Master Service Agreement

This Master Service Agreement (“MSA”) forms an integral part of the Sales Order executed between the Customer (as defined in the Sales Order) and the Company (as defined in the Sales Order), for providing software-as-a-service based solutions for implementing a customer relationship management (CRM) and consumer loyalty program (“Services”) as further defined in the mutually agreed upon Sales Order executed by and between the Company and the Customer.

The Customer has agreed to these Service Terms and Conditions, by executing the Capillary Sales Order, that references these Service Terms and Conditions.

Company and the Customer shall be referred to as “Parties” collectively and “Party” individually. This MSA along with the Sales Order, and all schedules, exhibits attached hereto (collectively referred to as the “Agreement”) shall constitute the entire agreement between the Parties.

1. Definitions and Interpretation

Definitions

“Affiliate” means, for a Party, any other person that controls, is controlled by, or under common control with, the Party. For the purposes of this definition, the term “control” means the direct or indirect power to direct the affairs of the other person through at least 50% of the shares, voting rights, participation, or economic interest in this person.

“Agreement” means and includes the Sales Order, the Annexure, the statement of work, the applicable product specific licensing terms, together with any exhibits, schedules, addendums attached thereto, as modified and amended from time to time.

“Annexure” means the annexure to the Sales Order, as modified, and amended from time to time.

“Claim” means a claim, action, complaint, or legal regulatory body, administrative or judicial proceeding filed against a Party.

“Company” shall mean the Company defined in the Sales Order.

“Confidential Information” means non-public or proprietary information about a disclosing Party’s business-related technical, commercial, financial, employee, or planning information that is disclosed by the disclosing Party to the other Party in connection with the Agreement, and (A) is identified in writing as confidential at the time of disclosure, whether in printed, textual, graphic, or electronic form; or (B) is not identified as confidential at the time of disclosure but is by its nature confidential or the receiving Party knows, or ought reasonably to know, is confidential (which may include Customer content). Any Company technology and the terms and conditions of the Agreement will be deemed Confidential Information of Company without any marking or further designation. Any Customer data will be deemed Confidential Information of Customer without any marking or further designation. “Confidential Information” does not include information that: (1) has become public knowledge through no fault of the receiving Party; (2) was known to the receiving Party, free of any confidentiality obligations, before its disclosure by the disclosing Party; (3) becomes known to the receiving Party, free of any confidentiality obligations, from a source other than the disclosing Party; or (4) is independently developed by the receiving Party without use of Confidential Information.

“Customer” shall mean the Customer defined under the Sales Order.

“Customer Data” means all content, information and data in any format, that is submitted, uploaded or otherwise made available by Customer or Users to or through the Services to the Company.

“Customer Personal Data” means data and/or information, other than confidential business information, and which is owned and controlled by or licensed to the Customer and is provided by or on behalf of the Customer (or its Affiliates) for processing to Company (or its Affiliates) under the applicable Agreement/Sales Order and that consists of information or data naming or identifying a natural person such as: (a) personally identifying information that is explicitly defined as a regulated category of data under any data privacy or Data Protection Laws applicable to the concerned Customer entity; (b) government issued information that can be used to identify the natural person, such as a national identification number, passport number, social security number, driver’s license number, and voter identification number. Provided that Customer Personal Data does not include information or data that is anonymized, aggregated, de-identified or compiled on a generic basis and that does not name or identify a specific individual or person. Customer Personal Data shall be processed by the Company in accordance with and subject to the provisions contained in this Agreement.

“Data Protection Laws” mean the laws such as GDPR, CCPA and Singapore PDPA and regulations of any jurisdiction regulating or applicable to the use, collection, storage or processing of Customer Personal Data (or similar data or information) where the Services are being performed or delivered. [and includes GDPR as well for the relevant Territory which are part of Customer locations including, in all cases, country, state or province].

“GDPR” means the European Union’s General Data Protection Regulation (2016/679), and includes all regulations made pursuant thereto.

“Information Security Incident” means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration or unauthorized acquisition, disclosure, misuse or access to unencrypted Customer Personal Data transmitted, stored or otherwise processed by Company.

“Sensitive Personal Data” means an individual’s financial information, sexual preferences, medical or health information protected under any health data protection laws, biometric data (for purposes of uniquely identifying an individual), personal information of children protected under any child protection laws and any additional types of information included within this term or any similar term (such as “sensitive personal information” or “special categories of personal information”) as used in applicable data protection or privacy laws.

“Subcontractor” means any third-party contractor, agent, partner or Affiliate of Company used in the performance of this Agreement.

“GST” means goods and services tax as defined under the Goods and Services Act, 2017.

“Intellectual Property Rights” means patents, trademarks, service marks, trade names, registered and unregistered designs, trade or business names, copyright (including, but not limited to, rights in software), software code base, database rights, design rights, rights in confidential information (including rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets)), business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, and any other intellectual property rights whatsoever irrespective of whether such intellectual property rights have been registered or not and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future and which may subsist in any part of the world.

“Product” means Company Software and the associated computer programs, software, including relevant updates to the software, and associated materials and Documentation provided by Company to the Customer for limited use as per the terms contained herein.

“Sales Order” means the sales order form, statement of work, or other written document for the Products and Services that is executed between Company and Customer.

“Services” has the meaning ascribed to such term under the recital of the Annexure and as, more particularly described in the Sales Order executed between the Parties.

“Term” has the meaning ascribed to such term as under the Sales Order.

“Territory” has the meaning ascribed to such term as under the Sales Order.

Interpretation

a. The meanings of defined terms are equally applicable to the singular and plural forms of such defined terms, and words importing the masculine gender include the feminine and neuter genders and vice versa, and words importing individuals shall include juristic persons and vice versa;

b. The words “herein,” “hereto,” “hereof” and “hereunder” and words of similar import shall refer to this Agreement as a whole and not to any particular provision hereof;

c. References to clauses or schedules are references to clauses and schedules to this Agreement;

d. Any reference to a statute or any provision of a statute includes that statute or provision as well as any rule, regulation or direction made pursuant to such statute or provision, as may be from time to time modified or re-enacted, whether prior to or after the date of this Agreement.

e. The term “including” is by way of example and not limitation;

f. The term “documents” includes any and all instruments, documents, agreements, certificates, notices, reports, financial statements and other writings, however evidenced, whether in physical or electronic form;

g. The subject headings of this Agreement are included for purposes of convenience only, and shall not affect the construction or interpretation of any provision hereof;

h. Whenever anything is required to be done or any action is required to be taken hereunder on or by a day which is not a Business Day, then such thing may be validly done, and such action may be validly taken on or by the next succeeding day that is a Business Day.

i. During the Term of the Agreement, each Party shall designate a representative (“Representative”) who will serve as its primary liaison for all day-to-day operational dealings and contacts with the other Party, in connection with the Agreement and matters related thereto and have primary responsibility for supervising the implementation of the Agreement (including in relation to the provision of Licensed Items). Each Party shall ensure that such Representative is suitably qualified and experienced, and each Party shall use commercially reasonable efforts to not change the Representative designated. In the event a Party is required to change the Representative previously designated, said Party shall ensure that such Representative is promptly replaced by an individual with equivalent qualifications and experience as the outgoing Representative.

