Master Subscription Agreement This Master Subscription Agreement (further referred to as “MSA”) consists of the General Terms and Conditions (further referred to as “GTC”) with incorporated appendices and the Data Processing Agreement (further referred to as “DPA”) with appendices. General Terms and Conditions 1. Introduction 1.1. These General Terms and Conditions and incorporated appendices (the “GTC”) are entered into by Customer (as defined according to the Section 2 of the GTC) and Pagero AB, a company registered under number 556581-4695 in Sweden, having its principal office at Västra Hamngatan 1, SE-411 17 Göteborg, Sweden (“Pagero”). 1.2. The Customer acknowledges that the GTC may change from time to time and agrees to follow at any time applicable GTC. If Customer does not agree to such changes, Customer is entitled to terminate the Agreement. Customer must notify Pagero thereof within (30) days from the receipt of such change notification. 1.3. The following appendices are incorporated into the GTC and thus constitute an integral part of the GTC: - GTC Appendix 1 - Authorization for outsourced e-invoice issuance and validation - GTC Appendix 2 - Authorization for outsourced e-invoice issuance where an electronic signature is applied - GTC Appendix 3 - Authorization for outsourced signature validation 2. Customer 2.1. For any new co-operation (the “New Agreement”): The Customer is the organization stated in the Proposal. 2.2. For any new co-operation concluded directly in the Pagero Online environment (the “Online Agreement”): The Customer is the organization that has been defined in the Admin User Account in Pagero Online. 2.3. For any extension of existing co-operation, i.e. adding a new User Account under an already existing Agreement (the “Agreement Extension”): The Customer is the organization that has been defined in the Admin User Account in Pagero Online. 2.4. For the purpose of these GTC, wherever the term Customer is used it also includes Customer’s authorized users. 3. Agreement acceptance 3.1. For the New Agreement - according to the terms outlined in the Proposal. 3.2. For the Online Agreement and the Agreement Extension – acceptance in Pagero Online. 3.3. Irrespective of the way of acceptance, Customer agrees to comply with all the terms and conditions of the MSA, including all appendices. 3.4. In the event, the Agreement has already been concluded between the Customer’s authorized representative and Pagero and is still in force, while this MSA is being accepted online by a new end user of the Customer, only sections 4, 7-16, 22-26, 28 and 30 of the GTC are applicable to the individual end user. For the avoidance of doubt, where there is no existing Agreement in place between the Customer and Pagero, the MSA is considered to be accepted as a whole with no exceptions.   4. Definitions “Admin User Account” means the User Account created in Pagero Online by or on behalf the authorized representative of Customer in connection with concluding the Agreement with Pagero. “Agreement” means the MSA and, as the case may be, Proposal, Professional Services Agreement (the “PSA”), Service Level Agreement (the “SLA”), and other appendices and addendums. These documents are available at www.pagero.com/agreements and it is the most recent version which is binding for the Customer. "Affiliate" means a company, corporation or other entity which directly or indirectly controls, is controlled by or is under common control with, a Party to this Agreement. “Business Day” means any day which is not Saturday or Sunday, or a public holiday in the relevant country from which the Services are performed. “Change Request” means a process or a form under which the Customer requests Pagero to implement new or amend existing Software Services. “Customer Contact Data” means any kind of Personal Data that can be linked directly or indirectly to a natural person who is Customer’s employee or otherwise represents Customer towards Pagero or uses or administrates Pagero Online on behalf of Customer. “Customer Data” means the data Customer is processing via Pagero Online, such as E-messages and their content, payment files or user account details. “e-Invoice” means a document or dataset that can be considered an invoice under applicable legislation and which has been issued and/or received in any electronic format. “e-Message” means for the purpose of this Agreement an electronic business document exchanged between the Trading Partners, including but not limited to electronic orders, order confirmations, dispatch advises, delivery confirmations, electronic invoices, reminders and payment files. “Tax e-Invoice” means the e-invoice which is allowed to be used for the tax purposes by the Trading Partners as opposed to an e-invoice copy. “Pagero Group” means Pagero and its Affiliates as defined in this Agreement. “Pagero Online” means the E-message SaaS platform with ancillary Software Services, including but not limited to any related materials and documentation and services developed, modified and/or owned by Pagero. ”Pagero Partner” is a third party collaboration partner to Pagero, setting up and/or managing accounts in Pagero Online on behalf of Customer(s) under a separate agreement between Customer and the Pagero Partner. “Personal Data” means any kind of information that can be linked directly or indirectly to a natural person. “Professional Services” means provided professional services as defined in the Proposal or a Change Request, including but not limited to help desk and support. “Proposal” means a proposal regarding the provision of Professional and Software Services. “Recipient” means a party receiving an invoice or other electronic document, usually the buyer. “Sensitive personal data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation or Personal Data relating to criminal convictions and offences or related security measures. “Services” means Professional and Software Services collectively. “Software Services” means provided software services as defined in the Proposal or a Change Request, including but not limited to Pagero Online. “Supplier” means an organization that supplies goods or services to buyer and that may be obligated to issue and store an Invoice, as well as, where applicable, to report, account for, and pay output VAT. “Trading Partner” means either Supplier or Recipient, who together are referred to as “Trading Partners”. “User Account” means a logged-in environment within Pagero Online through which the Customer’s representative have access to E-messages distributed or received via Pagero’s network, as well as ordered Customer specific settings. 5. Grant of license 5.1. Subject to the terms and conditions of the Agreement, Pagero hereby grants Customer a non-exclusive, non-transferable and non-sub licensable license to use the ordered Software Services solely within Customer’s business during the Agreement Period. Pagero reserves all rights not expressly granted. 5.2. During the license period, Customer has the right to use the Software Services for the number of registered individual users specified in the Proposal. If no such specification is made, the right to use Pagero Online is limited to one individual user. 5.3. Software Services are provided as standard solutions but may be adapted in order to be integrated with a Customers ERP system or similar. Unless otherwise agreed, only Pagero or a company appointed by Pagero may conduct such adaptations. Any such adaption shall be owned by Pagero and will be included in the Software Services. Subject to the terms and conditions of the Agreement, Pagero hereby grants Customer a non-exclusive, non-transferable and non-sub licensable license to use such adaptions solely within Pagero Online and within Customer’s business, during the Agreement Period. 5.4. Pagero’s standard delivery does not automatically include new features and/or solutions in the Software Services. 6. Payment and remuneration conditions 6.1. Unless otherwise have been agreed between the Parties, payment shall have been made no later than twenty (20) days after the invoice date. 6.2. In event of delay in payment, Pagero shall be entitled to charge interest on any overdue amount from the due date until the date of payment at the rate determined by applicable late payment interest legislation. For areas where late payment interest may not be applied due to applicable mandatory legislation, including but not limited to the Gulf area, local legislation regarding late fees shall apply. 