Legal Information

Master Services Agreement

G-CORE MASTER SERVICES AGREEMENT

Last updated: July 25, 2018

YOU MUST CAREFULLY READ THIS G-CORE MASTER SERVICES AGREEMENT (“AGREEMENT” or “MSA”) BEFORE SIGNING, EXECUTING OR OTHERWISE PLACING YOUR SERVICE ORDER FOR G-CORE SERVICES. BY ORDERING G-CORE SERVICES YOU AGREE TO BE BOUND BY THE LATEST AMENDED VERSION OF THIS AGREEMENT.

This Agreement is entered into between G-Core Labs S.A., incorporated under laws of Luxembourg, established and having its registered office at 2A, Rue Albert Borschette, L-1246, Luxembourg (hereinafter referred to as “G-Core”), and you, the Customer, who placed the Service Order or executed a similar document with reference to this Agreement (hereinafter referred to as “Customer”). G-Core and Customer are hereinafter referred to individually as a “Party”, or collectively as the “Parties”.

1.Definitions

"Acceptable Use Policy" (AUP) means the policy currently available at https://gcorelabs.com/legal, as it may be updated by G-Core from time to time.

"Accepted" or "Acceptance" means a Party’s authorized execution and acceptance of a document.

"Affiliate" means an entity directly or indirectly Controlled by, Controlling or under common Control with a Party, now or in the future. An entity will “Control” another entity when it owns more than 50% of the equity or other voting interests, or otherwise has management and operational control.

"Change of Control" means one or more transactions whereby (a) Control of a Party is transferred, directly or indirectly, whether by operation of law or otherwise, (b) all or substantially all of such Party’s assets or equity securities are acquired by a person, firm or entity or (c) such Party is merged or consolidated with or into another entity; provided, that, in any case, such Party’s equity owners of record immediately before such transaction(s) will, immediately after such transaction(s), hold less than 50% of the voting power of the succeeding, acquiring or surviving entity.

"Customer Content" means content, software, data, video or information of Customer and/or End Users, including third-party content, software, data and equipment, provided or made available to G-Core for storage, delivery or otherwise in connection with Services.

"Customer Data" includes all data that identifies Customer, or their respective End Users. Customer Data may include Customer name, employee contact information, End User Data, data necessary for account establishment, billing data or content transmission data when such data identifies Customer.

"Days" means calendar days unless otherwise indicated.

"Effective Date" means a date when this Agreement enters into legal force.

"End User" means a subscriber, member, end-user, customer or other visitor of an online site or service owned and/or operated by Customer.

"End User Data" includes End User name, address, contact information, usage, billing or any other data that personally identifies authorized End Users of the Services.

"Intellectual Property Rights" means all patents, copyrights, trade secrets, trademarks and trade names, goodwill and marketing rights related thereto, works of authorship, inventions, discoveries, improvements, enhancements, methods, processes, formulas, designs, techniques, derivative works, know how, all other intellectual property or proprietary rights (registered or not) and equivalents or similar forms of protection existing worldwide, and all applications for and registrations in such rights.

"Quotation" means a non-binding proposal communicated to Customer, specifying Services to be performed and the associated fees and charges (collectively “Fees”). Upon Customer’s approval of a Quotation, G-Core will send to Customer a Service Order for Acceptance.

"Service Order" means a service specification, price, quantity and Customer commitment for G-Core services, based on a mutually accepted Quotation, of standard or non-standard Services to be performed by G-Core for the specified time period.

"Service Start Date" means the Service start date set forth in the applicable Service Order.

"Service Level Agreement" (SLA) means all service level agreements that we offer with respect to the G-Core Services, currently available at https://gcorelabs.com/legal, as it may be updated by G-Core from time to time.

"Services" means all of the G-Core services as set forth in any applicable Service Order that G-Core provides to Customer pursuant to this Agreement.

"Services Specification" means the rights, limitations and restrictions and other service specific details for particular Services, currently available at https://gcorelabs.com/legal, as it may be updated by G-Core from time to time.

"Taxes" means any applicable foreign or domestic taxes, tax-like charges, tax-related charges and other charges or surcharges assessed in connection with Services, including all excise, use, sales, value-added and other fees, surcharges and levies.

2.Services

2.1 G-Core will provide Services to Customer as specified in a mutually Accepted Service Order, subject to the terms and conditions herein. Within five Days after Customer has submitted to G-Core an Accepted Service Order, G-Core will respond with Acceptance or reason for non-Acceptance. G-Core will not be bound to provide Services until the applicable Service Order has been mutually Accepted. However, if Customer begins using Services before the Service Start Date in an applicable Service Order, the provision and use of such Services nonetheless will be governed by the terms of this Agreement, the Services Specifications, the SLA, the AUP and the Service Orders.

2.2 Customer acknowledges that G-Core (a) does not own or control all local circuit links, leased co-location spaces, leased space cross-connects, Internet service providers (“ISP”) providing connectivity to G-Core, other networks outside the connectivity to G-Core or ISPs, or the Internet and except as set forth in the SLA, G-Core will not be responsible for performance or non-performance within such networks or within non-G-Core operated interconnection points between the connectivity and other networks, (b) is a mere intermediary (i.e., mere conduit in accordance with article 12 of Directive 2000/31/EC on E-Commerce and the implementing article 60 of Luxembourg E-Commerce Act of 14 August 2000) for transmission of Customer Content and does not exercise editorial or other control over such materials and (c) will not be responsible for, and expressly disclaims any liability arising from, any such materials or other data accessible on the Internet or for any actions taken on the Internet.

2.3 G-Core may at any time, and without notice, use the services of one or more Affiliates, suppliers or sub-contractors in connection with the performance of its obligations under this Agreement, and Customer’s obligations to G-Core extend to those parties when acting on G-Core’s behalf.

2.4 To be eligible for a Service Credit under the SLA as defined there, Customer must be in good standing with no delinquent invoices, in addition to any other SLA requirements. The SLA is also not applicable during any trial period.

2.5 Given the nature of the Services, Customer, and not G-Core, is solely responsible for (i) all bandwidth abuse, theft or other unauthorized usage or activity occurring on Customer ’s account (e.g., leeching or hotlinking/direct linking to content), (ii) all resulting Fees and costs, (iii) implementing any monitoring, defensive or protective tools or measures (whether offered by G-Core or a third party) related to Customer’s account and (iv) regularly monitoring all usage of bandwidth and Services and other activity on Customer’s account. G-Core makes available to Customer, through the G-Core reporting tools, data regarding Customer’s billable usage of bandwidth or Services; but G-Core is not responsible for notifying Customer of usage or activity patterns occurring on Customer’s account.

2.6 G-Core may modify the configuration of the Services, provided such modifications are necessary due to technical, economic or regulatory developments or to maintain the quality standard of Services and such modification will not affect the essential characteristic features of Services ordered. In such event, G-Core shall use commercially reasonable efforts to notify Customer prior to any such modification becoming effective. Customer’s continued use of Services following the modification will constitute Customer’s acceptance of the modification.

2.7 G-Core or any of its subcontractors will from time to time carry out routine maintenance or improvements to the network, software, facilities, servers, network equipment or other technical equipment required for the provision of the Services (“Scheduled Maintenance”). Scheduled Maintenance may cause interruptions to the Services in part or as a whole.

2.8 G-Core may carry out Scheduled Maintenance which is unlikely to affect the Services at its own discretion and without notice. Insofar as Scheduled Maintenance will likely cause interruptions to the Services in part or as a whole or any other problems for the Customer, G-Core will notify Customer at least seven Days in advance or with as much advance notice as reasonably possible in the event that G-Core receives a maintenance notification from an underlying provider. The notification will include time and date, duration and description of any such work. Notwithstanding the foregoing, if G-Core reasonably believes that timely providing such notice would result in an unacceptable risk of a defect, damage or loss of integrity to the G-Core’s network, G-Core may perform such work and may serve notice to Customer of the need to perform emergency maintenance on the network with a notice period reasonable under the given the circumstances.

2.9 For the purposes of this Agreement, one Kbps is equal to 1,000 bits; one Mbps is equal to 1,000 Kbps; one Gbps is equal to 1,000 Mbps etc; one KB is equal to 1,000 bytes; one MB is equal to 1,000 KB; one GB is equal to 1,000 MB; one TB is equal to 1,000 GB; one PB is equal to 1,000 TB etc.

3.Acceptable Use

3.1 As between the Parties, Customer is solely responsible for any Customer Content stored, reproduced, displayed or distributed using Services. All use of Services, unless otherwise indicated in a Service Order, is governed by the AUP, which is made a part of this Agreement.

3.2 If G-Core determines, in its sole reasonable discretion, that Customer Content or Customer’s use of Services violates the AUP or otherwise adversely impacts the Services, G-Core reserves the right to take remedial measures including blocking or disabling access. G-Core will use commercially reasonable efforts to limit the measures to the extent necessary to resolve the adverse impact without undue interruption of Services. The Parties will work together in good faith to resolve the problems or issues causing, in whole or part, the adverse impact.

4.Cooperation and Customer Obligations

4.1 For Services to function as intended, Customers must cooperate in good faith with G-Core to configure and enable Services. When Customer elects to send or receive Customer Content using Services, Customer is solely responsible for modifying its content identifiers, consistent with instructions that G-Core provides, to enable G-Core to deliver the selected content. This may include changing the alias information in Customer’s DNS record so that hostname addresses of page objects resolve to G-Core’s servers.

4.2 Customer acknowledges that the timely and successful performance of Services requires good faith cooperation by the Customer. Therefore, Customer will (a) furnish all information reasonably requested by G-Core, (b) comply with all laws, regulations, orders and statutes which may be applicable to Customer, and (c) timely perform its obligations as necessary to meet any schedule or deadline in the applicable Service Order. In the event that any failure by the Customer to comply with the provisions of this section 4 results in any delay, deficiency or interruption in the performance of Services, G-Core shall not be deemed in breach of the applicable Service Order for such delay and Customer shall be responsible for any costs reasonably incurred by G-Core in addressing and remedying such delay, deficiency or interruption.

4.3 The Services provided by G-Core pursuant to this Agreement and under any Service Order shall only be used for purposes assumed under this Agreement, and in accordance with applicable local legislation, rules and regulations. G-Core shall be entitled, at its reasonable option, to immediately suspend Services if in its sole opinion Services are being used in a manner that may result in liability or other damage for G-Core.

5.Fees and Payment

5.1 Customer will pay to G-Core all Fees incurred on Customer’s account in full, as set forth in this Agreement and any Service Order, without set-off, withholding or deduction by Customer. Customer bears all charges of its bank or the intermediary banks. G-Core will provide notice of all changes to the Services, including new features, functions or services. The new Services will be effective on the date set forth in the notice. For Services purchased without a monthly or other rate commitment or where such commitment has terminated or expired, G-Core will provide thirty Days’ notice of rate increases.

5.2 All charges are exclusive of Taxes, Customer is solely responsible for all Taxes payable in connection with Services. If Customer provides G-Core with a valid, duly executed tax exemption certificate, G-Core will exempt Customer from Taxes in accordance with the law, effective on the date G-Core receives the exemption certificate. If Customer is required by law to make any deduction or withholding from any payment due hereunder to G-Core, then, notwithstanding anything to the contrary contained in this Agreement, the gross amount payable by Customer to G-Core will be increased so that, after any such deduction or withholding for taxes, the net amount received by G-Core will not be less than G-Core would have received had no such deduction or withholding been required.

5.3 Upon mutual Acceptance of a Service Order, G-Core will begin billing Customer for all monthly recurring charges (each, a “MRC”). At the beginning of a calendar month, G-Core will bill Customer in advance for MRCs for the Services to be provided in that month. G-Core will invoice Customer for any overage and other usage charges, if applicable, the following month the usage occurred.

5.4 All Fees will be billed and payable in euros, unless otherwise mutually agreed in writing. Customer will pay all MRCs through the Term, regardless of whether or how much Customer uses the committed Services. If G-Core cannot begin timely delivery of Services for any reason caused by Customer, G-Core nonetheless may, in its sole discretion, begin billing Customer for MRCs as of the Service Start Date. Any Service Credit granted under the SLA for a Downtime (as defined in the SLA) will be applied to the next applicable invoice, against any charges for MRCs and/or overages.

5.5 Unless otherwise agreed to in writing by the Parties, Customer shall pay all invoices within fourteen Days of the invoice date by transferring the invoiced amounts to the bank account designated on the invoice. All invoices may be provided to Customer electronically. In respect of all due and unpaid invoiced amounts, G-Core reserves the right to charge (i) in addition to the legal interest, an interest of one and three-quarters percent (1.75%) per month of all invoiced amounts from the due date as set out above until full and final payment of such amounts and (ii) reasonable collection costs incurred in respect of such unpaid invoiced amounts, including but not limited to reasonable legal expenses.

6.Defects

6.1 A “Defect” occurs only in case a Service does not operate according to the applicable Service Levels or other levels agreed by the parties in writing.

6.2 In case of Defects, the claim of Service Credits, as defined in the SLA, shall be Customer’s sole and exclusive remedy. Customer may contact G-Core for notification of Defects by email (support@gcorelabs.com).

6.3 Customer has to notify G-Core in writing of any Defects immediately, but no later than three Days, upon Customer’s discovery of the Defects. The notification has to contain a Defect report (“Defect Report”) to G-Core that includes (a) Customer name and, as applicable, on-site technical contact information (telephone number, email address and hours of operation of the responsible Customer contact); (b) a reasonably detailed description of the Defect, together with any supporting information that Customer’s engineers believe will assist G-Core in its diagnostic process (including e.g. time of first occurrence of Defect, affected systems, error messages etc.); and (c) the date and time that Customer identified the Defect for the first time.

All communication between Customer and G-Core regarding Defect Reports and remedying of Defects shall be in English.

6.4 G-Core is not obliged to remedy Defects, and will not be held otherwise liable, and Service Credits will not be granted in connection with any failure or deficiency caused by or associated with the following, each an “Excluded Cause”: (a) equipment, software or other technology not provided by G-Core; (b) Customer’s equipment, software or other technology, including without limitation the Customer’s servers; (c) use of Services other than agreed with G-Core, in particular any use in violation of the Agreement; (d) actions, omissions or interventions by Customer or its agents, contractors or vendors, including without limitation, any negligence or willful misconduct; (e) any third party’s actions or interventions (excluding actions or interventions by G-Core’s Affiliates); (f) Scheduled Maintenance, emergency maintenance or Customer-requested service interruptions; (g) failure in local access circuits or cross connects connecting the Customer to G-Core’s network; (h) conditions at the Customer’s premises such as power supply, climate or housing; (i) false service outages and downtimes reported due to errors of any SLA measurement system; (j) an event of Force Majeure; and/or (k) the suspension, interruption or termination of Services in accordance with the Agreement.