2. Scope of Services

a. The Company agrees, undertakes, and confirms to provide the Services and do all acts and deeds as may be described in the relevant Sales Order. In case of any conflict between the terms of the Agreement and any Sales Order, the terms of the Sales Order shall prevail.

3. Term

a. The term of this Agreement shall commence from the Start Date mentioned in the Sales Order and shall be in force and effect till the End Date mentioned in the Sales Order, unless terminated in accordance with Clause 16 (Termination) of this MSA (“Term”). Except as otherwise specified in the Sales Order, the Sales Order shall automatically renew for a period of 12 (twelve) months unless either party gives the other written notice at least 30 days before the End Date as specified in the Sales Order.

4. Consideration and Payment Terms

a. Service Fee: The Customer must pay the fees for the Services as provided under each applicable Sales Order and specific terms of payment, if any, (“Service Fee”) and shall be due by the Customer to the Company within 30 (thirty) days of date of invoice, unless otherwise mentioned in the Sales Order.

b. Payment Terms: All invoices will be raised in the frequency as mentioned in the Sales Order and the payments have to be made within the timelines as stated therein. All payments must be made by electronic transfer according to the remittance instructions on the invoice. All invoices will only be delivered electronically to Customer. Customer must bear any charges imposed by its bank for the payments. The Company shall have the right to charge interest at a rate of 1.5% per month, from the due date until the date the overdue amount is paid in full. Any fees that are unpaid as of the date of termination or expiration will be immediately due and payable. Customer shall provide a detailed remittance advice with each payment to the Company via email no later than the date of the payment. If Customer is not a publicly traded corporation, then upon the Company’s request, Customer must provide the necessary financial documents to allow the Company to ascertain the credit-worthiness of the Customer.

c. The Customer shall not deduct any taxes (hereinafter referred to as “WHT”) on payments to the Company unless the WHT relates to taxes of the Country in which the Company is registered. The Customer will share with the Company, all tax certificates, if any in order to enable the Company to claim any input credits, as may be applicable. The same shall be shared as and when deducted/ received. In case of any delay / failure at the Customer’s end to share the same with the Company, Customer agrees that the loss caused to the Company due to the reason attributable to the Customer shall be borne by the Customer alone and adjusted in subsequent billing.

d. The Company shall invoice all Fees / charges in advance as per the terms of the Sales Order or as per any future addendums, if any.

e. The Company is not responsible for non-usage of Software/Services by the Customer during the term of the Agreement. The Customer shall be liable to pay the Company for the full duration of the Agreement even if it prefers to not use it and also does not terminate as per provisions of this Agreement.

f. Failure to Pay. If the Customer fails to pay any amount due under the Agreement according to the payment terms in the Sales Order (which is not disputed), the Company will send the Customer a reminder notice. If Customer fails to pay within 15 (fifteen) days of the date of the reminder notice, the Company may, in its sole discretion, terminate the applicable Sales Order or suspend or restrict the provision of the Products and Services.

g. Disputes. If the Customer believes, in good faith, that the Company has incorrectly billed the Customer, the Customer shall contact the Company in writing within 5 (five) days of the invoice date, specifying the error. Unless the Customer has correctly notified the Company of the dispute, the Customer must reimburse the Company’s reasonable collection costs. Customer must pay the undisputed portion of the Company’s invoice as required by the Agreement.

h. Taxes: The Service Fee shall be exclusive of GST or other statutory deductions, if any at prevalent rates under applicable law, which shall be additionally borne by the Customer.

i. Purchase Order: In the event the Customer requires a purchase order (“PO”) for the Service Fee invoices, the Customer shall raise a PO to the Company no later than the 26th (twenty sixth) of the particular month. If the PO is delayed beyond the 26th (twenty sixth) of such month, the Company shall proceed to send the invoice to the Customer and the same shall be payable within 30 (thirty) days from the date of issuance of such invoice, unless otherwise specified in the Sales Order.

j. Additional Costs: Additional Costs, if any shall be specified in the Sales Order and duly borne by the Customer.

k. Notification Charges: Short messaging services (SMS) /email/push notification charges as mentioned in the Sales Order may change during the Term of the Agreement as a result of rate revision by regulators or operators. Company shall intimate the Customer in writing regarding any such rate revision.

5. Grant of License and Intellectual Property Rights

a. License: Subject to the terms and conditions of the Agreement, the Company hereby grants to the Customer a non-exclusive, non-sub-licensable, non-transferable, revocable and limited license to use the Services / Product (“Licensed Items”) without the right to modify, make derivative works from, practice, and otherwise exploit in the Territory and to make, have made, sell, offer for sale and use the Licensed Items, throughout the Territory in the manner as agreed in the Agreement (“License”).

b. The License is granted to the Customer subject to: (i) the Customer performing its obligations under the Agreement and (ii) the requirements under applicable law.

c. Owner of the License: The Intellectual Property Rights under the License and / or in relation to the Licensed Items, shall always remain vested with the Company and/or its Affiliates, and in no circumstances, the Customer or any of its Affiliates shall claim any such Intellectual Property Rights and/or use any intellectual property of the Company under the pretext of the Agreement, without the prior written consent of the Company. The Company reserves all other rights, title and interest in the Intellectual Property Rights under the License not expressly granted in this Agreement.