6.3. Pagero reserves the right to suspend Customer from the Services, in whole or in part, if Customer does not make timely payments, or if Customer commits any other breach of the Agreement. 6.4. For the Software Services, the annual license fees will be invoiced in advance, however, not earlier than the Agreement Date, and transaction fees in arrears. 6.5. Professional Services will be invoiced monthly in arrears. Unless expressly exempted in this MSA, the agreed hourly rates for Professional Services shall apply for all work performed by Pagero for the Customer, including but not limited to (i) change requests, (ii) work resulting in breach of Customer’s responsibility (iii) support services, (iv) general consulting. 6.6. Pagero’s regular hourly rate applies to the performance of Professional Services during Ordinary Working Hours (as defined further in this paragraph), while for Overtime 1 – multiplication factor 1,5 is applied and for Overtime 2 – multiplication factor 2 is applied: a) Ordinary Working Hours: • Europe: CET 08.00-17.00 • North America: CST 8.00 AM-5.00 PM b) Overtime 1: • Europe: CET 06.00-08.00 and 17.00-20.00 • North America: CST 6.00-8.00 AM and 5.00-8.00 PM c) Overtime 2: • Europe: CET 20.00-06.00 • ii) North America: CST 8.00 PM-06.00 AM 6.7. Customer will reimburse Pagero for verified expenses for travel, accommodation and subsistence incurred by Pagero in the performance of the Services provided that the expenses have been approved by Customer beforehand. Such expenses will be invoiced monthly in arrears. 6.8. Pagero has the right to unilaterally adjust existing or add new fees. In this case, Pagero shall inform Customer of any such adjustments no later than three (3) months before the change(s) come into force. If Customer does not agree to such changes, Customer is entitled to terminate the Agreement. Customer must notify Pagero thereof within (30) days from the receipt of such change notification.   7. Pagero’s responsibilities 7.1. Pagero shall starting from the agreed start date provide Software Services according to the Proposal. 7.2. Pagero reserves the right to undertake changes to the Software Services but shall inform Customer without undue delay of any material changes to Software Services affecting Customer. 7.3. Pagero shall offer standard updates or bug fixes of the Software Services during the Agreement Period and make such available to Customer without any additional charge. 8. Customer’s responsibilities 8.1. The Customer undertakes to: a) ensure that the environment integrated with or otherwise used by the Customer is updated according to the, at the applicable time, instructions provided by Pagero, b) ensure that all instructions provided by Pagero are followed, c) be solely responsible for any backup of Customer Data, d) ensure that the Customer Data passed through Software Services is free from any viruses and, or other similar harmful software and can have in no way a negative effect on Pagero or its Software Services, e) not attempt to use the Software Services with crawlers, robots, data mining or extraction tools other than those provided by Pagero. f) ensure that Customer Data in Pagero Online is provided according to, at that time applicable, Pagero’s instructions and recommendations, g) ensure that log-in credentials to the User Accounts are kept safe and that and all times sufficient security protocols and procedures are followed when Pagero Online is used, h) appoint a physical person (officer) for receiving the Log-in details for Pagero Online, and keep Pagero informed of the contact details to that person, i) be solely responsible for the communication between Customer and Pagero Online, including ensuring that Customer has the necessary equipment and software applications or access points to access and use Pagero Online, as communicated by Pagero to Customer from time to other, and j) update and correct information that has been submitted through Pagero Online including but not limited to the User Accounts and ensure that it is accurate at all times (outdated information may result in a User Account being blocked or otherwise invalidated). 8.2. The Customer undertakes to not: a) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software Services in any form or media or by any means, or b) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software Services, or c) access all or any part of the Software Services in order to build a product or service which competes with the Software Services, or d) use the Software Services to provide services to third parties, unless otherwise explicitly agreed with Pagero, or e) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Software Services available to any third party, or f) attempt to obtain, or assist third parties in obtaining, access to the Software Services and/or any related documentation. 8.3. The Customer shall use all reasonable efforts to prevent any unauthorized access to, or use of, the Software Services and, in the event of any such unauthorized access or use, promptly notify Pagero or its Affiliates. 8.4. Customer has full responsibility for the following aspects of e-Message: a) Timely delivery of the e-Message, especially payment instructions, to Pagero if certain time frames, e.g. bank holidays, must be observed, b) Customer is solely responsible to ensure that the content of the exchanged e-Messages is correct and complete, and that the e-Message otherwise fulfills the legal requirements, c) the right payment authority for VAT and any other applicable tax is used on e-Messages according to applicable laws, d) Customer has implemented and follows tailored business control processes, e.g. creation, issuance and receipt of invoices, credit notes, corrective invoices, etc., e) special requirements regarding self-invoicing (self-billing) and other indirect invoicing processes, are followed and complied with. 8.5. Customer, when acting as the Recipient of an e-Messages transaction, obliges itself to receive e-Messages in an electronic form and to treat these electronic documents as Tax e-Invoices for tax purposes, where applicable. 8.6. Customer acknowledges and confirms that they are fully liable towards the tax authorities for the e-invoice, VAT and other tax related consequences. Among other things, Customer is fully responsible for reporting and paying VAT and other taxes as appropriate in the same way as if the e-Invoice had been issued directly by Customer. Outsourcing of e-Invoice issuing or validation functions does not lead to any liability shift when it comes to Customer’s tax or accounting law obligations. 8.7. In respect of the payment instructions, Customer is responsible for activating the file approval service in Pagero Online if the file is automatically processed (without approval in the bank interface) in the bank/clearing house. 9. Error management in Pagero Online 9.1. Through Pagero Online, Pagero receives and delivers e-Messages between Trading Partners. Pagero will notify Customer of any failure in delivering any e-Message, regardless of the reason, by sending a notification in Pagero Online, an e-mail, or other agreed communication channel. Such notifications will be sent as soon as the failure is detected by Pagero. Thereafter Customer is responsible for taking appropriate actions. 10. Originals management 10.1. Unless otherwise agreed on between the Trading Partners and explicitly communicated to Pagero, Pagero will have the right to determine the Tax Invoice and its format, according to the applicable regulations or otherwise best e-Invoicing and where applicable other e-Messaging practice in the given country, industry or area. 10.2. Pagero will ensure appropriate document labelling in Pagero Online. 10.3. Any print-outs from Pagero Online shall constitute copies and shall be marked as such. 10.4. The invoice distributed via e-mail service shall constitute the Tax e-Invoice. 11. Duplicate control 11.1. Customer acknowledges and agrees that Pagero in order to perform its Services, or if requested or otherwise ordered by the Customer, has the right to perform necessary duplicate control of e-Invoice and where applicable other e-Message numbering, i.e. that the same e-Invoice and where applicable other e-Message identification number has not already been used during the same fiscal year. 12. Format, content and code list conversions 12.1. Customer acknowledges and agrees that Pagero in order to perform its Services, or if requested or otherwise ordered by the Customer, has the right to perform necessary conversions of the format as well as the content of the e-Messages and invoice data exchanged between the Trading Partners in order to ensure among others the correct delivery and originals management of e-Messages. 