1. SCOPE OF SERVICES 1.1. NVISO Belgium BV reg. no. 0723.542.596 provides security and risk-related IT services such as: - security assessments (including ‘penetration tests’); - security consulting; - security research and development; - security awareness and training; - security managed services; - security monitoring related services 1.2. Services provided to the Customer are limited to the ones enclosed in the particular statement of work agreed between parties (hereafter " Statement"). 2. RELATIONSHIPS BETWEEN PARTIES 2.1. NVISO will provide the services described in the Statement as an independent contractor and not as the Customer’s employee or agent. 2.2. NVISO may subcontract portions of the services to subcontractors who may deal with the Customer directly, after having obtained the Customer’s written prior approval on the services concerned and the identity of the subcontractor(s). Nevertheless, NVISO will be responsible to the Customer for the performance of the services and other obligations under the Statement. 2.3. NVISO will not assume any management responsibilities in connection with the services. NVISO will not be responsible for the use or implementation of the output of the services. 2.4. The Customer is responsible for all management decisions relating to the services, the use or implementation of the output of the services and for determining whether the services are appropriate for the Customer’s purposes. 3. EXECUTION AND TERMINATION OF THE STATEMENT 3.1. The Statement agreed between the parties applies to the services whenever performed. 3.2. Each party may suggest a change to the provision of services or other provisions of the Statement. NVISO is not obliged to take into account such change in its provision of services until the parties have reached full agreement in writing with respect to the consequences for the scope of the deliverables, the fees and/or planning of the envisaged changes. 3.3. The Statement shall terminate on the date specified in the Statement or upon the completion of the services, as applicable. Unless otherwise agreed in the Statement, either of the parties may terminate it, or any particular sub-services, earlier upon thirty (30) day’s prior written notice by registered letter to the other. 3.4. The Customer shall pay NVISO for all work-in-progress, services already performed and expenses incurred by NVISO up to and including the effective date of the termination of the Statement. 3.5. Upon termination or expiry of the Statement, NVISO shall return to the Customer all the Customer’s properties and all correspondence, notes and any other data (including Personal Data) or material that relate or refer to the Customer. 3.6. Without prejudice to its other rights and remedies under the Statement, NVISO may terminate the Statement, or any particular services, immediately and without court intervention upon written notice by registered letter to the Customer - if NVISO reasonably determines that it can no longer provide the services in accordance with applicable law, or regulatory policy (including any requirement or notice of any regulatory body). In this case, the Customer could not claim any damages or compensation of any kind. 3.7. Without prejudice to its other rights and remedies under the Statement, both Parties may terminate the Statement, or any particular services, immediately and without court intervention upon written notice by registered letter to the other Party - If the other party undergoes an insolvency event, it being understood that an insolvency event refers to (i) the other party passing a resolution for its liquidation, dissolution or winding up or suffering a winding-up order being made against it or going into administration; (ii) if a receiver or administrative receiver is appointed or an encumbrance takes possession of the undertaking or assets (or any substantial part thereof) of the other party; and/or (iii) if the other party is unable to pay its debts or ceases to, or threatens to cease to carry on its business or enters into a composition with its creditors. - If there is any change in the entity or entities having control of the other party (i) which has a material and/or adverse impact of the other party’s obligations under the Statement; (ii) which results in the other party being controlled by a competitor of the party that terminates the Statement conform this article 3.7, in relation to which the party that terminates the Statement has not provided its prior written consent which shall not be unreasonably withheld; and/or (iii) which results in the other party being controlled by an entity which the party that terminates the Statement, acting reasonably, considers is not sufficiently creditworthy and/or financially stable. 