6.5 Customer acknowledges that Customer shall reimburse G-Core for any Services provided by G-Core if G-Core was not obliged to provide this Services due to an Excluded Cause. In particular, G-Core reserves the right to charge Customer for resources devoted by G-Core to the receipt, investigation, troubleshooting and/or clearance of Defects reported by Customer that are not attributable to G-Core (e.g., no Defect is found or the reported Defect is caused by an Excluded Cause). If a Defect reported by Customer is found not to be attributable to G-Core, then Customer shall compensate G-Core at G-Core’s then current hourly rates (depending on the level of technical qualification of G-Core’s personnel that investigated the alleged Defect) and for any expenses G-Core may have incurred (e.g. for using G-Core’s Affiliates and/or G-Core’s subcontractors) when investigating and/or remedying the alleged Defect. G-Core will invoice these charges for the Defect support and Customer shall make payment in accordance with the terms of the Agreement.

7.Grant of Rights, Intellectual Property

7.1 G-Core grants to Customer, as applicable, the non-exclusive right to access and use the Services during the Term solely for the purposes of this Agreement. As between the Parties and subject only to the rights of use expressly granted by G-Core herein, G-Core retains all worldwide rights, title and interest in and to the Services, G-Core equipment, network and methodologies, software or other Intellectual Property Rights embodied therein provided in connection with the Services, G-Core Confidential Information, all revisions thereto, derivatives thereof and all Intellectual Property Rights therein, whenever developed. Customer will not, except insofar as permitted by applicable law, and will require End Users to not, either directly or indirectly, reverse engineer, decompile, disassemble or otherwise attempt to derive source code or other trade secrets from Services or G-Core Confidential Information. Customer will provide reasonable assistance to G-Core, at G-Core’s cost, to secure protection of G-Core’s Intellectual Property Rights, including assistance in preparing and filing applications, registrations, assignments and other instruments to perfect title.

7.2 Customer grants to G-Core, and its agents, suppliers and subcontractors, the non-exclusive right to access and use, ingest, reproduce, format, store, distribute, display, perform and make modifications to Customer Content, including encoding, decoding, translating, compressing, decompressing, encrypting, decrypting, repackaging, encapsulating, de-encapsulating, chunking, segmenting, storing, transmitting, distributing, making derivative works of and otherwise managing instances of such Customer Content and associated metadata, solely for the purposes of this Agreement. The foregoing license includes the creation, storage, duplication, modification and distribution of packages that include Customer Content in connection with the performance by G-Core of the Services requested by Customer pursuant to this Agreement. As between the Parties and subject only to the licenses expressly granted by Customer herein, Customer or End Users, as applicable, retain all rights, title and interest in and to Customer Content, Customer Confidential Information and other Customer Intellectual Property Rights. Except insofar as permitted by applicable law, G-Core will not, either directly or indirectly, reverse engineer, decompile, disassemble or otherwise attempt to derive source code or other trade secrets from Customer Content or Customer Confidential Information.

8.Data Protection

8.1 In relation to the processing of any personal data under or in relation to this MSA, each Party agrees to comply with its respective obligations under the European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation") and local laws and regulations where applicable (together with the General Data Protection Regulation, the "Data Protection Laws") and to co-operate with the other Party in putting in place any procedures or documents as may be required in this regard.

9. Processing by G-Core as a Data Contoller and Data Processor

9.1. The Parties understand that G-Core may process Customer Data which qualifies as personal data under Data Protection Laws in order to incorporate such Customer Data into databases controlled by G-Core and its Affiliates for the purpose of administration, billing and reconciliation, verification of Customer identity and solvency, maintenance, support and product development, fraud detection and prevention, sales, revenue and Customer analysis and reporting, marketing and Customer use analysis. In this regard, G-Core in principle acts as a data controller and ensures that it will honor its obligations under Data Protection Laws.

9.2. In this context, the Customer is requested to kindly communicate the information below to the natural persons to whom the Customer Data relate (the "Data Subject(s)") and/or to take note of such information to the extent that he/she is such a Data Subject.

9.3. The personal data collected and processed by G-Core shall include: name, position, title, contact information (phone, email, physical or postal address etc.), connection data, localization data, IP addresses, browser data, account data, and employer information (the "Personal Data")

9.4. In addition to transfers to Affiliates, G-Core will transfer the Personal Data to several service provider(s) acting as data processor(s) (the "Data Processor(s)") for the purposes of customer relations management (HubSpot Ireland Limited), marketing (Popcorn Metrics Limited, United Kingdom; Google Ireland Limited, Ireland), storage and transfer of information (Microsoft Ireland Operations Limited, Ireland), enterprise management, financial reporting and accounting (SAP Deutschland SE & Co. KG), internal communications and task tracking (Atlassian Pty Ltd, Australia; Slack Technologies Limited, Ireland), support (Intercom R&D Unlimited, Ireland; Zendesk Inc, United States). This list is subject to change, details can be obtained by sending a request to privacy@gcore.lu The Data Subject acknowledges that the Data Processor(s) act(s) on the instructions of G-Core and might have access to his/her Personal Data. The Data Subject further understand that his/her Personal Data might be disclosed to administration and public authorities, social security services, insurance, banking institutions, professional advisers and auditors of the Company (the "Recipients").

9.5. The Data Subjects are hereby informed that the Data Processor(s) and the Recipients might be located inside or outside of the EU/EEA in countries which are not deemed by the European Commission to provide for an adequate level of protection, meaning that is equivalent to the protection afforded under European data protection standards. G-Core has thus put in place contractual model clauses. The Data Subject may obtain a copy of such safeguard by sending a request to privacy@gcore.lu

9.6. The Personal Data of the Data Subjects shall be saved for the duration of this MSA and moreover, the business relationship between the Parties, and for a period of ten (10) years following the termination thereof.

9.7. The Data Subject has the right to request access to his/her Personal Data. He/she may require that his/her Personal Data are rectified in case of error.

9.8. The Data Subject may also request that his/her Personal Data are erased or that data processing be restricted if the Personal Data may no longer be legitimately held or processed. The Data Subject further has a right of objection and a right to data portability under the conditions laid down under Data Protection Laws.

9.9. The Data Subject may exercise his/her rights by writing to G-Core at the address mentioned on the first page of this MSA.

9.10. The Data Subject has the right to lodge a complaint with a supervisory data protection authority (for Luxembourg: Commission Nationale pour la Protection des Données).

9.11. The Parties understand that G-Core may process Customer Data and End User Data which qualifies as personal data under Data Protection Laws in connection with the provision of the Services to Customer, and thus for the avoidance of doubt excluding any processing of Customer Data for the purposes mentioned under point A above. The Parties agree that in this context, Customer will act as a data controller and G-Core as a data processor, acting upon instruction and on behalf the Customer. Provided that the Customer, as a data controller, has a legal obligation to enter into a data processing agreement with its data processors, the Parties have concluded such Data Processing Agreement which is included in Annex A of this MSA and which lays down the terms and conditions of the processing of personal data by G-Core as a data processor.

9.12. For the avoidance of doubt, such Data Processing Agreement forms an integral and essential part of this MSA.

10.Confidentiality

10.1 “Confidential Information” means, with respect to a Party (“Disclosing Party”), all non-public confidential information pertaining to such Party’s business (including such information of a Party’s subcontractor or a Party’s Affiliate), in particular information containing customer lists, customer information, technical information (including technical layouts and designs, configurations of cables, network etc.), pricing information, trade secrets, financial positions, customer communications or proposals, benchmarking information, satisfaction surveys or information relating to business planning or business operations and the terms of this Agreement including any Service Order. G-Core and Customer will comply with this section 10 when exchanging Confidential Information under this Agreement, including any Service Order. Confidential Information will be designated and/or marked as confidential when disclosed. However, any information that the Party receiving such information (“Receiving Party”) knew or reasonable should have known, under the circumstances, was considered confidential or proprietary by the Disclosing Party, will be considered Confidential Information of the Disclosing Party even if not designated or marked as such.

10.2 The Receiving Party shall preserve the confidentiality of the Disclosing Party’s Confidential Information and treat such Confidential Information with at least the same degree of care that Receiving Party uses to protect its own Confidential Information, but not less than a reasonable standard of care. The Receiving Party will use the Confidential Information of the Disclosing Party only to exercise rights and perform obligations under this Agreement. Confidential Information of the Disclosing Party will be disclosed only to those employees of the Receiving Party with a need to know such information. G-Core may, for the purpose of exercising rights and performing obligations under this Agreement, disclose Confidential Information of Customer also to G-Core’s Affiliates and G-Core’s subcontractors.

10.3 The Receiving Party shall not be liable to the Disclosing Party for the release of Confidential Information if such information: (a) was known to the Receiving Party on or before Effective Date without restriction as to use or disclosure; (b) is released into the public domain through no fault of the Receiving Party; (c) was independently developed solely by the employees of the Receiving Party who have not had access to Confidential Information; or (d) is divulged pursuant to any legal proceedings or otherwise required by law.

10.4 The Receiving Party’s obligation under this section 10 shall expire five years after termination of this Agreement.

11.Warranties

11.1 G-Core warrants that it shall provide Services in compliance with applicable laws and regulations and in a professional and workmanlike manner. G-Core shall use all commercially reasonable efforts to provide Services without interruptions (including the Service Levels) as set forth in the applicable SLA. The Parties acknowledge, however, that it may be technically impracticable to provide Services free of any defects or interruptions. Therefore, G-Core cannot and does not guarantee that Services will be uninterrupted or error free.

11.2 In the event of defects or interruptions of Services, Customer shall only be entitled to the remedies, if any, as specified in the relevant Service Order or the SLA.

11.3 Except as otherwise set forth in section 11, G-Core does not make and disclaims (i) all warranties that the Services will be uninterrupted, defect-free or completely secure, and (ii) the implied warranties of merchantability and fitness for a particular purpose. All Services are provided on an “as is” basis and Customer’s use of the Services is solely at its own risk.

11.4 Customer represents and warrants that it owns, controls or possesses all necessary rights to the Customer Content and any materials it supplies to G-Core, including the programs and any advertising therein, free and clear of any and all claims, rights and obligations whatsoever and is empowered to grant the rights, licenses and privileges granted in this Agreement.

12.Indemnification

12.1 Customer will, at its cost, defend, indemnify and hold harmless G-Core and its officers, directors, employees, agents and permitted successors and assigns (each a “G-Core Indemnitee”) through final judgment or settlement, from and against any third-party claim, action, suit, proceeding, judgments, settlements, losses, damages, expenses (including reasonable legal fees and expenses) and costs (including allocable costs of in-house counsel) (“Claim”) brought against a G-Core Indemnitee arising out of or based upon (a) bodily injury, death or loss of or damage to real or tangible personal property to the extent that such Claims were alleged to have been proximately caused by any negligent act, omission or wilful misconduct of Customer or their respective agents or employees; (b) operation or use of Customer’s products, websites or services; (c) Customer Content, including any allegation that Customer Content or any other data or information provided by Customer infringes any third party Intellectual Property Rights or otherwise violates applicable law; (d) Customer’s failure to comply in any material respect with the AUP or applicable law; (e) the unauthorized use of or access to Services by any person using Customer’s systems or network; (f) G-Core’s compliance with Customer specifications; (g) a combination or modification of the Services by or on behalf of Customer by anyone other than G-Core or its authorized agents; (h) distribution (including by sale or importation), decoding, decrypting, duplication, storage, display/playback, modification or any other use of Customer information by any entity other than G-Core; or (i) information, data, or other Customer Content provided by or on behalf of Customer to G-Core.

12.2 G-Core will, at its cost, defend, indemnify and hold harmless Customer and its officers, directors, employees, agents and permitted successors and assigns (each a “Customer Indemnitee”) from and against any third-party Claim brought against Customer Indemnitee based upon allegations that Services directly infringe any patent issued as of the Effective Date of this Agreement under the laws of the country in which the Services are being provided to Customer or any third party copyright. Notwithstanding the foregoing, G-Core will have no liability for any infringement of patents, copyrights or other intellectual property rights based upon or resulting from Customer Content, use of Services in a manner not specified in applicable G-Core documentation, or services or products not supplied by G-Core. If Services, or any material portion thereof are determined to infringe and the use enjoined, G-Core will have the option, at its sole cost, to (i) obtain the right for Customer to continue using Services, (ii) modify Services so that they are non-infringing, (iii) substitute functionally similar, non-infringing services or (iv) if none of the foregoing is available to G-Core on commercially reasonable terms, terminate the Agreement and return to Customer any unused Customer prepaid Fees for which Services have not been provided as of the date of termination.

12.3 The G-Core Indemnitee or Customer Indemnitee as applicable (each an “Indemnified Party”) will (a) promptly provide notice to the indemnifying Party (“Indemnifying Party”) of any Claim for which indemnity is claimed (provided, that, any delay in providing notice will not relieve the Indemnifying Party of its obligations hereunder, except to the extent that the Indemnifying Party is materially prejudiced by such delay); (b) permit Indemnifying Party to control the defense of any such Claim; and (c) provide reasonable assistance at Indemnifying Party’s reasonable cost. Subject to the foregoing, in any Claim for which indemnification is sought, Indemnifying Party may select legal counsel to represent Indemnified Party (such counsel to be reasonably satisfactory to Indemnified Party) and to otherwise control the defense. If Indemnifying Party elects to control the defense, Indemnified Party may fully participate in the defense at its own cost. If Indemnifying Party, within a reasonable time after receipt of notice of Claim, fails to defend Indemnified Party, Indemnified Party may defend and compromise or settle the Claim at Indemnifying Party’s cost. Notwithstanding the foregoing, Indemnifying Party may not consent to entry of any judgment or enter into any settlement that imposes liability or obligations on Indemnified Party or diminishes Indemnified Party’s rights, without obtaining Indemnified Party’s express prior consent, such consent not to be unreasonably withheld or delayed, other than cessation of infringing activity, confidential treatment of the settlement, and/or payment of money that is fully indemnified by the Indemnifying Party under this Agreement.