13. Content validation 13.1. Customer acknowledges and agrees that Pagero in order to perform its Services, or if requested or otherwise ordered by the Customer, has the right to perform necessary content validation, e.g. control whether the mandatory data fields lack input, in order to ensure conformity of e-Invoices or, as the case may be, other e-Messages with the legislation as well as the Recipients’ requirements.   14. Content enrichment 14.1. Customer acknowledges and agrees that Pagero in order to perform its Services, or if requested or otherwise ordered by the Customer, has the right to perform necessary content enrichment, e.g. add missing data elements, in order to ensure conformity of e-Invoices or, as the case may be, other e-Messages with the legislation as well as the Recipients’ requirements. 15. Outsourcing authorizations 15.1. Where required and allowed by the local regulations, Customer, entitles Pagero or, as the case may be, Pagero’s subcontractors to perform certain services in the name or on behalf of Customer. 15.2. Details of such authorizations are stated in appendices to the GTC. 15.3. If it is necessary for compliance with applicable legislation, Customer agrees to sign further documentation as necessary to enable Pagero to provide its Services. 15.4. Customer acknowledges and agrees that the authorizations and other rights under this Agreement and its appendices have been provided to Pagero merely for the purpose of enabling correct E-message handling and issuance of electronic invoices. 16. Data Export 16.1. Customer may at any time request a Customer Data export from Pagero Online or, as the case may be, the archiving service. Pagero will assist Customer with providing such exports in accordance with current hourly fees. 16.2. Customer has been informed and confirms that when exports of Customer Data from Pagero Online are requested only data from the last ninety (90) days will be available. 17. Connection to eInvoicing platforms 17.1. In certain jurisdictions enabling electronic invoicing entails integration and creation of a user account with external eInvoicing infrastructure, either private or governmental (“eInvoicing platform”). 17.2. Where required and allowed, Customer entitles Pagero, or as the case may be Pagero’s subcontractors, to integrate with such eInvoicing platforms and, where needed, create such user accounts in the name and on the behalf of Customer. 17.3. Pagero will only create user accounts and are not liable to administer it. Any login credentials will be passed over to the Customer and will not be used by Pagero, other than as explicitly instructed by Customer. 18. Pagero Free Webportal 18.1. Customers using Pagero’s Free Webportal acknowledges and agrees that the initial thirty six (36) transactions (inbound and outbound calculated together) will be free of charge, thereafter Pagero reserves the right to charge a fee of EUR 0,50 (fifty Eurocent) per transaction, to be invoiced in local currency, unless otherwise stated in the Proposal. 19. External print 19.1. Customer may utilize External Print service at a fee of EUR 1,50 (one Euro and fifty Euro cents) per transaction, to be invoiced in local currency, unless otherwise stated in the Proposal. 20. Pagero Data Capture 20.1. Customer may utilize Pagero Data Capture at a price of EUR 2,50 (two Euro and fifty Euro cents) per transaction, to be invoiced in local currency, unless otherwise stated in the Proposal. 21. Pagero e-archive 21.1. Customer may utilize Pagero e-archive at a price of EUR 1,00 (one Euro) per transaction, to be invoiced in local currency, unless otherwise stated in the Proposal. 22. Intellectual property rights and know-how 22.1. Pagero retains all ownership and intellectual property rights to anything developed or modified by Pagero or its Affiliates and provided to, or accessed by, Customer. 22.2. Customer retains all ownership and intellectual property rights related to their software, content or data. 22.3. After termination of the Agreement, Customer undertakes to immediately remove and destroy all provided Log-in details, documentation and similar materials of Pagero and its Affiliates. 23. Third-Party Terms 23.1. Customer acknowledges that Pagero’s Software Services may contain software (including open source software) distributed under third party agreements (“Third-Party Components”), which contain terms regarding the rights to use certain portions of Software Services (“Third-Party Terms”). 23.2. Such Third-Party Components may require notices or acceptance of additional terms and conditions. Such notices or additional terms and conditions can be obtained by visiting www.pagero.com/third-party-components and are incorporated by reference into this agreement. 23.3. Should the Third-Party Terms conflict with the GTC the Third-Party Terms shall take precedence over the GTC. 23.4. Pagero is not responsible for updating or maintaining such Third-Party Components or for technical errors such as bugs or similar. 24. Subcontractors 24.1. Customer acknowledges and agrees to Pagero and its Affiliates may engage subcontractors for performance of ordered Services without any notification to or approval from Customer. 24.2. Pagero bares full liability towards Customers for the performance of each subcontractor or supplier that it engages. 25. Confidentiality 25.1. Each Party undertakes during the Agreement Period and five (5) years thereafter to not disclose, without written consent from the other Party, any information regarding, or connected to, the other Party that can be considered confidential information and/or business secrets, regardless of if the information is specifically marked as confidential or not. Information regarding price lists and price models provided by Pagero shall at all times be considered business secrets and confidential. 25.2. The Customer shall, upon becoming aware of any unauthorized disclosure of such information, promptly notify Pagero Group of such event, and provide reasonable assistance to Pagero Group in rectifying such unauthorized disclosure. 25.3. The confidentiality undertaking is not applicable for information which the Party can prove is or has become common knowledge, without any breach of this Agreement. Nor is the confidentiality undertaking applicable if a Party is obliged by law to reveal such information. In such event, the Party revealing the information shall, prior to revealing the information, inform the other party of the request if not prevented from doing so by, at the time applicable, legislation. 25.4. If Customer has received access to Pagero Online through a Pagero Partner and/or a Pagero Partner manages Customer’s Pagero account, Customer consents to Pagero disclosing Customer Data to the Partner. 25.5. Pagero and the Pagero Partner may use anonymized Customer Data and data aggregated with other customer’s data for enhancing the Services and for statistical and marketing purposes. 25.6. The Parties shall by confidentiality agreement, or other corresponding actions, assure that the confidentiality undertakings, according to the Agreement, are followed by employees, consultants, subcontractors and others performing under or in connection to the Agreement. 25.7. Pagero may use the Customer’s name for marketing purposes   26. Personal Data Protection 26.1. Handling of Personal Data a) The Parties agree and acknowledge that Customer will act as data controller and Pagero as data processor in respect of Personal Data processed under this Agreement, except of what is stated regarding Customer Contact Data which is outlined below. Customer is responsible for ensuring that their instructions to Pagero regarding the processing of personal data constitutes suitable measures for protection of personal data according to applicable personal data legislation. b) Customer is solely responsible for establishing the purposes of and means for Pagero’s (or its subcontractor’s, as appropriate) handling of personal data in connection with Pagero Online. c) Additional provisions regarding the handling of personal data are defined in the Data Protection Agreement. 