MSA

MASTER SUBSCRIPTION AGREEMENT

1. Definitions
The following definitions (and additional definitions provided below) will apply:

1.1. “Agreement” means the applicable Sales Order and this Master Subscription Agreement.

1.2. “Authorized Users” means either (i) employees or contractors of Customer for whom Customer provided details and created a unique username and password or (ii) participants of the partner’s training courses.

1.3. “Confidential Information” has the meaning set forth in section 8.1.

1.4. “Customer” means the Party entering the Agreement with PLAY IT, as identified in the Sales Order.

1.5. “Customer Data” means data, information or material provided or submitted by Customer to PLAY IT and which pertain to the activities of Customer.

1.6. “Data Controller” has the meaning set forth in section 5.

1.7. “Data Processor” has the meaning set forth in section 5.

1.8. “DPA” has the meaning set forth in section 5.

1.9. “Date of the Agreement” means the commencement date of this Agreement, set forth in the Sales Order.

1.10. “Fees” means the fees payable for the Service specified in the Sales Order.

1.11. “Feedback” refers to any suggestion or idea for modifying any of PLAY IT’s products or services, including without limitation all intellectual property rights in any such suggestion or idea.

1.12. “Intellectual Property Rights” means any and all now known or hereafter existing (a) rights associated with works of authorship, including copyrights, mask work rights, and moral rights, (b) trademark or service mark rights, (c) trade secret rights, know-how, (d) patents, patent rights, and industrial property rights, (e) layout design rights, design rights, (f) trade and business names, domain names, database rights, rental rights and any other industrial or intellectual proprietary rights or similar right (whether registered or unregistered), and (g) all registrations, applications for registration, renewals, extensions, divisions, improvements or reissues relating to any of these rights and the right to apply for, maintain and enforce any of the preceding items, in each case in any jurisdiction throughout the world.

1.13. “Master Subscription Agreement” means this master subscription agreement, including Schedule 1.

1.14. “Party” means PLAY IT or Customer, as applicable.

1.15. “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.16. “PLAY IT” means PLAY IT bv, with seat at Nelson Mandelaplein 2, 8500 Kortrijk, Belgium, registered with the Crossroads Bank for Enterprises under enterprise number 0671.574.550.

1.17. “PLAY IT Content” means supplied text, audio, video, graphics and other information and data available by means of the Service or on PLAY IT’s website.

1.18. “Renewal Term” means the period as specified in section 9.1.

1.19. “Sales Order” means the sales order form, or order written document, detailing the Services being procured by Customer, and which references this Agreement.

1.20. “Service” means an online cloud-based learning and content platform through gaming for employees and a management portal for the prevention advisor or learning and development manager.

1.21. “Subscription Date” means the start date of the subscription for the Service set forth in the Sales Order.

1.22. “Term” means the term of this Agreement as specified in section 9.1, extended with any Renewal Term(s), as the case may be.

1.23. “Third Party” means any legal or natural person, other than the Customer or the Authorized Users.

1.24. “Third Party Materials” means the term of this Agreement as specified in section 7.5.

1.25. “Third Party Services” means the term of this Agreement as specified in section 7.5.

1.26. “Virus” means a virus, cancelbot, worm, logic bomb, Trojan horse or other harmful component of software or data.

2. Subscription

2.1. Subject to the terms and conditions of this Agreement and timely payment of the Fees by Customer, PLAY IT hereby grants to Customer a renewable, limited, personal, non-exclusive, non-transferable, non-assignable license, without the right to sublicense, for the Term to permit Authorized Users to access and use the Service, for Customer’s direct business purposes.

PLAY IT reserves the right to make, in its sole discretion, changes and updates to the functionality and/or documentation of the Service from time to time.

2.2. Customer shall not have the right to (i) use the Service in whole or part for any other purpose, other than as provided herein or to make services available to Third Parties utilizing the Service, (ii) decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques or algorithms of the Service by any means whatsoever, or disclose any of the foregoing, or (iii) use the Service in any way that is unlawful, illegal, fraudulent or harmful, or (iv) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.

