way of ownership of shares, proxy, contract, agency or otherwise) to (i) cast, or control the casting of, more than one-half of the maximum number of votes that might be cast at a general meeting of that Party; (ii) appoint or remove all, or the majority, of the directors or other equivalent officers of that Party; or (iii) give directions with respect to the operating and financial policies of the relevant Party with which the directors or other equivalent officers of that Party are obliged to comply; or

(b) the holding beneficially of more than 50 per cent of the issued share capital of the relevant Party (excluding any part of that issued share capital that carries no right to participate, or no right to participate beyond a specified amount, in a distribution of either profits or capital).

Customer Data

means any data transferred to the Supplier by the Customer for input into the Service, including any data input into the Service by the Customer Users.

Customer Users

means the individual employee, agent or contractor of the Customer who are authorised by the Customer to access and use the Service solely on behalf and for the benefit of the Customer.

Data Protection Legislation

means the General Data Protection Regulation ((EU) 2016/679) ("GDPR"), the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC), and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may apply under the governing law of the Agreement.

Data Subject

means a natural person whose Personal Data is processed by the Supplier under the Agreement.

Disclosing Party

means a Party disclosing its Confidential Information to the Receiving Party, which in the case of the Customer may be the Customer and/or the Customer Users and in the case of the Supplier may be the Supplier and/or the Supplier's Affiliates, as applicable.

Description of the Personal Data Processing

means a schedule to the Service Terms & Conditions describing the Personal Data Processing under the Agreement.

EEA

means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein and Norway.

Information

means all data, records, reports, results, documents, papers, drawings, designs, transparencies, photos, graphics, logos, typographical arrangements, software, and all other outputs or materials in whatever form, including but not limited to hard copy and electronic form, generated by or on behalf of the Supplier in the performance of this Agreement and made available under or in connection with this Agreement (including the provision of the Service).

Insolvency Event

the occurrence of any one or more of the following events in relation to a Party:

(a) the Party becomes unable to pay its debts, admits its inability to pay its debts or becomes insolvent;

(b) a petition is presented, an order made or a resolution passed for the liquidation (otherwise than for the purposes of a solvent amalgamation or reconstruction), administration, bankruptcy or dissolution of the Party;

(c) an administrative or other receiver, manager, trustee, liquidator, administrator or similar person or officer is appointed to the Party and/or over all or any part of the assets of the Party;

(d) the Party enters into or proposes any composition or arrangement concerning its debts with its creditors (or any class of its creditors) generally; or

(e) anything equivalent to any of the events or circumstances listed in limbs (a) to (d) (inclusive) occurs in any applicable jurisdiction.

Intellectual Property Rights

(a) patents, inventions, designs, copyright and related rights, database rights, knowhow and Confidential Information, trademarks (whether registered or unregistered) and related goodwill, trade names (whether registered or unregistered), and rights to apply for registration;

(b) all other rights of a similar nature or having an equivalent effect anywhere in the world which currently exist or are recognised in the future; and

(c) all applications, extensions and renewals in relation to any such rights.

IPR Claim

means any claim or action against the Customer by any third party that the use of the Service (or any part of the Service) by the Customer or its Customer Users, in accordance with the terms of this Agreement, infringes the copyright of that third party in Finland.

Malware

means any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.

Minimum Technical Requirements

means the minimum technical requirements the Customer is required to meet in order to enable its Customer Users to access and use the Service in accordance with this Agreement (as may be notified by the Supplier from time to time, including in the Service Description).

Order Form

means, where applicable, a document executed between the Supplier and the Customer specifying commercial terms for the Service. Where no Order Form has been executed, the commercial terms displayed to the Customer at the time of the Customer's acceptance of this Agreement (including in the Supplier's signup flow or payment link) shall constitute the equivalent commercial terms.

Party

means a party to this Agreement (and "Parties" shall be construed accordingly).

Personal Data

means personal data as defined in the Data Protection Legislation and which the Supplier processes under this Agreement on behalf of the Customer.

Personal Data Breach

means a breach of security leading to destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Receiving Party

means a Party receiving Confidential Information from the Disclosing Party, which in the case of the Supplier may be the Supplier and/or the Supplier's Affiliates, as relevant.

Restricted Locations

mean any geographic locations where the Customer is not permitted to use the Service under this Agreement. Restricted Locations include Russia, China, Iran, and Iraq and any other location that the Supplier determines as a Restricted Location after the Commencement Date.

Service

means the services that the Supplier provides to the Customer pursuant to this Agreement as specified in the Service Description.

Service Description

means the published specification for the Service setting out (amongst other things) a description of the operation and functioning of the Service, the services available via the Service, and the Supplier's processes and procedures for maintaining the security, availability and performance of the Service, as updated by the Supplier from time to time.

Software

means the software used by the Supplier and/or any Supplier Affiliates or sub- contractors in delivering the Service.