26.2. Handling of Customer Contact Data a) The Parties agree and acknowledge that they will both be acting independently as data controllers in respect to the Contact Data processed by them, respectively pursuant to the Agreement and that Pagero will be the data controller in respect to any Customer Contact Data received from Customer. b) Pagero will electronically process personal data pertaining to the contact persons of Customer, such as contact information, in order to provide Customer with the Services and to administer the business relationship with Customer. The data may also be used for statistical analysis and business reporting purposes and to comply with applicable laws and regulations. Pagero may disclose the information to its Affiliates, which may also use the information for the purposes described herein. Registered persons have, upon written request, right to access the data related to them. They also have the right to rectify such data. Further information may be obtained by contacting the controller of the data at dpo@pagero.com or at the registered address stated above. c) Pagero may use Customer Contact Data in order to send newsletters, to conduct product surveys, to advertise similar products or services of Pagero and for event invitations. Pagero is entitled to submit Customer data, including its contact persons, to its Affiliates which are entitled to use the data for the purposes described above, to the extent permitted by law. The recipient of such advertising can opt out from receiving further marketing communication by contacting marketing@pagero.com. 27. Compliance with laws, rules and regulations 27.1. Each Party shall at all times comply with all laws, rules and regulations in connection with and applicable to each Party’s performance and activities under this Agreement, including but not limited to: a) those concerning the furnishing of any documents or information required to comply with customs laws, rules and regulations, including required exportation or importation of documents, b) those concerning the filing of reports and documents with any taxing authority and the payment of all taxes, duties and charges (and any penalties thereon) resulting from Party’s activities in connection with this Agreement, including income and social security taxes, c) any security laws and regulations, d) any registration requirement. 28. Code of Conduct and other directives 28.1. Customer undertakes to comply with the applicable requirements in Pagero Group's at each time applicable code of conduct (the "Code of Conduct"), which will be provided to Customer upon request, or such equivalent code of conduct as jointly agreed by the parties. 28.2. If Customer does not comply with the Code of Conduct or equivalent code of conduct, Customer where reasonable and possible shall provide Pagero with a plan for implementation of the said Code of Conduct. 28.3. In the event Customer does not comply with Code of Conduct, and such non-compliance cannot be remedied by Customer and is of significant importance for Pagero, Pagero shall have the right to terminate this Agreement.   29. Force Majeure 29.1. If the Parties are prevented from fulfilling their obligations under this Agreement due to circumstances which the Parties have no control over (e.g. lightning strike, fire, changed legal provisions or regulations provided by authorities, intervention by authorities, strike, communication or transport disruptions, changes in exchange rates or natural disasters) the Parties shall be released from its liabilities until the circumstance given rise to the Parties’ inability to fulfill their respective obligations are no longer enforced. If a Party is prevented from fulfilling its obligation for a period longer than thirty (30) calendar days due to any such circumstance mentioned above, Parties shall have the right, to terminate the Agreement with immediate effect without being liable to pay compensation. 30. Limitation of Liability 30.1. If a Party does not fulfill its obligations under this Agreement, the other Party shall be entitled to claim damages. 30.2. Neither Party is liable for unforeseeable damages or damages atypical for the Agreement, in particular for indirect or consequential damages. 30.3. In any event, Pagero Group’s entire liability for any cause of action or non-action shall be limited to the value of all fees paid by Customer to Pagero during the past 12 months, or if 12 months has not passed, a calculated 12-month period containing fees paid and expected fees payable. 30.4. This limitation shall not apply to damages caused by Pagero Group’s gross negligence or willful misconduct. 30.5. For the avoidance of doubt, this Section 30 shall survive the expiration or termination of the Agreement 31. Notices under this Agreement 31.1. Notice of termination or any other correspondence under this Agreement shall be made in writing by letter or E-mail to the contact details provided in the Agreement or as agreed otherwise in writing. 32. Assignment of the Agreement 32.1. The Agreement cannot be transferred without a written approval from the other party. Notwithstanding the foregoing, Pagero may transfer its rights and obligations under this Agreement to its Affiliates and its right to receive payments under this Agreement to a third party. 33. Agreement period 33.1. The Agreement will initially be valid until the Contracted End Date as defined in the Proposal or, if no such Contracted End Date has been set out, for a period of twelve (12) months from the moment the Agreement became legally binding as defined in the Proposal and this MSA. 33.2. Unless cancelled by either Party with a written notice at least three (3) months before the expiry of the agreement period, the Agreement will thereafter be prolonged for a successive period of twelve (12) months. 34. Termination of the Agreement 34.1. Either Party may terminate the Agreement with immediate effect upon written notice if: a) the other Party materially breaches any provision of the Agreement, or b) the other Party repeatedly or continuously fails to meet its obligations under the Agreement and does not upon the other Party’s request remedy such failures within a reasonable time frame denoted by the other Party, or c) the other Party has provided incorrect or misleading information, or has concealed circumstances of importance, or d) the other Party, or its representatives, may be suspected of having committed a criminal offence in connection with the performance of the Agreement or usage of Software Services, or e) the other Party may be expected to go bankrupt, enter into corporate or composition proceedings, suspend payments or otherwise be deemed insolvent or have significant financial difficulties. 35. Effect of cancellation or termination of the Agreement 35.1. Upon cancellation or termination of this Agreement: a) Customer shall promptly cease use of Pagero’s Software Services, and Pagero has the right to cease all further Customer access to Software Services. b) All outstanding invoices immediately become due and payable by Customer. c) Customer shall promptly return to Pagero and/or destroy all Pagero property, including, but not limited to, all copies of Log-in details to Pagero Online and any other proprietary information of Pagero Group delivered under the Agreement. d) Customer acknowledges that, unless prevented by law, all Customer Data will be deleted after ninety (90) days after termination of the Agreement, except of payment instructions which will be deleted after twenty-four (24) months. Pagero may however keep anonymized and aggregated Customer Data for herein agreed purposes. e) Customer acknowledges that it is Customer’s responsibility to before the termination of the Agreement store any Customer Data that Customer wishes to keep after the termination. Pagero may upon Customer’s request at applicable remuneration assist in such preservation work (Data Export). f) In event of termination of the Agreement with immediate effect by Customer according to section 34, Pagero shall repay any outstanding annual fees from the date of termination. 36. Document hierarchy 36.1. This Agreement supersedes all existing agreements between the Parties on the subject matter hereof, whether written or oral, and all such prior agreements are hereby terminated by mutual consent by the Parties. 