12.4 This section 12 provides the sole and exclusive remedy of Customer and the exclusive obligations of G-Core in connection with any third party claim, action, suit or other demand asserted against Customer as described in subsection 12.2 above (in respect of G-Core’s obligations to indemnify Customer only) and G-Core disclaims all other warranties and obligations with respect thereto. G-Core’s obligations under this section 12 are subject to the limitations in section 13 below.

13.Liability

13.1 With the sole exception of wilful misconduct or fraud and without prejudice to any limitation of liability contained elsewhere in this Agreement or in any other contractual documents being part of this Agreement, especially in any relevant Service Order concluded hereunder, G-Core’s total liability to Customer in the aggregate for the entire Term as defined in section 15 below (regardless of whether the claims are brought during or after the term) with respect to all claims arising from or relating to the subject matter of this Agreement (including any relevant Service Order hereunder) will at no time exceed fifty per-cent (50%) of the amount of Fees actually paid by Customer to G-Core under this Agreement and any Service Orders concluded hereunder. As a further limitation, G-Core’s maximum liability for any claims relating to Services offered or provided by G-Core (i) for non-recurring Fees shall not exceed the amount of the Fees for the Services provided on the occasion giving rise to the claim; (ii) for recurring Fees shall not exceed the amount of Fees due for one month for the Services provided on the occasion giving rise to the claim.

13.2 Subject only to the exception of wilful misconduct or fraud, G-Core shall under no circumstances be held liable for any (a) economic loss, loss arising from or in connection with loss of revenues, profits, contracts, goodwill, customers or business or from failure to realize anticipated savings; (b) loss or corruption of any software; (c) loss or corruption of any data; (d) loss of use of hardware or other equipment, of software or data; (e) wasted administrative time or management time; (f) cost of procuring or migrating to substitute services; and (g) any indirect, consequential or special loss.

13.3 Customer’s liability claims shall expire after one year following the damaging incident.

13.4 The limitations of liability set forth in this section 13 apply to all claims and causes of action by Customer with respect to all claims arising from or relating to the subject matter of this Agreement (including any relevant Service Orders thereunder), regardless of whether for breach of contract, tort (including negligence) or for any other reason.

14.Force Majeure

14.1 Force Majeure means any circumstance not within a party’s reasonable control including, without limitation: (a) acts of God, flood, drought, earthquake or other natural disaster; (b) epidemic or pandemic; (c) terrorist attack, civil war, civil commotion or riots, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or breaking off of diplomatic relations; (d) nuclear, chemical or biological contamination or sonic boom; (e) any law or any action taken by a government or public authority, including without limitation imposing an export or import restriction, quota or prohibition, or failing to grant a necessary licence or consent; (f) collapse of buildings, fire, explosion or accident; (g) any labour or trade dispute, strikes, industrial action or lockouts; and (h) non-performance by suppliers or subcontractors (other than by Affiliate of party seeking to rely on this section).

14.2 Provided it has complied with subsection 14.3, if a party is prevented, hindered or delayed in or from performing any of its obligations under this agreement by an event of Force Majeure (Affected Party), the Affected Party shall not be in breach of this agreement or otherwise liable for any such failure or delay in the performance of such obligations. The time for performance of such obligations shall be extended accordingly.

14.3 The Affected Party shall:

(a) as soon as reasonably practicable after the start of the event of Force Majeure but no later than three Days from its start, notify the other party in writing of the Force Majeure, the date on which it started, its likely or potential duration, and the effect of the Force Majeure on its ability to perform any of its obligations under the agreement; and

(b) use all reasonable efforts to mitigate the effect of the Force Majeure Event on the performance of its obligations.

If the Force Majeure prevents, hinders or delays the Affected Party’s performance of its obligations for a continuous period of more than six weeks, the Party not affected by the Force Majeure may terminate this agreement by giving one weeks’ written notice to the Affected Party.

15.Term and Termination

15.1 This Agreement will commence on the Effective Date and will remain in effect for the initial period of 12 months, unless another initial subscription period is agreed in the Service Order (“Initial Subscription Period”). The Services will renew automatically for periods equal to the Initial Subscription Period (each, a “Renewal Term”) unless, at least thirty Days before expiration of the Initial Subscription Period or, subsequently, the Renewal Term, either Party provides notice of non-renewal. The Initial Term and all Renewal Terms are collectively, the “Term”. If the Parties enter into a Service Order that expires after the Term, the Term will be deemed to expire on the same date as such Service Order.

15.2 Customer may terminate this Agreement for cause, upon notice to G-Core, if (i) a receiver or administrator is appointed for G-Core or its property; (ii) G-Core makes a general assignment for the benefit of its creditors; (iii) G-Core commences, or has commenced against it, proceedings under any bankruptcy, insolvency or debtor’s relief law which are not dismissed within sixty Days; (iv) G-Core is liquidated or dissolved; (v) G-Core ceases to do business or otherwise terminates its business operations; or (vi) G-Core materially breaches this Agreement and such breach continues unremedied for twenty Days after receipt of notice from Customer. For clarity, a Downtime (as defined in the SLA) is not grounds to terminate this Agreement for cause; Customer’s sole remedy for a Downtime is set forth in the SLA.

15.3 G-Core may terminate this Agreement for cause and/or suspend Services upon notice to Customer if (i) a receiver or administrator is appointed for Customer or its property; (ii) Customer makes a general assignment for the benefit of its creditors; (iii) Customer commences, or has commenced against it, proceedings under any bankruptcy, insolvency or debtor’s relief law which are not dismissed within sixty Days; (iv) Customer is liquidated or dissolved; (v) Customer ceases to do business or otherwise terminates its business operations; (vi) Customer fails to pay all invoiced Fees within thirty Days from the invoice date; (vii) any use of Services, including Customer Content, actually or allegedly infringes or misappropriates any Intellectual Property Rights or otherwise violates the AUP or any applicable law, regulation or order; or (viii) Customer otherwise materially breaches this Agreement and such breach continues unremedied for twenty Days after receipt of notice from G-Core. G-Core may terminate, interrupt or suspend Service without prior notice if necessary to (1) prevent or protect against fraud, (2) protect G-Core’s personnel, facilities, equipment, network or services, (3) prevent violation of section 10 or infringement upon the rights of others or (4) prevent potential material liability.

15.4 Upon expiration or termination of the Agreement for any reason, (i) all rights to access or use Services and any other G-Core Intellectual Property Rights will terminate and G-Core will cease providing same, (ii) Customer will pay to G-Core all Fees accrued but unpaid as of the date of expiration or termination, (iii) all liabilities accrued before the date of expiration or termination will survive and (iv) Customer will return or destroy, and certify in writing to G-Core such destruction of, all copies of G-Core Confidential Information.

15.5 If Customer terminates the Agreement without cause or if G-Core terminates the Agreement for cause pursuant to section 15.3, Customer will be billed and pay to G-Core an amount equal to Customer’s MRCs from the effective Service Orders multiplied by the number of months remaining in the applicable committed term or subscription term (“Early Termination Fee”). The Parties agree that G-Core’s damages in the event of the foregoing will be difficult or impossible to ascertain; therefore, the foregoing is intended to establish liquidated damages in such event and is not a penalty. If Customer terminates the Agreement for cause pursuant to subsection 15.2, Customer will not be obligated to pay Early Termination Fee.

15.6 In preparing a final invoice to Customer, which Customer will pay pursuant to the terms of this Agreement, G-Core will (i) calculate the balance due, (ii) deduct from such balance the unused portion, if any, of any prepaid Fees or Customer deposit and (c) bill Customer for the remaining balance due. If there remains an unused portion of any prepaid Fees or Customer deposit after satisfaction of the balance due, G-Core will refund to Customer such unused portion.

16.Suspension of Services

16.1 G-Core may, upon giving notice to Customer, without prejudice to any of G-Core’s rights to terminate this Agreement or any Service Order hereunder, suspend provision of all or any of Services in the event that

(a) suspension of Services is required in order to comply with the directive of an authority and/or court;

(b) G-Core has grounds for suspecting that Customer is committing any illegal or unlawful act in connection with the use of Services;

(c) if Customer is in default with its payment obligations under any Service Order for more than thirty Days, and/or

(d) any other provision within this Agreement or Service Order allows G-Core to suspend provision of all or any of Services.

16.2 If any Services are suspended as a consequence of Customer’s act or omission, (i) Customer shall remain liable to pay the respective Fees as if Services had been properly provided by G-Core, and (ii) Customer shall reimburse G-Core for any additional charges and expenses incurred due to the suspension and/or recommencement of Services.

17.Miscellaneous

17.1 During the Term, G-Core may publicize the existence of the relationship between the Parties for the purpose of its marketing activities. Subject to the foregoing, neither Party shall make any press announcements concerning the Agreement or publicize the Agreement in any way without the prior written consent of the other Party.

17.2 All notices, requests, approvals, consents and other communications required or permitted herein will be in writing and in English. Either Party may change its contact information upon notice to the other Party. For clarity, if a notice is not received because the receiving Party has failed to notify the other Party per the preceding sentence or because receipt is refused, such notice nonetheless will be deemed to have been conclusively made seven Days after delivery was reasonably initiated.

17.3 If any provision of this Agreement is held by a court of competent jurisdiction to be unenforceable or contrary to law, such holding will not render the Agreement unenforceable or contrary to law as a whole, and, in such event, such provision will be changed and interpreted so as to best accomplish the objectives of such provisions within the limits of applicable law.

17.4 Neither Party may assign this Agreement, in whole or in part, without the other Party’s express prior consent except that G-Core may freely assign any and all of its rights and obligations under this Agreement (a) to a parent or Affiliate or (b) in connection with a Change of Control. This Agreement will be binding upon and inure to the benefit of all permitted successors and assigns. Unless expressly permitted in writing by G-Core, Customer may not assign, transfer, distribute, resell, lease or otherwise provide access to the G-Core Services to any third party.

17.5 Each Party acknowledges that the Services, Confidential Information, hardware, software, technology, devices or other materials or information obtained from or provided to the other Party under this Agreement may be protected under, and subject to, import and export control laws of the European Union, its member states, or the United States, as well as those of equivalent in other jurisdictions; accordingly, their use, import, export and reexport, may be restricted, prohibited or necessitate securing licenses which either Customer or G-Core, as applicable, will obtain or provide information for the securing of such licenses, depending on who is designated as the importer and exporter in the transaction. Each Party agrees not to directly or indirectly export, re-export or cause to be exported or re-exported, any such Confidential Information, Services, hardware, software, technology, device or other such materials or information to any destination or entity prohibited or restricted under the laws of the European Union, its member states, or of the United States, unless it will have first obtained express prior consent of the disclosing party, the applicable agency or governmental body, either in writing as required hereunder or as provided by applicable regulation, as the same may be amended from time to time).

17.6 This Agreement, the Services Specifications, the SLA, the AUP and all Service Orders between the Parties are incorporated herein by reference, constitute the entire agreement between the Parties with respect to its subject matter and supersede all other prior or contemporaneous representations, understandings or agreements; and there are no other representations, understandings or agreements between the Parties relative to such subject matter.

17.7 From time to time this Agreement, including all Services Specifications, the SLA and the AUP can be modified by G-Core. Such modifications will not apply retroactively. The Customer will be notified by G-Core by email or a written notice in the Customer’s account in the G-Core system.

17.8 If there is an irreconcilable conflict between the terms and conditions of the Agreement and any other documents referenced herein, the conflict will be resolved in the following order of precedence: (a) this Agreement; (b) Services Specification; (c) SLA; and (d) AUP. If a provision of this Service Order conflicts with the aforementioned documents, those documents will take precedence, unless the conflicting provision in the Service Order explicitly amends Agreement, the Services Specification, the SLA or the AUP respectively.

17.9 This Agreement and any Service Order hereunder shall be governed by the laws of the Grand Duchy of Luxembourg, without regard to International Private Law. All disputes arising out of or in connection with the present contract shall be finally settled under the Rules of arbitration of the Arbitration Center of the Luxembourg Chamber of Commerce by three arbitrators appointed in accordance with said rules. Each Party waives any objection (on the grounds of lack of jurisdiction, forum non conveniens or otherwise) to the exercise of such jurisdiction over it by any such courts. The United Nations Convention on Contracts for the International Sale of Goods will not apply to the interpretation or enforcement of this Agreement and any Service Order hereunder.
ANNEX 1 TO THE MSA: DATA PROCESSING AGREEMENT

Between:

You, [______________________] (the «Customer»), a company organised under the laws of [________________], whose corporate seat is at [________________], who placed the Service Order or executed a similar document with reference to the MSA (hereinafter referred to as «Customer» or “Controller”)

And:

G-Core Labs S.A., a company organised under the laws of Luxembourg, whose corporate seat is at 2A, Rue Albert Borschette, L-1246 Luxembourg (hereinafter referred to as «G-Core» or “Processor”)

Controller and Processor are jointly referred to as “Parties” and singly as a “Party”.

WHEREAS

Processor will Process (as defined hereafter) Customer Data and End User Data which will mostly qualify as Personal Data (as defined hereafter) on behalf of Controller in the provision of the Services.

Controller has the legal obligation to enter into a data processing agreement with its processors.

Therefore, Parties wish to enter into the Data Processing Agreement (as defined hereafter) and lay down the terms and conditions of the Processing of Personal Data by Processor.

NOW THEREFORE, THE PARTIES HAVE AGREED AS FOLLOWS:

1 DEFINITIONS

1.1 Confidential Information as defined in the main body of the MSA includes, for the avoidance of doubt all documents, information or data exchanged under this Data Processing Agreement as well as the existence and content thereof.

1.2 Data Processing Agreement means this data processing agreement and its schedules.

1.3 Data Subject shall have the meaning given to it in the General Data Protection Regulation (EU) 2016/679.

1.4 Process/Processing shall have the meaning given to it in the General Data Protection Regulation (EU) 2016/679.

1.5 Personal Data shall have the meaning given to it in the General Data Protection Regulation (EU) 2016/679. A list of the Personal Data Processed by Processor and the Data Subjects concerned is set out in Schedule A.

1.6 Security Incident shall have the meaning as given to it in Article 6.

1.7 Any other capitalized notions that are not defined in this Data Processing Agreement shall have the meaning given to them in the main body of the MSA and/or the General Data Protection Regulation (EU) 2016/679.

2 SUBJECT MATTER

2.1 The Data Processing Agreement determines the rights and obligations of the Parties with regard to the Processing of Personal Data in the provision of the Services. The details of the Processing are set out in Schedule A.