3.8. Without prejudice to any other rights or remedies a party may have under the Statement or at law, either party may terminate the Statement, or any particular services, immediately and without court intervention upon written notice by registered letter to other party if the other party commits a material breach of the Statement and (i) that breach is not capable of remedy or (ii) the other party fails to remedy that breach within thirty (30) days as from the receipt of a notice of default requiring it to do so. 4. SUSPENSION OF THE SERVICES 4.1. NVISO is entitled to suspend the provision of services in whole or in part, with immediate effect and without court intervention, in emergency situations (e.g. in case the Customer jeopardizes or threatens to jeopardize NVISO’s rights and/or provision of services to NVISO's customers). 4.2. Notwithstanding article 3.8 NVISO is entitled to suspend the provision of services in whole or in part, with immediate effect and without recourse to the courts, if the Customer fails to comply with one or more of the obligations under the Statement and fails to cure such breach within a period of thirty (30) calendar days following notice thereof by NVISO. 4.3. NVISO will notify the Customer of any suspension of the provision of services and where reasonably possible, NVISO will notify the Customer in advance of such suspension. 4.4. If the services are suspended for any reason beyond control of the Customer, the Customer will be released of payment of those suspended services. 5. OBLIGATIONS OF THE CUSTOMER 5.1. The Customer undertakes to: - Provide (or arrange others to provide) the information, resources and assistance (including access to technical specifications, data, systems and people) that NVISO reasonably requires to perform the services. This information and any amendments must be submitted to NVISO prior to performing the services to which they refer. - Give access to the premises and factories and in general offer all facilities to NVISO’s staff to perform the services. - Supply NVISO, on its request, all documentation needed to confirm the final cost of the works being performed. - Timely notify NVISO of any circumstances which may affect NVISO’s obligations, in particular with respect to the execution, timing, pricing and progress of the provision of services. - Comply with all applicable legislation and regulations (and in particular the laws and regulations applicable to the receipt and use of the services and deliverables). 5.2. All services and/or deliverables shall be deemed accepted if, within ten (10) calendar days after provision or delivery (as the case may be), the Customer has not provided to NVISO written notice identifying specifically any basis for not approving the services and/or deliverables. 5.3. If the services performed include security assessments or ‘penetration tests’, the Customer acknowledges that the nature of the services is such that NVISO will actively attempt to breach security controls in order to obtain access to the Customer’s systems and data. The Customer specifically consents to NVISO attempting to gain such access to the Customer’s systems and data. 5.4. If the services performed include security assessments or ‘penetration tests’, the Customer confirms that it has obtained – or will obtain prior to testing – all necessary authorisations for such services. 6. OBLIGATIONS OF NVISO 6.1. The obligations of NVISO regarding the provision of services are exhaustively defined in the Statement. 6.2. NVISO will perform the services using reasonable skill and care in accordance with applicable professional standards and the specifications set out in the Statement. 6.3. The services shall be performed in a professional and timely manner by qualified professional personnel. Said personnel always acts under the exclusive responsibility of NVISO and NVISO reserves the right to determine which staff members it involves for the provision of services and may replace them at any time. 6.4. Unless explicitly otherwise agreed, all obligations of NVISO are considered to be obligations of means ("middelenverbintenissen" / "obligations de moyens"). 6.5. The deliverables may contain advice and recommendations. Unless explicitly agreed otherwise in the Statement, the Customer bears full responsibility for the use and/or implementation of such advice and recommendations. None of the deliverables constitute a legal advice or opinion. 6.6. NVISO shall use reasonable endeavours to complete the services in accordance with the timeframes specified in the Statement. However, both parties acknowledge and agree that the nature of the services is such that it is not possible to provide absolute timeframes for completion of the services, and that the timeframes specified in the agreement have the status of best estimates. 6.7. NVISO does not give any guarantees in addition to the guarantees explicitly set out in these terms and conditions and the Statement. The parties agree that no other explicit or implicit guarantees or conditions apply, including implicit conditions or guarantees regarding the quality and fitness for a certain purpose or use envisaged by the Customer. 7. FEES AND PAYMENT CONDITIONS 7.1. The amount of NVISO fees and expenses as well as the payment conditions are set out in the particular conditions of the Statement. 