36.2. This Agreement consists of the following documents, and in case of conflict between the provisions of such, shall be given precedence in the order listed below: - The most recently dated amendments to the Agreement, - The Data Processing Agreement (DPA) and incorporated appendices, - The General Terms and Conditions (GTC) and incorporated appendices, - The Professional Services Agreement (PSA), - The Service Level Agreement (SLA), - The Proposal, - Other agreed appendices and addendums 36.3. In the event Pagero has provided a Convenience Translation of the Agreement or any other document (i.e. a version in a language different from the original language), the original text in ENGLISH remains the only legally binding text. 37. Severability clause 37.1. If for any reason a court of competent jurisdiction finds any provision of this Agreement, or any portion thereof, to be invalid, null or unenforceable, that provision or portion shall be enforced to the maximum extent permissible so as to affect the original intent of the Parties, and the remainder of this Agreement shall continue in full force and effect. 38. Dispute resolution 38.1. The Parties recognize that the amicable resolution of any disputes is in their mutual best interests. As such, the Parties agree to promptly notify the other Party of any dispute and to engage in good faith in consultations to resolve such disputes. 38.2. Would the Parties fail to reach such amicable resolution, either Party may refer any difference to be settled in accordance with section 39 of these GTC. 39. Governing law and dispute resolution 39.1. This Agreement shall be governed by and construed in accordance with the substantive laws of Sweden. 39.2. Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). 39.3. The Rules for Expedited Arbitrations shall apply where the amount in dispute does not exceed EUR 100,000. Where the amount in dispute exceeds EUR 100,000 the Arbitration Rules shall apply. The Arbitral Tribunal shall be composed of a sole arbitrator. The amount in dispute includes the claims made in the Request for Arbitration and any counterclaims made in the Answer to the Request for Arbitration. 39.4. The place of arbitration shall be Gothenburg. 39.5. The language to be used in the proceedings shall be English.   GTC Appendix 1 – Authorization for outsourced e-invoice issuance 1. Nature of this authorization 1.1. This authorization for outsourced issuance of e-invoices where no electronic signature is applied (hereinafter referred to as “e-invoice authorization”) has been drawn up for tax compliance purposes and does not address or affect rights and obligations concerning commercial or liability aspects of the e-invoice issuance or related electronic signature services provided to the Customer; such aspects have been regulated in the Agreement. 1.2. Unless explicitly stated herein or in the Agreement, this Mandate does not authorize Pagero to act in the name and on behalf of Customer. This e-invoice authorization can be revoked at any time and will remain valid until such revocation. 2. Terminology 2.1. Regarding Italian law specifically: Where this Outsourced Issuance Mandate (hereinafter referred to as “Mandate”) refers to issuance of invoices “in name and on behalf of” a party, this should be read as “on behalf of” in all instances where such activity is governed by the laws of Italy. 3. Authorization of e-invoice issuance and electronic signing 3.1. Customer hereby authorizes Pagero to receive Customer’s invoice data, not yet constituting a tax invoice, and issue electronic invoices “in the name and on behalf of” Customer. 3.2. Customer explicitly acknowledges and agrees: a) That Pagero will be the formal issuer of the invoice, in name and on behalf of Customer, where the invoice data provided by the Customer does not meet the regulatory content requirements or the Recipients system or business requirements. b) To the procedures for e-invoice issuance as described in this authorization. c) That the Customer’s e-invoices may include language specifying that e-invoice issuance has been outsourced. 4. Tax compliance and responsibility Customer acknowledges and agrees that: a) Customer remains fully responsible towards competent tax authorities for the invoice and its VAT and other tax implications. Among other things, Customer remains fully responsible for, where relevant, reporting and paying VAT and other applicable taxes as though the invoice were issued directly by Customer. b) Customer shall not directly or indirectly submit invoice data that under applicable law may not be used by a third party for issuing invoices “in the name and on behalf of” Customer. c) Customer shall within 48 hours of providing invoice data to Pagero inform the latter if Customer has not yet received its version of the original signed invoice issued in its name and on its behalf or has not yet been granted on-line access to the same. d) Customer shall within 48 hours from the moment that the invoice has become available to Customer, signal apparent errors in the e-invoice to Pagero. e) If Customer has not within the time limits stated in the previous bullet signalled an apparent error in the invoice, the invoice will be deemed to have been validly issued. Where possible under applicable law, Customer agrees to not challenge the valid issuance of an invoice if it is deemed to be correct in accordance with the foregoing. f) Customer agrees to inform Pagero of any changes in information pertaining to Customer that might be relevant to the validity of this mandate or to the correct issuance of Customer’s e-invoices under this mandate. g) Customer agrees to take all the necessary measures to ensure that its E-invoicing processes, as well as those of relevant Customer agents and service providers, that are not the subject of this Mandate, fulfil all applicable legal requirements. 5. No self-billing 5.1. Unless otherwise expressly agreed with the buyer, Customer hereby acknowledges and agrees: a) That issuance of invoices under this authorization does not include “self-billing” (the issue of the invoice by the buyer in name and on behalf of the Seller), and therefore is not subject to applicable legal requirements for self-billing. b) To present the activities performed under this agreement to tax authorities as straight invoicing from the Seller to the buyer, whereby issuance of the invoice is outsourced.   GTC Appendix 2 – Authorization for outsourced e-invoice issuance where an e-signature is applied 1. Identification 1.1. TrustWeaver AB is a company registered under number 556613-6262 in Sweden. Its principal offices are located at Kungsgatan 27, SE-111 56 Stockholm, Sweden. 2. Nature of this authorization 2.1. This is an authorization for outsourced e-invoice issuance where an electronic signature is applied to such invoice (hereinafter referred to as “e-Signature authorization”) and has been drawn up exclusively for tax compliance purposes. Pagero provides eInvoicing functionality to Customer, among which includes the creation and verification of electronic signatures through TrustWeaver. e-signature authorization can be revoked at any time and will remain valid until such revocation. 2.2. This authorization does not address or affect rights and obligations concerning commercial or liability aspects of the e-invoice issuance or related e-signature services provided to Customer; such aspects shall be regulated in a separate agreement. 2.3. TrustWeaver’s liability for the e-invoice issuance functions covered by this authorization is exclusively towards Pagero and all liability towards Customer is excluded. 2.4. Unless explicitly stated herein, this document does not authorize TrustWeaver and/or Pagero to act in the name and on behalf of Customer. This authorization can be revoked at any time by simple notification and it will remain valid until such revocation. 3. Terminology 3.1. Where this document refers to issuance of invoices “in name and on behalf of” a party, this should be read as “on behalf of” in all instances where such activity is governed by the laws of Italy. 4. Authorization of e-invoice issuance and electronic signing 4.1. Customer hereby authorizes TrustWeaver to receive Customer’s invoice data, not yet constituting a tax invoice, from Pagero and subsequently apply an electronic signature to this data in order to issue electronic invoices “in the name and on behalf of” Customer in accordance with the applicable laws. 4.2. Customer explicitly acknowledges and agrees: a) That TrustWeaver will apply such electronic signatures or seals with private keys corresponding to certificates issued by third party certification service providers to TrustWeaver. b) To the procedures for e-invoice issuance as described in this authorization. c) That the Customer’s e-invoices may include language specifying that e-invoice issuance has been outsourced. 