2.3. PLAY IT and its suppliers retain all Intellectual Property Rights, title and interest in and to the Service, Customized Company’s Service and PLAY IT Content, including any and all related Intellectual Property Rights, and all modifications and derivative works thereto. All rights in and to the Service, Customized Company’s Service and PLAY IT Content not expressly granted to Customer in this Agreement are reserved by PLAY IT. No license is granted to Customer except as to use of the Service as expressly stated herein. PLAY IT name, PLAY IT logo, and the product names associated with the Service are trademarks of PLAY IT or Third Parties, and they may not be used without PLAY IT’s prior written consent.

2.4. Customer hereby grants PLAY IT a perpetual, irrevocable, worldwide license to use any Feedback Customer communicates to Company during the Term, without compensation, without any obligation to report on such use, and without any other restriction. PLAY IT’s rights granted in the previous sentence include, without limitation, the right to exploit Feedback in any and every way, as well as the right to grant sublicenses.

2.5. Customer agrees that PLAY IT will set up a separate cloud account under the name of the Customer and with the credentials given by the Customer. The Customer agrees that it will treat the password and its account on a confidential basis so that Third Parties cannot make use of the account. This account will be exclusively linked to the Authorized Users of the Customer.

2.6. Access to the Service is initially limited to the Authorized Users, and must not exceed the number of users specified in the Sales Order.

3. Fees and Payment terms

3.1. Customer agrees to pay the Fees according to the payment terms in the Sales Order.

3.2. All payment obligations are non-cancellable and all amounts paid are non-refundable. All invoices for any charges under this Agreement are due and payable within 15 (fifteen) calendar days as of the respective invoice date. Amounts due are exclusive of all applicable taxes, levies, or duties, and Customer will be solely responsible for payment of all such amounts. All amounts are payable in Euro. Any amounts not paid when due shall bear interest at the rate of one percent (1%) per month. In addition, a lump sum of 10% of the invoice amounts is due with a minimum of EUR 50. If the actual costs and damages incurred by PLAY IT as a result of the (extra)judicial enforcement of Customer’s payment obligations are higher than 10% of the invoice amounts, the Customer will be held to pay this surplus to cover the actual damages suffered.

3.3. However, in the event of customization of PLAY IT’s Service at the request of the Customer (“Customized Company’s Service”), PLAY IT will only invoice 50% of the Customized Company’s Service on the Date of the Agreement, unless specified otherwise in the Sales Order. The remaining 50% will be invoiced 15 days before the delivery date of the Customized Company’s Service and has to be paid before the delivery date.

3.4. Any additional work not provided for in the Sales Order will be charged on a time and material basis at the hourly rate as set forth in the Sales Order. Any recurring Fees agreed upon between the Parties, shall be subject to a yearly revision, at the latest fifteen (15) days prior to each Renewal Term on the anniversary of the Date of the Agreement and in accordance with the Agoria “Referteloonkostenindex Digital” index (available at www.agoria.be). In case this index is no longer published, the index replacing it shall apply. The indexation will be done in accordance with the following formula: P = Po x (0.20 + 0.80 x (S/So)) ) Whereby: P = reviewed (annual- Fees (excluding VAT); Po = Fees as agreed in the Proposal; S = reference wages according to the Agoria-index applicable at the Date of the Agreement. The Parties agree that a negative index can under no circumstances impact the Fees agreed upon by the Parties. Indexation can thus never give cause to lower prices than the Fees agreed upon in the Sales Order.

3.5. PLAY IT may increase the Fee by an amount not to exceed up to PLAY IT’s prevailing prices to its customers generally for such services, at the latest fifteen (15) days prior to the commencement of a potential notice period, as set forth in Article 9.1. Such price adjustment will become effective from the commencement date of the next Renewal Term. In the event the Customer does not agree to such price revision, the Customer may terminate the Agreement in accordance with the provisions of this Agreement. No license rights for a Renewal Term will go into effect before payment of the applicable Fee.

3.6. If Customer believes that PLAY IT has incorrectly billed the Customer, Customer must contact PLAY IT as soon as possible and ultimately within 15 calendar days as of the respective invoice date. Customer is not entitled to offset or deduct any amounts from invoices of PLAY IT, until PLAY IT has issued a credit note for this disputed amount.

