NTT DATA SPAIN PRODUCTS GENERAL CONTRACTING TERMS & CONDITIONS THESE NTT DATA SPAIN PRODUCTS GENERAL CONTRACTING TERMS & CONDITIONS (THE “AGREEMENT”) GOVERN THE USE OF NTT DATA SPAIN PRODUCTS. THIS AGREEMENT IS BETWEEN EACH CUSTOMER WHO ACQUIRES AND USES NTT DATA SPAIN PRODUCTS (“CUSTOMER”) AND NTT DATA SPAIN S.L.U., A SPANISH COMPANY DOMICILED AT CAMINO FUENTE DE LA MORA 1, 28050, MADRID, SPAIN AND WITH TAX NUMBER B-82387770 (“NTT DATA SPAIN”). ACCEPTANCE. BY ACCESSING OR USING THE NTT DATA SPAIN PRODUCTS, BY EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, OR BY RENEWING AN EXISTING PRODUCT SUBSCRIPTION AND/OR PRODUCT LICENSE, YOU (FOR YOURSELF AND ON BEHALF OF THE CUSTOMER) ACCEPT THIS AGREEMENT AND AGREE TO BE BOUND BY IT. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ACCEPT AND ENTER INTO THIS AGREEMENT ON BEHALF OF THE CUSTOMER. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF EITHER YOU OR THE CUSTOMER DOES NOT AGREE WITH THE TERMS OF THIS AGREEMENT, YOU MAY NOT USE THE PRODUCTS. EFFECTIVE DATE. THIS AGREEMENT IS EFFECTIVE BETWEEN CUSTOMER AND NTT DATA SPAIN AS OF THE DATE IT IS ACCEPTED AS NOTEDBELOW. NTT DATA SPAIN RESERVES THE RIGHT TO UPDATE AND CHANGE THIS AGREEMENT FROM TIME TO TIME. ANY SUCH UPDATES AND CHANGES WILL NOT APPLY UNTIL CUSTOMER RENEWS ITS SUBSCRIPTION OR LICENSE. If there is any conflict or ambiguity between the English language version and any other language version of this Agreement, the English language version will prevail and it will be the authentic text for the purposes of interpretation. 1. Definitions 1.1 “Additional Services” means any professional services consisting, but not limited to, consultancy services, training, audits, development and/or handling, as well as the provision of other “customised” professional services to the Customer, which are described and catalogued in Schedule C of the Order Form. These Additional Services (a) relate to the Products; (b) shall be subject to a specific Order Forms; (c) are to be rendered by NTT DATA SPAIN or its Affiliates in the Territory. 1.2 “Affiliate” means an entity which controls, is controlled by, or is under common control with a party, where "control" means at least a 50% ownership interest in such entity, or the power to direct the management of such entity, whether through the ownership of voting securities, by contract, or otherwise. 1.3 “Agreement” means this document together with the Order Form(s), annexes, schedules and addenda. 1.4 “Confidential Information” means business, technical or financial information relating to NTT DATA SPAIN’ Products and services or the business relationship established between the parties that is by nature confidential or is designated as confidential by the Disclosing Party. Confidential Information does not include information that: (a) is in the public domain other than as a result of a disclosure by the Receiving Party or any of the Receiving Party’s representatives in violation of this Agreement; (b) was in the possession of the Receiving Party before disclosure by the Disclosing Party; (c) is acquired by the Receiving Party from a third party having no obligation of confidentiality to the Disclosing Party; (d) is hereafter independently developed by the Receiving Party, without reference to Confidential Information received from the Disclosing Party; or (e) the Disclosing Party expressly authorizes the Receiving Party to disclose. Proof of the foregoing cause shall be provided by the party involving same. 1.5 “Customer” means the entity that executes this Agreement and orders Products. 1.6 “Customer Data” means any data, information or other material (proprietary, copyrighted or otherwise) which is uploaded, entered, created or otherwise provided by Customer in the course of using the Products, including, but not limited to, any third-party data obtained by Customer and any personal data (i.e., data collected from or regarding an individual or any personally identifiable information about an individual). 1.7 “Disclosing Party” means the Party disclosing Confidential Information. 1.8 “NTT DATA SPAIN” shall mean the company of the NTT DATA SPAIN Group, who is directly entering into this Agreement and the Order Form with the Customer.. 1.9 “NTT DATA SPAIN Pre-existing IP” means all technology and information, deliverables, methodologies, data, designs, ideas, concepts, know-how, techniques, user interfaces, templates, documentation, software, hardware, modules, development tools and other tangible or intangible technical material or information that NTT DATA SPAIN owns prior to the commencement of this Agreement or which it develops independent of any activities governed by this Agreement, and any derivatives, modifications or enhancements made to any such property. 1.10 “NTT DATA SPAIN Website” means the website: es.nttdata.com 1.11 “Fee” means a sum of money that NTT DATA SPAIN shall perceive as consideration for the License, sale or use of the Products granted to the Customer and/or the rendering of Additional Services by NTT DATA SPAIN or its Affiliates to the Customer, as provided in the Order Form. 1.12 “Intellectual Property Rights” means any and all: (a) registered patents, designs, trademarks, utility models, copyright, know-how and rights in databases; (b) any other intellectual property rights and similar or equivalent rights anywhere in the world which currently exist or which shall exist in the future; (c) applications for registration, extensions and renewals regarding any of the aforementioned rights; and (d) the expression of any original work or creation, in any format, be it tangible or intangible, including, but not limited to, computer programs, source code, object code, technical documentation, instruction manuals, training materials, technical specification documents, plans, molds, codes or technical references and/or parts thereof, data formats, sketches, designs, logos, as well as the outcome of transformation, modification, updating, adaptation, new versions or changes to said works or creations. 1.13 “License” means the license granted by NTT DATA SPAIN to Customer to use the Software Products as set forth in this Agreement. 1.14 “Named User” means a specific individual authorized by Customer to access and use the Products on behalf of and for the benefit of the Customer, and for whom Customer has paid Fees. 1.15 “Order Form” means the proposal, ordering document or invoice issued to Customer by NTT DATA SPAIN, its Affiliates or one of their authorized resellers for purchase of the Products and/or Additional Services. 1.16 “Products” means the proprietary products and solutions developed and/or commercialized by NTT DATA SPAIN ordered by Customer under an Order Form and made available by NTT DATA SPAIN , as a SaaS Product, or as a Software Product. Under no circumstance the source code will be provided or made available to the Customer. 1.17 “Receiving Party” means the Party to which Confidential Information is disclosed. 1.18 “Resources” means user resources for Product training and self-learning. 1.19 “SaaS Product” means the Products or components of a Product (as defined below) that are provided as a cloud-based Software-as-a-Service (SaaS) offering and the related User Documentation, excluding Third Party Content. 1.20 “Software Product” means the Products or components of a Product that are provided under a software license and the related User Documentation, excluding Third Party Content. 1.21 “Subscription” means the license subscribed by Customer for the Subscription term in the Order Form and for which such subscription is provided by NTT DATA SPAIN through Customer’s use, under limited license, of Products. 1.22 “Territory” means the Territory specified in each case in the Order Form. 1.23 “Third Party Content” means third party components, standards, regulations and good practices, which have been obtained by NTT DATA SPAIN from publicly available sources or from their legitimate owners. 1.24 “User Documentation” means the user and technical help documentation -in any form- for the Products which is provided and/or made available by NTT DATA SPAIN. In particular, the Software Product’s source code is not included. 2. Products 2.1 Products. Subject to the terms and conditions of this Agreement, NTT DATA SPAIN will make the Products available to Customer’s Named Users for the subscription and/or license type(s) and term purchased by Customer as set out in an Order Form, either on a SaaS Product basis or on a Software Product basis. 2.2 Software Product. Subject to Customer compliance with this Agreement and payment of the applicable Fees, NTT DATA SPAIN grants to Customer, who unreservedly accepts a license to install, access and use the Software Products and all components thereof, in the Territory, during the Product license term set out in the Order Form. This license is defined as non-exclusive, non-transferable and non-assignable (except as otherwise expressly provided in this Agreement), and is granted solely for Customer’s internal business operations in the Territory, and the use of the Software Product is restricted to the number of Named Users for which Customer has purchased licenses, as set forth in the Order Form. 2.3 SaaS Products. Subject to Customer compliance with this Agreement and payment of the applicable Fees NTT DATA SPAIN will make the SaaS Products available in accordance with this Agreement during the SaaS Product subscription term, solely for Customer’s internal business operations in the Territory, subject to the Service Level Agreements referred to in the Order Form, and those provided by third-party suppliers. Indeed, and unless otherwise provided in this Agreement or in the Order Form, NTT DATA SPAIN shall not be held liable for any eventual unavailability of the Cloud Products caused by circumstances beyond NTT DATA SPAIN’ reasonable control, including, but not limited to, external forces affecting the reliability of the Internet, computer systems or other devices or mediums through which Customer accesses the Cloud Products, or temporary unavailability or interruption of operation of the Cloud Product´s services. 2.4 Third-Party Content. To the extent Third Party Content is made available to Customer, Customer is permitted to access and use such Third-Party Content solely as part of the Products. Customer may not copy, publish or distribute any Third-Party Content separate from Customer’s use of the Products or transfer it to any third party. Customer will not license or sell Third Party Content and will not remove or alter any copyright, trademark or other proprietary notice appearing on or within the Third-Party Content. Customer acknowledges and agrees that: (a) Third-Party Content may be added, amended or removed from time to time; (b) NTT DATA SPAIN is not responsible for and has no control over Third Party Content, other than making it available in connection with the Products; (c) NTT DATA SPAIN does not sponsor or endorse any Third-Party Content; (d) NTT DATA SPAIN makes no representations or warranties with respect to the accuracy, relevance or results of use of any Third Party Content; and the owners of Third-Party Content are third party beneficiaries of this Agreement and are entitled to enforce the terms of this Agreement as it pertains to their proprietary rights. 