5. Tax compliance and responsibility 5.1. Customer acknowledges and agrees that: a) Customer remains fully responsible towards competent tax authorities for the invoice and its VAT and other tax implications. Among other things, Customer remains fully responsible for, where relevant, reporting and paying VAT and other applicable taxes as though the invoice were issued directly by Customer. b) Customer remains fully responsible for the data submitted being complete and correct and shall not submit such invoice data that under applicable law may not be used by a third party for issuing invoices “in the name and on behalf of” suppliers. c) Customer agrees to inform Pagero of any changes in information pertaining to Customer that might be relevant to the validity of this authorization or to the correct issuance of Customer’s e-invoices by TrustWeaver. d) Customer shall within 48 hours of providing invoice data to Pagero inform the latter if Customer has not yet received its version of the original signed invoice issued in its name and on its behalf or has not yet been granted on-line access to the same. e) Customer shall within 48 hours from the moment that the invoice, issued in its name and on its behalf by TrustWeaver, has become available to Customer signal apparent errors in the e-invoice to Pagero. f) If Customer has not within the time limits stated in the previous bullet signaled an apparent error in the invoice, the invoice will be deemed to have been validly issued. Where possible under applicable law, Customer agrees to not challenge the valid issuance of an invoice if it is deemed to be correct in accordance with the foregoing g) Customer agrees to take all the necessary measures to ensure that its eInvoicing processes, as well as those of relevant Customer agents and service providers, that are not the subject of this authorization fulfil all applicable legal requirements. h) The Customer or Pagero will apply invoice numbers to invoices before these are issued by TrustWeaver; agreement on the block/range of serial numbers to be used for the invoices is therefore not needed. 6. No self-billing 6.1. Unless otherwise expressly agreed with the buyer, Customer hereby acknowledges and agrees: a) That issuance of invoices under this authorization is not “self-billing” (the issue of the invoice by the buyer in name and on behalf of the Seller), and therefore is not subject to applicable legal requirements for self-billing. b) To present the activities performed under this agreement to tax authorities as straight invoicing from the Seller to the buyer, whereby issuance of the invoice is outsourced.   GTC Appendix 3 – Authorization for outsourced e-signature validation 1. Identification 1.1. TrustWeaver AB is a company registered under number 556613-6262 in Sweden. Its principal offices are located at Kungsgatan 27, SE-111 56 Stockholm, Sweden. 2. Nature of this authorization 2.1. Pagero provides e-invoicing functionality to Customer, among which is the verification of electronic signatures and seals through TrustWeaver. This is an authorization for outsourced validation of electronic signatures and seals (hereinafter referred to as “Validation authorization”) and has been drawn up exclusively for tax compliance purposes. 2.2. This authorization does not address or affect rights and obligations concerning commercial or liability aspects of the services provided to Customer; such aspects shall be regulated in a separate agreement as relevant. TrustWeaver’s liability for the validation functions covered by this authorization is exclusively towards Pagero and all liability towards Customer is excluded. 2.3. Unless explicitly stated herein, this document does not authorize TrustWeaver or Pagero to act in the name and on behalf of Customer. This authorization can be revoked at any time by notification to TrustWeaver or Pagero, and it will remain valid until such revocation. 3. Authorization for third party validation 3.1. TrustWeaver shall validate the electronic signatures or seals on the electronic invoices prior to sending or otherwise making the electronic invoice available to Customer. Validation will be performed as a separate process step for Customer and shall include a cryptographic check, as well as obtaining or re-using valid revocation status information from the issuing Certification Authority. The revocation status information is sent or otherwise made available to Customer in the agreed format together with the electronic invoice. All other activities that are required for Customer to comply with obligations in relation to receiving invoices under applicable law remain the responsibility of Customer.   Data Processing Agreement 1 Scope and order of precedence 1.1 This Data Processing Agreement, including its Appendices (1 and 2), constitutes the “Data Processing Agreement” or “DPA”. This DPA shall apply as a supplement to the Agreement currently in force and incorporated appendices thereto (referred to as the “Agreement”). 1.2 Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and the terms of this DPA, the relevant terms of this DPA shall take precedence. 1.3 This DPA serves as a written data processing agreement between Pagero and Customer, regulating Personal Data processed under or in connection to the Agreement, in the event Pagero can be defined as the Data Processor in the meaning of the at any time applicable Data Protection Laws and Regulations. It furthermore defines the applicable technical and organizational measures Pagero and its Sub-processors shall implement and maintain to protect Personal Data processed under the Agreement. 1.4 This DPA shall be effective for the term of the Agreement. 2 Definitions 2.1 “Agreement” means Proposal and the General Terms and Conditions currently in force and incorporated appendices thereto (the “GTC”). 2.2 “Customer” is specified in the Agreement. 2.3 “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data. 2.4 “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. 2.5 “Data Protection Laws and Regulations” means the applicable legislation protecting the fundamental rights and freedoms of persons and, in particular, their right to privacy, including; the EU Directive 95/46/EC and the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, repealing Directive 95/46/EC (GDPR). 2.6 “Data Subject” means an identified or identifiable living individual, as defined under the applicable Data Protection Laws and Regulations. 2.7 “Instruction” means a written instruction, issued by Customer to Pagero, directing Pagero to perform a specific action with regard to Personal Data. Instructions shall initially be specified in the DPA and may, from time to time thereafter, be amended, amplified or replaced by Customer in separate written instructions. 2.8 “Independent Data Processor” means an organisation – another Data Processor – that, by agreement or by law, performs certain processes in relation to the e-Message (e.g., receiving or sending) on behalf of another Data Controller (Pagero Customer’s Buyer or Supplier) and is appointed by this Data Controller to perform such actions. 2.9 “Personal Data” means any information relating to an identified or identifiable person, as defined by the Data Protection Laws and Regulations. 2.10 “Process” or “Processing” means any operation or set of operations upon Personal Data as defined by the Data Protection Laws and Regulations. 2.11 “Sub-processor” means any third-party suppliers (subcontractor) engaged by Pagero in accordance with Section 6. 2.12 “Pagero” means Pagero AB, registration number 556581-4695 with its registered office at Västra Hamnagatan 1, 411 17 Göteborg, Sweden or any of Pagero’s affiliates which means a company, corporation or other entity which directly or indirectly is controlled by Pagero. 2.13 “Data Protection Authority” means a national authority tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the European Union. 2.14 “Transfer” means a cross-border transfer of Personal Data outside the EU as set forth in Section 11. 