4. Customer Data

4.1. All Customer Data submitted by Customer to PLAY IT will remain the sole and exclusive property of Customer.

4.2. Customer will have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness of and copyright permissions for all Customer Data. PLAY IT will not use the Customer Data for any purpose other than to provide the Service to Customer and for the reporting of user statistics.

4.3. The Parties shall comply with all applicable laws regarding Customer Data, use of the Service and the PLAY IT Content, including but not limited to laws involving data protection law.

4.4. Subject to the terms and conditions of this Agreement, Customer grants to PLAY IT a non-exclusive license to use, copy, store, transmit and display Customer Data to the extent reasonably necessary to provide and maintain the Service.

5. Data Protection

When performing its obligations under this Agreement, PLAY IT will process Personal Data on Customer's behalf. In this context, Customer shall be the data controller (“Data Controller”) and PLAY IT shall be the data processor (“Data Processor”).

Unless Parties agree to be bound by the terms and conditions of the data processing agreement of the Customer, by executing this Agreement, Parties acknowledge and agree that the processing of Personal Data will be governed by the data processing agreement, as set forth in Schedule 1 to this Agreement (“DPA”).

6. Indemnification

6.1. Customer agrees to defend, indemnify, and hold harmless PLAY IT (and its officers, directors, employees and agents) from and against any founded and well-substantiated third party claims, actions or demands (including, without limitation, costs, damages and reasonable legal and accounting fees) which result from any Customer Data infringing the rights of any third party (including infringement of intellectual property).

6.2. PLAY IT will defend, indemnify, and hold Customer (and its officers, directors, employees and agents) harmless from and against all costs, liabilities, losses, and expenses arising from any founded and well-substantiated third party claim, suit, action, or proceeding arising from the infringement of any European intellectual property rights by the Service or PLAY IT Content (other than that due to Customer Data). In case of such a claim, PLAY IT may, in its sole discretion, (i) procure a license that will protect Customer against such claim without cost to Customer, or (ii) replace the Service with a non-infringing Service, or (iii) if such remedies are not practicable, PLAY IT may cancel the Service and this Agreement, provided that in case of such cancelation, Customer will receive a pro-rata refund of the license fees prepaid for use of the Service not yet furnished as of the termination date, and PLAY IT shall compensate, without prejudice to the maximum liability of PLAY IT set forth in section 7.4 below, Customer for its reasonable internal and external integration and implementation costs of changing to a Third Party supplier of services equivalent to the Services, and Customer’s possible other costs and losses.

7. Disclaimers and Breach of Agreement

7.1. To the best of PLAY IT’s knowledge, the Service and/or PLAY IT Content do not, upon delivery to Customer, contain any Virus, and PLAY IT shall not knowingly program into any of the Service and/or PLAY IT Content any Virus or other software routine designed to permit unauthorized access to any Customer computer system or to disable, erase or otherwise cause damage to software, hardware or data or any back door, time bomb, software lockout key or device, drop dead device, or other software routine designed to disable a computer, either automatically or with the passage of time or under the control of any person, unless any such software routine is expressly requested in writing by Customer.

7.2. Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 7.1, PLAY IT MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THE USE OR PERFORMANCE OF THE SERVICE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. PLAY IT does not warrant or represent that the Service will be compatible with any application, program or platform not specifically identified as compatible in the Service. CUSTOMER ACCEPTS THE SERVICE "AS IS".