Standard Contractual Clauses

mean the contractual clauses issued by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and any amendments thereto.

Subprocessor

means a processor acting on behalf of the Supplier.

Subscription Fees

means the subscription fee specified in the Order Form or, where no Order Form has been executed, the fee displayed to the Customer at the time of subscription purchase, as may be amended in accordance with this Agreement.

Supplier Personnel

means the Supplier's Affiliates and the Supplier's and its Affiliates' employees, directors, officers, agents and subcontractors.

Term

means the term of this Agreement as specified in the Order Form or, where no Order Form has been executed, the period for which Subscription Fees have been paid, renewing in accordance with the subscription interval displayed at the time of purchase unless terminated in accordance with Clause 15.

Third Country

means a country that is neither part of the EEA nor has been declared adequate by a decision of the European Commission under Article 45 GDPR.

Interpretation

The following rules of interpretation shall apply in this Agreement:

(a)                  The Clause and Schedule headings are for convenience only and shall not affect the interpretation of this Agreement.

(b)                  A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

(c)                   A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

(d)                  Unless the context otherwise requires: (a) words in the singular shall include the plural and in the plural include the singular; and (b) a reference to one gender shall include a reference to the other genders.

(e)                  A reference to writing or written includes e-mail.

(f)                   References to Clauses are to the Clauses of the Service Terms & Conditions.

(g)                  A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this Agreement and as amended by any subsequent statute or statutory provision. Where a change to a statute or statutory provision results in the Supplier and/or any the Supplier Affiliates or sub-contractors incurring additional or increased costs to achieve compliance in relation to the Service, the Supplier reserves the right to charge fees to reflect such additional or increased costs on no less than thirty (30) days' prior written notice.

(h)                  Any phrase introduced by the expressions including, includes, in particular or any similar expression shall be construed as illustrative only and shall not limit the sense of the words preceding those terms.

(i)                   The terms "controller", "processor", "personal data" and "process" shall be interpreted in accordance with the GDPR, or other applicable Data Protection Legislation in the relevant jurisdiction.

SCHEDULE 2: DESCRIPTION OF THE PERSONAL DATA PROCESSING

Purpose of Data Processing:

The purpose of the processing of personal data is to provide the Customer with Service under the Agreement.

Categories of Data Subjects:

The Customer may submit Personal Data to the Supplier, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

·                  Employees or contact persons of the Customer’s prospective customers, customers, resellers, subcontractors, business partners, and Suppliers;

·                  Employees, agents, advisors, and freelancers of the Customer;

·                  Natural persons whose data is captured through scanning technologies, including images taken from ground level and aerial perspectives.

Categories of Personal Data:

The personal data processed may include, but is not limited to the following categories of data:

·                  Identification data;

·                  Connection data or localization data (including IP addresses whether dynamic or not);

·                  Contact information;

·                  Usage data (e.g., Service usage patterns, activity logs);

·                  Preferences and interests (e.g., user settings, preferred features);

·                  Scanned data, which may include any type of data captured through scanning technologies, such as images taken from ground level and aerial perspectives;

·                  Other data provided by the Customer for processing by the Service, including special categories of personal data if such data is provided by the Customer (e.g., sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation).

Data Processing Operations:

As appropriate for the provision of the Service by the Supplier to the Customer including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, anonymization, erasure or destruction of Personal Data for purposes of the provision of the Service by the Supplier to the Customer.

Duration of the processing:

Customer Personal Data shall be retained for no longer than necessary for the purposes for which it was collected, in accordance with the Agreement, unless a longer retention period is required or permitted by law.

SCHEDULE 3: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Technical Security Measures

LumiDB is developed and operated using industry-standard security practices, leveraging managed cloud infrastructure. Infrastructure-as-code is used to minimize human error in deployments.

Data Encryption

All data is encrypted in transit using TLS 1.2 or higher.

Access Control

Access to production systems and customer data is restricted based on role-based access control (RBAC). Access is logged and reviewed regularly. Principle of least privilege is applied across all services.

Network Security

LumiDB systems are hosted in isolated virtual private clouds (VPCs) with strict ingress/egress controls. Firewalls restrict access to essential services. All external access points are protected via HTTPS with valid certificates. Internal services communicate over secure protocols.

Backup and Data Recovery

The Supplier does not provide a data recovery plan or procedure for the Customer.

Organisational Security Measures

The Supplier maintains documented security policies covering data handling, access management, incident response, and vendor management. These are reviewed at least annually and updated as needed.

Employee Training and Awareness

All Supplier employees receive security onboarding covering data protection, phishing, and secure software development. Developers receive specific training on secure coding practices and secure cloud service configuration.

Physical Security Measures - Access Control to Facilities

As a cloud-native company, the Supplier does not operate physical data centres. Customer data is hosted in ISO 27001-certified cloud infrastructure providers. Access to Supplier’s own physical office facilities, where applicable, is restricted via keycard access and limited to authorized personnel only.