2.2 Nothing in the Data Processing Agreement relieves a Party of its own direct responsibilities and liabilities under the General Data Protection Regulation (EU) 2016/679.

2.3 This Data Processing Agreement forms an integral part of the MSA and complements the main body of the MSA in relation to data protection. In case of discrepancy or conflict between the provisions of the main body of the MSA and/or any other contractual documentation entered into between the Parties and the provisions of the Data Processing Agreement, the latter will prevail. Any general matters, meaning non-specific to data protection, that are not specifically dealt with in this Data Processing Agreement (e.g. confidential information, intellectual property, liability, boiler plate clauses, etc. are dealt with in and in accordance with the main body of the MSA.

3 TERM OF THE DATA PROCESSING AGREEMENT

3.1 The Data Processing Agreement is entered into for the duration of the Services.

3.2 Articles 2, 12.2, 13, 14 shall survive termination of this Data Processing Agreement.

4 GENERAL OBLIGATIONS OF PROCESSOR

4.1 Processor and the persons acting under its authority (as specified in Schedule A) shall only Process Personal Data insofar as strictly necessary for the performance of the Services and only upon written instructions of Controller, subject to EU or EU member state statutory provisions to the contrary in which case Processor shall inform Controller of such legal requirement before Processing the Personal Data unless such law prohibits such information on important grounds of public interest.

4.2 Processor is not allowed to Process the Personal Data for any other purpose and acts as a processor as defined in the General Data Protection Regulation (EU) 2016/679. Processor shall immediately inform Controller if, in Processor’s opinion, an instruction breaches EU or EU member state data protection provisions.

4.3 Processor shall implement appropriate procedures and any associated measures that will ensure that Controller’s instructions can be complied with, including but not limited to measures enabling compliance with any request of a Data Subject.

4.4 Processor shall assist Controller, where necessary and upon Controller’s first request, in ensuring compliance with any data protection obligations including but not limited to the performance of a data protection impact assessment or the prior consultation of a supervisory or other competent authority.

4.5 Processor shall notify Controller immediately of, and provide details of, any investigation of any supervisory authority or other competent authority insofar as this is allowed pursuant to applicable laws, rules and regulations.

5 SECURITY MEASURES

5.1 Processor shall ensure that all necessary technical and organisational measures are in place, as described in Schedule B, to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and all other unlawful forms of processing, each incident in relation to the aforementioned being referred to hereafter as a “Security Incident”.

6 NOTIFICATION AND HANDLING OF SECURITY INCIDENTS

6.1 Processor shall promptly notify Controller in writing of any Security Incident affecting Personal Data Processed by Processor pursuant to the Data Processing Agreement within 48 hours following the occurrence of the Security Incident or immediately upon learning of the Security Incident, whichever is later. The notice shall summarise in reasonable details the impact of the Security Incident on Controller and any Data Subjects who may be affected by it.

6.2 Processor shall reasonably cooperate with Controller in the latter’s investigation of the Security Incident.

7 AUDIT

7.1 Controller is entitled to periodically inspect compliance with the Data Processing Agreement (including the security measures taken), upon giving a 15 days prior written notice. Controller may contract out this inspection to an external independent auditor. The conditions of the audit will be agreed between the Parties on a case by case basis. Processor shall at all times make available all information necessary to demonstrate compliance with its obligations and shall provide all reasonable assistance.

7.2 Processor shall grant competent supervisory and other authorities who have the legal right to carry out an investigation of Controller’s or Processor’s processing activities, such access to its premises, computer and other information systems and records as may be reasonably required.

8. REQUESTS AND COMPLAINTS BY DATA SUBJECTS

8.1 Processorshall notify Controller immediately in writing upon receipt of a request to access or correct Personal Data or an objection from a Data Subject. Processorshall assist Controller in taking any reasonable action the latter deems appropriate in dealing with such a request or objection, including immediately providing Controller, upon request, with a copy of any Personal Data it holds in relation to the relevant Data Subjects and a written description of the processing activities involving such Personal Data since the collection thereof.

8.2 Processor shall:

a) immediately notify Controller, in writing, of any complaint received from a Data Subject relating to the Processing of Personal Data or any allegation by a Data Subject that Controller or Processordo not comply with any applicable law relating to the protection of Personal Data;

b) assist Controller in taking any reasonable action it deems appropriate to deal with such a complaint or allegation, including immediately providing Controller with a description of any Personal Data it holds in relation to the relevant Data Subjects and processing activities involving such Personal Data since the collection

9 TRANSFER/ACCESS OUTSIDE THE EUROPEAN UNION

9.1 Controller understands and agrees that Processor, its Affiliates and their respective agents may Process Personal Data in countries outside the European Union/EEA that are not deemed by the European Commission to provide for an adequate level of protection. Controller understands and agrees (that it will need) to take any measures required to legitimize such transfer of Personal Data outside the European Union/EEA under the General Data Protection Regulation (EU) 2016/679 and any other applicable data protection regulations (e.g. via the conclusion of an agreement based on EU Standard Contractual Clauses).

9.2 This obligation is subject to EU or EU member state contrary statutory provisions in which case Processorshall inform Controller of such legal requirement before granting access to or transferring Personal Data, unless such law prohibits such information on important grounds of public interest.

10 SUBCONTRACTING

10.1 Controller authorises Processor to rely on the following subprocessors:the Affiliates of G-Core and independent service providers for various purposes: customer relations management (HubSpot Ireland Limited), marketing (Popcorn Metrics Limited, United Kingdom; Google Ireland Limited, Ireland), storage and transfer of information (Microsoft Ireland Operations Limited, Ireland), enterprise management, financial reporting and accounting (SAP Deutschland SE & Co. KG), internal communications and task tracking (Atlassian Pty Ltd, Australia; Slack Technologies Limited, Ireland), support (Intercom R&D Unlimited, Ireland; Zendesk Inc, United States). This list is subject to change, details can be obtained by sending a request to privacy@gcore.lu Processor shall remain fully and unconditionally liable for the performance by any subcontractor of the obligations or parts of it arising out of any agreement between Controller and Processor.

10.2 Prior to using any subcontractor(s), Processorshall also enter into a written agreement with such subcontractor which obliges this subcontractor to comply with all relevant obligations imposed on Processorin this Data Processing Agreement. Processor shall provide Controller with written confirmation thereof either by providing a copy of the data processing agreement entered into with the subcontractor(s) or by providing a signed statement in this respect.

11 CONFIDENTIALITY

11.1 Anyone acting under the authority of the Processor, as well as the Processoritself, where they have access to Personal Data, may only Process such Personal Data if they are required to treat as confidential the Personal Data which comes to their knowledge, except where the communication of such Personal Data is required by the proper performance of their duties under EU or EU member state law to which Processoris subject, in which case Processor shall inform Controller of such legal requirement before communicating the Personal Data unless such law prohibits such information on important grounds of public interest.

12 RETENTION OF PERSONAL DATA

12.1 Processor shall retain the Personal Data provided by Controller or collected for or on behalf of Controller only for as long as necessary in order to provide the Services.

12.2 Upon termination of the Services, all Personal Data and all other information provided by Controller including all copies in whatever form in the Processor’s possession or control shall further and according to the instructions of Controller at Controller’s choice either be i) destroyed, ii) returned to Controller, or iii) returned to a processor designated by Controller, upon Controller’s first request, unless EU or EU member state law requires Processorto keep the data. In the latter case, Processorshall inform Controller of such legal requirement unless such law prohibits such information on important grounds of public interest.

12.3 When the Personal Data is returned, all existing copies in the Processor’s information systems must be destroyed. Once destroyed, the Processor must demonstrate, in writing, that this destruction has taken place.

13 RETENTION OF PERSONAL DATA

13.1 The provisions of the main body of the MSA regarding liability and indemnification apply to this Data Processing Agreement.

14 GOVERNING LAW

14.1 The provisions of the main body of the MSA regarding governing law apply to this Data Processing Agreement.

This Data Processing Agreement may be executed in any number of counterparts, including scanned PDF documents. Each such counterpart shall be deemed an original instrument, and all of such counterparts, together, shall constitute one and the same executed Data Processing Agreement.

SCHEDULE A. — OVERVIEW OF PERSONAL DATA AND DATA SUBJECTS

1 THE NATURE AND THE PURPOSE OF THE PROCESSING

Processor is a provider of content delivery network (CDN), hosting, IT security and similar services. Processor may process Personal Data in accordance with the terms of the main body of the Master Services Agreement and other contractual documents in place between the Parties.

2 DURATION OF THE PROCESSING

For the term of the Services

3 PERSONAL DATA PROCESSED BY PROCESSOR

The Personal Data may include: name, position, title, contact information (phone, email, physical or postal address etc.), connection data, localization data, IP addresses, browser data, account data, and employer information

4 DATA SUBJECTS CONCERNED

The Data Subjects concerned may include: End Users, the Customer (natural persons), employees of the Customer (legal person); contractors, consultants and agents who are natural persons of the Customer and their employees; third parties who are natural persons with which Customer conducts business and their employees; any other natural person who receives access to G-Core’s Services or software upon authorization by the Customer.

SCHEDULE B. — TECHNICAL AND ORGANIZATIONAL MEASURES

1 PHYSICAL ACCESS CONTROL

Measures to prevent unauthorized persons from gaining access to data processing systems for processing or using Personal Data:

a) Definition of persons who are granted physical access;
b) Electronic access control;
c) Issuance of access IDs: cards within a centralized access system is provided by landlord in the Luxembourg and Perm office, self-issued by G-Core Labs in its Moscow office;
d) Alarm device or security service outside service times in the headquarters in Luxembourg;
e) Security doors (electronic door opener, ID reader);
f) Implementation of measures for on-premise security (e.g. intruder alert/notification).

2 LOGICAL ACCESS CONTROL

Measures to prevent that unauthorized persons use data processing equipment and –procedures:

a) Definition of persons who may access data processing equipment;
b) Implementation of policy for external individuals;
c) Password protection of personal computers.

3 DATA ACCESS CONTROL

Measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights:

a) Allocation of separate terminals/work stations and of ID-parameters exclusively to specific functions;
b) Implementation of partial access rights for respective Personal Data and functions;
c) Requirement of identification vis-à-vis the data processing system (e.g. via ID and authentication;
d) Implementation of policy on access- and user-roles;
e) Evaluation of protocols in case of damaging incidents.

4 DATA TRANSFER CONTROL

Measures to ensure that data (including Personal Data) cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of personal data by means of data transmission facilities can be established and verified. Encryption is enabled in certain instances.

Transport, transfer and transmission of Personal Data is further described in the privacy policy and the applicable provisions of the Master IT-Services Agreement. For the purpose of security, remote access to the network and resources is provided through VPN.

5 ENTRY CONTROL

Measures to ensure that it is possible to check and ascertain whether data (including Personal Data) have been entered into, altered or removed from data processing systems and if so, by whom:

a) Logging of data entry.

6 CONTROL OF INSTRUCTIONS

Measures to ensure that Personal Data processed on behalf of others are processed strictly in compliance with Controller’s instructions:

a) Documentation of distinction of competences and obligations between Controller and Processor;
b) Formal assignment process;
c) Control of work results.

7 AVAILABILITY CONTROL

Measures to ensure that data (including Personal Data) is protected against accidental destruction or loss:

a) Realization of a regular backup schedule;
b) Implementation and regular control of emergency power systems and overvoltage protection systems;
c) Implementation of an emergency plan;
d) Protocol on the initiation of crisis- and/or emergency management.

8 CONTROL OF DATA SEPARATION

Measures to ensure that data (including Personal Data) collected for different purposes can be processed separately.

a) Logical separation of data of each of Processor’s clients.
Colocation Services Specification

G-CORE COLOCATION SERVICES SPECIFICATION

Last updated: July 25, 2018

G-Core Labs S.A. (“G-Core”) and the Customer of G-Core (“Customer”) will comply with the following Colocation Services Specification (“Specification”) with respect to Customer’s use of the Services provided by G-Core pursuant to the G-Core Master Services Agreement (“MSA”) and any Service Order thereunder concluded between G-Core and Customer.

The Colocation Services Specification is part of the MSA. Terms not defined herein shall have the same definition as within the MSA.

1.Definitions

Accompanying Person(s) means any person(s) other than Authorized Personnel accompanying Customer while at a G-Core Data Center.

Authorized Personnel means any member of staff of G-Core, G-Core’s affiliates or subcontractors that is providing Escorted Access to Customer and/or who is otherwise in charge or entitled to give instructions to customers at the respective G-Core Data Center.

Cross Connect means a physical or wireless interconnection within a G-Core Data Center that (i) exits Customer's cage or (ii) connects Customer to another G-Core customer.

Customer Cross Connect means a physical interconnection, including cables, connections, and other wiring, that (i) does not exit Customer's cage; (ii) does not connect Customer to another G-Core customer; and (iii) interconnects (a) Customer’s Equipment or (b) G-Core-provided SDP Equipment in Customer's cage with Customer's Equipment.

Customer’s Equipment means all network, computer and other equipment provided, leased, owned or otherwise directly or indirectly controlled by Customer, Customer’s affiliates or subcontractors or Accompanying Persons (including wiring and connections between such equipment and Customer’s demarcation equipment) located at a G-Core Data Center, excluding Cross Connects and G-Core’s SDP Equipment.

Limit means for any power circuit, the lesser of (i) the power rating for such power circuit stated in the respective Service Order (80% of the rated capacity for power circuits in G-Core Data Centers in the Asia Pacific region) or (ii) the rated capacity pursuant to the applicable local codes.

Service Delivery Point Equipment or SDP Equipment means (1) patch panels, DSX panels for category 5 twisted pair, co-axial, single and multi-mode fiber, or (2) other appropriate (as reasonably determined by G-Core) point of demarcation for interconnection or power distribution equipment.

Ports mean all wiring, connections, circuitry and utility ports at the SDP Equipment.

Redundant Power Circuit Pair means two identical power circuits installed in the same cabinet or rack (neither of which are part of another pair of circuits in the same cabinet or rack) that are fed from diverse power busses and are powering only equipment with redundant power supplies capable of auto-failover.

Unordered Service means a G-Core service used by Customer without coverage by an Service Order for such service.

G-Core Data Center means the data centers of G-Core, G-Core’s Affiliates or subcontractors in which Customer receives Services from G-Core pursuant to an Service Order.