2.5 User Documentation. NTT DATA SPAIN grants to Customer a non-exclusive, non-transferable, revocable, royalty-free license in the Territory to use and display the User Documentation in hard copy and/or read-only soft copy formats solely for Customer’s internal business operations in the Territory to the extent that the User Documentation is required to use the Products. 3. Use of the Products 3.1 This Agreement only permits the use of the Products for the use for which they were designed, as set forth in the prior commercial information provided by NTT DATA SPAIN and the User Documentation. The License or Subscription granted to the Customer only allows the use of the Products for the purposes described in Clause 2 of this Agreement. The terms of this Agreement shall apply identically to any updates or modifications to the Products unless otherwise stated differently in the applicable Order Form. 3.2 Notwithstanding the fact that the Products may be subject to different licensing and exploitation terms, whose terms of use will be described in the Order Form, as regards subscription-based Products, the Parties do agree to the following terms of use: • When applicable, the Products may be accessed and used by up to the maximum number of Named Users for whom Customer has purchased Licenses/Subscriptions. • Customer shall be responsible for designating the Named Users and communicating to the Named Users the conditions of use of the Products in order to ensure compliance with the same. • Each Named User will be assigned a unique identifier for access to the applicable Product. A Named User’s ID and password may not be shared with any other individual. Sharing or pooling a Named User’s access between multiple individuals to allow for temporary use by multiple users in a department or organization is strictly prohibited. Customer may, however, permanently replace a Named User with another individual provided the number of Named Users does not exceed the number of Named Users for which Customer has paid the applicable Fees. If Customer exceeds, or wishes to increase, the number of Named Users using a Product, additional Fees will apply. Customer will provide accurate, current and complete information when activating its License/Subscription account for a Product. Customer will keep all Named User ID’s, passwords and other account information as Confidential Information and will cause its Named Users to change passwords periodically. Customer is responsible for all activities that occur under its Named User accounts and for any claims, issues or disputes arising out of the acts or omissions of its Named Users. Customer will notify NTT DATA SPAIN immediately if Customer becomes aware of any unauthorized use of any Product or account information. Use by Third Parties. NTT DATA SPAIN acknowledges and agrees that Customer’s Named Users may, subject to the terms of this Agreement, include Customer’s third-party service providers, independent contractors and consultants, provided that (a) Customer has informed NTT DATA SPAIN of the provider’s name, need to access and safety mechanism that Customer would implement in order to protect NTT DATA SPAIN’ Intellectual Property Rights; (b) provider is not in direct competition with NTT DATA SPAIN and NTT DATA SPAIN does not object said access within five (5) working days from the date Customer notified the provider’s identity; (c)such third parties agree to comply with the terms of this Agreement; and (d)such third parties use the Products only for Customer’s benefit and internal business operations. If requested by NTT DATA SPAIN, Customer will provide a list of any third parties that are using a Product pursuant to this Section to assist NTT DATA SPAIN in managing the licensing and administration of the Products. Customer will remain responsible and liable for the proper use of the Products by such third parties in accordance with this Agreement. 4. Documentation and Electronic Delivery 4.1 All Products and User Documentation are accessed and delivered or made available primarily via electronic means, although they may eventually be made available through other means to the Customer when required by the nature of the Products or services requested by the Customer in the Order Form. 4.2 Whenever Customer and NTT DATA SPAIN agree to alternative means of delivery, they shall provide for the form, date and validity of such delivery. 4.3 Customer is permitted to print and make a reasonable number of copies of the User Documentation for its internal use in accordance with this Agreement, provided that Customer reproduces all copyright and other proprietary notices that are on the original copy of such User Documentation. Customer acknowledges and agrees that its purchase is not contingent on the delivery of any future functionality or features and is not dependent on any oral or written public comments made by NTT DATA SPAIN or its employees, agents or representatives regarding future functionality or features of any of its Products. 5. Restrictions 5.1 Software Product License Restrictions. NTT DATA SPAIN reserves all rights not expressly granted to Customer in this Agreement. Subject to applicable laws, Customer agrees that it will not: (a) copy any Software Product, or reprint or reproduce all or any portion thereof, except as permitted under this Agreement and for Customer’s own internal business purposes; (b) modify, adapt, redistribute, or translate any Software Product, except as permitted under this Agreement; (c) de-compile, reverse engineer or disassemble or create derivative works any Software Product, or otherwise attempt to reduce such Software Product from object code to source code or reconstruct or discover any source code, underlying ideas, algorithms, file formats or programming interfaces of any Software Product by any means whatsoever (except and only to the extent that applicable law prohibits or restricts reverse engineering restrictions); (d) use any Software Product to develop any works which are functionally comparable or competitive to any Software Product, or create any works which are derived from Software Product (using the Software Product to produce reports or other tasks permitted by such Software Product are not deemed to be works derived from the Software Product); (e) lease, rent, loan, sell, sub-license or distribute the Software Product -at a standalone basis or bundled with another software-outside Customer’s organization to a third party (including, using the Software Product on a time-sharing basis, for service bureau purposes, or for the provision of a fee generating service directly or indirectly to third parties); (f) utilize any equipment, device, software, or other means designed to circumvent or remove any security mechanisms, or any form of copy or usage protection used by NTT DATA SPAIN or its third party licensors in connection with the Software Product; (g) combine the Software Product with any other software (including open source software), where the combined program is subject any FOSS license that requires the combined program or the Software Product and their source code to be made freely available; (h) publicly disseminate or disclose source code, object code, User Documentation, performance information or analysis on the Software Product, including any results of benchmark tests run on the Software Product; or (i) use the Software Product in any manner that violates applicable laws or regulations. The Customer shall ensure that its equipment (hardware), basic IT systems (operating systems, database management systems, security software, etc.), are suitable in order to make use of the Software Product and, where necessary, it shall be responsible for acquiring, at its own cost, IT equipment and systems with the minimum specifications set out in the Order Form. In particular, the Customer shall keep NTT DATA SPAIN informed of any change to its facilities, systems, environment or technology that might have an impact with regard to the Software Product. The Customer shall establish data back-up policies to protect itself from the loss of data and/or any malfunctions or mistakes that may result from the use of the Software Product, but under no circumstances shall it make back-up copies of the object code installed on-premise or on its proprietary cloud. 5.2 SaaS Product Use Restrictions. Customer will use the SaaS Products solely as contemplated by this Agreement and will not: (a) use the SaaS Products in violation of applicable laws or regulations; (b) knowingly send or store infringing, threatening, libelous or otherwise unlawful or tortious material, including material which violates any individual’s privacy rights; (c) interfere with or disrupt the integrity or performance of the SaaS Products or the data contained therein; (d) attempt to gain unauthorized access to the SaaS Products or related systems or networks,(e) use any other robot, spider, scraper, deep link or other automated data gathering or extraction tools, program, algorithm or methodology to access, acquire, copy or monitor any portion of the SaaS Products; (f) attempt to post or transmit any file which contains viruses, worms, Trojan horses or any other contaminating or destructive features, or that otherwise interfere with the proper working of the SaaS Products; or (g) conduct any tests or analysis on the security or performance of the SaaS Products without NTT DATA SPAIN’ prior written consent or publicly disclose the results of any such tests or analysis. NTT DATA SPAIN reserves the right to suspend Customer’s use of the SaaS Products or take other appropriate remedial action to address any violation or suspected violation of this Section. The same Restrictions shall cover the use, when applicable, of on-premise based Products. 5.3 Resource Restrictions. In addition to the restrictions in Sections 5.1 and 5.2, Customer and its Named Users will not: (a) disseminate or distribute Resources to anyone outside their organization or the NTT DATA SPAIN user community, as applicable; (b) license, sell or otherwise commercially exploit the Resources; (c) create internet “links” to the Resources or “frame” or “mirror” any Resource content on any other server or wireless or internet- based device; (d) post or transmit any material that is unlawful, defamatory, profane, discriminating, harassing, threatening, infringing of intellectual property, invasive of privacy, or otherwise objectionable; or (e) harvest or otherwise collect information about others, including names and email addresses. Named Users who participate in the peer community forums will behave professionally and will abide by any posted guidelines or policies related to acceptable use and conduct while using such forums. NTT DATA SPAIN reserves the right to modify, reject or remove any material posted in the community forums and to suspend use of the Resources, or take other appropriate remedial action, to address any violation or suspected violation of this Section. 