7.3. TO THE EXTENT LEGALLY PERMITTED UNDER BELGIAN LAW, AND NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, PARTIES SHALL NOT BE LIABLE TO EACH OTHER, FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES OF ANY NATURE ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, REGARDLESS OF THE CAUSE OF ACTION OR THE THEORY OF LIABILITY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, EVEN IF PARTIES HAVE BEEN NOTIFIED OF THE LIKELIHOOD OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, PLAY IT, ITS AFFILIATES AND THIRD PARTIES SHALL NOT BE RESPONSIBLE AND SHALL NOT BE LIABLE, DIRECTLY OR INDIRECTLY, FOR ANY LOSS OR DAMAGE, INCLUDING PERSONAL INJURY OR DEATH, AS A RESULT OF OR ALLEGED TO BE THE RESULT OF (I) ANY INCORRECT OR INACCURATE CONTENT POSTED IN THE SERVICE, (II) THE TIMELINESS, DELETION OR REMOVAL, INCORRECT DELIVERY OR FAILURE TO STORE ANY USER CONTENT, COMMUNICATIONS OR PERSONALIZATION SETTINGS; (III) THE CONDUCT, WHETHER ONLINE OR OFFLINE, OF ANY USER; (IV) ANY ERROR, OMISSION OR DEFECT IN, INTERRUPTION, DELETION, ALTERATION, DELAY IN OPERATION OR TRANSMISSION, THEFT OR DESTRUCTION OF, OR UNAUTHORIZED ACCESS TO, ANY USER OR USER COMMUNICATIONS; OR (V) ANY PROBLEMS, FAILURE OR TECHNICAL MALFUNCTION OF ANY TELEPHONE NETWORK OR LINES, COMPUTER ONLINE SYSTEMS, SERVERS OR PROVIDERS, COMPUTER EQUIPMENT, SOFTWARE, FAILURE OF EMAIL OR PLAYERS ON ACCOUNT OF TECHNICAL PROBLEMS OR TRAFFIC CONGESTION ON THE INTERNET OR AT ANY WEBSITE OR COMBINATION THEREOF, INCLUDING INJURY OR DAMAGE TO USERS OR TO ANY OTHER PERSON’S COMPUTER OR DEVICE RELATED TO OR RESULTING FROM PARTICIPATING OR DOWNLOADING MATERIALS IN CONNECTION WITH THE INTERNET AND/OR IN CONNECTION WITH THE SERVICE.

7.4. Without prejudice to sections 7.2 and 7.3 of the Agreement, in the event that liability is imposed on a Party its liability arising out of or in connection with this Agreement, regardless of the cause of action or the theory of liability, whether in tort, contract, or otherwise, shall not exceed the total fees paid by Customer under this Agreement during the 12 (twelve) months prior to the event that gives rise to a Party’s liability, provided that the aggregate indemnity obligation of each Party pursuant to this Agreement will be capped at the total fees paid by Customer under this Agreement during the 12 (twelve) months prior to the event that gives rise to a Party’s liability. As from the date of the Agreement, PLAY IT represents to the best of its knowledge, that no Third Party has any claims pertaining to the source code ownership of PLAY IT pertaining to the Service.

7.5. The Service may include gateways, links or other functionality that allows Customer to access Third Party services (“Third Party Services”) and/or Third Party content and materials (“Third Party Materials”). PLAY IT does not supply and is not responsible for any Third Party Services or Third Party Materials, which may be subject to their own licenses, end-user agreements, privacy and security policies, and/or terms of use. PLAY IT MAKES NO WARRANTY AS TO THIRD PARTY SERVICES OR THIRD PARTY MATERIALS.

8. Confidentiality

8.1. “Confidential Information” means non-public information, technical data or know-how of a Party and/or its affiliates, which is furnished to the other Party in written or tangible form in connection with this Agreement. Oral disclosure will also be deemed Confidential Information if it would reasonably be considered to be of a confidential nature or if it is confirmed at the time of disclosure to be confidential.

8.2. Notwithstanding the foregoing, Confidential Information does not include information which is: (i) already in the possession of the receiving Party and not subject to a confidentiality obligation to the providing Party, (ii) independently developed by the receiving Party, (iii) publicly disclosed through no fault of the receiving Party, (iv) rightfully received by the receiving Party from a Third Party that is not under any obligation to keep such information confidential, (v) approved for release by written agreement with the disclosing Party, or (vi) disclosed pursuant to the requirements of law, regulation, or court order, provided that the receiving Party will promptly inform the providing Party of any such requirement and cooperate with any attempt to procure a protective order or similar treatment.