d. License Conditions. Except to the extent expressly permitted under the Agreement, the Customer agrees as a condition of the License that it shall not:

i. use the Products and Services (1) in violation of any applicable law or regulation, or in connection with unlawful material (such as material that violates any obscenity, defamation, harassment, privacy, publicity, or intellectual property laws); or (2) in a manner that would cause a material risk to the security or operations of the Company or any of its customers, or to the continued normal operation of other Company’s customers;

ii. copy, use, distribute, republish, download, display, transmit, sell, rent, lease, host, or sub-license the Products and Services;

iii. offer, use, or permit the use of the Products and Services in a computer service business or third-party outsourcing service, on a membership or subscription basis, on a service bureau basis, on a time-sharing basis, as part of a hosted service, or on behalf of any third party;

iv. (1) attempt to interact with the operating system underlying the Products and Services, or (2) modify, create derivative works of, adapt, translate, reverse engineer (including monitoring or accessing the inputs and output flowing through a system or an application), decompile, or otherwise attempt to discover, the source code, data representations, or underlying algorithms, processes and methods. This restriction will not apply to the extent it limits any non-waivable right Customer may enjoy under applicable law;

v. remove, obscure, or alter any proprietary notices associated with the Products and Services (including any notices in reports);

vi. use any software components, modules, or other services that may be delivered with the Products and Services, but which are not licensed to Customer and identified in the Sales Order; or

vii. share its login IDs and passwords, or allow use of the same login ID simultaneously by two or more users, and Customer is responsible for unauthorised access to its login IDs and passwords;

viii. use the Company’s name, trademark, brand or logo on any of the advertising done by them in any way which might prejudice the Company’s goodwill or in any way cause damage, whether directly or indirectly to the premium position of the Company.

e. Third-Party Providers: The Customer is responsible for complying with any applicable terms and conditions of any third-party data, products, services, and platforms used by Customer in conjunction with the Products and Services.

f. Licensed Items Restrictions: The Customer agrees to (i) use the Licensed Items solely for its own internal business purposes and agrees not to rent, lease, sub-license, time-share or otherwise distribute the same to third parties, or otherwise make the Licensed Items available to third parties; (ii) not to reverse-engineer, decompile, disassemble, modify, create derivative works of, or copy all or any part of the Licensed Items; and (iii) take appropriate actions to protect the Licensed Items from any unauthorized copying, modifications, disclosure by its users and its third parties. Any such unauthorized usage or other security breach shall immediately be brought to the notice of Company by the Customer, failing which it shall be considered as material breach of the Agreement.

g. Changes to Licensed Items: No major changes will be made to the Licensed Items (or any assumptions related thereto) in the Sales Order, except by a change order signed by the authorized Representative of both parties (or of their respective Affiliates as the case may be).

6. Customer Content and Customer Data

a. Ownership: The Customer owns (or where applicable, must ensure it has a valid license to) the Customer Data and Customer Content, provided the Company shall own the underlying Intellectual Property Rights in the Licensed Items as set forth under Clause 5 of this Annexure.

b. Permitted Use

i. The Customer grants the Company and its Affiliates a non-exclusive, worldwide, royalty-free license to use, copy, transmit, sub-license, index, store, and display Customer Data: (1) to the extent necessary to perform its obligations (including, but not limited to, developing, modifying, improving, supporting, customising, and operating the Products and Services) or enforce its rights under the Agreement; or (2) where required or authorised by law.

ii. Company may use anonymized Customer Data for the purpose of developing, improving or customising the Products and Services.

c. Responsibility

i. Company does not communicate with Customer’s users directly. Customer is responsible for complying with (including giving any notifications, obtaining any consents, and making any disclosures required under) Data Protection Laws.

d. Consumer-Generated Content. If content generated by consumers of Customer is uploaded to Company’s Products, the following terms apply:

i. Company may access or disclose information about Customer, its consumers, or Customer’s use of the Services when it is required or authorised by law or regulation (e.g. when Company receives a valid subpoena or search warrant).

e. Customer’s Users/Privacy Policy. Customer must ensure it does not directly or indirectly cause Company or third-party providers that operate servers or host data for the Services or Products, as applicable, to breach any Data Protection Laws in the collection, storage, access, transfer, use or disclosure of Personal Data arising from or in connection with this Agreement. Where required under Data Protection Laws, Customer must ensure that:

i. each Customer Site contains a notice to its users that identifies the collection, use, disclosure, and transfer of their Personal Data by Customer, Company, or third-party host providers in connection with the Services and Products, as applicable; and

ii. Customer, when disclosing or transferring Personal Data from any source (including Customer Sites) to Company or third-party host providers, complies with the requirements for such disclosure or transfer.

f. Compliance with Personal Data Protection (PDP) Laws

Roles of the parties

i. Each party will comply with the requirements of the Data Protection Laws as applicable to such party with respect to the processing of the Customer Personal Data, attached hereto as

Schedule A - Data Processing Agreement
Schedule B - Supplementary Addendum to Data Processing Agreement
Schedule C - Standard Contractual Clauses
Schedule D - California Consumer Protection Act

ii. Customer warrants to Company that it has or will obtain prior to provision thereof, all necessary rights and permissions to provide the Customer Personal Data to Company for the processing to be performed in relation to the Services. Customer shall be responsible for obtaining all necessary consents, and providing all necessary notices, as required under the relevant Data Protection Laws in relation to the processing of the Customer Personal Data.

iii. In the event of (i) any change to (including generally-accepted changes in interpretation of) a Data Protection Law which requires any change in the manner by which Company is delivering the Services to Customer or (ii) any interpretation of a Data Protection Law by the Customer which requires any change in the manner by which Company is delivering the Services to Customer, or (iii) any material new or emerging cybersecurity threat which requires any change in the manner by which Company is delivering the Services to Customer, if such change is a major change, the parties shall agree upon how Company’s delivery of the Services will be impacted and shall make appropriate adjustments to the terms of the Agreement and the Services in accordance with the provisions of the Agreement related to such change.

iv. Use of Customer Personal Data. Company will not use Customer Personal Data other than to perform the Services in accordance with this Agreement and any applicable Sales Order. Customer acknowledges that the provision of Services includes benchmarking and improving Company’s offerings generally and, as a result, Company may anonymize, pseudonymize or aggregate Customer Personal Data (“De-Identified Data”) and use or disclose De-Identified Data as part of the Services, only if and to the extent such creation and use of De-Identified Data is consistent with the consents obtained by the Customer in relation to the underlying Customer Personal Data and is also fully consistent with applicable Data Protection Laws (and both the Customer’s and Company’s obligations thereunder). Subject to the foregoing, Company will not associate De-Identified Data with Customer’s identity or the personal data of Customer’s employees or end users.

v. Information Security Incidents. Company shall maintain procedures to detect and respond to Information Security Incidents. If an Information Security Incident occurs which may reasonably compromise the security or privacy of Customer Personal Data, Company will promptly notify Customer with complete details about the breach, within a maximum of 48 hours of knowledge of the incident’s occurrence, and in any event in accordance with Data Protection Laws applicable to both Company and the Customer. Company will cooperate with Customer in investigating the Information Security Incident within the aforesaid 48 hours and, taking into account the nature of the Services provided and the information available to Company, provide assistance to Customer as reasonably requested with respect to Customer’s breach notification obligations under any applicable Data Protection Laws.

vi. As applicable, the Laws of the Countries in operation may have rules around Do Not Call Registry (hereinafter referred to as the “DNC Provisions”), or of similar nature, which Customer is required to comply with and ensure it has obtained clear and unambiguous consent in evidential form. It is the obligation of the Customer to inform and keep the Company updated on any consent or Consent withdrawal by its end users via email. The Customer hereby indemnifies Company for any monetary penalties incurred by Company under the DNC Provisions as a result of Customer’s failure to comply with Obligations as stated above.