5.4 User Documentation. Reproduction, relabeling, distribution, offer, import, sales, translation, modifications and derivative works of the User Documentation is strictly forbidden. 5.5 Special provision within the European Union: Should the Products, in whole or in part, consist of a database, Customer will have no right to make an extraction and/or re-utilization of the whole or of a substantial part, evaluated qualitatively and/or quantitatively, of said database. This exclusion only concerns the original data provided by NTT DATA SPAIN and will not prevent Customer from using results derived from the use of Products. 6. Intellectual Property Rights 6.1 All title, ownership rights and Intellectual Property Rights in and to the Products, the Resources, User Documentation, as well as NTT DATA SPAIN Pre-existing IP remain as Intellectual Property or trade secrets exclusively owned by NTT DATA SPAIN . NTT DATA SPAIN Pre-existing IP, in particular the Products, Resources and User Documentation are protected by copyright laws and international copyright treaties and NTT DATA SPAIN may incorporate certain measures in a Product or Resource to prevent unauthorized use. Customer is responsible for any copyright infringement it causes. 6.2 NTT DATA SPAIN reserves all Intellectual Property Rights, and rights, not expressly granted to the Customer in this Agreement. Consequently, nothing in this Agreement shall limit in any way NTT DATA SPAIN’ right to develop, use, license, enhance, modify, create derivative works of, otherwise exploit the Products, or to permit third parties to do so. In no event shall NTT DATA SPAIN be precluded to use its general knowledge, skills and experience and any ideas, concepts, know-how and techniques that are acquired or used in the course of this Agreement, or to reuse any general knowledge which is public and common to different companies in the same sector. 6.3 Customer acknowledges that any and all Intellectual Property Rights owned by NTT DATA SPAIN, or any other rights belonging to NTT DATA SPAIN or third parties, are and will remain the sole and exclusive property of NTT DATA SPAIN or third parties, whether or not they are protected under Intellectual Property laws applicable in the Territory or otherwise in other countries at any moment. 6.4 Customer shall not acquire any rights, title or interest in or on the NTT DATA SPAIN Pre-existing IP, including the Products, Resources and User Documentation except as set forth herein. 6.5 Customer shall not acquire any rights, title or interest in or on the Intellectual Property Rights which may be developed by NTT DATA SPAIN while this Agreement is in force (a) in the course of providing any technical services to the Customer; or (b) during the performance of its obligation under agreements with other parties; or (c) any updates, enhancements or modification made to the Products; or (iv) in the course of independent, internal research and developments. 6.6 Customer shall not seek to register as its own, in any jurisdiction, any Intellectual Property Rights owned by NTT DATA SPAIN or third parties, whether or not they are protected under the intellectual and/or industrial property laws having effect in the Territory or any other country at any time. 6.7 Customer will not delete or in any manner alter the copyright attribution notices, trademarks, and other proprietary notices of NTT DATA SPAIN in the Products, Resources and User Documentation. The Parties may not use any registered trademarks, logos, commercial names, Internet domain names or other distinctive sign of the other Party, without its prior, express and written consent. This consent will not be necessary in order for NTT DATA SPAIN to use the foregoing in any proposals and/or presentations to third parties, as a mere commercial reference, or in NTT DATA SPAIN’s internal Intranet, accessed by employees only, as long as the confidentiality obligations stipulated in this Agreement are not breached. 6.8 Title to any Third Party Content and all Intellectual Property Rights in and to them, are and will remain the exclusive property of its respective licensors. Nothing contained in this Agreement grants or confers, or will be construed to grant or confer, any rights in or to any Third Party Content, expressly or by implication. 6.9 When Third Party Content is licensed under a Free Open Source license (FOSS), the applicable FOSS license conditions prevail over any other terms and conditions covering the Product and therefore, such components may be used solely in accordance with the applicable licenses and not under the terms of this Agreement. All Third Party Content subject to FOSS licenses provided with the Product (along with their respective licenses) are listed in the applicable Order Form. 6.10 There could be other Third Party Content that is not provided with the Product and that the Customer may directly download and install to supplement the Product functionalities. Although these components may enhance the Product functionalities, they are not distributed within or linked to the Product but are completely separated features. These standalone components, whether proprietary or FOSS, are subject to their respective license terms and conditions that will be binding to the Customer directly. 6.11 Security Mechanism. NTT DATA SPAIN reserves the right to embed software security mechanisms within the Products and/or the NTT DATA SPAIN Website where they are delivered, to monitor the usage of the Products in order to verify compliance with this License. By means of this Agreement, Customer consents to the inclusion and/or operation of control and DRM (Digital Rights Management) or security measures. Only in the event of non-compliance may such a security mechanism store data relating to the use of the Software and the number of times it has been copied. NTT DATA SPAIN reserves the right to use a hardware lock device, license administration software and/or a license authorization key to control access to the Products. Customer may not take any steps to avoid or defeat the purpose of any such measure. Use of the Products without any required lock device authorization key provided by NTT DATA SPAIN is prohibited. 6.12 Suggestions. Customer may, from time to time, provide suggestions, enhancement or feature requests or other feedback to NTT DATA SPAIN with respect to the Products, services or related documentation (whether or not said products, services or documentations are disclosed or delivered by NTT DATA SPAIN to Customer under this Agreement) (collectively, “Feedback”). Customer agrees that all Feedback is and shall be given to NTT DATA SPAIN entirely voluntarily. NTT DATA SPAIN shall be free to use, disclose, reproduce, license or otherwise distribute and exploit the Feedback at its discretion, without restriction or obligation of any kind and nature. Feedback, even if designated as confidential by Customer shall not create any obligation of confidentiality for NTT DATA SPAIN, unless NTT DATA SPAIN expressly agrees so in writing. To the extent Customer, or any Named User, makes any suggestions regarding any features, functionality or performance that NTT DATA SPAIN adopts for any of its Products or Resources (expressly excluding Customer Confidential Information), Customer and such Named User hereby grant NTT DATA SPAIN a non-exclusive, royalty-free, worldwide, perpetual and irrevocable right and license to freely copy, use, make use of, publish, adapt, distribute, sell, license, create derivative works from and otherwise exploit such suggestions, including incorporating them into future versions of the Products or Resources. Customer and such Named User waive all moral rights and claims in respect of such suggestions. 7. Data Protection 7.1 The personal data of the representatives, employees or, if applicable, Named Users of the parties in this Agreement, to which the parties have access by virtue of the contractual relationship, will be used only for the purpose of executing, fulfilling and requesting the fulfilment of the obligations and responsibilities derived from the present Agreement, and managing the relationship between them, as well as, if necessary, for the defense of the interests of each party, legal advice and respective compliance systems. The personal data of the foregoing will be processed, respectively, by the entities identified in the heading, which will act, independently, as responsible for the processing of its. Such data will be processed in order to comply with the rights and obligations contained in this document, without any automated decisions being taken that could affect the aforementioned representatives. Consequently, the legal basis of the processing is to comply with the aforementioned contractual relationship for the provision of services. The data will be kept for the duration of the contractual relationship stipulated herein, and will be processed only by the parties and those third parties to whom they are legally or contractually obliged to communicate them. 7.2 For the purposes described in Section 7.1, the parties may process the following categories of data: identification data, corporate data, personal details (such as date of birth), employment or professional data (such as place of work and position), business information (such as activities and business or business licenses). The data processed shall be that provided between the parties or by the data subject and other natural or legal persons. 7.3 In any event, the parties agree to be bound and comply with the terms set forth in Schedule A to this Agreement, as the case may be depending on the nature of the required data processing activities relating to the Products or Additional Services as per the Order Form. The parties agree to enter into any required data protection-related agreements as the case be required in the Order Form. 7.4 The representatives of the parties may exercise, under the terms established by the legislation in force, the rights of access, rectification and deletion of data, as well as request that the processing of their personal data be limited, oppose it, or request the portability of their data by sending a written communication to each of the parties, to the addresses specified in this document, or failing that, to their registered office. In the event that they are not satisfied with the attention received from the parties after exercising any of the aforementioned rights, they may file a complaint with the Spanish Data Protection Agency or other competent authority. The representatives of the parties may contact the data protection delegate of NTT DATA SPAIN, S.L.U. at the following e-mail address: data.protection.office@nttdata.com, and the data protection delegate of the Customer at the following e-mail address: [*] 7.5 Where Customer’s use of the Products includes the processing of Customer Data by NTT DATA SPAIN it will be subject to the General Data Protection Regulation (EU) 2016/679 (GDPR). This data processing by NTT DATA SPAIN, as data processor, complies with the requirements of the aforementioned legislation. NTT DATA SPAIN shall process personal data on behalf of and in accordance with Customer’s instructions consistent with this Agreement. Hence, Schedule A and B shall govern the aforementioned data processing. 