8.3. Neither Party will use the other Party’s Confidential Information except as reasonably required for the performance of this Agreement. Each Party will hold in confidence the other Party’s Confidential Information by means that are no less restrictive than those used for its own confidential materials. Each Party agrees not to disclose the other Party’s Confidential Information to anyone other than its employees or subcontractors who are bound by confidentiality obligations and who need to know the same to perform such Party’s obligations hereunder. The confidentiality obligations set forth in this section will survive for one year after the termination or expiration of this Agreement. Notwithstanding the foregoing, PLAY IT is entitled to communicate at its sole discretion that it services the Customer (including but not limited to advertising related to the marketing and distribution of its Service) as per the Term of this Agreement, without revealing any Confidential Information.

8.4. Upon termination or expiration of this Agreement, except as otherwise agreed in writing or otherwise stated in this Agreement, each Party will, upon the request of the disclosing Party, either: (i) return all of such Confidential Information of the disclosing Party and all copies thereof in the receiving Party’s possession or control to the disclosing Party, or (ii) destroy all Confidential Information and all copies thereof in the receiving Party’s possession or control. The receiving Party will then, at the request of the disclosing Party, certify in writing that no copies have been retained by the receiving Party, its employees or agents.

8.5. In case a Party receives legal process that demands or requires disclosure of the disclosing Party’s Confidential Information, such Party will give prompt notice to the disclosing Party, if legally permissible, to enable the disclosing Party to challenge such demand.

9. Term and Termination

9.1. This Agreement will begin on the Subscription Date and will end in accordance with the term mentioned in the Sales Order (the “Initial Term”). This Agreement will then automatically renew itself for successive periods equal to the Initial Term, unless provided otherwise in the Sales Order (each a “Renewal Term” and together with the Initial Term, hereinafter referred to as the “Term”) beginning at the end of the Initial Term, respectively Renewal Term, unless either Party provides notice of termination three (3) months before the end of the Initial Term, respectively current Renewal Term, as applicable.

9.2. Each of the Parties may terminate this Agreement with immediate effect (or alternatively, in its sole discretion, suspend the access to the Service, in the event applicable) due to any material breach of the rights and obligations of the other Party under this Agreement.

9.3. Notwithstanding the above, either Party may terminate this Agreement by written notice to the other Party if the other Party materially breaches this Agreement and fails to cure such breach within sixty (60) calendar days from receipt of a default notice.

9.4. Either Party may terminate this Agreement by written notice to the other Party, effective as of the date of delivery of such notice, if the other Party becomes the subject of a voluntary or involuntary bankruptcy, insolvency or similar proceeding or otherwise liquidates or ceases to do business.

9.5. Upon termination of this Agreement for whatever reason (i) Customer shall promptly pay PLAY IT all Fees and other amounts earned by or due to PLAY IT pursuant to this Agreement, up to and including the date of termination, (ii) all user rights granted to Customer pursuant to this Agreement, including the rights to use the Service as per section 2, shall automatically terminate and Customer shall return all copies of the Service (In a directory structure file with the original data, all the reports in PDF, all documents in the same format (pdf, xls, doc, …) as uploaded in the service, delivered to the client on USB/DVD), if any. Termination of this Agreement on whatever ground shall be without prejudice to any right or remedy that has accrued prior to the actual termination.

9.6. The provisions of this Agreement that are expressly or implicitly intended to survive termination shall survive any expiration or termination of this Agreement.

10. Miscellaneous

10.1. Applicable law and Jurisdiction. This Agreement will be interpreted fairly in accordance with its terms, without any strict construction in favor of or against either Party and in accordance with Belgian law, without giving effect to any laws of conflict. Any dispute arising out of or in connection with this Agreement that will not be amicably settled by the Parties through good faith negotiations within three (3) months after notification in writing by any of the Parties, will be finally settled under the CEPANI Rules of Arbitration by three (3) arbitrators appointed in accordance with those Rules. The seat of the arbitration will be Kortrijk, and the arbitration will be conducted in the Dutch language. Notwithstanding the foregoing, any Party may seek immediate injunctive or other interim relief from any court of competent jurisdiction with respect to any matter for which monetary damages would not adequately protect such Party’s interests or otherwise to enforce and protect Intellectual Property Rights owned by or licensed to such Party.

10.2. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) will be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.

10.3. No Agency. No joint venture, partnership, employment, or agency relationship exists between Customer and PLAY IT as a result of this Agreement or use of the Service.