7.2. The amounts mentioned in the Statement are expressed in euro and exclusive of VAT and any other taxes, duties and levies which apply at the moment of invoicing. 7.3. Unless agreed otherwise in the Statement, costs and expenses incurred by NVISO in the execution of the Statement, including but not limited to transport, accommodation and logistics costs, are payable by the Customer based on evidence (e.g. invoices, bills), but subject to the Customer’s prior approval. Travel expenses are payable at public transport fees or at a kilometre rate in the event of transportation by car. Transportation by air travel is payable on the basis of economy class fares 7.4. The Supplier reserves the right to charge additional fees at its then prevailing standard daily rate in the event that the scope of the services agreed is increased by the Customer, or if the work required to perform the services is the result of the Customer’s failure to provide information or resources reasonably required by the Supplier to undertake the services agreed. The Supplier will notify the Customer of any additional fees before these are incurred. 7.5. Unless otherwise agreed in a Statement, recurrent fees are indexed each year at the anniversary date of the Statement based on the following formula: Indexed fees = Initial fees x (0,8 x (National reference hourly wage plus social charges as published by Agoria for the month before the anniversary date / National reference hourly wage plus social charges as published by Agoria for the month before the date of signature by the last party of the Statement) + 0,2), provided that the indexation of fees incurred for services provided in Belgium is limited to 80%. 7.6. The fees are due and must be paid within thirty (30) calendar days counting from the date on which the invoice relating to them is issued. 7.7. If payment is not made within this period, the fees shall bear - automatically and without notice interest at the legal interest rate for late payment in commercial transactions. 7.8. In the event of a dispute with respect to a part of the invoice, the part of the invoice that is not disputed shall be paid in accordance with this article 7. 7.9. In case of non-payment of any undisputed invoice, NVISO shall have the right to suspend the performance of the services from the 15th day following the sending of a registered letter announcing the suspension. Provision of the services will start again the day after the one of full payment of the sums owed and at the earliest one month after the sending of the aforementioned registered letter. 7.10. In case of non-payment of the invoice one (1) month after the sending of the registered letter foreseen in article 7.9, NVISO may proceed to the unilateral and definitive termination of the Statement without court intervention. 7.11. In case of definitive termination of the Statement by the Customer that does not respect the termination procedure set forth in article 3 (Execution and Termination of the Statement), NVISO may require the payment of damages assessed ex aequo et bono. Those damages will include the cost of supplies ordered by NVISO or any other expenses incurred by NVISO and compensation for loss of earnings equivalent to 70% of the amount NVISO could have charged if the Statement had not been terminated. 8. INTELLECTUAL PROPERTY RIGHTS 8.1. NVISO and/or its licensors hold and retain all the rights, titles and property in the services and deliverables. These General Terms and Conditions and the Statement do not transfer to the Customer any rights of ownership in or related to the services and/or deliverables. 8.2. Subject to the payment of all fees due to NVISO under all Statements, NVISO hereby grants to the Customer: - a non-exclusive, royalty-free, worldwide, perpetual, non-transferable, revocable license to use and copy the deliverables in accordance with the Statement for the Customer’s internal business purposes; and - a non-exclusive, royalty-free, worldwide, non-transferable, revocable license for the duration of the Statement to use the services in accordance with the Statement for the Customer’s internal business purposes. 8.3. The Customer acknowledges and agrees that NVISO may use free and open source software for the provision of services and/or may integrate open source software in the deliverables. NVISO will inform the Customer of any specific license terms of NVISO and/or third parties applicable to the use of the services and/or deliverables, including any license terms applicable to open source software. The use of the services and deliverables by the Customer must at all times be in compliance with the applicable license terms, the Statement and these General Terms and Conditions. 8.4. To the extent NVISO is reasonably required to use materials provided by the Customer for the provision of the services and/or deliverables in accordance with the Statement, the Customer grants to NVISO for the duration of the Statement a royalty-free, non-exclusive, non-transferable, worldwide license, which may be sub-licensed to subcontractors, to use, modify, change and reproduce any such materials in the framework of the provision of services and/or deliverables. 