8. Fees and Payment 8.1 Fees. Customer will pay the Fees set out in each Order Form. Unless otherwise stated in the applicable Order Form, Fees are due within thirty (30) days from date of invoice and are non-cancelable and nonrefundable. 8.2 Taxes. All applicable taxes (excluding taxes on NTT DATA SPAIN’ net income), duties or other governmental fees are additional and payable by Customer and are based on the shipping address specified in the Order Form. If Customer is required to pay any withholding tax, charge, or levy in respect of any payments due to NTT DATA SPAIN hereunder, Customer shall gross up payments made such that NTT DATA SPAIN shall receive sums due hereunder in full and free of any deduction for any such withholding tax, charge, or levy. NTT DATA SPAIN will not charge tax from which Customer is exempt if Customer is a tax-exempt institution or entity and Customer provides the applicable tax exemption certificate. Customer acknowledges that its invoicing and shipping addresses are set out in the Order Form. 8.3 Overdue Fees. If any Fees are more than thirty (30) days overdue, NTT DATA SPAIN may, without limiting its other rights and remedies, suspend or terminate Customer’s access to and use of the Products, or related services, in respect of which Fees are overdue until such amounts are paid in full. NTT DATA SPAIN will provide at least seven (7) days prior notice that Fees are overdue before any such suspension and will not exercise such right if Customer is disputing the applicable Fees reasonably and in good faith and is cooperating diligently to resolve the dispute. Also, if payment has not been made within thirty (30) days following the date of issuance of the invoice, NTT DATA SPAIN may invoice late charges which shall be calculated by applying 3% per month of the amount of the charges to the days late, unless otherwise is established by law. 8.4 Change in pricing. NTT DATA SPAIN reserves the right to change, update or amend the Fees set out in each Order Form prior written notice of such price change to the Customer with at least two (2) months before the change takes place. 9. Term and Renewal 9.1 Term. Customer’s License/ Subscription for a Product, that being Software Product or a SaaS Product, is for the term set out in applicable Order Form. If no License/Subscription term is set out in the Order Form, the License/ Subscription term is one (1) year from the date of the Order Form. The Products contain a disabling mechanism that prevents use of the Products beyond the applicable License/ Subscription term. 9.2 Renewal. Customer’s License/ Subscription will renew at the end of each License/ Subscription term for a further one (1) year term (or such other term agreed by the parties in writing) for the same License/ Subscription type and number of Named Users unless: (a) NTT DATA SPAIN receives Customer’s notice of non-renewal at least thirty (30) days before the end of the then-current License/ Subscription term; or (b) NTT DATA SPAIN provides Customer with notice of non-renewal at least sixty (60) days before the end of the then-current License/ Subscription term. NTT DATA SPAIN will provide Customer with at least two (2) separate renewal notices ninety (90) and sixty (60) days prior to the end of the then-current License/ Subscription term setting out the Product, License/ Subscription type and quantity, and new pricing terms to permit Customer an opportunity to confirm renewal or notify NTT DATA SPAIN that Customer does not wish to renew its License/ Subscription. 10. Termination 10.1 Termination for Convenience. Both Parties may terminate this Agreement, and its Licenses/ Subscriptions to the Products, at any time for convenience by providing written notice to the other Party, except during the thirty (30) day period before the end of the then-current License/ Subscription term; however, there are no refunds of Fees paid in advance and Customer will remain liable for any unpaid Fees for the remaining unexpired term. 10.2 Termination for Cause. Either party may terminate this Agreement immediately if the other party: (a) is in material breach of its obligations under this Agreement (such as, failure to pay the required Fees) and fails to either cure the breach, or make substantial progress to the terminating party’s reasonable satisfaction to cure the breach, within thirty (30) days of receiving written notice from the terminating party; or (b) becomes insolvent or bankrupt, becomes the subject of any proceedings under bankruptcy, insolvency or debtors’ relief law, has a receiver, manager or receiver-manager appointed, makes an assignment for the benefit of its creditors or takes the benefit of any applicable law or statute in force for the winding up or liquidation of corporations. In addition, NTT DATA SPAIN may terminate this Agreement immediately if Customer breaches Section 3 (Use of the Products), Section 5 (Restrictions), Section 6 or Section 11 (Data Ownership) of this Agreement. If NTT DATA SPAIN terminates this Agreement for cause, Customer remains liable for all unpaid Fees that are payable for the entire License/ Subscription period. If Customer terminates this Agreement for cause, NTT DATA SPAIN will refund any prepaid Fees calculated from the effective date of termination to the end of the current License/ Subscription period, except that any refunds under Sections 13 (Limited Warranty) or Section 15.2 (Remedy for Infringement Claims) will be handled exclusively under those sections. 10.3 Effect of Expiration or Termination. Upon expiration or termination of a Product License/ Subscription or this Agreement, NTT DATA SPAIN will terminate Customer’s access to and use of such Product. Customer will destroy the original and all copies of such Product and User Documentation in its possession or control. NTT DATA SPAIN reserves all right to decide between the following options: (a) upon written request by NTT DATA SPAIN, an authorized signatory of Customer’s organization will, within thirty (30) days of such request, certify in writing to NTT DATA SPAIN that the original and all copies of the Product and User Documentation have been destroyed or returned to NTT DATA SPAIN. (b) Upon one-day prior notice, NTT DATA SPAIN or a third-party appointed by NTT DATA SPAIN will access the Customer’s premises in order to verify the destruction of the original and all copies of the Product and Documentation. Each party will immediately return to the other party all Confidential Information of the other party in its possession or control. When and if applicable, Customer is responsible for removing all Customer Data from the SaaS Products following expiration or termination of the Licenses/ Subscription. NTT DATA SPAIN will allow Customer to access the SaaS Products for a period of thirty (30) days after expiration or termination to facilitate such removal. Whenever it may not fall under Customer's obligation as stated above, NTT DATA SPAIN shall proceed to the elimination of all Customer Data provided under this Agreement. 10.4 Survival. The termination of this Agreement will not constitute a waiver of any Fees, amounts or charges due by Customer, nor will termination in any way reduce or compromise any other rights of either party pursuant to this Agreement. All terms that by their nature should survive termination of this Agreement will survive, including but not limited to Confidential Information, data protection, and Intellectual Property Rights. 11. Data Ownership 11.1 Customer Data. Customer has and will retain ownership and control of all Customer Data. Customer may not upload or process Customer Data in or with a Product, unless Customer has lawfully obtained such Customer Data and Customer complies with all applicable laws with respect to its use of such Customer Data. NTT DATA SPAIN does not have any duties nor responsibility on the data input by Customer in the Product(s). 11.2 Usage Data. NTT DATA SPAIN may collect, use, process and store technical and usage related content from the computer, mobile phone or other devices the Customer uses to download, install and access the Products, for improvement, for support purposes, and for verification of Software. This may include, but is not limited to, IP addresses and other information like Internet service, location, the type of browser and modules that are used and/or accessed (the “Usage Data”). Customer agrees that NTT DATA SPAIN may process Usage Data to create and compile anonymized, aggregated datasets and/or statistics about the Products, in order to maintain, monitor and improve the performance and the integrity of NTT DATA SPAIN’ Products. 12. Confidential Information 12.1 Confidentiality. Each party may have access to Confidential Information relating to the Products, the Customer’s needs or this Agreement. Each Party acknowledges that Confidential Information is proprietary and valuable to Disclosing Party and that any disclosure or unauthorized use thereof will cause irreparable harm and loss to Disclosing Party. Each party agrees to hold the other party’s Confidential Information in confidence during the term of this Agreement until such party returns or destroys all Confidential Information in its possession or control. Notwithstanding the foregoing, the parties undertake that any and all Confidential Information exchanged for purposes of this Agreement prior to execution of the Agreement shall be subject to the provisions concerning confidentiality set out in this clause. Neither party will disclose the other party’s Confidential Information to any third party or use the other party’s Confidential Information for any purpose other than for the purposes of this Agreement, except as may be required by law or valid government or court order pursuant to Section 12.2 below. The parties shall be jointly and severally liable, together with their employees, agents, and third parties for whom they are responsible, for all loss and injury arising as a consequence of non-compliance with the confidentiality obligation, without prejudice to whatever action the aggrieved Party may be entitled to take against the other Party or against Third parties under applicable law. The Receiving Party undertakes to use Confidential Information for the sole purpose of fulfilling this Agreement unless otherwise agreed to in writing by the Parties. 