3 Processing of personal data 3.1 Purpose, Types and Categories. The nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under the scope of this DPA and the Agreement is further defined in Appendix 1. 3.2 Data Controller. Customer acts as, and as between Customer and Pagero will at all times remain, the Data Controller concerning any Personal Data provided by Customer under or in connection with the applicable Agreement. Customer is responsible for the accuracy, quality, and legality of the Personal Data and the means by which Customer acquired the Personal Data. 3.3 Data Processor. Pagero and its Sub-processors acts as, and shall as between the Customer and Pagero remain Data Processor(s), and shall only Process Personal Data on behalf of and in accordance with the by the Customer’s provided lawful instructions, applicable Data Protection Laws and Regulations, or other applicable mandatory legislations 3.4 Processing purposes. Customer shall determine the purposes of Processing Personal Data under the applicable Agreement. The purposes for Processing Personal Data by Pagero and its Sub-processors under this DPA are limited to: a) fulfilling the agreed obligations under the applicable Agreement, such as for example providing a system or software, consultancy services, maintenance services, support services and other services to the extent agreed by the Parties under the applicable Agreement; b) setting up, operating, and monitoring the underlying infrastructure (hardware, software, servers, environments, connectivity, etc.) required to provide the relevant services under the applicable Agreement and to meet the technical, security and organizational requirements for the Processing of the Personal Data; c) communicating to Customer and Customer’s personnel; d) executing Instructions of Customer in accordance with Section 3.5 below; and e) addressing service issues, technical problems or incidents. 3.5 Instructions. Customer is responsible for issuing Instructions to Pagero regarding the Processing of Personal Data under the applicable Agreement. Pagero shall only Process such Personal Data in accordance with the terms of this DPA and the from time to other given Instructions provided by Customer to Pagero. If Pagero thinks that an Instruction from the Controller is not compliant with Data Protection Laws and Regulations, it shall point this out to the Customer without unreasonable delay. 4 Pagero Staff 4.1 Confidentiality. Pagero shall ensure that its and its Sub-processors’ staff who have access to Personal Data are informed of the confidential nature of Personal Data and have entered into appropriate confidentiality agreements. 4.2 Limitation of Access. Pagero shall ensure that Pagero’s and its Sub-processors’ access to Personal Data is limited to the individuals performing services in accordance with the Agreement. 5 Protection of Personal Data 5.1 Technical and Organizational Measures. When Processing Personal Data on behalf of Customer in connection with the applicable Agreement, Pagero and its Sub-processors shall implement and maintain appropriate administrative, physical, technical and organizational security measures for the protection of the rights of the Data Subjects in compliance with the Data Protection Laws and Regulations and in particular article 32 of the GDPR. These measures shall be implemented to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access and against all other unlawful forms of Processing. Further details on the administrative, physical, technical and organizational security measures that shall be implemented and maintained by Pagero when Processing Personal Data under the Agreement are described in Appendix 2 of this DPA.   5.2 Rights of Data Subjects. Pagero will promptly notify Customer if it receives a request from a Data Subject for information regarding, access to, correction, amendment or deletion of that individual’s Personal Data. Pagero will not respond to any Data Subject request without Customer’s prior written consent except to confirm that the request has been received and sent to Customer. To the extent legally permitted, Pagero shall provide Customer with cooperation and assistance in relation to handling of a Data Subject’s request. 5.3 Communication with supervising authorities. Except as otherwise required by law, Pagero will notify the Customer without undue delay as to any contacts or requests from any Data Protection Authority, concerning or of significance for the Personal Data Pagero is Processing on Customer’s behalf. At Customer’s request, Pagero will provide Customer with relevant information in its possession relating to the contact or request, and any assistance reasonably required for the Customer to respond to the Data Protection Authority in a timely manner. Pagero has no right to represent the Customer, or to act on behalf of the Customer. 6 Sub-processors 6.1 Use of Sub-processors. Pagero may from time to other contract Sub-processors to meet the obligations under the applicable Agreement. Pagero shall provide Customer with a list of contracted Sub-processors upon Customer’s request. 6.2 Change of Sub-processor. Pagero may decide to remove, replace or appoint additional Sub-processors. Pagero shall provide Customer with a notification in writing before authorizing any new Sub-processor(s) to Process Personal Data under the scope of the applicable Agreement. If Customer does not accept the change and/or appointment of a Sub-processor, Customer has a right to terminate the parts of the Agreement affected by the change by notifying Pagero thereof in writing within ten (10) days of receiving the change notification, with thirty (30) days’ notice. 6.3 Responsibility. Pagero shall be responsible and accountable for the acts or omissions of Sub-processors to the same extent Pagero is responsible and accountable for its own actions or omissions under this DPA. 7 Independent Data Processors 7.1 In order to fulfil obligations under the Agreement, Pagero may from time to other have to exchange data with Independent Data Processor(-s). 7.2 Pagero can under no circumstance be held responsible for such Independent Data Processor’s processing of personal data. 8 Audit rights 8.1 Audits. Customer is entitled to audit Pagero’s Processing under the Agreement to ensure compliance with this DPA, subject to the provisions below. Pagero shall always allow for and cooperate with any audits conducted or required by a Data Protection Authority responsible for monitoring Customers’ Processing of Personal Data. 8.2 Customer Audits. Pagero shall provide Customer or Customer’s independent third-party auditor with such information and access to its premises as may reasonably be required to satisfy that Pagero is complying with the obligations referred to in this DPA. - Prior to such audits, Customer shall provide Pagero with reasonable written notice (at least 30 days unless a Data Protection Authority requires Customer’s earlier control under mandatory laws). 8.3 Customer Audit Restrictions. The following audit restrictions shall apply: a) Unless required by mandatory Data Protection Laws and Regulations or the Customer has a reason to suspect that Pagero or a Sub-processor does not comply with the obligations referred to in this DPA, an audit pursuant to Section 8.2 is limited to once in any twelve-month period. b) Customer shall conduct the audit under reasonable time, place and manner of conditions, during regular business hours and subject to Pagero’s security policies and may not unreasonably interfere with Pagero’s business activities.   c) Customer shall bear all costs for an audit under Section 8.2, except if an audit finds that Pagero or a Sub-processor is in breach of its obligations under this DPA because of intent or gross negligence, in which case Pagero shall bear all of its own costs. Pagero’s internal costs shall be based on the then-current daily professional service rates as applicable to Customer or, in lack of such agreement, on Pagero’s price list. 8.4 Audit Findings. Without prejudice to any other of the Customers rights or remedies, Pagero shall without unreasonable delay remedy if an audit determines that Pagero or a Sub-processor has breached its obligations under this DPA. If Pagero can’t remedy an audit remark Pagero must notify the Customer. The customer is then entitled to terminate the agreement without any compensation. 