8.5. NVISO shall indemnify, defend and hold harmless the Customer in accordance with the provisions of this article 8 (Intellectual Property Rights) from and against any third party claim asserted against the Customer that the services and/or deliverables (when used in accordance with the applicable license terms, the Statement and these General Terms and Conditions) directly infringe or misappropriate the intellectual property rights of such claimant (hereafter an "IP Claim"). NVISO will pay those costs and damages finally awarded or settled (upon terms acceptable to NVISO) against the Customer based on such IP Claim, within the limits set forth in article 11 (Limitation of Liability) and provided that: (a) the Customer promptly notifies NVISO in writing of such IP Claim; (b) NVISO has sole control of and the Customer reasonably cooperates in all respects in the defence of each such IP Claim and all related settlement negotiations and the Customer does not make any admission or disclosure or otherwise take any action prejudicial to NVISO; and (c) such IP Claim does not relate to any act of the Customer, including (without limitation) a change in the services and/or deliverables, a combination of the services and/or deliverables with other materials, products or software not developed and supplied by NVISO, or failure to install an update where installation would have removed the cause of the infringement, or any breach of this Statement or General Terms and Conditions by the Customer. 8.6. If a final judgment is entered against the Customer on any such IP Claim, or if in NVISO’s reasonable opinion the Customer is likely to become subject to a successful IP Claim, then the Customer shall permit NVISO, at NVISO’s option and expense, either: (a) to procure for the Customer the right to continue using the services and/or deliverables; or (b) to replace or modify the same so that it becomes non-infringing. If these options are not reasonably available, NVISO or the Customer may terminate the Statement and NVISO will provide a pro-rata refund of any pre-paid fees for periods after the effective date of termination of the Statement. 8.7. The foregoing provisions of this article 8 (Intellectual Property Rights) set forth the entire and exclusive liability of NVISO with respect to any IP Claim. 8.8. Without prejudice to NVISO’s other rights and remedies under applicable law, the Statement and the General Terms and Conditions, the Customer will defend NVISO against any third party claim and pay any damages and costs finally awarded against NVISO by a court of competent jurisdiction or that are included in a settlement approved by the Customer to the extent the Customer-provided materials or NVISO’s access or use thereof is held to infringe intellectual or industrial property rights of any third party. 9. CONFIDENTIALITY AND NON-SOLICITATION 9.1. NVISO acknowledges that during the course of performing the services, NVISO will gain access to information relating to the Customer’s systems, data and business operations of a highly confidential nature. Accordingly, NVISO undertakes that it will treat all information relating to or held by the Customer as confidential. 9.2. The Customer acknowledges that information relating to NVISO’s methodologies for services and its commercial terms are confidential. 9.3. Any report, advice, information, communication, etc. provided by NVISO to the Customer is strictly confidential and can in no case, except NVISO’s prior written consent, be disclosed to a third party. 9.4. It is agreed that information shall not be regarded as “confidential” for the purposes of the Statement if it is lawfully disclosed to the recipient by a third party or is in the public domain. 9.5. The obligations of confidentiality applying to both NVISO and the Customer hereunder shall apply for a period of five (5) years. 9.6. Either party shall in no case and in no way solicit any employee of the other party to employ or hire him or her during the course of the Statement and for a period of two (2) years following its termination. 10. DATA PROTECTION 10.1. Within this article 10, "Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the applicable national laws implementing and/or supplementing the aforementioned legal instrument. "Data Controller", "Data Processor", "Personal Data", "Personal Data Breach" and "Data Subjects" have the same meanings as in the Data Protection Laws. 10.2. Regarding the parties' rights and obligations under the Statement, unless otherwise agreed in the Statement, the Customer is the Data Controller and NVISO is the Data Processor. Each Party shall meet its obligations set out in the Data Protection Laws in relation to the Statement. 