7. Representations and Warranties of the Parties

a. Each Party hereby represents and warrants to the other as follows:

i. It has all requisite power and authority to enter into and perform all its obligations under this Agreement.

ii. It has taken all actions, obtained all regulatory, corporate and contractual authorizations, and submitted all notices or filings required to be submitted, for it to validly enter into this Agreement and perform all its obligations under this Agreement.

iii. The execution and delivery of, or the performance of obligations under, this Agreement do not and shall not violate or conflict with any statute, rule, regulation, directive, other law, judgment, order, decree or award applicable to it or to any provision of its constituent documents, or any agreement, contract, promise, covenant, undertaking, representation or warranty, applicable to or made by it.

iv. This Agreement constitutes legal, valid and binding obligations, enforceable against it in accordance with its terms.

b. The Company represents that it has no actual knowledge, at the time of execution of this Agreement, that any Licensed Items infringe any third party Intellectual Property Rights. The Customer understands and acknowledges that subject to the former actual knowledge-based representation, the Licensed Items are granted on license to licensee hereunder on an ‘as-is, where-is’ basis.

c. Company represents it has no actual knowledge, at the time of execution of this Agreement, that any third party has infringed, is infringing, threatening to infringe or claimed any Intellectual Property Rights in relation to the Licensed Patents.

d. Each of the representations and warranties contained in this Agreement are separate and independent and shall not be qualified or limited by any reference to any other representation or warranty, or any other provision of this Agreement.

8. Confidentiality

a. The Party disclosing the information shall be the “Disclosing Party” and the Party receiving the information shall be the “Receiving Party”. It is mutually acknowledged and agreed that information shall not be considered “Confidential Information” to the extent that such information:

(i) at the time of disclosure was in the public domain; or
(ii) is already known to the Receiving Party free of any confidentiality obligation at the time it is obtained from the other Party; or
(iii) after disclosure is or becomes publicly known or available through no wrongful act of the Receiving Party; or
(iv) is rightfully received from a Third Party without restriction; or
(v) is approved for release, disclosure, dissemination or use by written authorization from the Disclosing Party; or
(vi) is required to be disclosed pursuant to a requirement of a Governmental Agency or Law so long as the Parties provide each other, subject to permissibility of law, with timely prior written Notice of such requirement and provide all reasonable co-operation in regard to taking protective action against such disclosure requirement; or

b. Each Party shall treat Confidential Information with reasonable care and disclose only on a need-to-know basis or as permitted under the Agreement. The receiving Party will only use Confidential Information for the purposes of performing its obligations or as permitted under the Agreement. However, a receiving Party may disclose Confidential Information of the disclosing Party:

(i) if approved in writing by the Disclosing Party;
(ii) if required by law or regulation;
(iii) in the event of dispute between the Parties, as necessary to establish the rights of either Party; or
(iv) as necessary to provide the Services licensed by Customer.

In the case of (ii) and (iii), the Receiving Party will provide reasonable advance notice to the other Party and provide reasonable assistance to limit the scope of the disclosure unless prohibited by law or regulation.

c. Under this Clause 8 (Confidentiality) and the definition of “Confidential Information”, a reference to a Party means a Party and its Affiliates. The Receiving Party is responsible for ensuring that its representatives and Affiliates fully comply with the obligations of the receiving Party under this Clause 8 (Confidentiality).

9. Indemnity

a. Indemnification by Customer. Subject to the provisions of the Agreement, the Customer hereby indemnifies, and undertakes to defend and hold harmless Company and its employees and officers from and against all claims, suits, liabilities, damages, costs, and fees, including, without limitation, attorneys' fees, expenses or losses connected therewith, arising out of or resulting directly from: (i) any personal injury, death or damage to property caused by the gross negligence or willful misconduct of the indemnifying party or its agents and representatives, in the performance of the Agreement; (ii) any actual infringement or alleged violation, infringement, unauthorized use or misappropriation of any third party’s copyright, patent, trademark, or other Intellectual Property due to acts or omission of the Customer including due to the use of the data belonging to the Customer; (iii) breach of applicable laws and regulations; (iv) use of the Licensed Items other than as permitted under this Agreement; (v) breach of terms, conditions and representations. (vi) Further, the Customer confirms not to request sending any un-solicited/unwanted/undesirable information/e-mail/social post/SMS message through the Company and shall keep the Company indemnified for any penalties/dues imposed on Company for violation of any law resulting from content of the messages or to whom the message is sent.

b. Indemnification by the Company. The Company shall defend, indemnify and hold harmless the Customer, its Affiliates and all of their respective officers, directors, agents and employees from and against any and all direct Claims relating to or based on (i) any personal injury, death or damage to property caused by the gross negligence or willful misconduct of the indemnifying party or its agents and representatives, in the performance of the Agreement; (ii) breach of applicable laws and regulations; (iii) any actual infringement or alleged violation, infringement, unauthorized use or misappropriation of any third party’s copyright, patent, trademark, or other Intellectual Property Right. If the Company reasonably believes that the Customer’s use of the Licensed Items is likely to be enjoined, or if the Licensed Items are held to infringe such patent or any other Intellectual Property Rights of a third party and all use of such Licensed Items by the Customer is thereby enjoined, the Company shall, at its expense and at its sole option, (a) procure for the Customer, the right to continue using the Licensed Items, or (b) replace the Licensed Items with other non-infringing software or services of substantially equivalent functionality, or (c) modify the Licensed Items so that there is no infringement, provided that such modified software or services provide substantially equivalent functionality. If, in the Company’s opinion, the remedies in clauses (a), (b) and (c) above are infeasible or commercially impracticable, the Company may, in its sole discretion, refund the Customer, a pro-rated amount of the applicable Fees pre-paid by the Customer covering the whole months that would have remained, absent such early termination, in the Term following the effective date of such early termination and terminate this Agreement. The Customer shall not settle any matter without the prior written approval of the Company.

c. The Company shall not be liable in case of any intellectual property infringement claim, if it arises out of (i) any use of Licensed Items / Products and Services in violation of the Agreement; (ii) modification of the Products and Services by the Customer (or any third party acting on the Customer’s behalf); or (iii) failure by the Customer to install the latest updated version of the Product and / or Services as requested by the Company to avoid infringement; or (iv) third-party products, services, hardware, software, or other materials, or combination of these with Products and Services, if the Products and Services would not be infringing without this combination.