G-Core Data Center Property means the real property on which, and the building in which, a G-Core Data Center is located.

G-Core Power Distribution System means any and all Hendry panels (or other data center distribution panels that are compliant with G-Core specifications), locks, and power strips and electrical, utility, or power distribution systems and items that are installed by G-Core.

2.Scope of Colocation Services

2.1 G-Core provides Customer with space, facilities and services necessary to install and operate Customer’s equipment and/or equipment of G-Core rented by Customer at the data center(s) of G-Core, G-Core’s Affiliates or G-Core’s subcontractors, including security control, environmental control, connectivity and power supply (including back-up power) (“Colocation Services”).

2.2 A Service Order will usually set forth the following: (a) the Colocation Services to be provided, (b) any Specifications pertaining to such Colocation Services, including the location where the Colocation Services will be provided at and the areas within that location (together the “Licensed Space”), (c) the term for the Colocation Services, (d) the Fees for the Colocation Services and (e) any other terms mutually agreed upon by the Parties.

2.3 G-Core shall provide the Colocation Services in accordance with the Service Levels set out in the SLA, provided by G-Core to Customer.

2.4 Physical access to the Licensed Space is restricted to G-Core personnel and designated personnel of Customer. G-Core personnel will accompany and supervise the designated personnel of Customer at all times during access to the Licensed Space (“Escorted Access”). G-Core will provide Escorted Access to Customer only for the purpose of removing Customer’s equipment from the Licensed Space and/or for testing, resetting, modifying and/or configuring the Customer’s equipment and/or equipment of G-Core rented by Customer located within the Licensed Space. During Escorted Access, Customer must comply (i) with all rules and procedures applicable to the Licensed Space, in particular any applicable acceptable use policy, and (ii) with all related orders and directions of G-Core’s personnel. Escorted Access will be charged with G-Core’s then current hourly rates (depending on the level of technical qualification of G-Core’s personnel to accompany and supervise Customer) and has to be requested by Customer at least five Days in advance. Instead of G-Core personnel, G-Core may also use personnel of G-Core’s subcontractors to provide Escorted Access to Customer and may charge G-Core’s respective expenses to Customer.

2.5 G-Core will provide Colocation Services only up to the relevant location at which G-Core’s responsibility to provide equipment and Services ends and where Customer’s responsibilities begin (“Service Delivery Point”), as identified within the Specifications, and shall not be responsible for providing any Colocation Services on Customer’s side of the Service Delivery Point or for providing in-house cabling or conduits unless agreed otherwise in the Service Order.

2.6 Unless agreed otherwise in the Service Order, Customer is solely responsible for providing and maintaining all necessary electronic communications required to linking the Colocation Services, including wiring, communication line access and networking devices.

2.7 The Colocation Service shall be provided subject to G-Core’s Acceptable Use Policy, available at https://gcorelabs.com/legal. Customer agrees to use the Colocation Services only in compliance with Acceptable Use Policy.

2.8 The Parties agree that if G-Core, in its sole discretion, determines that an emergency action is necessary to protect G-Core’s network, G-Core may block any path over G-Core’s network used by Customer.

2.9 While Customer has no right to use the Colocation Services after the Service Order expires or terminates, if G-Core permits Customer to do so in its sole discretion, Customer will remain bound by the terms of the MSA, including, without limitation, all payment obligations and such continued use may be terminated by G-Core immediately upon notice.

3.Delay of Colocation Services

3.1 Any tentative commencement date for provision of the Colocation Services (e.g. the Estimated Delivery Date) or lead-time provided by G-Core to Customer which is not specified as “Committed Commencement Date” by G-Core shall be deemed a target date for commencement of the Colocation Service and shall not be binding on or create any liability for G-Core.

4.Service Delivery

The ready for service date (“RFS Date”) for a Colocation Service shall be the date (a) on which G-Core sends a notification via email to Customer, confirming that the respective Licensed Space is ready for Customer’s use as agreed in the applicable Service Order, or (b) on which Customer starts using the Colocation Service without such notification by G-Core, whichever (a) or (b) is earlier.

5.Removal of Customer’s Property

Customer will remove all of Customer’s property, in particular any of Customer’s equipment, from the Licensed Space on or before the expiry or termination of the Service Order. Unless G-Core otherwise agrees in writing, failure to remove Customer’s property within seven Days from the expiry or termination of the Service Order or within twenty Days if the Service Order is terminated due to G-Core’s material breach, will be deemed an abandonment of Customer’s property and G-Core will be entitled to pursue all available legal remedies, including, without limitation and at Customer’s risk and costs, (i) immediately removing Customer’s property and storing it at Customer’s costs at another location of G-Core’s reasonable choice, (ii) shipping Customer’s property to Customer, or (iii) upon thirty calendar days prior written notice to Customer liquidating Customer’s property and retaining the proceeds.

6.Remote Hands Services

6.1 With respect to any hardware and/or hardware components and/or any other integral or ancillary technical equipment (including any storage media) and/or Colocation Services and/or Connectivity Services which are located at and/or provided at the Licensed Space of Customer, G-Core will provide upon request by Customer the following Services (together “Remote Hands Services”): (a) the installation and setup of new equipment for operational use by Customer, including the installation of software, drivers or firmware necessary for operational use of such new equipment, (b) the modification, (re-)configuration, resetting and/or power cycling of equipment, Colocation Services and/or Connectivity Services, including respective cabling and/or connections, and (c) exchanging removable storage media (e.g. hard drives etc.).

6.2 During the Service Times and via the means of communications as set forth in the Service Order, Customer may contact G-Core to issue a request for particular Remote Hands Services (each a “Service Request”). A Service Request shall include (a) Customer name and on-site technical contact information (telephone number, email address and hours of operation of the responsible Customer contact), (b) the specific date and time at which Customer wants G-Core to perform the requested Remote Hands Service, (c) any available serial numbers of the installed and/or new components to be installed, removed or otherwise modified or (re-)configured during the requested Remote Hands Service, and (d) a reasonably detailed description of the requested Remote Hands Service, together with any supporting information that Customer’s engineers believe will assist G-Core in its fulfillment of the Service Request.

6.3 Following G-Core’s receipt of the Service Request, G-Core will commence Remote Hands Services by analyzing the Service Request and providing Customer with the estimated time frame to complete the necessary Remote Hands Services. Any date and time specified by Customer for G-Core to perform the requested Remote Hands Service shall only be an Estimated Delivery Date.

6.4 Customer acknowledges that the timely and successful fulfillment of a Services Request requires good faith cooperation and frequent communication between the Parties as well as precise technical directions and orders by Customer. Remote Hands Services will be performed by G-Core solely as instructed by Customer. Further, Customer will furnish all information reasonably requested by G-Core to provide the respective Remote Hands Service, including provision of access to all relevant technical information, competent and qualified Customer personnel, facilities, equipment and software that G-Core or its personnel or subcontractors may reasonably request. Upon Customer’s request, G-Core will keep Customer informed on the progress regarding any Service Request.

6.5 G-Core reserves the right to reject a Service Request submitted by Customer, in particular if, in G-Core’s sole judgment, (a) G-Core lacks sufficient facilities, material, equipment, capacity or regulatory authority to fulfill the Service Request, (b) the requested Remote Hands Service would endanger technical equipment of G-Core or any third party, and/or (c) Customer does not provide sufficient information in accordance with subsection 6.4 above for G-Core to fulfill the respective Service Request.

6.6 After completion of a Service Request, G-Core shall notify Customer thereof via email. The date of that email shall be the RFS Date with respect to the Remote Hands Services provided when processing that Service Request.

6.7 G-Core will only provide Remote Hands Services as instructed by Customer. G-Core therefore does not make and disclaims (i) all warranties that the Remote Hands Services will be performed defect-free or completely secure, and (ii) the implied warranties of merchantability and fitness for a particular purpose. All Remote Hands Services are provided on an “as is” basis and Customer’s use of the Remote Hands Services is solely at its own risk. Section 11 of the MSA remains unaffected.

7.Conduct within G-Core Data Centers

7.1 Customer will:

(a) comply with all rules, regulations and procedures in effect at the G-Core Data Center;

(b) comply with all applicable laws in its use of its Licensed Space and its activities in the G-Core Data Center, and comply with all signs posted at any time (including changes in such signs) at the G-Core Data Centers concerning security procedures relating to the G-Core Data Centers;

(c) have full responsibility and liability for all acts or omissions of the designated personnel of Customer, including, as the case may be, any Accompanying Persons, and all such acts or omissions will be attributed to Customer for all purposes, including for the purposes of determining whether Customer has breached (i.e. failed to abide by) the MSA. Without limiting the foregoing, Customer is responsible and must ensure that Customer’s designated personnel, including, as the case may be, any Accompanying Persons, do not take any actions that Customer is prohibited from taking under the Policies;

(d) be responsible for and will use its Licensed Space only for configuring, providing, placing, installing, upgrading, adding, maintaining, repairing and operating Customer’s own technical equipment, or, as the case may be, rented hardware from G-Core, in a safe and lawful manner to the extent permitted by and subject to the terms of the MSA and any applicable Service Order concluded thereunder;

(e) use the restrooms, any shared work area, and any other common spaces in the G-Core Data Centers and the parking areas outside of the G-Core Data Centers in accordance with the terms of the MSA and any applicable Service Order concluded thereunder, and any rules or signs then posted in or near such areas in the respective G-Core Data Center;

(f) maintain its Licensed Space in an orderly and clean manner and in good repair and condition (reasonable wear and tear only excepted);

(g) deposit litter in designated receptacles or in appropriate locations outside the G-Core Data Centers;

(h) behave in a courteous and professional manner within the G-Core Data Centers and the G-Core Data Center Properties;

(i) immediately notify G-Core of any damage or risk of damage to the G-Core Data Centers or the G-Core Data Center Properties, or damage to any equipment or property of any person in the G-Core Data Centers or the G-Core Data Center Properties;

(j) comply with all applicable property control procedures, which may include providing Authorized Personnel with a description and the serial numbers of items brought into an G-Core Data Center that are valued by the Authorized Personnel at more than EUR 1,000 (or equivalent local currency) and/or providing the Authorized Personnel with the name, contact number and signature of the person removing such items;

(k) if applicable, be responsible for maintaining the confidentiality of Customer’s account numbers and passwords for using G-Core’s customer care website and for restricting and granting access thereto. Notwithstanding anything to the contrary, Customer is responsible and liable for all activities that occur under Customer’s account (including all payments owed for any orders for Services that are placed under Customer’s account), regardless of whether such activities are conducted by Customer or any other third party, and regardless of whether such orders are authorized by Customer. G-Core does not have any obligation to verify that anyone using Customer’s account and password has Customer’s authorization.

7.2 Customer will ensure that it does not do any of the following:

(a) install, touch, access, tamper with, damage, adjust, repair, interfere with, or breach the security of, the Licensed Space of other customers of G-Core or the equipment, property or services of any other customers, vendors, contractors or other parties that license, sublicense, lease or sublease space or otherwise utilize space at the G-Core Data Center or the G-Core Data Center Properties, or provide services or products to those who do;

(b) alter, tamper with, damage, adjust, repair, interfere with, or breach the security of Customer’s Licensed Space, the G-Core Data Centers or the G-Core Data Center Properties (including, without limitation, the electrical and other building systems of the G-Core Data Centers or the G-Core Data Center Properties), or any equipment or property leased, licensed or owned by G-Core (including, without limitation, any Cross Connects and the G-Core Power Distribution System, which only G-Core will install, repair or alter);

(c) install or otherwise perform any Cross Connects;

(d) affix or maintain labels to any Ports or any SDP Equipment that connects Customer’s Equipment to equipment belonging to other customers (G-Core will affix and maintain such labels, which will contain information as determined by G-Core, including circuit identification and other information needed to identify each G-Core-provided Port);

(e) encumber or obstruct the pathways, driveways, yards, entrances, hallways, stairs or any common areas in or around the G-Core Data Centers or the G-Core Data Center Properties;

(f) unless G-Core expressly consents, use any common areas at the G-Core Data Centers or the G-Core Data Center Properties (other than a shared work area where G-Core permits customers to repair their equipment) for any purpose other than access and exit to and from its Licensed Space;

(g) use a shared work area that G-Core permits customers to use for any purpose other than to repair their equipment;

(h) use the Services to compete with any services offered by G-Core, G-Core’s affiliates or G-Core’s subcontractors who operate, as the case may be, the specific G-Core Data Center;

(i) create any nuisances at the G-Core Data Centers or the G-Core Data Center Properties;

(j) manufacture, generate, treat, transport, dispose of, release, discharge, or store on, under or about the G-Core Data Centers, the G-Core Data Center Properties or any surrounding properties, any hazardous materials;

(k) eat, drink or use tobacco products within the G-Core Data Centers except within areas designated for such purposes;

(l) bring recording equipment in, or take photographs of (whether by use of a camera, video camera, cell phone, wireless handset or otherwise), any part of the G-Core Data Centers;

(m) place furniture in its Licensed Space except as permitted by the G-Core Data Center site manager in his/her reasonable discretion. In the event that Customer places furniture G-Core may at any time thereafter notify Customer that the furniture must be removed within three Days following such notice. If Customer fails to remove the furniture within that period, G-Core may remove the furniture, charge Customer Remote Hands Service rates for doing so, and store the furniture at Customer's expense;

(n) install any surveillance cameras or other surveillance equipment without G-Core's prior consent. G-Core reserves the right to require Customer to remove or relocate any surveillance cameras or surveillance equipment that G-Core deems to threaten or impede the security of the G-Core Data Center (including the security of other G-Core customers);

(o) block any exit route or aisle way or create a fire hazard;

(p) use VRLA (valve-regulated lead-acid) batteries within the G-Core Data Centers, unless the batteries are a manufacturer-installed and integrated part of equipment that is an express exception to this rule according the applicable G-Core Data Center rules;

(q) use circuit splitters on any G-Core-provided power circuit;

(r) use UPS (uninterrupted power supply) systems that are not provided by G-Core;

(s) use 48v DC rectifiers that are not provided by G-Core without obtaining advance approval from G-Core;

(t) connect a power circuit to a cabinet other than the cabinet specified by G-Core for such power circuit;

(u) consume power beyond the Limit of any power circuit or Redundant Power Circuit Pair.