10.3. NVISO will only process Personal Data as required for the provision of the services and in accordance with the instructions from the Customer (which may be specific instructions or instructions of a general nature) provided to NVISO in writing and the provisions of the Data Protection Laws. The Customer warrants that its instructions shall at all times comply with the Data Protection Laws. NVISO will notify the Customer in case it is of the opinion that an instruction of the Customer infringes the Data Protection Laws. 10.4. NVISO will not transfer the Personal Data outside of the European Economic Area unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws. Such measures may include transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorisation in accordance with the Data Protection Laws, or to a recipient that has executed the standard contractual clauses adopted or approved by the European Commission, subject to an appropriate risk assessment. 10.5. NVISO will ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality. 10.6. NVISO will implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 10.7. The Customer explicitly authorises NVISO to engage Microsoft Ireland Operations Limited as third party subprocessor to Process the Personal Data for the provision of the services. NVISO uses the following Microsoft services: Microsoft Office 365 for e-mail and document management (region: Europe) and Azure as hosting provider (mode: Infrastructure as a Service, data residency: data at rest stored in region North Europe). NVISO will notify the Customer of any intended changes concerning the addition or replacement of subprocessors and will give the Customer the opportunity to object on reasonable grounds relating to the protection of Personal Data. In that case, NVISO and the Customer will enter into good faith discussions on the replacement of such subprocessor. NVISO shall impose appropriate data protection terms on any subprocessor it appoints and shall remain liable for any breach of this article 10 that is caused by an act, error or omission of its subprocessors. 10.8. At Customer’s request and cost, NVISO will reasonably cooperate with Customer in dealing with requests from Data Subjects regarding NVISO’s Processing of Personal Data on behalf of Customer. 10.9. At Customer’s request and cost, NVISO will assist the Customer in ensuring compliance with its obligations pursuant to articles 32 to 36 taking into account the nature of processing and the information available to NVISO (e.g. when Customer is required to perform a data protection impact assessment or prior consultation with supervisory authority). 10.10. Upon becoming aware of a Personal Data Breach, NVISO will notify the Customer without undue delay and cooperate with the Customer and take such reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation and remediation of that Personal Data Breach. 10.11. After termination of the Statement, NVISO shall at the choice of the Customer delete or return Personal Data to the Customer, unless applicable law requires retention. 10.12. NVISO is regularly audited against ISO 27001 standards by independent third party auditors. Upon reasonable request, NVISO shall supply a copy of its ISO 27001 certificate to the Customer. Such evidence shall be treated as confidential information by the Customer. NVISO will also respond to any written audit questions submitted to it by the Customer, provided that the Customer shall not exercise this right more than once in any twelve (12) calendar month period. . 10.13. The Customer shall indemnify and hold NVISO harmless against all losses, fines and regulatory sanctions arising from any claim by a third party or regulator arising from any breach by the Customer of this article 10 (Data protection). 11. LIMITATION OF LIABILITY 11.1. Except if the damage arises out of fraud, gross negligence or wilful misconduct, NVISO can in no case be held liable for direct damages to an amount exceeding the aggregate fees included in all invoices relating to the services that caused the damage and issued within the six months prior to the day the damage is claimed. 11.2. Under no circumstances will NVISO be held liable for any indirect or consequential loss or damage including, without limitation and especially (the following enumeration not being exhaustive), damages for loss of business revenues, business profits, business interruption, loss of time, loss of data, rise in general costs, disruption of commercial activity, damage to reputation, loss – also in the future – of savings, employees costs or loss of opportunities. 11.3. Except if the damage arises out of fraud, gross negligence or wilful misconduct, the Customer acknowledges and agrees that NVISO is not liable for any loss or damage suffered by the Customer as a result of NVISO accessing or seeking to access its systems or data within the scope of the services provided. 11.4. According to article 6, the opinion, or any statement that can be considered as such, issued by NVISO during the course of security assessments (including ‘penetration tests’) or security monitoring related services is such that it cannot be considered as exhaustive, meaning that other security weaknesses or security events than those discovered by NVISO can exist. 