10. Limitation of Liability

a. Except as expressly set forth in the Agreement, the Company disclaims any and all promises, representations and warranties with respect to the Licensed Items, including its condition, conformity to any representation or description, the existence of any latent or patent defects therein, merchantability or fitness for a particular use or purpose, or any other warranty, express or implied.

b. Neither Party shall be liable for any indirect, incidental, special, or consequential damages or loss of revenues, profits or future business howsoever arising, even if it has been advised of the possibility of such damages.

c. Notwithstanding anything to the contrary contained herein, the Company’s maximum aggregate liability, under or in connection with this Agreement shall not exceed the total License Fees paid by the Customer for the Services under the applicable SOW in the preceding 12 (twelve) months, under which the claim arose.

11. Dispute Resolution, Governing Law & Jurisdiction

The Parties shall resolve any difference or dispute arising out of the Sales Order and / or this Agreement by way of negotiations. If such negotiation process fails, then all disputes shall be resolved in the below mentioned manner:

United States: In case the Sales Order is executed between the Customer and Persuade Loyalty L.L.C., then this Agreement shall be governed in accordance with the laws of the State of Minnesota without having regard to the conflict of laws provisions thereunder. The courts of the State of Minnesota, County of Hennepin shall have exclusive jurisdiction over all matters arising pursuant to this Agreement.

Singapore:

a. In case the Sales Order is executed between the Customer and Capillary Pte. Ltd. or Customer and Capillary Technologies (Malaysia) Sdn. Bhd. or Customer and PT Capillary Technologies Indonesia then this Agreement shall be governed by and construed in accordance with the laws of Singapore.

b. Subject to Clauses 11.2.3 and 11.2.4, the Parties agree to negotiate in good faith to resolve any dispute between them relating to this Agreement.

c. If, within 15 (fifteen) calendar days after one Party has notified the others in writing of such a dispute, the Parties are unable to resolve the dispute as aforesaid in clause 11.2.1, the disputes or differences shall be referred to final and binding arbitration at the request of either of the disputing Parties upon written Notice to that effect to the other. In the event of such arbitration:

(i) The arbitration shall be referred to and finally resolved by arbitration administered by Singapore International Arbitration Centre (“SIAC”) in accordance with the arbitration rules of the Singapore International Arbitration Centre ("SIAC Rules"), in force at the relevant time (which is deemed to be incorporated into this Agreement by reference);
(ii) All proceedings of such arbitration shall be in the English language and all documents submitted (including those submitted as filings, evidence or exhibits) shall be certified English translations if in a language other than English. The venue and seat of the arbitration shall be Singapore;
(iii) The arbitration shall be conducted by a Sole Arbitrator ("Arbitral Tribunal") appointed in accordance with the SIAC Rules;
(iv) The award shall be made in writing and published by the Arbitral Tribunal no later than 180 (one hundred eighty) days from entering upon the reference in terms of Rule 5.1 of the SIAC Rules. The Parties hereto shall be deemed to have irrevocably given their consent to the Arbitral Tribunal to make and publish the award within the period referred to hereinabove and the award of the Arbitral Tribunal shall be final and binding on the Parties.

India: In case the Sales Order is executed between the Customer and Capillary Technologies India Limited, the provisions of this Agreement shall be governed by and construed in accordance with Indian law. Any dispute, controversy or claims arising out of or relating to the Agreement or the Sales Order, shall be settled by arbitration in accordance with the provisions of the Arbitration and Conciliation Act, 1996. The arbitral tribunal shall be composed of a sole arbitrator to be appointed by both the Parties with mutual understanding. The place of arbitration shall be Bangalore and any award whether interim or final, shall be made, and shall be deemed for all purposes between the Parties to be made, in Bangalore. The award of the arbitrator shall be final and conclusive and binding upon the Parties, and the Parties shall be entitled (but not obliged) to enter judgment thereon in any one or more of the highest courts having jurisdiction. The Parties further agree (to the maximum extent possible and allowed to them) that such enforcement shall be subject to the provisions of the Arbitration and Conciliation Act, 1996 and neither Party shall seek to resist the enforcement of any award in India on the basis that award is not subject to such provisions. The rights and obligations of the Parties under, or pursuant to, the Agreement, including the arbitration agreement in this Clause, shall be under the exclusive jurisdiction of the courts located at Bangalore.

Dubai: In case the Sales Order is executed between the Customer and Capillary Technologies DMCC, the provisions of this Agreement shall be governed by and construed in accordance with the laws of Dubai. Any dispute arising out of or in connection with, or the interpretation of, this Agreement or the Sales Order shall be subject to the exclusive jurisdiction of the Courts in Dubai.

12. Publicity

Neither party shall use the name and/or trademark/logo of the other party, its group companies, subsidiaries or associates in any sales or marketing publication or advertisement, or in any other manner without prior written consent of the other party. However, the Company shall be entitled to use the name / logo of the Customer in its advertising and marketing campaigns / brochures, website etc. strictly as one of the customers of the Company.

13. Independent Service Provider

The Agreement is on a principal-to-principal basis between the Parties hereto. Nothing contained in this Agreement shall be construed or deemed to create any association, partnership or joint venture or employer-employee relationship or principal-agent relationship in any manner whatsoever between the Parties. The Company acknowledges that its rendering of the Services is solely within its own control, subject to the terms and conditions agreed upon and agrees not to hold itself out to be an employee, agent or servant of Customer or any subsidiary or affiliate thereof.

14. Termination

a. Notwithstanding anything herein contained, either Party may, by giving thirty (30) days’ notice in writing, terminate this Agreement under any one or more of the following conditions:

(i) if either Party commits a Material Breach of this Agreement or its accompanying SOWs and fails to correct the breach within thirty (30) days of written specification of the breach, then the breaching party is in default and the non-breaching party may terminate this Agreement or the relevant SO under which the breach has occurred. The non-breaching party may agree at its sole discretion to extend the thirty (30) day period for so long as the breaching party continues reasonable efforts to cure the breach. Where the breach is not rectified, the non-breaching party may, at its sole discretion, opt to terminate the agreement with a sixty (60) days written notice to the breaching party (inclusive of the above 30 days period). Material breach under this clause shall mean a breach committed by either party in matters and clauses relating to intellectual property rights, non-provision of services, breach of payment terms, breach of confidentiality and applicable laws.