12.2 Compelled Disclosure. Each party further agrees to adopt reasonable security measures (such as sending information in a secure encrypted manner or masking the data) when sending Confidential Information.. If the Receiving Party is requested or required by applicable law or legal process to disclose any of the disclosing party’s Confidential Information, the Receiving Party will provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. Any such disclosure will be limited to the extent required and will be subject to confidentiality protections to the extent reasonably practicable. Disclosures of Confidential Information that are required by applicable law or legal process will not be breaches of this Agreement. 12.3 Publicity. Notwithstanding the provisions in Sections 13.1 and 13.2 above, the parties may agree, in the order form, to issue a press note or to publicly disclose via their respective websites, social network profiles, leaflets, or other promotional materials, the existence of this Agreement and the commercial relationship between them, the nature of the Products or Additional Services, and related circumstances. 13. Limited Warranty NTT DATA SPAIN warrants that the Products will perform during the License/ Subscription term substantially in compliance with the functional specifications set out in the applicable User Documentation for the Products; provided that, Customer administers, accesses and uses the Products in accordance with such User Documentation. Other than what it is provided in the Service Level Agreement referred to in Schedule E to the Order Form, NTT DATA SPAIN does not warrant that use of the Products will be uninterrupted or error-free. If a Product fails to operate as warranted in this Section, and Customer notifies NTT DATA SPAIN in writing of the nature of the non-compliance, NTT DATA SPAIN will make commercially reasonable efforts to promptly repair or replace the Product – or part of the Product – to remedy such non-compliance without charge. If, after a reasonable opportunity, NTT DATA SPAIN does not remedy the non-compliance, Customer may terminate its License/ Subscription to the non-conforming Product and receive a refund of any prepaid, unused Fees for the remaining License/ Subscription term of such Product prorated from the date of notice to the end of the then current License/ Subscription term. NTT DATA SPAIN is under no obligation under this warranty to make corrections or repairs or to replace the Product or part of it in the event that the fault or non-compliance is the result of: (i) the Customer’s own fault or negligence; (ii) the use of the Product in a way that is not specified in the User Documentation; (iii) causes that are external to the Product; or (iv) its inability to operate with other systems or applications of the Customer.The foregoing remedy provides the sole and exclusive remedy for breach of warranty. 14. Disclaimer 14.1 General. EXCEPT FOR THE EXPRESS WARRANTIES IN THIS AGREEMENT, THE PRODUCTS, USER DOCUMENTATION, RESOURCES, THIRD-PARTY CONTENT AND ANY SERVICES PROVIDED HEREUNDER ARE PROVIDED “AS-IS” AND ARE NOT WARRANTED TO BE ERROR-FREE, AND CUSTOMER ACCEPTS THE ENTIRE RISK AS TO THE QUALITY, PERFORMANCE, RELIABILITY, ACCURACY AND THE RESULTS OF THEIR USE. EXCEPT AS OTHERWISE RESTRICTED BY LAW, NTT DATA SPAIN AND ITS LICENSORS DISCLAIM ALL OTHER REPRESENTATIONS, WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, BY STATUTE OR OTHERWISE, REGARDING THE PRODUCTS, USER DOCUMENTATION, RESOURCES, THIRD PARTY CONTENT AND ANY SERVICES PROVIDED HEREUNDER, INCLUDING, BUT NOT LIMITED TO, THEIR FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, DURABILITY AND NON-INFRINGEMENT. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY NTT DATA SPAIN, ITS LICENSORS, OR THEIR RESPECTIVE EMPLOYEES, OFFICERS, DIRECTORS, CONTRACTORS, DISTRIBUTORS OR AGENTS, WILL INCREASE THE SCOPE OF THE EXPRESS WARRANTIES IN THIS AGREEMENT, OR CREATE ANY NEW REPRESENTATIONS, WARRANTIES OR CONDITIONS. NTT DATA SPAIN WILL NOT BE LIABLE FOR DAMAGES ARISING FROM THIRD PARTY SOFTWARE THAT OPERATES SEPARATELY BUT IN CONJUNCTION WITH A PRODUCT, AS THESE ARE LICENSED TO CUSTOMER UNDER SEPARATE AGREEMENTS. Some jurisdictions do not allow the exclusion of implied warranties, so the foregoing exclusions may not apply to Customer. In that event, any implied warranties are limited in duration for a ninety (90) day period commencing from the date Customer activates its Product License/ Subscription. 14.2 Third Party Content. USE OF THIRD-PARTY CONTENT IS SUBJECT TO THEIR PARTICULAR TERMS AND CONDITIONS , BY SO USING THEM, CUSTOMER RELEASES NTT DATA SPAIN AND ITS LICENSORS FROM ANY AND ALL LIABILITY THAT MAY ARISE IN CONNECTION WITH SUCH USE. IN PARTICULAR, NTT DATA SPAIN DISCLAIMS ALL WARRANTY AND LIABILITY REGARDING THIRD PARTY CONTENT BASED IN FOSS LICENSES. 15. Indemnity 15.1 Infringement Indemnity. NTT DATA SPAIN will defend any claim made against Customer which asserts that a Product, when used in accordance with this Agreement, infringes any Intellectual Property Right of a third party in the Territory, and will indemnify Customer from actual damages and costs (including reasonable legal fees) finally awarded against Customer in respect of such claim, or settlement amount agreed to be paid in settlement of such claim, provided that: (a) Customer gives NTT DATA SPAIN prompt notice of the claim; (b) NTT DATA SPAIN has sole control of the defense and all negotiations for its settlement or compromise (provided this does not require an admission of guilt or liability by Customer); and (c) Customer provides NTT DATA SPAIN with reasonable assistance, at NTT DATA SPAIN’ expense. NTT DATA SPAIN will have no obligations to Customer if the infringement claim is based on or relates to: (a) Customer’s continuing use of a version of the Product which is no longer commercially released by NTT DATA SPAIN, if NTT DATA SPAIN makes available a newer version of a Product that would avoid or reduce the infringement claim; (b) use or combination of any Product with other programs, components or products not provided or authorized by NTT DATA SPAIN if such use or combination results in the infringement claim; (c) Customer’s misuse, misappropriation or improper disclosure of Customer Data; or (d) use of a Product which is in breach of this Agreement or which is not in accordance with the applicable User Documentation. 15.2 Remedy for Infringement Claims. Upon notice of an infringement claim, or if in NTT DATA SPAIN’ opinion such a claim is likely, NTT DATA SPAIN has the right, at its option and expense, to either: (a) procure the right for Customer to continue using the affected Product; or (b) replace or modify such Product so that it provides substantially the same, or greater, functionality and performance as the affected Product, but is no longer subject to a claim of infringement. If, in NTT DATA SPAIN’ opinion, neither of the above options is commercially reasonable in the circumstances, NTT DATA SPAIN may terminate Customer’s License/ Subscription upon thirty (30) days written notice to Customer and will provide a pro-rata refund of any prepaid, unused Fees for the remainder of the current License/Subscription term. The pro-rata refund will be calculated from the date NTT DATA SPAIN is notified of the infringement claim to the remainder of the then current License/ Subscription term. Sections 15.1 and 15.2 comprise NTT DATA SPAIN entire obligation and liability with respect to the infringement of third parties’ Intellectual Property Rights and proprietary rights. 15.3 Customer Indemnity. Customer will defend any claim made against NTT DATA SPAIN (including its employees, directors, agents and representatives) which arises from or relates to: (a) Customer’s collection and use of Customer Data in connection with the Products, or (b) Customer’s breach of Section 2.4 (Third Party Content) or Section 5 (Restrictions). Customer will indemnify NTT DATA SPAIN from actual damages and costs (including reasonable legal fees) finally awarded against NTT DATA SPAIN in respect of any such claim, or settlement amount agreed to be paid in settlement of any such claims, provided that: (a) NTT DATA SPAIN gives Customer prompt notice of the claim; (b) Customer has sole control of the defense and all negotiations for its settlement or compromise (provided this does not require an admission of guilt or liability by NTT DATA SPAIN); and (c) NTT DATA SPAIN provides Customer with reasonable assistance, at Customer’s expense. This indemnity will not apply to the extent such claim arises solely from a Product itself or is caused by NTT DATA SPAIN breach of this Agreement. 16. Mutual Limitation of Liability 16.1 No Consequential or Indirect Damages. THE PARTIES, AND THEIR LICENSORS AND AFFILIATES (INCLUDING THEIR RESPECTIVE EMPLOYEES, OFFICERS, DIRECTORS, CONTRACTORS, DISTRIBUTORS AND AGENTS), WILL NOT BE LIABLE TO EACH OTHER FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR REVENUES, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION OR CORRUPTION OR LOSS OF DATA OR COSTS OF SUBSTITUTE GOODS OR SERVICES, ARISING OUT OF OR IN CONNECTION WITH CUSTOMER’S USE OF OR INABILITY TO USE THE PRODUCTS, USER DOCUMENTATION, RESOURCES, THIRD PARTY CONTENT, ANY SERVICES PROVIDED HEREUNDER, OR ANY TRANSACTION CONTEMPLATED BY THIS AGREEMENT, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some jurisdictions may not allow the exclusion or limitation of incidental or consequential damages, so portions of this limitation may not apply. 16.2 Limit on Direct Damages. EACH PARTY (AND THEIR RESPECTIVE LICENSORS’, AFFILIATES’, EMPLOYEES’, OFFICERS’, DIRECTORS’, CONTRACTORS’, DISTRIBUTORS’ AND AGENTS’) AGGREGATE CUMULATIVE LIABILITY FOR ANY CLAIMS ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL BE LIMITED TO DIRECT DAMAGES ONLY NOT EXCEEDING THE LOWER AMOUNT BETWEEN THE FEES PAID BY CUSTOMER DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM FOR THE APPLICABLE PRODUCT WHICH GAVE RISE TO THE CLAIM OR THE TOTAL AMOUNT PROVIDED IN THE ORDER FORM FROM WHICH THE DAMAGES RESULT . 16.3 Exclusions. The limit on direct damages in Section 16.2 will not apply: (a) to the Customer’s indemnification obligations under this Agreement; (b) if Customer breaches any of NTT DATA SPAIN’s intellectual property rights with respect to the Products, including, but not limited to a breach of Section 5 (Restrictions); (c) to any Fees owed on termination; (d) to any gross negligence or willful misconduct of a party; or (e) to liability for death or personal injury. 17. Access to the Customer’s systems. 