7.3 Redundant Power Circuit Policy: A power circuit is a redundant power circuit only if at all times it meets both of the following conditions: (a) It is part of a Redundant Power Circuit Pair, and (b) The aggregate draw of such Redundant Power Circuit Pair does not exceed the Limit of one of the power circuits in the Redundant Power Circuit Pair. Accordingly, if a power circuit is originally a redundant power circuit but subsequently fails to meet conditions a and b simultaneously, such power circuit will thereafter be deemed a primary power circuit that will be treated as an Unordered Service.

7.4 Use of Unordered Services: In the event that Customer uses an Unordered Service, G-Core will so notify Customer (which notification may be delivered only by e-mail or regular mail as indicated in the relevant Service Order, notwithstanding anything to the contrary in the MSA) and provide Customer with a Service Order which lists the Unordered Service. If Customer does not execute such Service Order and return it to G-Core within five Days of the date of such notification, in addition to all other remedies available to G-Core, G-Core may charge Customer for such Unordered Service at its then current list price commencing on the date Customer began using the Unordered Service. Use of a power circuit beyond its Limit and use of a Redundant Power Circuit Pair beyond the Limit of one of the circuits in such Redundant Power Circuit Pair shall be considered an Unordered Service.

8.Handling of Customer Equipment

8.1 Customer will ensure that:

(a) all Customer’s Equipment will be installed, operated, maintained and repaired in compliance with all applicable laws and manufacturer specifications and requirements;

(b) the installation and use of Customer’s Equipment complies with applicable safety codes and product safety agency listings;

(c) all of the cables and wiring (including Customer Cross Connects and Customer power cords) in its Licensed Space, other than any Cross Connects or G-Core’s SDP Equipment, are neatly wrapped and tied together (if Customer fails to do so, G-Core may at its sole option neatly wrap and tie such wires and cables, and G-Core may charge Customer Remote Hands Service rates for doing so);

(d) Customer’s Equipment is not stacked or resting on any other equipment;

(e) all of Customer’s Equipment is securely fixed onto a cabinet or rack in a manner reasonably satisfactory to G-Core. If Customer’s Equipment is too large or heavy for a rack or cabinet, including but not limited to large servers, G-Core may affix such equipment directly to the floor, and G-Core may charge Customer Remote Hands Service rates for doing so;

(f) appropriate air management products (including, but not limited to, blanking plates, grommets and brushes) are installed in cabinets to minimize any potential mixing of cold and hot air between a cabinet and any source of cooling to that cabinet and, where these have not been installed, G-Core may install or replace (as appropriate) such air management products;

(g) where practical, the heaviest and/or hottest (when in operation) of Customer’s Equipment is installed in the lower sections of a cabinet to make the most effective use of the supplied cooling system;

(h) where practical, cables and wiring (including Customer Cross Connects and Customer power cords) should only run from Customer’s Equipment out of the back of the cabinet or rack. If this is unavoidable, Customer will ensure that appropriate air management products are installed to make the most effective use of the supplied cooling system.

8.2 Customer may install and maintain Customer Cross Connects. G-Core has no obligation to install, maintain or repair any Customer Cross Connects.

8.3 G-Core may require Customer to remove from any G-Core Data Center Customer’s Equipment that, in G-Core’s sole discretion, (i) causes a threat to safety (including any risk of fire or other hazard) to the operations of the G-Core Data Center or the G-Core Data Center Property, or (ii) unreasonably interferes with the operations of G-Core, another customer or any other person or entity that is licensing, sublicensing, leasing or subleasing space or otherwise utilizing any portion of the G-Core Data Center or the G-Core Data Center Property.

8.4 If Customer wants to identify Customer’s Equipment or its Licensed Space, the means of identification will be subject to G-Core’s prior approval before Customer uses such means of identification. G-Core will not identify the location of Customer’s Equipment in the G-Core Data Center, and G-Core will not be responsible for labeling Ports except that G-Core is responsible for connecting Customer’s Equipment to equipment belonging to other G-Core customers at a G-Core Data Center.

8.5 G-Core will not touch, maintain, use, upgrade, repair or operate Customer’s Equipment, except in an emergency, or where explicitly or implicitly authorized by Customer’s use of Remote Hands Service, or as otherwise agreed in the MSA.

8.6 Customer is solely responsible for any loss or theft of or damage to Customer’s Equipment left unattended outside of the Licensed Space in a shared cage.

8.7 G-Core is not responsible for any electronic interference that may occur with respect to Customer’s use of wireless communications equipment.

9.Shipping Policy

9.1 Customer will comply with the shipping and receiving policies in effect at the G-Core Data Center.

9.2 Customer will ensure that all shipments (including the boxes) are clearly labeled with the company name and/or identifier of Customer (as required by the G-Core Data Center) and with a reference to G-Core and the licensed space. Customer will not list G-Core as a recipient of any shipment or identify G-Core as a recipient to any shipping carrier. Unidentified packages or packages that list G-Core as the recipient may be rejected.

9.3 G-Core reserves the right to visually and/or physically inspect any and all shipments to or from the G-Core Data Centers when such shipments arrive at the shipping/receiving area. Shipments containing liquids, combustibles and any hazardous materials are prohibited, and, to the extent G-Core is so aware of the contents of such shipments, will not be accepted at any time.

9.4 At the time of G-Core’s inspection of any shipments to or from the G-Core Data Centers, G-Core may record serial numbers for Customer’s Equipment. Accordingly, when packing Customer’s Equipment for shipping, Customer should be aware that G-Core personnel may need access to the serial numbers on Customer’s Equipment being shipped, prior to the boxes being sealed.

9.5 Customer is responsible for moving its shipments from the shipping/receiving area to its Licensed Space and from its Licensed Space to the shipping/receiving area, and Customer’s failure to do so in accordance with the shipping/receiving policies applicable to the G-Core Data Center may result in charges as set forth in such policies.

9.6 Unless prior arrangements are made with G-Core by Customer in accordance with the shipping/receiving policies applicable to the G-Core Data Center, G-Core reserves the right to ship the shipment back to the “shipped from” address, at Customer’s expense.

9.7 G-Core is not responsible or liable for any missing or damage to Customer’s Equipment which may occur during the packaging and/or shipment of such equipment.

9.8 Customer is responsible for all duties, charges, fees, taxes and customs requirements associated with international shipments.

10.Network System Numbers

10.1 G-Core strongly encourages Customer to have its own autonomous system number as designated by the American Registry of Internet Numbers, the Réseaux IP Européens (RIPE), or the Asia Pacific Network Information Centre or their successors.

10.2 Customer will be responsible for obtaining telecommunications services as needed from the carrier of its choice. G-Core will not be responsible for providing or installing such services except as otherwise agreed upon in any Service Order.

11.Data Traffic

11.1 Unless agreed otherwise by the Parties in writing, billing of traffic is based on the metered data traffic model. Customer is offered a traffic package for a server as part of the monthly server charge. If the traffic package amount is exceeded, either as inbound or outbound traffic, then Customer shall pay for each GB in excess of the package. Data usage in excess of the traffic package will be billed at the end of the month.
Hardware Rental Specification

G-CORE HARDWARE RENTAL SPECIFICATION

Last updated: April 28, 2017

G-Core Labs S.A. (“G-Core”) and the Customer of G-Core (“Customer”) will comply with the following Hardware Rental Specification (“Specification”) with respect to Customer’s use of the Services provided by G-Core pursuant to the G-Core Master Services Agreement (“MSA”) and any Service Order thereunder concluded between G-Core and Customer.

Hardware Rental Specification is part of the MSA. Terms not defined herein shall have the same definition as within the MSA.

1. Scope of Hardware Rental

1.1 This Specification sets forth the terms and conditions for the rental of hardware and/or hardware components and/or other integral or ancillary technical equipment by Customer from G-Core (“Hardware Rental”).

1.2 The Service Order will usually set forth the following: (a) the equipment which G-Core will rent to Customer (“Rented Hardware”), (b) the Fees (i.e. the rental fees and any additional costs) for the Hardware Rental, (c) the destination at which the Rented Hardware shall be set up and used (“Setup Location”), (d) the term of the Service Order, and (e) any other terms mutually agreed upon by the Parties.

1.3 G-Core rents the Rented Hardware to Customer for Customer’s use for the duration of the service term. Upon expiry or termination of the Service Order, Customer immediately has to return the Rented Hardware to G-Core and Customer has to bear any shipping costs that accrue.

1.4 Insofar as the Setup Location is situated on the premises of G-Core, G-Core’s affiliate(s) or G-Core’s subcontractor(s), physical access to the Setup Location is restricted to G-Core personnel and designated personnel of Customer. G-Core personnel will accompany the designated personnel of Customer at all times during access to the Setup Location (“Escorted Access”). G-Core will provide Escorted Access to Customer only for the purpose of testing, resetting, modifying and/or configuring the Rented Hardware. During Escorted Access, Customer must comply (i) with all rules and procedures applicable to the Setup Location, in particular any applicable acceptable use policy, and (ii) with all related orders and directions of G-Core’s personnel. Escorted Access are subject to an additional agreement of the Parties and will be charged with G-Core’s then current hourly rates (depending on the level of technical qualification of G-Core’s personnel to accompany and supervise Customer) and has to be requested by Customer at least five Days in advance. Instead of G-Core personnel, G-Core may also use personnel of G-Core’s subcontractors to provide Escorted Access to Customer.

1.5 The Parties agree that if G-Core, in its sole discretion, determines that insofar as an emergency action is necessary to protect G-Core’s network, G-Core may block any path over the Rented Hardware.

1.6 Unless agreed otherwise in the Service Order, Customer is solely responsible (i) for procuring, providing and maintaining, at its own expense, the space, the level of power (including the necessary grounding as is required for the installation), heating and air conditioning, and humidity levels necessary to maintain the proper environment for any Rented Hardware, and (ii) for providing and maintaining all necessary electronic communications required to linking the Rented Hardware, including wiring, communication line access and networking devices.

1.7 While Customer has no right to use the Rented Hardware after the Service Order expires or terminates, if G-Core permits Customer to do so in its sole discretion, Customer will remain bound by the terms of the MSA, including, without limitation, all payment obligations and such continued use may be terminated by G-Core immediately upon notice.

2. Delay of Hardware Rental

2.1 Any tentative commencement date for the Hardware Rental (e.g. the Requested Delivery Date) or lead-time provided by G-Core to Customer which is not specified as “Committed Commencement Date” by G-Core shall be deemed a target date for commencement of the Hardware Rental and shall not be binding on or create any liability for G-Core.

3. Acceptance

3.1 The date on which the Rented Hardware has been delivered to the Setup Location (and, as the case may be, has been set up as ready for use by G-Core) shall be the ready for acceptance date (“RFA Date”). In case the Setup Location is located at premises of G-Core or G-Core’s Affiliates or G-Core’s subcontractors, G-Core will send a notification via email to the Customer contact designated in the relevant Service Order confirming that the Customer may now use the Rented Hardware. The ready for service date (“RFS Date”) for the Hardware Rental provided by G-Core shall be the earlier of (a) two Days after the RFA Date, (b) the date on which Customer notifies G-Core of its acceptance of the Hardware Rental, or (c) the date on which Customer begins using the Rented Hardware. Unless Customer notifies G-Core in writing within such two Day period that the Rented Hardware is not in compliance with the specifications, Customer shall be deemed to have accepted the Rented Hardware.

3.2 In case of rejection of acceptance, Customer has to detail in its notification in which way the relevant Rented Hardware has failed to meet the acceptance criteria. G-Core shall then rectify the problem and notify Customer of a new RFA Date. Subsection 3.1 above applies accordingly.

3.3 In case Customer rejects acceptance only regarding parts of the Hardware Rental and partially accepts the remaining Hardware Rental, Fees for the Hardware Rental shall be reduced on a pro-rata basis to apply only to the Hardware Rental accepted by Customer.

3.4 Customer may not reject acceptance by reason of minor cases of non-compliance of a Service with the applicable acceptance criteria.

4. Retention of title

4.1 G-Core always retains title to the entire Rented Hardware, unless expressly agreed otherwise in the Service Order.

4.2 Customer is obliged to handle the Rented Hardware with care and only within the scope of the Service Order.

4.3 Customer is obliged to inform G-Core of any third-party access to the Rented Hardware, as in the case of a seizure or any damage to or destruction of the Rented Hardware. Customer is not allowed to remove the Rented Hardware from the current Setup Location without G-Core’s prior written approval. Any change in title regarding the current Setup Location must be reported to G-Core immediately.

5. Defects

5.1 A “Defect” occurs each time the Rented Hardware becomes defective and such defect materially limits Customer’s use of the Rented Hardware during the service term. In the event of a Defect, Customer’s sole remedy and G-Core’s sole obligation is that G-Core shall use its best efforts to remedy the Defect, either by repair or replacement of the Rented Hardware, whereas such remedying may be provided at the Setup Location or via remote access to the Rented Hardware. If, in G-Core’s view and at its sole discretion, remedying of the Defect is or becomes technically impossible and/or commercially unreasonable, then either G-Core or Customer may insofar terminate the Service Order in writing. In such case, (a) G-Core will refund any respective prepaid Fees on a pro-rata basis, and (b) in case the Setup Location is at the premises of Customer or at the premises of Customer’s subcontractor(s), Customer will, at G-Core’s discretion and at the cost of Customer, return to G-Core or dispose of the defective Rented Hardware; otherwise, G-Core will remove the defective Rented Hardware.

5.2 In addition to Excluded Causes stated in subsection 6.4 of the MSA, G-Core is not obliged to remedy Defects caused by any use of the Rented Hardware other than agreed with G-Core, in particular any use at or any relocation of the Rented Hardware to a location other than the Setup Location.

G-CORE CDN SERVICE LEVEL AGREEMENT

Last updated: April 28, 2017

G-Core Labs S.A. (“G-Core”) and the Customer of G-Core (“Customer”) will comply with the following Service Level Agreement with respect to Customer’s use of the CDN Services provided by G-Core pursuant to the G-Core Master Services Agreement (“MSA”) and any Service Order thereunder concluded between G-Core and Customer.

The SLA is part of the MSA. Terms not defined herein shall have the same definition as within the MSA.

1. Definitions

"Base Fee" consists solely of the committed base monthly fee paid by Customer for the Services and excludes all other fees that might be paid by Customer including, but not limited to, charges for additional services, incremental bandwidth usage and any other type of optional additional services.

"Customer Content", for purposes of this SLA, means objects delivered from a Delivery Server.

"Delivery Server" means G-Core-owned or operated servers for delivering Customer Content located on the CDN at G-Core’s Points of Presence (each, a “POP”).