11.5. Except if the damage arises out of fraud, gross negligence or wilful misconduct, NVISO can in no case be held liable for damages caused by intrusions in the Customer’s systems or electronic devices, whatsoever the cause of such intrusions or the methods used performing them. 11.6. In case of loss or corruption of Customer data following the provision of services, NVISO is only obliged to assist the Customer with restoring such data based on the most recent available back-up. Unless parties explicitly agreed in the Statement that NVISO was responsible for making back-ups, the Customer is fully responsible for making the necessary back-ups in order to avoid loss and/or corruption of Customer data. Under no circumstances is NVISO obliged to input or reconstruct Customer data. 11.7. Solely the Customer shall be responsible in case of any claim by a third party which is related to, arises out of, or is in any way associated with the services, except in the situation described in article 8.5 and as otherwise explicitly agreed in writing. 11.8. A party shall not be liable for delays or failure to perform its obligations under the Statement, if such delay or failure is caused by Force Majeure. 11.9. "Force Majeure" is any event beyond the reasonable control of one of the parties that affects the execution of its obligations under the Statement, including but not limited to, natural disasters, riots, war and military operations, national or local emergencies, pandemics, actions or omissions of the government, economic disputes of whatever nature, actions of employees, fire, flooding, lightning, explosions, collapses, the reduced or non-functioning of networks, systems and equipment of third parties as well as any action or omission of a person or entity beyond the reasonable control of the affected party. The parties explicitly agree that the situation where the Customer cannot meet its payment obligations, does not qualify as Force Majeure. 11.10. The party which invokes Force Majeure, must immediately notify the other party in writing of these circumstances. The execution of the obligation which cannot be carried out due to Force Majeure, will be suspended for the duration of the Force Majeure and must be resumed as soon as the Force Majeure has disappeared. The Party which invokes the Force Majeure, must also notify the other Party of the cessation of these circumstances. If a Force Majeure event remains for a period of more than twenty (20) working days, the other party is entitled to terminate the Statement immediately and without court intervention upon written notice by registered letter to other party. 12. MISCELLANEOUS 12.1. Without prejudice to article 2.2, no party shall be allowed to assign the Statement, in whole or in part to a third party. 12.2. The invalidity of any applicable contractual articles between the Customer and NVISO will not affect the validity of the remaining articles. 12.3. In case of contradiction between the provisions of the Statement and these General Terms and Conditions, the ones of the Statement shall prevail. 12.4. Any variations to these General Terms and Conditions and/or to the Statement shall only be effective and binding on the parties if they are evidenced by written agreement signed by both parties. 12.5. These terms and conditions apply to the exclusion of all other terms and conditions, including the terms and conditions of the Customer. 12.6. The articles of these General Terms and Conditions which are intended to remain in effect on or after the termination or expiry of this Statement, such as but not limited to articles 8 (Intellectual property rights), 9 (Confidentiality and non-solicitation), 10 (Data protection), 11 (Limitation of liability) and 12 (Miscellaneous), shall survive termination, expiry, full execution or nullity of the Statement. 12.7. All mandatory or permitted notifications under the Statement will be considered to be communicated legitimately provided that such notification was made in writing and was delivered personally or by courier, by mail, and/or by email with confirmation by mail to the parties using the address mentioned in the Statement. 12.8. Subject to the Customer’s consent, NVISO has the right to use the name and logos of the Customer on reference lists and in publicity regarding its provision of services. The Customer shall not unreasonably withhold its consent. 12.9. The situation where a party does not claim, invoke or apply a right, sanction or procedure, and where NVISO does not submit a claim, shall not be considered to constitute a waiver or renunciation of rights. 12.10. In case of dispute between the parties, Belgian law shall apply exclusively. 12.11. Any dispute concerning the validity, interpretation, execution or termination of the Statement between the parties shall be submitted to the Brussels Courts who will have exclusive jurisdiction to judge the issues.