17.1 In order for the Customer to gain access to the Products or NTT DATA SPAIN to provide Additional Services, NTT DATA SPAIN may require access to the Customer's systems, and therefore the Customer undertakes to facilitate NTT DATA SPAIN access and connection to its systems under the following conditions: (a) In all cases, NTT DATA SPAIN shall follow and observe the Customer's security policies, which shall be communicated to it by the Customer. (b) The Customer shall configure and provide NTT DATA SPAIN with access and connection permissions to its systems, limited to the members of the team that may require it at any given time. In the event of rotation, access and passwords assigned to team members shall be inactivated within 48 hours of their departure. (c) NTT DATA SPAIN shall access the Customer’s systems only to install the Product and/or perform the Additional Services. (d) Access to the systems granted to NTT DATA SPAIN does not authorise NTT DATA SPAIN, except as otherwise stated in this Agreement, to: a. reproduce or copy, distribute, modify, transfer or publicly communicate the information contained in the systems, unless expressly authorised by the Customer. b. use the information contained in the systems for any commercial purpose whatsoever, or to identify potential customers within the Customer's sector of activity, or the Customer's suppliers for the purpose of making proposals for services, or to market such information in any way whatsoever c. remove, circumvent or manipulate the data identifying the rights of the Customer or its owners incorporated therein (including, but not limited to, copyright symbols, watermarks or similar measures). d. remove, evade, manipulate the technical protection devices, firewalls, encryption mechanisms, digital fingerprints, antivirus, or any other protection mechanisms. e. disassemble, decompile or invert the databases in which the information of the systems is contained. f. engage in activities that may be considered illegal, immoral or contrary to public policy. These impermissible activities include, but are not limited to, the following: i. Sending offensive, abusive or threatening communications ii. Unlawful access to third party computer systems; iii. Installation of computer viruses or software intended to cause damage to data or computer systems or to violate the privacy of third parties or to unlawfully overcome security and/or protection systems; iv. Dissemination of computer viruses or software intended to cause damage to data or computer systems or to infringe the privacy of third parties or to unlawfully overcome security and/or protection systems; v. Access to and/or dissemination of child pornography; vi. Apology for terrorism; vii. Access to and/or dissemination of content of a racist or xenophobic nature; g. Using the systems and the information contained therein to carry out activities that may damage the image of the Customer. (e) The remote provision of the Products or the Additional Services by NTT DATA SPAIN shall require a VPN or similar connection to the Customer's systems. (f) In the event that the Customer makes available to NTT DATA SPAIN any facilities, software, hardware, infrastructure or other resources for NTT DATA SPAIN to provide the install the Products and/or Additional Services, the Customer shall ensure that it obtains any licenses or approvals relating to such resources that may be necessary for NTT DATA SPAIN to perform its obligations under the Order Form and this Agreement. NTT DATA SPAIN shall not be liable for any failure to perform any obligation affected by the Customer's failure to promptly obtain such licenses or approvals. (g) In the event that NTT DATA SPAIN makes available to the Customer any software or tools for the Customer to receive the Products or Additional Services, NTT DATA SPAIN shall ensure that it obtains any licenses or approvals relating to such resources that may be necessary for the Customer to receive the Products and/or Additional Services from NTT DATA SPAIN. The Customer shall not be liable for any failure to perform any obligation which is affected by NTT DATA SPAIN' failure to promptly obtain such licenses or approvals. 17.2 Security: At all times the parties shall cooperate to ensure the security of the systems and data handled by the Customer. Thus, the Customer shall implement the security measures suggested by NTT DATA SPAIN in order to duly use the Products, as provided in the proposal contained in the Order Form, where applicable, to reinforce its systems and protect the Products. 18. Access to the Customer’s premises 18.1 Most of the Services contracted by the Customer shall be provided from NTT DATA SPAIN' premises and/or at the Customer's head office. NTT DATA SPAIN's team may carry out the implementation work mainly from the Customer's premises. The Customer's premises will host the team when necessary for meetings, specific tests, or other specific needs. To this end, the Customer undertakes to provide NTT DATA SPAIN with free and secure access (including remote access) to the Customer's premises, to the extent necessary for the fulfilment of the contractual obligations. In particular, the Customer must temporarily set up a project room on its premises to facilitate communication and the performance of this Agreement. 18.2 NTT DATA SPAIN shall not be liable for any delay in the performance or failure to perform its obligations when caused by a delay on the part of the Customer in providing such access. 18.3 The Customer shall arrange for the necessary permits and accreditations to allow NTT DATA SPAIN physical access to its premises. In order to carry out this clearance, NTT DATA SPAIN shall provide the Customer -within four (4) days prior to the scheduled visit to the Customer's premises- with a list of the members of the team to be accredited, as well as all reasonable information required by the Customer in order to manage the access permits to the building in which the Customer's premises are located. 18.4 The Customer shall not be liable for any delay in the clearance referred to in the above paragraphs where such delay is due to NTT DATA SPAIN's delay in supplying the necessary data. NTT DATA SPAIN acknowledges that failure to provide the information required by the Customer may result in the prohibition of access to its facilities to members of the team affected by the failure to provide the required data, without any cost or liability being attributable to the Customer. 18.5 NTT DATA SPAIN undertakes to comply with the security rules for access to and exit from the Customer's facilities, and any other instructions for the use of technical resources and facilities provided for this purpose by the Customer, which shall be supplied by the Customer on a timely basis. NTT DATA SPAIN shall be responsible for the proper use by the Equipment of the access authorisations, and for any damage that its workers may cause on the Customer's premises. 18.6 The costs of maintenance and upkeep of the facilities, including those arising from their use, shall be borne by the Customer. NTT DATA SPAIN shall not be liable for any damage which may occur through use alone and through no fault of its own. 18.7 In the event that the Customer requires the displacement of members of the team to its facilities to carry out functional tasks such as training, user testing, support for critical processes, NTT DATA SPAIN provides this on-site support provided that there is a minimum notice of two (2) working days to NTT DATA SPAIN. 19. Notices 19.1 Any notice that either party is required or permitted to give to the other party under this Agreement will be in writing and be delivered to NTT DATA SPAIN at its address set out on page 1 of this Agreement (Attention: Legal Department) and to Customer at the address provided on the Order Form when Customer subscribed to, or renewed, its License/Subscription. 19.2 Either party may, from time to time, change their address for notice by providing written notice of the change to the other party, which notice may be sent by fax, regular mail or email (provided that no automated or other response is received indicating non-delivery or the absence of the recipient). 19.3 The delivery of notice for any other purpose will be by personal delivery, courier, registered mail or confirmed e-mail. Delivery will be deemed effective upon receipt, if delivered personally, or by courier; or five (5) business days from sending, if delivered by registered mail; or upon confirmed receipt, if delivered by e-mail (provided that no automated or other response is received indicating non-delivery or the absence of the recipient). 20. Governing Law and Jurisdiction 20.1 This Agreement shall be governed by and construed in accordance with Spanish law. 20.2 Any conflict, dispute or claim arising out of or relating to this Agreement, or the breach, termination or invalidity thereof shall be resolved by the Courts of the city of Madrid (Spain). 21. Compliance 21.1 The Parties hereby shall fully comply with all the legislation and regulations in force (including international regulations), that may be applicable, for the execution of this Agreement and during its validity, especially the Spanish Criminal Code and the Anti-Corruption, Anti Money Laundering, Import/Export law, Competition law, Labour and Environmental regulations. 21.2 Each Party undertakes to conduct its professional activity under the principles of ethics and integrity and to implement appropriate measures for the identification, prevention and control of compliance risks (including crimes) within its organization. The Parties prohibit any act of corruption or bribery, directly or indirectly, in both the public and private sectors and agree to comply with all the principles of the United Nations Global Compact. 21.3 In addition, within the framework of the present contractual relationship, the Parties agree to avoid any conflict of interest, whether of a personal or professional nature. 21.4 Any failure to comply with the provisions of this Clause, provided that it is duly accredited, shall entitle the non-breaching party to automatically terminate this Agreement, as well as to claim what is legally appropriate in the event of being affected by such failure. 22. General 22.1 Complete Agreement. This Agreement, is the complete and exclusive statement of the agreement between the parties with respect to Customer’s License/ Subscription to the Products, and supersedes any prior discussions or agreements, oral or written, between the parties. The terms of any Customer purchase order or other general terms of Customer will not be binding on the parties and will not be construed to modify this Agreement. Any changes to this Agreement must clearly state that it is an addendum to the Agreement and must be signed by both parties before it is considered executed and binding on the parties. If the parties have entered into a written agreement or addendum with respect to the Products, which is signed by both Customer and NTT DATA SPAIN, such written agreement or addendum will take precedence over this Agreement to the extent expressly stated in such written agreement or addendum. 22.2 Waiver and Severability. No waiver of any right under this Agreement is effective unless in writing and signed by a duly authorized representative of the party to be bound. No waiver of any past or present right arising from any breach or failure to perform will be deemed to be a waiver of any future right arising under this Agreement. If any section of this Agreement is unenforceable, that section will be construed, limited, modified or, if necessary, severed to the extent necessary to eliminate its unenforceability and the other sections of this Agreement will remain in full force. 