"Downtime" means complete unavailability of transmission of Customer Content through CDN Services covered by the uptime guarantee for more than fifteen consecutive minutes.

"Origin Server" means either G-Core’s or Customer’s server, where Customer Content is stored for retrieval by Delivery Servers.

2. Guarantee of Uptime

Subject to the SLA exceptions set forth in the MSA, G-Core provides a 99.99% uptime guarantee to Customer. Availability in this SLA is calculated based on the cumulative Downtime for a given calendar month. Subject to the terms and conditions of this SLA and the MSA, G-Core shall issue to Customer a credit for a Downtime (“Service Credit”) based on the percentage availability in a given monthly billing period as follows (credit amounts expressed as a percentage of the fee for the affected Service).

Availability	Service Credit:
99.99% – 99.90%	5%
99.89% – 99.00%	10%
less than 99.00%	15%

The following time periods do not count as Downtime:

· Non-compliance of Services with the Service Levels due to any Excluded Cause according to the MSA, available at https://gcorelabs.com/legal;

· Time spent by G-Core resolving reports by Customer which do not specify a Defect.

3. Service Credits

To receive Service Credit under this Services SLA, Customer must submit a request in writing via e-mail to support@gcorelabs.com. The request must include Customer’s (a) company name, (b) contact name, (c) e-mail address and (d) phone number, as well as (e) the date of the suspected Downtime and (f) a reasonably detailed description of the reason for the Service Credit request. G-Core must receive the Service Credit request within 30 Days after the suspected Downtime has occurred. The suspected Downtime must be capable of confirmation by G-Core’s measurement tools. Any issued Service Credit shall be applied to Customer’s next applicable invoice after G-Core initially received and reviewed the Service Credit request. Service Credits are exclusive of any Taxes charged to Customer or collected by G-Core.

4. Miscellaneous

Service Credits shall not entitle Customer to any refund, reimbursement or other payment from G-Core. Service Credits shall not be applied or transferred to other accounts of the Customer or of third parties. A Service Credit will be applicable and issued only if the credit amount for the applicable monthly period is greater than twenty five euros (EUR 25.00).

Notwithstanding anything in this SLA to the contrary, total Service Credits issued to Customer in connection with any calendar month shall not exceed the Base Fee paid by Customer for such month. All Service Credit is calculated on the basis of a 30-day month. To be eligible for Service Credit, Customer must follow G-Core’s published instructions for use of Services and the MSA; improper use shall result in ineligibility. Service Credit shall not be issued if Customer is in breach of the MSA or the applicable Service Order, including breach for non-payment. Service Credit will only be issued if Customer has paid in full for Services covering the time period within which the Service Credit is requested. G-Core reserves the right to periodically change the measurement points and methodologies it uses. This SLA sets forth Customer’s sole and exclusive remedy for a Downtime or other service outage.

Hosting SLA

G-CORE HOSTING SERVICE LEVEL AGREEMENT

Last updated: September 22, 2017

G-Core Labs S.A. (“G-Core”) and the Customer of G-Core (“Customer”) will comply with the following Service Levels Agreement with respect to Customer’s use of the Hosting Services provided by G-Core pursuant to the G-Core Master Services Agreement (“MSA”) and any Service Order thereunder concluded between G-Core and Customer.

The SLA is part of the MSA. Terms not defined herein shall have the same definition as within the MSA

1.Reporting of Defects

Customer shall report to G-Core any Defect as soon as possible. When reporting a Defect to G-Core, Customer will send a Defect report (“Defect Report”) to G-Core that includes (a) Customer name and on-site technical contact information (telephone number, e-mail address and hours of operation of the responsible Customer contact), (b) any available serial numbers of the defective components of the Service, (c) a reasonably detailed description of the Defect, together with any supporting information that Customer’s engineers believe will assist G-Core in its diagnostic process (including e.g. time of first occurrence of Defect, affected systems, error messages etc.), and (d) the date and time that the Defect Report is submitted to G-Core.

Customer may contact G-Core for submission of Defect Reports during the following service times (“Service Times”):

24/7/365

Customer shall contact G-Core for submission of Defect Reports during the Service Times in any case via email in order to provide G-Core with a text version of the Defect Report. After reporting the Defect via email to G-Core, Customer may also contact G-Core via phone or other voice service for any follow-up queries or updates regarding the reported Defect. G-Core’s contact details are as follows:

email: support@gcorelabs.com

For the purposes of this SLA, Availability is calculated as follows, subject to specific provisions outlined further below:

Hosting SLA

Downtime is calculated as the time from G-Core receiving a Defect Report from Customer via email on non-compliance of the Services with the Service Levels specified below and G-Core’s subsequent confirmation of a Defect until remedying of this respective Defect.

The following time periods do not count as Downtime:

· Non-compliance of Services with the Service Levels due to any Excluded Cause according to the MSA, available at https://gcorelabs.com/legal;

· Time spent by G-Core resolving reports by Customer which do not specify a Defect.

2.Specific Availability

Hardware Replacement

G-Core will repair or replace the failed hardware components provided by G-Core upon identification of the hardware fault by G-Core. Hardware is defined as the hardware: (i) switches, firewalls, load balancers and servers; (ii) direct attached storage devices; (iii) network attached storage devices; and (iv) storage area networks (“SAN”). Hardware repair or replacement will begin within two (2) hours of problem identification for switches, firewalls, load balancers, servers and direct attached storage devices, and within five hours of problem identification for network attached storage devices. For SAN hardware failures, G-Core guarantee that we will have a technical specialist and necessary parts onsite to begin repairs within eight hours of problem identification. This commitment does not include the time required to rebuild the Customer’s system, such as the time required to configure a replacement device, rebuild a RAID array, reload the operating system, reload and configure applications, and/or restore from backup (if necessary).

If G-Core fails to meet the required commitment for Hardware Replacement and the failure materially and adversely affects the performance of the Customer’s servers, then the Customer shall be entitled to a Service Credit as set forth below. Any Service Credit issued will be calculated as follows: 5% of the monthly recurring fee for the affected server(s) per 30 minutes of additional hour of Downtime (after the initial two hours or five hours for repair or replacement, as applicable, or, for SAN, the additional hour of delay in beginning repairs)

Colocation

G-Core will ensure Colocation Availability in the form of A/C power available to the outbound port on the Customer’s serving power distribution unit (PDU) 100% of the time. Power includes UPSs, PDUs and cabling, but does not include the power supplies on the Customer’s servers. Colocation Downtime exists when a particular server is shut down due to power problems. This Availability is calculated monthly beginning with the first full calendar month of provision of Services.

If G-Core fails to meet the required Colocation Availability in a particular calendar month and the failure materially and adversely affects the performance of the Customer’s servers, Customer shall be entitled to a Service Credit as set forth below (each a “Service Credit”). Any Service Credit issued will be calculated as a percentage of the monthly recurring fee for the affected server(s) for such month and will be determined as follows:

Availability	Service Credit
< 99.9%	5% per 30 minutes of Colocation Downtime

Network

G-CORE will ensure a 99% Network Availability for Customer per calendar month. “Network” means the portion of the network extending from the outbound port on the Customer’s edge device to the outbound port on the border router and includes G-Core managed switches, routers, and cabling. “Network Availability” is defined as the ability to pass TCP/IP traffic with less than 3% packet loss and less than 50ms latency across the specific data center network. This Availability is calculated monthly beginning with the first full calendar month of provision of Services.

If G-CORE fails to meet the required Network Availability in a particular calendar month and the failure materially and adversely affects the performance of the Customer’s server(s), Customer shall be entitled to a credit as set forth below (each an “Service Credit”). Any Service Credit issued for a particular calendar month will be calculated as a percentage of the actual monthly fees of the affected Hosting Service for such month and will be determined as follows:

Availability	Service Credit
< 99.0%	5% per 30 minutes of Network Downtime

3.Service Level Measurement

Packet Loss and Network Latency are measured by sending approximately 1000 UDP-Datagrams with a length of 96 bytes every 10 minutes to designated servers located at IP Backbone core nodes, which are primary nodes in the network designated by G-Core or G-Core’s subcontractors. The Customer’s interface in IP Backbone routers/switches will be measured using Simple Network Management Protocol (“SNMP”). The term “UDP-Datagram” refers to the User Datagram Protocol, a connectionless transport-layer protocol in the TCP/IP protocol suite.

4.Credits

To receive Service Credits under this SLA, Customer must submit a request in writing via email to support@gcorelabs.com. The request must include Customer’s (a) company name, (b) contact name, (c) email address, and (d) phone number, as well as (e) the date of the suspected Downtime and (f) a reasonably detailed description of the reason for the Service Credit request. G-Core must receive the Service Credit request within 30 Days after the suspected Downtime has occurred. The suspected Downtime must be capable of confirmation by G-Core’s measurement tools. Any issued Service Credit shall be applied to Customer’s next applicable invoice after G-Core initially received and reviewed the Service Credit requests. Credits are exclusive of any Taxes charged to Customer or collected by G-Core.

5.Miscellaneous

Service Credits shall not entitle Customer to any refund, reimbursement or other payment from G-Core. Service Credits shall not be applied or transferred to other accounts of Customer or of third parties. A Service Credit will be applicable and issued only if the credit amount for the applicable monthly period is greater than twenty five euros (EUR 25.00).

Notwithstanding anything in this SLA to the contrary, total Service Credits issued to Customer in connection with any calendar month shall not exceed the monthly recurring fee for the affected server(s) paid by Customer for such month. All Service Credit is calculated on the basis of a 30-day month. To be eligible for Service Credit, Customer must follow G-Core’s published instructions for use of Services and the MSA; improper use shall result in ineligibility. Service Credit shall not be issued if Customer is in breach of the MSA or the applicable Service Order, including breach for non-payment. Service Credit will only be issued if Customer has paid in full for Services covering the time period within which the Service Credit is requested. G-Core reserves the right to periodically change the measurement points and methodologies it uses. This SLA sets forth Customer’s sole and exclusive remedy for a Downtime or other service outage.

Acceptable Use Policy

G-CORE ACCEPTABLE USE POLICY

Last updated: April 28, 2017

G-Core Labs S.A. (“G-Core”) and the Customer of G-Core (“Customer”) will comply with the following Acceptable Use Policy (“AUP”) with respect to Customer’s use of the Services provided by G-Core pursuant to the G-Core Master Services Agreement (“MSA”) and any Service Order thereunder concluded between G-Core and Customer.

The AUP is part of the MSA. Terms not defined herein shall have the same definition as within the MSA.

1. General

1.1 Customer is expected to use the Services in accordance with reasonable industry standards and shall be responsible for its use of the Services as well as the activities of its subscribers, end users or customers. Customer agrees and acknowledges that the violation of this AUP by Customer’s subscribers, end-users or customers shall be deemed to be a violation by Customer of the AUP. Customer is solely responsible for the content of any postings, data, or transmissions using the Services, or any other use of the Services by Customer. Nothing in this AUP obligates G-Core to monitor, edit or censor Customer’s use of the Services and/or such respective content.

1.2 G-Core makes no guarantee regarding, and assumes no liability for, the security and integrity of any data or information Customer transmits via the Services or over the Internet.

1.3 These AUP contain provisions on Customer’s obligations to G-Core as (i) the provider of Services, (ii) the owner of equipment, or (iii) otherwise responsible for any property, subject-matters, actions or omissions relating to the Services. These obligations of Customer also extend to, as the case may be, G-Core’s Affiliates or subcontractors. However, G-Core shall serve as Customer’s point of contact for matters related to the Services. All Services provided through an Affiliate and/or subcontractor shall be subject to, and governed by, these AUP as if such Services were furnished directly by G-Core.

1.4 G-Core will use reasonable efforts to notify Customer of any violations of the AUP and to give Customer an opportunity to correct any violations before taking action, provided that G-Core shall reserve the right to suspend or block Services in cases where G-Core believes that G-Core’s property or the property of other parties, G-Core’s reputation or the integrity of its network is threatened by Customer’s violation of the AUP, including, but not limited to, cases where Customer’s violation of this AUP involves illegal activities, or cases where Customer is unavailable or there have been repeated violations of the AUP involving unsolicited commercial e-mail (“UCE”)/SPAM, mail relaying, alteration of IP address information, or denial of service attacks.

2. Limitations of use of the Services

Customer is not allowed to:

(a) Use any Service in a manner that violates any applicable law, statute, ordinance or regulation;

(b) Use any Service in a manner that infringes any third party’s copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy;

(c) Use any Service to commit any act that is defamatory, discriminatory, libelous, false, fraudulent, misleading, deceptive, threatening, harassing, or obscene; use any Service to host, distribute, upload, post, transmit, disseminate, or otherwise make available information which involves excessive violence or threat or incitement of violence, sexually explicit or morally repugnant content, illegal gambling, illegal drugs, arms trafficking, or terrorism.

(d) Use the Services to distribute unsolicited emails, chain letters, mailbombs or SPAM (including in particular unsolicited bulk e-mail (“UBE”) and/or UCE);

(e) Use the Service in a manner that interferes with, disrupts, or causes an excessive or disproportionate load on the infrastructure of G-Core, G-Core’s Affiliates or subcontractors;

(f) Use the Services to commit, or attempt to commit, acts of non-authorized relays through any third party system, or otherwise violate the acceptable use policies of any network, hardware or services provider accessed through G-Core’s network;

(g) Use the Services to forge electronic mail (including the use of fraudulent “from addresses”) or to overburden a recipient or computer system by sending mass amounts of electronic mail or data with the intent to disable the recipient system or provoke a denial of service;

(h) Operate open relay/unsecure mail servers which provide SMTP functionality to third parties;

(i) Host or be involved with web sites and services sending or transmitting SPAM;

(j) Use the Services to distribute viruses, Trojan horses, worms or other similar harmful or deleterious programming routines (including portscanning);

(k) Use the Services in an effort to gain unauthorized access to, or attempt to interfere with or compromise the normal functioning, operation, or security of any network, system, account, computing facility, equipment, data, or information, or to use the Service to engage in any activities that may interfere with the ability of others to access or use the Service or the Internet;

(m) Use the Services to "mine" bitcoins and other cryptocurrencies;

(l) Use the Services in a way that creates a risk to an individual’s safety or health, public safety, or interferes with activities of law enforcement bodies.