(ii) If a petition for insolvency is filed against any Party and such petition is not dismissed within ninety (90) days after filing and/or if any Party makes an arrangement for the benefit of its creditors or, if the court receiver is appointed as receiver of all/any of any Party's properties;

b. In case of any premature termination of the SO or this Agreement in any manner not provided in this clause, the Customer shall be liable to pay the entire amount as required to be paid under the SO for the entire Term of the SO.

c. Neither Party shall be entitled to terminate the Sales Order without cause during the Term of the Sales Order.

15. Post Termination

a. The termination of this Agreement shall not:

i. in any way affect or prejudice any right accrued to any Party against the other Parties, prior to such termination; and

ii. extinguish the rights and obligations that contemplate performance or observance by the Parties under the Agreement, which either expressly or by their nature survive the termination of the Agreement, unless any of such rights, obligations or liabilities, are waived in writing.

b. Upon termination of the Agreement for any reason:

i. all Sales Orders and/or amended Sales Orders, if any, then in effect shall immediately terminate, unless expressly stated to the contrary in the Sales Orders therein.

ii. the License and associated rights will immediately terminate.

iii. within 30 (thirty) days from the date of termination of the Agreement, the Customer shall hand over all the materials, if any, belonging to the Company, including but not limited to Confidential Information of the Company. The Customer hereby agrees that no copies of the materials, documents, data etc., shall be made or retained upon the termination or expiration of the Agreement.

iv. Upon termination of the provision of the Services, Company shall provide a copy of customer data in a mutually agreed format such as .csv or .txt within thirty (30) days and delete the customer data within ninety (90) days from the date of termination. Company may retain the data to the extent that it is required or authorized to do so under applicable law and/or regulation, in which case Company will securely isolate and protect such data from any further processing, except to the extent required by applicable law and/or regulation.

v. It is hereby agreed and understood by the Customer that the provisions of this Clause shall not limit or restrict, nor shall they preclude Company from pursuing such further and other legal actions, against the Customer for any breach or non-compliance of the terms of the Agreement.

16. Force Majeure

The Parties shall not be liable for any failure or delay in performance under the Agreement resulting directly or indirectly from causes beyond their reasonable control due to act of God, war declared, civil or political disturbance, lockouts, industry wide labour strike, drought, floods, fire, theft, accidents, pandemics and other exceptional circumstances. In such a situation, both Parties’ liability ceases under the Agreement and further both the Parties shall discuss and mutually agree on further course of action.

17. Miscellaneous

a. Amendment and Waiver: Any material provision of the Agreement, prejudicially impacting the Customer, may be amended or waived only if such amendment or waiver is in writing and signed, in the case of an amendment by each Party, or in the case of a waiver, by the Party against whom the waiver is to be effective. The Company may however, without prior notice or consent to the Customer, make any non-material amendments to the provisions of the Agreement, such as to remove any inconsistencies or conflicts or which are typographical in nature or clerical omissions, mistakes or errors contained herein. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.

b. Cumulative Rights: No failure or delay by any Party in exercising any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise of any other right, power or privilege. The rights and remedies herein provided shall be cumulative and not exclusive of any rights or remedies provided by law.

c. Successors: The provisions of the Agreement shall be binding upon and inure to the benefit of the Parties hereto and their respective successors and permitted assigns. Where specified in a Sales Order and intimated to the Company, the Customer may allow its Affiliates to use and access the Product and Services.

d. Notices: Unless otherwise provided herein, all notices or other communications under or in connection with this Agreement shall be given in writing and may be sent by personal delivery or post or courier or facsimile or electronic mail. Any such notice or other communication will be deemed to be effective if sent by personal delivery, when delivered, if sent by post, two days after being deposited in the post and if sent by courier, one day after being deposited with the courier, and if sent by facsimile/electronic mail, when sent (on receipt of a confirmation to the correct facsimile number/email address).

e. Entire Agreement: The Agreement, being the Annexure with all the Sales Order (as amended from time to time) constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior written agreements, understandings and negotiations, both written and oral, between the Parties with respect to the subject matter of the Agreement. No representation, inducement, promise, understanding, condition or warranty not set forth herein has been made or relied upon by any Party hereto.

f. Neither the Agreement nor any provision hereof is intended to confer upon any Person other than the Parties to the Agreement any rights or remedies hereunder.

g. Non-solicitation: The Parties will not solicit the employment of other Party’s employees / Personnel during the Term of this Agreement, including renewals and extensions, if any and for a period of 1 (one) year thereafter, except that this Section will not restrict the employment of any person as a result of that person making an unsolicited response to a bona fide published general recruitment advertisement not specifically directed at such person.

h. No Agency. Nothing in this Agreement is intended to constitute a fiduciary relationship, agency, joint venture, partnership, or trust between the Parties. No Party has authority to bind the other Party.

i. Severability: The invalidity or unenforceability of any provisions of the Agreement in any jurisdiction shall not affect the validity, legality or enforceability of the remainder of the Agreement in such jurisdiction or the validity, legality or enforceability of the Agreement, including any such provision, in any other jurisdiction, it being intended that all rights and obligations of the Parties hereunder shall be enforceable to the fullest extent permitted by law.


SCHEDULE A

Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Sales Order, as updated from time to time between Customer (hereinafter referred to as the “Customer” or “Controller”) and Company (hereinafter referred to as the “Company” or “Processor”), or other agreement between Customer and Company governing Customer’s use of the Service Offerings. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Company.

WHEREAS

(A) The Customer acts as a Controller for consumer personal data the Controller provides to the Processor, and provides specific processing instructions to the Processor.

(B) Vide the Sales Order, the Customer has contracted certain Services, detailed therein to the Processor.

(C) The Services include the processing of consumer personal data by the Processor in the course of providing services under the Sales Order executed by the Customer.

(D) The Parties seek to implement a Data Processing Agreement that complies with the requirements of the current applicable legal framework on the protection of privacy of natural persons when processing personal data.