22.3 Assignment. NTT DATA SPAIN may assign this Agreement upon prior written notice to Customer. Customer may not assign this Agreement without NTT DATA SPAIN’ prior written consent, except to a corporate successor by merger, purchase of assets and assumption of liabilities, acquisition, reorganization, or otherwise; provided that, Customer notifies NTT DATA SPAIN in advance and such corporate successor agrees to be bound by this Agreement. In addition to the foregoing, Customer may only assign this Agreement if the assignee is not a competitor of NTT DATA SPAIN, Customer ceases use of the Products, and the usage of the Products does not exceed the number of Named Users for which Customer has purchased Licenses/ Subscriptions. Neither party will be considered in breach of the confidentiality provisions of this Agreement by reason of such assignment. This Agreement will inure to the benefit of and be binding upon the parties and their respective legal representatives, successors, executors, heirs and permitted assigns. 22.4 Additional Services. Additional Services, including but not limited to specific software consultancy or technical support, may be agreed upon on an applicable Order Form. These Additional Services shall be governed by the terms set in this Agreement and any other applicable terms and conditions stipulated in the Order Form and any applicable Annexes. 22.5 Force Majeure. Neither party will be liable to the other for any delays in performing or failing to perform any obligation under this Agreement in the event of and for so long as the performance of any such obligation is prevented or delayed by any cause beyond the reasonable control of such party (which expressly excludes a lack of sufficient funds), provided that the party prevented or delayed from performance immediately notifies the other party of such disability and resumes performance as soon as possible following removal of the disability. 22.6 No Third-Party Beneficiaries. Except as expressly provided in this Agreement, no person, other than a party to this Agreement, will be entitled to enforce any term of this Agreement. IN WITNESS WHEREOF, each Party hereto has caused this Agreement to be executed in duplicate in English, as of the Effective date, by its duly authorized representative. Signed for and on behalf of the Customer Signed for and on behalf of NTT DATA SPAIN, S.L.U. Signature: Signature: By (Name): By (Name): Title: Title: Date: Date:   SCHEDULE A – DATA SECURITY SCHEDULE These data protection procedures (the "Procedures") define the security protocols that the Customer and NTT DATA SPAIN shall follow to maintain the security and privacy of the personal data for the processing of which the parties may be responsible during the provision of the Products and Additional Services under the Agreement. 1. Security Policy The parties shall follow globally applicable policies, standards and procedures to protect its own and the other party’s data. These policies cover, among other areas: - System security - Information security and acceptable use of systems - Confidentiality - Data privacy - Data management 2. Organization of information security 2.1. Responsibilities The data protection executives of the parties (hereinafter referred to as the "Executives") listed below shall be responsible for confirming the implementation of and compliance with these Data Protection Procedures: - Customer's Executive: Mr./Ms. [*], as the Customer's designated officer - NTT DATA SPAIN's Executive: Mr./Ms. [*], as the designated officer of NTT DATA SPAIN. Notifications relating to the obligations of each Party with respect to personal data for the processing of which the Customer is the controller shall be made as follows: - communications relating to ordinary obligations shall be given in writing by email or written notice to each of the Executives; - communications regarding changes to the terms of these Procedures or to each Party's obligations under the Agreement with respect to personal data for the processing of which the Customer is responsible shall be given in accordance with Section 17. - in any event by email or written notice to the Executives. The Customer shall be responsible for the Systems under its control. Each party shall assume the responsibilities assigned to it in the following table as they relate to its employees, its subcontractors and computer equipment owned, controlled or used by each party to perform its obligations under this Agreement. Each party shall notify the other as soon as possible of any proposed changes to these Procedures in accordance with the provisions of Section 17 of this Agreement, as well as of any comments regarding possible gaps or weaknesses in the information security environment. Any substantial modification of these Procedures shall be subject to the mechanisms for modification of the Agreement and its annexes, as provided for in the Agreement: Control Responsible Party NTT DATA SPAIN Customer 1. Information classification 1.1 For each job description, the Customer shall communicate to NTT DATA SPAIN the types of personal data for the processing of which the Customer is responsible and which NTT DATA SPAIN is required to process. Such communication shall be made in writing or verbally (with subsequent written confirmation) to NTT DATA SPAIN when providing NTT DATA SPAIN with data of this nature. X 2. Human resources security 2.1 Training 2.1.1 The team and the personnel of its Affiliates and subcontractors assigned to the project shall receive NTT DATA SPAIN’ standard training on data protection, which shall include a test of understanding of the contents given. Similarly, if deemed necessary, Customer may provide training on its personal data management and protection processes to the team and the personnel of its subcontractors assigned to the project.. X X 2.1.2 All Customer personnel assigned to the project shall receive the training specified in the Procedures. X 3. Physical security 3.1 Physical security controls required by the security regulations of each site where personal data of the Customer is processed shall be adopted. X X 3.2 All staff must be registered and wear identification badges. X X 4. Communications and operations management 4.1 Network security management 4.1.1 Access control lists will be maintained for network devices. X X 4.1.2 Network traffic shall pass through firewalls that are monitored and protected by intrusion prevention/detection mechanisms to maintain a log of network traffic. X X 4.1.3 Access to network devices for administration purposes shall be protected with at least 128-bit encryption.. X X 4.1.4 Anti-spoofing filters shall be enabled. X X 4.1.5 Authentication passwords on networks, applications and servers shall have the level of complexity required by each party. X X 4.1.6 Transport Layer Security (TLS) shall be enabled between the Customer's and NTT DATA SPAIN’ email domains. X X 4.2 Virtual Private Networks ("VPN"). If remote access to NTT DATA SPAIN's or the Customer’s network is required to process the Customer's personal data and a VPN between sites has been agreed, both Parties shall install VPN servers with the following or similar features: 4.2.1 Connections shall be protected with at least 128-bit encryption. X X 4.2.2 Connections from the Customer to NTT DATA SPAIN' service centres shall be established using exclusively NTT DATA SPAIN' VPN servers. X X 4.2.3 Split Tunneling functionality shall be disabled. X X 4.2.4 The use of two-factor authentication shall be required. X X 4.3 Devices 4.3.1 For transmission of the Customer's personal data: 4.3.2 Data shall be protected by at least 128-bit encryption, unless prevented by local regulations or otherwise agreed between the parties. X X 4.3.3 As far as possible, the use of portable external media to transmit Customer personal data shall be avoided. Where necessary, data transmitted on external recordable or portable media shall be encrypted during transmission, using encryption keys which shall be transmitted separately. All Customer personal data transmitted between the parties shall be transported using either a secure, encrypted storage device or a file transfer mechanism accepted by the Data Protection Officers. The data shall be protected with at least 128-bit encryption. As far as possible, business-to-business e-mails shall be avoided. X X 4.3.4 Where commercially feasible and agreed by the Executives, the Customer shall take measures such as masking or anonymisation of the Customer's personal data before providing access to NTT DATA SPAIN. Customer shall identify situations where open/unencrypted data is used outside of production environments before providing access to NTT DATA SPAIN. If production data is used in testing, compensating controls will be agreed and implemented. X 4.4 Physical transport of data 4.4.1 A professional courier with documented chain of custody shall be used for the transport by third parties of hard copies or mobile media containing personal data of the Customer. X X 4.5 Data disposal 4.5.1 NTT DATA SPAIN shall carry out a review of the devices and accounts provided to team members leaving the project, who shall return and/or destroy all files, documents, statements, extracts, summaries, notes, in any medium or support, containing personal data for which the Customer is responsible and which are in their possession X 4.5.2 NTT DATA SPAIN shall keep copies of records containing personal data for which the Customer is responsible for processing in its archives for as long as necessary or as part of the normal back-up processes to ensure that NTT DATA SPAIN fulfils its obligations under the Agreement. NTT DATA SPAIN shall inform the Customer when it retains such data in its files and shall protect or conceal the Customer's personal data in those files by masking or other methods. NTT DATA SPAIN shall also treat such data as Confidential Information and shall restrict and control access to such data within its organisation. NTT DATA SPAIN shall have no obligation to keep copies of Customer databases or other compilations or repositories of Customer personal data in its files. X 4.5.3 NTT DATA SPAIN shall destroy paper copies of the Customer's personal data, using a paper shredder or secure shredding system, when they are no longer required for the provision of the Services.. X 4.6 Management of third party services 4.6.1 Subcontractors employed for the provision of the Services shall comply with similar contractual terms and conditions as those imposed on the parties in respect of privacy and security. X 4.6.2 NTT DATA SPAIN shall ensure that communications and information technology providers who provide general services to NTT DATA SPAIN, and