G-CORE PRIVACY POLICY

Last updated: April 12, 2018

G-Core Labs S.A., 2 Rue Albert Borschette, 1246 Luxembourg (”We”) is committed to protecting and respecting your privacy.

This policy (together with our Master Services Agreement, available at https://gcorelabs.com/legal and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting gcorelabs.com you accept that your personal data are processed as described in this policy.

1. INFORMATION WE COLLECT FROM YOU

We may collect and process the following personal data about you:

• Information you give us. This is information about you that you give us by filling in forms on gcorelabs.com and other G-Core websites (our site) or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you register to use our site, subscribe to our service, use our services, search for a product, place an order on our site, enter a competition, promotion or survey, and when you report a problem with our site. The information you give us may include your name, address, email address and phone number, financial information, personal description and photograph, as well corporate information.

• Information we collect about you. With regard to each of your visits to our site we will automatically collect the following information, by means of cookies or similar technologies,:

• technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;

• information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.

• Information we receive from other sources. This is information we receive about you if you use any of the other websites we operate or the other services we provide. We are working closely with third parties (including, for example, business partners, subcontractors in technical, payment and delivery services, analytics providers, etc.). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.

2. COOKIES

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. Where required, we will ask for your consent before placing the relevant cookie. More information about the cookies used on our website is available here.

You can control and/or delete cookies as you wish – for details, see for example aboutcookies.org. Various web browsers offer ways to restrict and delete cookies. For more information, please visit the appropriate link below.

Firefox
Google Chrome
Internet Explorer
Safari

3. USES MADE OF THE INFORMATION

We use information held about you in the following ways:

• Information you give to us. We will use this information:

• to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;

• to manage our relationship with our customers which includes processing information for the purposes of customer administration, analysis and reporting on the basis of our legitimate interest to build and maintain strong customer relationships;

• to incorporate your information in our databases for the purposes verification of customer identity and solvency, fraud detection and prevention on the basis of our legitimate interest to ensure that we only contract with trustworthy customers and/or legal obligations;

• to provide you with information about other services or products we offer that are similar to those that you have already purchased or enquired about on the basis of our legitimate interest to market our products and services;

• to provide you, or permit selected third parties to provide you, with information about services or products we feel may interest you. If you are an existing customer, we will only contact you by electronic means with information about services or products similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this;

• to notify you about changes to our service on the basis of our legitimate interest to ensure a good client relationship or where necessary in the context of a contract entered into between you and us;

• to ensure that content from our site is presented in the most effective manner for you and for your computer on the basis of our legitimate interest to provide users with a positive user experience;

• Information we collect about you. We will use this information:

• to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

• to improve our site to ensure that content is presented in the most effective manner for you and for your computer;

• to allow you to participate in interactive features of our service, when you choose, and therefore consent, to do so;

• as part of our efforts to keep our site safe and secure;

• to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;

• to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.

Where required we will obtain your consent for the abovementioned purposes. Otherwise, the use of your information for the abovementioned purposes is based on our legitimate interest to ensure the good performance of our site and to display advertising.

• Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).

4. DISCLOSURE OF YOUR INFORMATION

You acknowledge that we may share your personal information, for the abovementioned purposes, with:

• Any member of our group, which means our subsidiaries, our ultimate holding company, its subsidiaries, and other affiliates.

• Selected third parties including:

• business partners, suppliers and subcontractors for the performance of any contract we enter into with them or you;

• analytics and search engine providers that assist us in the improvement and optimisation of our site.

We will disclose your personal information to third parties:

• In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.

• If G-Core Labs S.A. or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.

If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Master Services Agreement, available at https://gcorelabs.com/legal, or to protect the rights, property, or safety of G-Core, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

We will not sell, purchase, provide, exchange or in any other manner disclose your account or transaction data, or personal information about you as a cardholder to anyone, except, the payment intermediaries, for instance, acquirer and Visa/Mastercard Corporations. We may use SSL and other security measures to protect such information.

5. WHERE WE STORE YOUR PERSONAL DATA

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (”EEA”) in the context of the processing activities described above. It will also be processed by staff operating outside the EEA who work for us or for one of our suppliers. We have staff located outside the EEA in the the Russian Federation (G-Core Rus LLC, OGRN number 1137746982966). The staff includes personnel engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you acknowledge that your personal data may be transferred outside of the EEA. G-Core will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. Furthermore, where required, G-Core will put in place appropriate safeguards such as data transfer agreements based on the EU model clauses. For further information or to obtain a copy of the EU model clauses, please contact G-Core at support@gcorelabs.com

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

6. YOUR RIGHTS

You have the right (i) to obtain confirmation whether we hold your personal data and the right to access those data; (ii) to request correction of inaccurate personal data; (iii) under the conditions provided in the General Data Protection Regulation, to ask for deletion of your personal data, to request the restriction of the processing of your personal data and to portability.

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at support@gcorelabs.com.

Where processing is based on consent, you have the right to withdraw your consent

You also have the right to lodge a complaint with the competent data protection authority.

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

7. HOW LONG WE KEEP YOUR DATA

We keep personal data of our customers for the term of the customer relationship and an additional period which depends on the applicable statutory retention and limitation periods.

Personal data collected by means of cookies are kept for the term indicated in the cookie table.

Other personal data is kept for the term necessary to achieve the purpose for which the personal data was collected.

For more information with regard to the retention of your data, please contact us at the email address given below.

8. CHANGES TO OUR PRIVACY POLICY

From time to time this Privacy Policy can be modified by G-Core. Such modifications will not apply retroactively.

9.CONTACT

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to support@gcorelabs.com

Exhibit 1. Cookie table.

Cookie name	Source	Purpose	Expiration	Category
__hssc	hubspot.com	Cookie for keeping track of sessions. This is used to determine if we should increment the session number and timestamps in the __hstc cookie. It contains: the domain, viewCount (increments each pageView in a session), session start timestamp.	30 min	Performance cookies
__hstc	hubspot.com	The main cookie for tracking visitors. It contains: the domain, utk (see below), initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session)	2 years	Performance cookies
__hssrc	hubspot.com	Whenever HubSpot changes the session cookie, this cookie is also set. We set it simply to the value “1”, and use it to determine if the user has restarted their browser. If this cookie does not exist when we manage cookies, we assume it is a new session.	None.	Session cookies
hubspotutk	hubspot.com	This cookie is used for to keep track of a visitor’s identity. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.	10 years	Performance cookies
_ga	google analytics	Visitor identification	2 years	Performance cookies
_gat	google analytics	Throttling request rate	1 minute	Performance cookies
_gid	google analytics	User journey	24 hours	Performance cookies
_gat_UA-102412478-2	google analytics	Throttling request rate	1 minute	Performance cookies
_gat_gtag_UA-102412478-2	google analytics	Throttling request rate	1 minute	Performance cookies
messagesUtk	hubspot.com	HubSpot Analytics	2 years	Performance cookies
_ym_uid	Yandex Metrica	user ID	None	Performance cookie
_ym_isad	Yandex Metrica	ad blocker presence	1 day	Performance cookies
_ym_visorc	Yandex Metrica	Yandex.Webvisor ID.	30 minutes	Performance cookies
ajs_anonymous_id	deliveroo	This helps us count how many people visit Deliveroo by tracking if you’ve visited before	1 year	Performance cookies
ajs_group_id	deliveroo	This doesn’t currently store anything	1 year	Performance cookies
ajs_user_id	deliveroo	This allows segment.io to collect data about your usage of Deliveroo	1 year	Performance cookies
intercom-id	Intercom	Intercom ID	10 years	Performance cookies
confirmed_cookie	gcorelabs.com	1 – read the message about cookie 2 – not read it	1 month	Performance cookies. Website functionality cookies
hosting_refer	gcorelabs.com	Refer ID from reselling system of hostig.gcorelabs.com	1 year	Performance cookies. Website functionality cookies
linkedin_oauth	LinkedIn	Visitor identification	1 year	Performance cookies
utm_params	gcorelabs.com	UTM parameters from contextual advertising	1 year	Performance cookies. Website functionality cookies

Copyright Policy

G-CORE COPYRIGHT POLICY

Last updated: April 28, 2017

1.REPORTING CLAIMS OF COPYRIGHT INFRINGEMENT

We take claims of copyright or other intellectual property infringement seriously. We will respond to notices of alleged copyright infringement that comply with applicable law. If you believe any materials accessible through our services infringe your copyright, you may request removal of those materials (or access to them) by submitting written notification to the address designated below. (For the ease of reference, “copyrights infringement” for the purposes of this document also means violations of other intellectual property rights.)

Your written notice must include substantially the following:

1. Your physical or electronic signature.

2. Identification of the copyrighted work you believe to have been infringed or, if the claim involves multiple works, a representative list of such works.

3. Identification of the material you believe to be infringing in a sufficiently precise manner to allow us to locate that material.

4. Adequate information by which we can contact you (including your name, postal address, telephone number, and, if available, email address).

5. A statement that you have a good faith belief that use of the copyrighted material is not authorized by the copyright owner, its agent, or the law.

6. A statement that the information in the written notice is accurate.

7. A statement, under penalty of perjury, that you are authorized to act on behalf of the copyright owner.

Notices should be sent to:

G-Core Labs S.A.

2A, rue Albert Borschette

L-1246, Luxembourg, or to

abuse@gcorelabs.com

If you fail to comply with all of the requirements your notice may not be effective.

Please be aware that if you knowingly materially misrepresent that material or activity is infringing your copyright, you may be held liable for damages (including costs and attorneys' fees).

2.COUNTER-NOTIFICATION PROCEDURES

If you believe that material you posted though our services was removed or access to it was disabled by mistake or misidentification, you may file a counter-notification with us (“Counter-Notice”) by submitting written notification to our copyright agent (identified below). The Counter-Notice must include substantially the following:

1. Your physical or electronic signature.

2. An identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access disabled.

3. Adequate information by which we can contact you (including your name, postal address, telephone number, and, if available, email address).

4. A statement under penalty of perjury by you that you have a good faith belief that the material identified above was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled.

5. A statement that you will consent to the jurisdiction of the competent court of Luxembourg for the judicial district in which your address is located, or if your address is outside of Luxembourg, the judicial district in which G-Core Labs S.A. is located, and will accept service of process from the claimant.

Completed Counter-Notices should be sent to:

G-Core Labs S.A.

2A, rue Albert Borschette

L-1246, Luxembourg, or to

abuse@gcorelabs.com

Please be aware that if you knowingly materially misrepresent that material or activity was removed or disabled by mistake or misidentification, you may be held liable for damages (including costs and attorneys' fees).
Online Payment, Return & Refund Policy

Last updated: March 28, 2018

Thank you for choosing the services of G-Core Labs.

Our fees will be invoiced to you with electronic billing descriptor gcorelabs.com

Notice to users from the European Union, who are subject to Consumer Rights Directive, only:

If you are not entirely satisfied with you purchase and are a consumer in the meaning of the Consumer Rights Directive 2011/83/EU, you have fourteen (14) calendar days to withdraw from the contract you have entered into with G-Core Labs. The withdraw period will start on the day of the conclusion of the contract. If the last day of the period of fourteen (14) days is a Sunday or a public holiday, the next business day shall be considered the effective last day to withdraw.

G-Core Labs will refund the amounts paid by you, without prejudice to your obligation to provide restitution for services requested and already performed and/or supplied by G-Core Labs, for the period prior to the withdrawal. The amount of the refund will be reduced in proportion to what has been supplied by G-Core Labs, in comparison with the full coverage of the contract.

We will make commercially reasonable efforts to refund through your original method of payment or otherwise will work out a reasonable alternative.

Questions, comments and requests regarding this policy and payments are welcomed and should be addressed to support@gcorelabs.com or by post to 2 Rue Albert Borschette, 1246 Luxembourg.
G-CORE LABS CANDIDATE PRIVACY NOTICE

Last updated: May 02, 2018

WHAT IS THE PURPOSE OF THIS DOCUMENT?

G-Core Labs S.A. is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. You are being sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).

DATA PROTECTION PRINCIPLES

We will comply with data protection law and principles, which means that your data will be:

• Used lawfully, fairly and in a transparent way.

• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

• Relevant to the purposes we have told you about and limited only to those purposes.

• Accurate and kept up to date.

• Kept only as long as necessary for the purposes we have told you about.

• Kept securely.

THE KIND OF INFORMATION WE HOLD ABOUT YOU

In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:

• The information you have provided to us in website job application form, your curriculum vitae and covering letter.

• The information you have provided on our application form, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications.

• Any information you provide to us during an interview.

HOW IS YOUR PERSONAL INFORMATION COLLECTED?

We collect personal information about candidates from the following sources:

• You, the candidate.

• Search consultancies, recruitment agencies or background checking agencies, from which we collect the following categories of data: contact details, curriculum vitae and cover letter

• Your named referees

HOW WE WILL USE INFORMATION ABOUT YOU

We will use the personal information we collect about you to:

• Assess your skills, qualifications, and suitability for the work or role.

• Carry out background and reference checks, where applicable.

• Communicate with you about the recruitment process.

• Keep records related to our hiring processes.

• Comply with legal or regulatory requirements.

It is in our legitimate interests to decide whether to appoint you to work since it would be beneficial to our business to appoint someone to that role or work.

We also need to process your personal information to decide whether to enter into a contract with you.

Having received your CV and covering letter or your application form, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role or work. If we decide to offer you the role or work, we will then take up references and background check before confirming your appointment.

If you fail to provide personal information

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION

We will use your particularly sensitive personal information in the following ways:

• We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.

INFORMATION ABOUT CRIMINAL CONVICTIONS

We do not envisage that we will process information about criminal convictions.

AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

DATA SHARING

Why might you share my personal information with third parties?

We will only share your personal information with the following third parties for the purposes of processing your application: a search consultancy, recruitment agency or background checking agency. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

DATA RETENTION

How long will you use my information for?

We will retain your personal information for a period of five years after we have communicated to you our decision about whether to appoint you to role or work. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.

RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us via privacy@gcorelabs.com in writing.

RIGHT TO WITHDRAW CONSENT

When you applied for this role, you provided consent to us processing your personal information for the purposes of the recruitment exercise. You have the right to withdraw your consent for processing for that purpose at any time. To withdraw your consent, please contact privacy@gcorelabs.com. Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely.

I,___________________________ (candidate name), acknowledge that on _________________________ (date), I received a copy of [EMPLOYER]’s Candidate Privacy Notice and that I have read and understood it.

Signature

………………………………………………

Name

…………………………………………………