(E) The Parties also wish to lay down their rights and obligations relating to such processing of consumer personal data.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 "DPA" means this Data Processing Agreement;

1.1.2 "Consumer Personal Data" means any Personal Data processed by the Processor on behalf of the Customer detailed in Annexure B;

1.1.3 "Data Protection Laws" means EU GDPR, the data protection or privacy laws of applicable countries (US, Singapore, etc.) considering the origin, scope and nature of processing of personal data;

1.1.4 "Data Transfer" means:

1.1.4.1 a transfer of Consumer Personal Data between the Customer and the Processor; or

1.1.4.2 an onward transfer of Consumer Personal Data from the Processor to a Subprocessor, or between two establishments of the Processor,

in each case, where such transfer would be permitted by Data Protection Laws (or permitted by the terms of data transfer agreements put in place to address any data transfer restrictions placed by Data Protection Laws);

1.1.5 "Sales Order" means the Sales Order, to which this Agreement is an integral part and duly executed between the Company and the Processor;

1.1.6 "Services" means the services pursuant to or in connection with the Sales Order.

1.1.7 "Subprocessor" means any person or third-party organization appointed by or on behalf of a Processor to process Personal Data on behalf of Controller in connection with the Agreement.

1.2 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in EU GDPR and the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.

2. Processing of Consumer Personal Data

2.1 The Customer has instructed the Processor to process personal data collected pursuant to or in connection with the Sales Order.

2.2 Each party shall comply with their respective obligations under Data Protection Laws.

2.3 In processing Consumer Personal Data, the Processor shall not Process Consumer Personal Data other than on the Customer’s documented instructions.

2.4 The Customer shall instruct the Processor through documented processing instructions in the Sales Order or through other agreed documents such as Scope of Work (SoW), Business Requirement Document (BRD) etc., the modalities of processing Consumer Personal Data.

2.5 The Customer shall indemnify and hold the Processor and any Subprocessors harmless against any third-party actions or claims relating to the processing of Consumer Personal Data, so long as such processing is in strict compliance with the abovementioned documented processing instructions provided by the Customer and Data Protection Laws.

3. Processor Personnel

Processor shall take reasonable steps to ensure that access to the Consumer Personal Data is strictly limited to those individuals who need to know / access the relevant Consumer Personal Data, as strictly necessary for the purposes of the Sales Order. The Processor shall ensure compliance with Data Protection Laws in the context of that individual's duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 The Processor shall use the appropriate technical and organizational security measures as required by ISO 27001:2013 Standard in accordance with the applicable Data Protection Laws.

5. Data Subject Rights

5.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organizational security measures (refer to 4.1), for the fulfillment of the Company obligations to comply with Data Subject Access Requests under the Data Protection Laws.

5.2 Processor shall:

5.2.1 promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Consumer Personal Data; and

5.2.2 ensure that it does not respond to the Subject Access Requests except on the documented instructions of the Company or as required by applicable Data Protection Laws to which the Processor is subject, in which case Processor shall to the extent permitted by the applicable law, inform Customer of that legal requirement before the Processor responds to the request.

6. Personal Data Breach

6.1 Processor shall notify Customer promptly upon Processor becoming aware of a Personal Data Breach affecting Consumer Personal Data, providing Company with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach as required by the Data Protection Laws.

6.2 The Processor shall cooperate with the Customer and take reasonable steps as directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7. Liability and Indemnification

7.1 The Processor recognizes and acknowledges that the disclosure, misappropriation or unauthorized use of Confidential Information of the Controller by Processor shall cause serious injury to the Controller and the Controller shall be entitled to seek injunctive and other equitable relief to prevent the breach or the threatened breach of any of the terms and provisions hereof and shall also be entitled to claim or recover from Processor any losses, damages, costs and expenses suffered/incurred by the Controller as a result of the breach by the Processor of its obligations hereunder. The Processor shall not be liable for non-performance of any of the Processing Instructions or Services pursuant to any injunction orders.

7.2 The Processor shall exercise all of its rights and perform all its obligations under this Agreement in an ethical manner, in accordance with the terms and intent of this Agreement and in compliance with all Applicable Laws.

7.3 The Processor shall not make any express or implied representation on behalf of the Controller without prior permission. Any such representation or information given by the Processor or its Representatives shall not create any liability or loss of goodwill whatsoever on the Controller.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required under the provisions of the Data Protection Laws, in each case solely in relation to Processing of Consumer Personal Data by, and taking into account the nature of the Processing and information available to the Processor.

9. Deletion or return of Customer Personal Data

9.1 Subject to this Article, the Processor shall promptly and in any event within 90 days of the date of cessation of any Services involving the Processing of Consumer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Consumer Personal Data.

9.2 Processor shall provide written certification and evidence of deletion of Consumer Personal Data to the Customer that it has fully complied with this Article within 90 days of the Cessation Date.

10. Audit Rights

10.1 Customer acknowledges and notes that it expressly retains its rights to obtain assurance pursuant to the Sales Order, by way of an annual audit SOC 2 Type 2 Privacy report by a third party audit firm, appointed by the Processor, to audit the Processor’s compliance with the Data Processing Agreement (DPA) and Standard Contractual Clauses (SCC). If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Company written notice as provided for in the Agreement.

If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.

11. Data Transfer

11.1 Subprocessor: The Data Processor shall impose by way of a written agreement the same level of obligations (privacy and security controls) on the Subprocessors as are imposed on the Data Processor under the Clauses. The Data Controller hereby provides a General Written Authorization for the list of Subprocessors listed in Annexure A. The Data Processor shall notify the Data Controller 30 days in advance of onboarding a new Subprocessor, including transfer of personal data outside the country of origin (only if the new Subprocessor involves processing of Personal Data of the Data Controller) and the Data Controller must inform the Data Processor in writing within 15 days of notification of any disagreement / concerns related to the use of the new Subprocessor by the Data Processor. If the Data Controller does not agree to the use of the new Subprocessor, the Data Controller and Data Processor shall review the disagreements and make reasonable efforts to resolve the disagreements. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses.

12. General Terms

12.1 Confidentiality - Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

12.2 Notices - All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email. Controller shall be notified by email sent to the address related to its use of the Service under the Sales Order. Processor shall be notified by email sent to the address: guardians@capillarytech.com.

13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the applicable laws as per the relevant provisions of the Sales Order.

13.2 Any dispute arising in connection with this Agreement, will be resolved as per the relevant provisions of the Sales Order except in relation to Liability and Indemnification which shall be governed as per the provisions of this agreement.

Annexure A

List of Subprocessors:

Subprocessor Entity Name: Amazon Web Services (AWS)

Subprocessor Processing Locations: Region: Virginia, Singapore, EU (Subject to changes for location specific contracts)

Subprocessor processing purpose: Cloud hosting services

SCHEDULE B

Supplementary Addendum to Company Data Processing Agreement

The purpose of this supplementary addendum (this “Addendum”) is to outline supplemental measures that Company takes to protect Consumer Personal Data. This Addendum supplements, but does not modify, the Data Processing Agreement (the “DPA”) or other agreement between Customer and Company governing the processing of Consumer Personal Data. Unless otherwise defined in this Addendum, all capitalized terms used in this Addendum will have the meanings given to them in the Company DPA.