9 Incident management and security breach notification 9.1 Incident management. Pagero shall evaluate and respond to events suspected to lead to unauthorized access to or handling of Personal Data (“Incidents”). If there is a risk that the Incident may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, Pagero will promptly notify Customer and provide relevant information regarding the Incident. Pagero will define appropriate activities to address Incidents, and work with Customer when appropriate to protect the Personal Data. The objective of the Incident response will be to restore the confidentiality, integrity, and availability of the related service and Personal Data. 10 Return and deletion of Customer data 10.1 Return and deletion. Pagero shall upon Customers’ request return all stored Personal Data provided by Customer under the scope of the Agreement to Customer and then delete all such data, including any data in backups or similar, within ninety (90) days after the termination of the Agreement or this DPA, unless otherwise agreed in writing. Due to a different nature of such files, payment instructions which will be deleted after twenty-four (24) months. 11 Transfer of personal data 11.1 General. Pagero and its Sub-processors shall not Process or Transfer Personal Data outside of the EU or the EU Approved Countries (“Third Country data transfer”) without a written mandate from the Customer. 11.2 Mandate. Pagero is hereby mandated by Customer to Transfer Personal Data to Sub-processors located in a country or territory outside of the EEA or the EU Approved Countries, and to allow such Sub-processors to access and process Personal data from a country or territory located outside of the EEA or the EU Approved Countries, solely for the purposes stated in Section 3.4, and if: a) the recipient itself has been found to ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Personal Data through the Privacy Shield framework, or; b) the Transfer is governed by and in accordance with a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including without limitation Binding Corporate Rules for Processors; or c) the Transfer is governed by and in accordance with the Standard Contractual Clauses as further set forth in Section 11.3 below. 11.3 Standard Contractual Clauses. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. For the avoidance of doubt, the Standard Contractual Clauses will only apply to transfers of Personal Data.   DPA Appendix 1 1. Data subjects The processing of personal data covered by this DPA concerns the following categories of data subjects (please specify): Pagero will only process personal data on Data subjects provided by the Data Controller. 2. Categories of data The processed personal data concerns the following categories of data (please specify): Pagero will only process categories of personal data for purposes established by the Customer Processing operations. For example, the categories may consist information about customers, employees and customer contacts at the supplier. 3. Special categories of data (if appropriate) Pagero will only process personal data for purposes established by the Customer Processing operations. The processed personal data will be subject to the following basic processing activities (please specify): The personal data will be processed within the framework of the provision and operation of a Pagero Online and its value-added services. The system will be available to the Customer in its daily operations, and for Pagero to provide support and maintenance. The personal data will be stored and processed, for example, in different e-messages, including but not limited to orders and invoices. 4. List of Sub-processors The processing of personal data covered by this DPA may be performed by one or several of Pagero’s Sub-processors. By agreeding to the terms of this DPA, Customer approves Pagero’s current list of Subprocessors: Current list of Sub-processors can be found here under www.pagero.com/sub-processors To access the list, please, enter the password: Compliance (MAY NOT BE DISCLOSE TO UNAUTHORIZED)   DPA Appendix 2 Description of the technical and organizational security measures to be implemented for the protection of Personal Data. The purpose of this document is to describe the technical and organizational security measures regarding the Data directive (EU 2016/679) that are in place within all services that Pagero Group offers to our customers. 1. Risk assessment regarding data protection Pagero conducts a documented risk assessment per product and services that is used within the Pagero Group and for all products that are offered to our customers. The risk assessment is reviewed on a regular basis. Based on the findings in the risk assessment different security measures may be implemented, documented and reviewed per product or service in order to fulfill legal requirements. 2. Security measures As a part of our information security management system (ISMS) Pagero has made a part of the documentation available upon request for our customers. The documentation that is available is classified as public or restricted information. All documentation within Pagero ISMS is reviewed on a yearly basis as a part of our ISAE audit program and our Cyber Essential certification. The ISAE audit is performed by an independent auditor and is based upon the trust service principles Confidentiality, Integrity and Availability. The ISAE audit report is available upon request for our customers and prospects. The following security measures has been implemented based on the EU directive 2016/679. 3. Pseudonymizing and encryption of personal data Pagero is using pseudonymizing and/or encryption where possible to protect customers personal data and to reduce the risk of data exposure. The security measures are varying between different services and products depending of risk level, technical demands, and type of product. 4. Confidentiality, Integrity and Availability Multiple security controls must be in place to secure that a person only can access the data he/she is authorized to view. 5. Data centers Only authorized staff with valid business reasons have access to our data centers. The data is protected from accidental or illegal destruction by physical and environmental controls. The physical and environmental controls are reviewed on a yearly basis as a part of our ISAE audit report. Remote access to our data centers secured by a2-factor login process which is mandatory with username, password and access rights are different than those used for Pagero Network. 6. Pagero Online Pagero Online and Primelog TMS are our cloud services and they are hosted in a private cloud. Only authorized staff within the Pagero Group have access to the environment and a 2-factor login process is mandatory for these user groups. The data is protected from accidental or illegal destruction by physical and environmental controls. The physical and environmental controls are reviewed on a yearly basis as a part of our ISAE audit report. The cloud service is built upon 2 independent data centers where one of the data center is a “warm” standby data center. The data is backed-up according to industry standards and is protected from accidental or illegal destruction by physical and environmental controls. The backup process is tested on a regular basis in order to secure that it is possible to restore the data in an effective manner. 7. Internal system within Pagero Group Internal systems within the Pagero Group are only accessible via our secure intranet solution and access to our intranet is protected by a 2-factor VPN solution. External Pagero tools hosted in the cloud outside Pagero intranet are protected by one or several of the following standards; Active Directory Federation Services (AD FS), 2-factor login, approved IP ranges, username and password handling. 8. Business Continuity In order to secure system availability and access to personal data in the event of technical or physical incidents Pagero has backup processes in place and also independent secondary warm standby data centers to secure access to personal data in our cloud services. Pagero has defined how business continuity should be achieved in the event of a critical system failure in order to provide our customers with high availability to the cloud services. The business continuity plan is tested on a regular basis, 2-4 times per year, in order to minimize manual steps and to make the plan as effective as possible. The business continuity plan is reviewed on a yearly basis by an independent auditor as a part of our ISAE audit report.