10.4. No Waiver. The failure of a Party to enforce any right or provision in this Agreement will not constitute a waiver of such right or provision unless acknowledged and agreed to by that Party in writing.

10.5. Force Majeure. Except for the payment by Customer, if the performance of this Agreement by either Party is prevented, hindered, delayed or otherwise made impracticable by reason of any flood, riot, fire, judicial or governmental action, labor disputes, act of God or any other causes beyond the control of such Party, that Party will be excused from such to the extent that it is prevented, hindered or delayed by such causes.

10.6. Assignment. This Agreement (or any part thereof) may not be assigned, transferred or sub-licensed by either of the Parties without the other Party’s prior written consent. Such consent is not to be withheld unreasonably, however, it is highly important to Customer that this Agreement in whole or in part will not be assigned, transferred or sub-licensed to a direct or indirect competitor to Customer. This agreement may be enforced by and is binding on permitted successors and assigns.

10.7. Notice. Each Party must deliver all notices or other communications required or permitted under this Agreement in writing to the other Party at the address listed on the Sales Order by courier, by certified or registered mail (postage prepaid and return receipt requested), or by a nationally-recognized express mail service. Notice will be effective upon receipt or refusal of delivery. If delivered by certified or registered mail, any such notice will be considered to have been given five (5) business days after it was mailed, as evidenced by the postmark. If delivered by courier or express mail service, any such notice shall be considered to have been given on the delivery date reflected by the courier or express mail service receipt. Each Party may change its address for receipt of notice by giving notice of such change to the other Party.

10.8. Entire Agreement. This Agreement, together with any applicable Schedule(s) and Appendix(es), comprises the entire agreement between Customer and PLAY IT and supersedes all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, between the parties regarding the subject matter contained herein. No amendment to or modification of this Agreement will be binding unless in writing and signed by an authorized representative of each Party.

Schedule 1 – DPA

Capitalized terms shall have the same meaning as in the Agreement, except for the following words and expression which shall have the following meaning in this DPA.

“Annexes”: the annexes to this DPA, which forms an integral part thereof and which describes the further details with respect to the Processing of the Personal Data.

“Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the same meanings as in the Data Protection Legislation. “Processed” and “Process” shall be construed in accordance with the definition of “Processing”.

“Data Protection Legislation” means any legislation in force within the European Union on the protection of personal data, including Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”).

“Third Party” means any person or entity which is not a party to the Agreement, including any contractors (including Sub Contractors).

“Services” means the services, functions, responsibilities and outputs to be provided and fulfilled by Processor under the Agreement.

“Sub Contractor” means a Third Party engaged by Processor as sub-contractor to provide the Services or any part of them.

1. The Data Controller requests the Services of the Data Processor, by which the Data Processor will Process Personal Data on behalf of the Data Controller. The Data Controller determines the purposes and means of the Processing and expressly acknowledges and warrants that it has all necessary rights to provide the Personal Data to the Data Processor, and that one or more lawful bases set forth in the Data Protection Legislation supports the lawfulness of the processing. The Data Processor shall without undue delay inform the Data Controller if, in its opinion, an instruction infringes this DPA, Data Protection Legislation or other EU or Member State data protection provisions.

2. Where Personal Data is Processed by Data Processor, its agents, Sub Contractors or employees under or in connection with the Agreement, Data Processor shall, and shall procure that its agents, Sub Contractors and employees shall:

a. only Process the Personal Data or disclose or permit the disclosure of the Personal Data to any Third Party:

- in accordance with the instructions of the Data Controller as stated in this DPA and Annex 1; or

- where required by EU or Member State law to which Data Processor is subject, in which case Data Processor shall inform Data Controller of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest;

b. take reasonable steps to ensure that all employees, agents and Sub-Contractors who may have access to the Personal Data:

- are informed of the confidential nature of the Personal Data; and

- are subject to confidentiality undertakings or professional or statutory obligations of confidentiality that apply with respect to (the Processing of) such Personal Data;

c. except where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Data Processor to a Data Controller, notify Data Controller without undue delay upon becoming aware of a Personal Data Breach, and otherwise assist Data Controller taking into account the nature of Processing and the information available to Data Processor, in meeting its obligations regarding the notification, investigation, mitigation and remediation of a Personal Data Breach under the Data Protection Legislation, without prejudice to Data Processors right to charge Customer any reasonable costs for such assistance;

d. co operate as reasonably requested by Data Controller, to the extent necessary to enable Data Controller to comply with any exercise of rights by a Data Subject under the Data Protection Legislation in respect of Personal Data Processed by Data Processor under the Agreement or comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, including by any regulator, subject to reasonable advance notice and without prejudice to Data Processor’s right to charge Customer any reasonable costs for such assistance;

e. only authorise Sub-Contractors to Process the Personal Data (“Sub-Processor”) not objected to by Data Controller, subject to:

- informing Data Controller of the identity of the proposed Sub-Processor. This is set out in Article 3. Data Processor informs the Data Controller of all intended changes with regard to the addition or replacement of other Sub-Contractors. The Data Controller has the right to object to such changes; and

- including terms in the contract between Data Processor and the Sub-Processor which are mutatis mutandis as those set out in this DPA; and

- Data Controller remaining liable to Data Controller in accordance with the terms of the Agreement relating to liability, for any failure by a Sub-Processor to fulfil its obligations in relation to the Processing of any Personal Data;

f. cease Processing the Personal Data upon the termination or expiry of the Agreement or, if sooner, the Service to which it relates and, at Data Controller’s option, either (if technically possible) return or delete the Personal Data and any copies of it or of the information it contains, without prejudice to any EU or Member State legal obligations for Data Processor to store or archive such Personal Data.

3. The nature and purpose of the Processing, type of personal data and categories of Personal Data to be Processed are further detailed in Annex 1.

4. Data Controller authorizes the use of third party sub-processors to process personal data on its behalf. Data Processor shall notify Data Processor has currently appointed, as sub processors, its affiliates and third parties as listed in Annex 2. Upon execution of this Agreement, Data Controller explicitly gives its written authorization to engage those sub-processors to Process personal data on Data Controller’s behalf.

5. Data Processor shall notify Data Controller by email of any intended changes concerning the addition or replacement of its current sub-processors prior to any such changes. Data Controller will be allowed to object to such addition or replacement on reasonable grounds relating to the protection of personal data within 30 days after the notification by submitting an email to privacy@playitsafe.eu. The Data Controller’s failure to object within this timeframe shall be deemed to have waived its right to object and to have authorized Data Processor to engage such sub-processor.

6. If Data Controller does notify Data Processor of such an objection, Parties will discuss Data Controller's concerns with a view to achieving a reasonable resolution. If no such resolution can be reached, Data Processor will, at its sole discretion, either not appoint the new sub-processor, or permit Data Controller to suspend or terminate the affected Service in accordance with the termination provisions without liability to either Party (but without prejudice to any fees incurred by Data Controller prior to suspension or termination of the Agreement).

7. Data Processor can only be held liable for an infringement of this DPA that is directly attributable to them, or the provisions that apply directly to Data Processor on the basis of the applicable Data Protection Legislation insofar as Data Controller has complied with its own obligations as set out in this DPA and the applicable Data Protection Legislation. The liability provision set out in the Agreement is fully applicable. In the event no limitation of liability was agreed in the Agreement, the liability that Data Processor may incur shall be limited to the value of the Agreement.

8. Upon request, Data Processor shall make available to Data Controller all information necessary to demonstrate compliance with its obligations under Article 32 to 36 of the GDPR and allow for and contribute to audits conducted by Data Controller or another auditor mandated by Data Controller (which may be refused by Data Processor if this is a competitor of Data Processor or if there is a conflict of interest with this mandated auditor) for the purpose of verifying the compliance with its obligations under this DPA without prejudice to Data Processor’s right to charge Data Controller any reasonable costs for such assistance. An audit may not take place more than once per contract year and must be notified at least 60 days in advance. All audit costs are exclusively borne by the Data Controller. Data Processor may limit the access of Data Controller to the premises of Data Processor to a space provided by Data Processor and the auditor may not copy or delete documents from Data Processor without the prior approval and consent of Data Processor. Data Controller shall guarantee that the audit is carried out in such a way that the inconvenience for Data Processor is kept to a minimum. Data Controller will impose sufficient confidentiality obligations on its auditors. In addition, Data Processor has the right to require the auditors to sign a non-disclosure agreement before the start of the audit. In all cases, it is essential to protect the confidential information of Data Processor. Data Controller must, or will request that its external auditors, send a draft version of the audit report to Data Processor. Data Processor has the right to submit its comments within a timeframe as agreed between the Parties. The auditor shall take the comments of Data Processor into account.

9. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall implement the measures stated in article 32 of the GDPR and ensure that its agents, Sub Contractors and employees implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account in particular the risk of accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to the Personal Data. The Data Controller and Data Processor shall take steps to ensure that any natural person acting under the authority of the Data Controller or the Data Processor who has access to personal data does not process them except on instructions from the Data Controller, unless he or she is required to do so by EU or Member State law.

10. Any transfer of Personal Data to a third country or international organisation may only take place in accordance with the principles set out in the applicable Data Protection Legislation and this DPA. The Data Controller grants the Data Processor permission to transfer Personal Data to a third country or to an international organisation, as set out in the Annex 1. Any change or addition to the list as stated in the Annex 1, as proposed or required by the Data Processor, will be communicated to the Data Controller before such transfer takes place. The Data Controller has the right to object to such transfer within five (5) days of notification of the change. The Parties agree on whether or not to proceed with the transfer and the consequences thereof for the provision of the Services in terms of scope, timing and budget. Any transfer to a third country or international organisation can take place on the following grounds:

a. An adequacy decision by the Commission;

b. Appropriate safeguards, including the availability of enforceable rights of Data Subjects and effective legal means. Appropriate safeguards must be adhered to in the following cases: (i) binding corporate rules; (ii) standard data protection clauses adopted by the Commission or by a Supervisory Authority and approved by the Commission; or (iii) an approved code of conduct or an approved certification mechanism.

11. If there is new guidance or a change in the Data Protection Legislation or case law that renders all or part of the Services illegal, Data Processor may terminate the Agreement unless the Parties reach agreement to change the Services whereby the Services are no longer illegal.

12. If a provision of this DPA is proven to be invalid or unenforceable in whole or in part, it will be regarded as severable (insofar as it is invalid or unenforceable) and the validity of the other provisions of this DPA and the remainder of the provisions in question will remain unaffected. If the invalid provision is of fundamental importance for achieving the goal of this DPA, the Parties shall negotiate in good faith to remedy the invalidity, illegality or unenforceability of the provision or otherwise change this DPA to achieve its purpose.

ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA

1. The nature and purpose of the Processing of Personal Data

The services facilitates an online cloud-based learning platform through gaming for employees and a management portal for administrators.

2. The categories of Personal Data to whom Personal Data relates

Customers

Employees of customers

Prospects

3. The Personal Data concern the following categories of Personal Data

First Name;

Last name;

E-mail address;

Date of birth;

Position;

Department;

Language;

Educational attainment;

Details on completed courses;

Details on most common mistakes.

4. Transfer(s) of Personal Data

Personal Data are transferred to the following third countries (outside the EEA): cf. annex 2 – sub-processors.

ANNEX 2: SUB-PROCESSORS

- Microsoft Corporation, a company organized and existing under the laws of USA, with its address at One Microsoft Way, Redmond, WA 98052, used as cloud provider (AZURE).

- Pipedrive OÜ, a company organized and existing under the laws of Estland, with its address at Mustamäe tee 3a, Tallinn 10615, used as CRM.

- Twilio, a company organized and existing under the laws of USA, with its address at 375 Beale St #300, San Francisco, used for email communication (SendGrid).

- Unity Technologies, a company organized and existing under the laws of USA, with its address at 30 3rd Street, San Francisco, CA 94103, used as game engine and analytics (error tracking) provider.

- Functional Software Inc., a company organized and existing under the laws of USA, with its address at 132 Hawthorne St, San Francisco, CA 94107, used for real time error tracking (Sentry)

- Verizon Digital Media Services, a company organized and existing under the laws of USA, with its address at 13031 W Jefferson Blvd, Building 900, Los Angeles, CA 90094 used for CDN.