1. Requests for Consumer Personal Data

1.1 If Company receives a valid and binding order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Consumer Personal Data, Company will use every reasonable effort to redirect the Requesting Party to request Consumer Personal Data directly from the Company.

1.2 If compelled to disclose Consumer Personal Data to a Requesting Party, Company will:

(a) promptly notify the Customer of the Request to allow the Customer to seek a protective order or other appropriate remedy, if Company is legally permitted to do so.

(b) challenge any overbroad or inappropriate Request (including where such Request conflicts with the law of the European Union or applicable Member State law).

1.3 If, after exhausting the steps described in Section 1.2, Company remains compelled to disclose Consumer Personal Data to a Requesting Party, Company will disclose only the minimum amount of Consumer Personal Data necessary to satisfy the Request.

2. Data Subject Rights

Nothing in this Addendum restricts Customer’s data subjects from exercising their rights under the GDPR, including their rights to compensation from Company for material or non-material damage under, and in accordance with, Article 82 of the GDPR.

3. Warranty

Company agrees and warrants that it has no reason to believe that the legislation applicable to it, or its sub-processors, including in any country to which Consumer Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from Customer and its obligations under this Addendum and the DPA and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum and the DPA, Company will promptly notify the change to Customer as soon as Company is aware.

4. Entire Agreement; Conflict

Except as supplemented by this Addendum, the DPA and the Agreement will remain in full force and effect. This Addendum, together with the DPA and the Agreement: (a) is intended by the parties as a final, complete and exclusive expression of the terms of their agreement, and (b) supersedes all prior agreements and understandings between the parties with respect to the subject matter hereof. If there is a conflict between the DPA and this Addendum, the terms of this Addendum will control.


SCHEDULE C

Standard Contractual Clauses (SCC)

This forms part of the Company Data Processing Agreement, or other agreement between Customer and Company governing the processing of Customer Data.

(a) The parties agree that Personal Data transferred between and among the parties shall be subject to the standard contractual clauses to the extent applicable.

(b) The parties acknowledge the importance of the protection of Personal Data and the legal restrictions on international transfers of Personal Data.

Applicable Modules

With respect to Processing of Personal Data,

A. When Customer is a Data Exporter and Controller, and Company is a Data Importer and Processor - Module 2 Transfer controller to processor shall apply.

B. References to Modules 1, 3 and 4 in the Standard Contractual Clauses shall not apply and language referencing these modules shall not be treated as part of this Agreement.

By entering into the SCHEDULE, the Parties are deemed to be signing the applicable Standard Contractual Clauses, full version located at the following link: Standard Contractual Clauses (European Commission).

APPENDIX
Annex I

A. List of Parties

Data Exporter(s):

Name: The entity identified as “Customer” in the Data Processing Agreement (DPA)

Address: The address for Customer as specified in the Sales Order

Contact person’s name, position and contact details: The contact details as specified in the Sales Order

Activities relevant to the data transferred under these Clauses: The activities specified in Section 1 of the Data Processing Agreement (DPA)

Signature and date: By using the Services to transfer Customer Data to Third Countries, the data exporter will be deemed to have signed this Annex I.

Role (controller / processor): Controller

Data importer(s):

Name: Company as identified in the Data Processing Agreement (DPA)

Address: The address for Company specified in the Sales Order

Contact person’s name, position and contact details: The contact details as specified in the Sales Order

Activities relevant to the data transferred under these Clauses: The activities specified in Section 1 of the Data Processing Agreement (DPA)

Signature and date: By transferring Customer Data to Third Countries on Customer’s instructions, the data importer will be deemed to have signed this Annex I.

Role (controller / processor): Processor

B. Description of Transfer

Categories of data subjects whose personal data is transferred
Categories of data subjects are described in Section 1 of the Data Processing Agreement (DPA).

Categories of personal data transferred
The personal data is described in Section 1 of the Data Processing Agreement (DPA).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
The data exporter might include sensitive personal data in the personal data described in Section 1 of the Data Processing Agreement (DPA).

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Personal data is transferred in accordance with Customer’s instructions as described in Section 1 and 11 of the Data Processing Agreement (DPA).

Nature of the processing
The nature of the processing is described in Section 1 of the Data Processing Agreement (DPA).

Purpose(s) of the data transfer and further processing
To provide the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The data exporter determines the duration of processing in accordance with the terms of the Data Processing Agreement (DPA).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing are described in Section 1 of the Data Processing Agreement (DPA).

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

ANNEX II

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons

The technical and organizational measures (including the certifications held by the data importer) as well as the scope and the extent of the assistance required to respond to data subjects’ requests are described in the Data Processing Agreement (DPA).

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

The technical and organizational measures that the data importer will impose on sub-processors are described in the Data Processing Agreement (DPA).

ANNEX III

Additional Clauses

The Limitations of Liability section of the Agreement is an additional clause pursuant to Clause 2 of these Clauses.


SCHEDULE D

Company CCPA Terms

These Company CCPA Cal. Civ. Code §§ 1798.100 et seq Terms (“CCPA Terms”) supplement the Sales Order or other agreement between you or the entity you represent (the “Customer”) and Company (the “Processor”) governing your use of the Service Offerings when the California Consumer Privacy Act of 2018 (“CCPA”) applies to your use of the Services to process “Personal Information” (as defined in CCPA). Unless otherwise defined in these CCPA Terms, all capitalized terms used in these CCPA Terms will have the meanings given to them in the Company Data Processing Agreement (DPA).

a). Company (“Service Provider” as per CCPA) shall not "sell" (as such term is defined in the CCPA), disclose, release, transfer, make available or otherwise communicate any Consumer Personal Data to another business or third party without the prior written consent of the Company unless and to the extent that such disclosure is made to an authorized subcontractor in accordance with the terms of the DPA and the Services agreed to be provided to Company under the Sales Order. Notwithstanding the foregoing, nothing in this document shall restrict the Service Provider's ability to disclose Consumer Personal Data to comply with Applicable Laws or as otherwise permitted by the CCPA.

b). Company (“Service Provider” as per CCPA) shall promptly (and in any event within two business days) forward to the Customer and otherwise cooperate with and assist the Customer promptly with any request from a Data Subject relating to the Data Subject’s right of access, right to knowledge, right of deletion, or right to opt out of “sale” (as such term is defined in the CCPA).