who are not specifically contracted for the provision of the Products or the Additional Services (such as telecommunications and email providers), shall comply with contractual conditions on privacy and security that are reasonable from a legal point of view, taking into account the nature of the personal data in question. X 4.7 Back-up copies 4.7.1 In the event that NTT DATA SPAIN provides storage services for production databases and backups are made to magnetic tape or other external media, the backups shall be protected with a minimum of 256-bit encryption (unless there are legal requirements to the contrary) at the Customer's expense X X 5 Access control 5.1 User Access Control 5.1.1 The Customer shall use commercially viable means to ensure that NTT DATA SPAIN can only access personal data for the processing of which the Customer is responsible and which is necessary for NTT DATA SPAIN to fulfil its obligations under the Agreement. X 5.1.2 User account creation and deletion procedures, with appropriate authorisations, shall be implemented to grant and deny access to all of the Customer's internal Systems, data and applications used during the project. A person will be designated with the necessary authority to authorise the creation of new user IDs or to increase the access level of existing IDs. X X 5.1.3 An access control list containing access details of persons assigned to the project (team members and subcontractors) and detailing the type of access as well as the date access was granted or revoked to team members and/or subcontractor. X 5.1.4 The access control list shall be reviewed at least quarterly or as otherwise agreed in writing by the parties to confirm that access levels continue to be appropriate and that access revocations for personnel who have left the project have been properly processed. X 5.1.5 Access of personnel who have left the project shall be revoked within a maximum of two (2) working days or as required by the Contract. X X 5.1.6 Where necessary, a logical separation between environments (development, test, production) shall be defined so that a person can only access one of them. X X 5.1.7 Each person accessing a system or application shall have their own user IDs and passwords. The sharing of both user IDs and passwords shall be prohibited. X X 5.1.8 Two-factor authentication shall be required to access the Customer's internal network environment from non-Customer/NTT DATA SPAIN sites. In general, an internal network environment will be the network environment that a person can access from the Customer's offices or data centres. X X 5.1.10 To the extent possible, the access methods employed by the Customer shall control downloading, printing, copying and other forms of extraction of personal data from the Customer (e.g. Citrix/VDI/firewall at application layer). X 6. Password management 6.1 Electronic communications of passwords shall be protected by at least 128-bit encryption. X X 6.2 Initial user passwords shall be changed on first access. The sharing of user IDs and passwords shall be prohibited. X X 7.1 Encryption 7.1.1 Transmissions of Customer personal data between the Parties shall be protected by at least 128-bit encryption.. X X 7.1.2 Mobile phones and tablets will be PIN-protected, the number of emails that can be stored on the device will be limited and remote wiping will be enabled. X 7.1.3 Hard disks shall be protected with at least 256-bit encryption on all workstations used for the provision of Services (NTT DATA SPAIN', rented, Customer-owned or subcontractor-owned workstations) X X 8 Information Security Incident Management 8.1 Security Incident Reporting 8.1.1 Any actual or potential security incident that causes or may cause the loss, misuse or unauthorised acquisition of the Customer's personal data (such as theft or loss of a laptop computer) shall be reported immediately. X 8.1.2 Other security incident reporting requirements under the Agreement shall be identified and communicated to project personnel.. X X 9 Compliance 9.1 Compliance with legal requirements 9.1.1 The Customer's personal data shall not be used for any purpose that exceeds the contracted services or that is not required by applicable law. X 9.1.2 For each job description, the business, operational and technical requirements arising from data privacy laws with which the Customer must comply shall be identified as part of the design and/or definition of business process requirements. X 9.1.3 Controls required by data privacy laws applicable to NTT DATA SPAIN as a service provider shall be complied with. X SCHEDULE B – DATA PROCESSING AGREEMENT This present Schedule forms an integral part of the Agreement made between [ADD NAME OF CLIENT] (the “Client”) and NTT DATA SPAIN, S.L.U. (“NTT DATA SPAIN”) on [COMPLETE] (hereinafter, the “Agreement”), and it shall apply to all the Personal Data Processing that is performed in order to provide the services described in the Agreement (hereinafter, the “Services”). The parties hereby undertake to comply with the obligations set out in the Applicable Regulations and to process the Personal Data in accordance with the clauses set out below: 1. DEFINITIONS “Supervisory Authority”: the independent public authority established by a member State for the purposes of protecting the fundamental rights and freedoms of natural persons with regard to the processing of personal data and permitting the free circulation of such data within the European Union. “Personal data”: any information relating to an identified or identifiable natural person. “Interested Party”: an identified or identifiable natural person to whom the Personal Data pertains; an identifiable natural person shall be understood to be any person whose identity can be directly or indirectly determined, particularly by means of a specific identifier, such as a name, identification number, location data, online identifier or one or more of the elements that form the physical, physiological, genetic, mental, economic, cultural or social identity of that person. “Processing”: any operation or series of operations performed on personal data or sets of personal data, whether or not such operations involve the use of automated procedures, such as the collection, registration, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication via transmission, broadcast or any other means of allowing access, comparison or interconnection, restriction, suppression or destruction of the data in question. “Data Controller” or “Controller”: the natural person or body corporate, public authority, service or other body which, either alone or in conjunction with others, determines the purpose and means to be used for processing. “Data Processor” or “Processor”: the natural person or body corporate, public authority, service or other body which processes personal data on behalf of the Data Controller. “Applicable regulations”: i. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) or any other provision governing the protection of data in the European Union and its member States. ii. Spanish Personal Data Protection Act 3 of 5 December 2018, on the Protection of Personal Data and guarantee of digital rights. iii. Any other legal provision that may apply to the Processing of Personal Data, and any others that amend, replace or implement previous provisions. “Security Breach”: any breach of security that leads to the destruction, loss or accidental or unlawful alteration of the Personal Data being transferred, preserved or otherwise processed, the unauthorised communication of such data or access thereto. 2. STATUS OF THE PARTIES For the purposes of this present Schedule, the Client shall act as Data Controller and NTT DATA SPAIN as Processor. Notwithstanding the foregoing, the Client may also be acting as Data Processor, when it is processing Personal Data on behalf of a third party Data Controller (hereinafter, the “Third Party”) in order to provide some of the services that it is subcontracting wholly or in part to NTT DATA SPAIN. In this case, the Client acts in the name and on behalf of the Third Party, with the latter’s authorisation to subcontract the Services to NTT DATA SPAIN, which shall act as data sub-processor. 3. PURPOSE OF THE MANDATE For the sole purpose of providing the Services forming the subject of the Agreement, the Client hereby authorises NTT DATA SPAIN to process the Personal Data described in Appendix I to this present Schedule, on behalf of the Client or the Third Party. The parties expressly agree that, in all matters that relate to the Processing of Personal Data within the framework of the provision of the Services, the conditions agreed in this present Schedule shall take precedence in all cases over the contents of the Agreement. In the event that any of the clauses in the Agreement contradict this provision, the parties hereby agree to render the clause in question without effect. 4. TERM This present Schedule shall have the same term as the one determined for the Agreement. 5. OBLIGATIONS OF NTT DATA SPAIN With regard to any Personal Data that is subject to Processing as a consequence of the provision of the Services, NTT DATA SPAIN undertakes, as Processor, to comply with the following obligations: a) To process the Personal Data that is subject to Processing solely for the purpose of providing the Services, and the use of such data for any personal purposes or in any way that is incompatible with the purpose for which consent was given is prohibited. b) To process the Personal Data in accordance with the written instructions passed on to it by the Client and pursuant to the Applicable Regulations. If NTT DATA SPAIN believes that any of the instructions received by the Client infringes the Applicable Regulations, NTT DATA SPAIN shall inform the Client so that the latter may amend its instructions in such a way that they are in line with the Applicable Regulations. c) Not to pass on the Personal Data to third parties unless it has received express authorisation from the Client or the Third Party in their capacity as Data Controller, and this conforms to the Applicable Regulations. When requested to do so by the Client, NTT DATA SPAIN may forward the Personal Data to other Processors authorised by the same Data Controller, in accordance with the instructions issued by the Client. In this case, the Client shall identify, in advance and in writing, the company to which the Personal Data is to be passed on, the Personal Data to be forwarded and the security measures to be applied in order to proceed with the forwarding of the data. If, in order to provide the Services, NTT DATA SPAIN has to transfer Personal Data to a third country or international organisation on the grounds that this is mandatory under EU Law or the applicable legislation of the member states by which it is bound, it shall inform the Client of this legal obligation in advance, unless the legislation in question prohibits this for reasons of public interest. d) If it becomes necessary either wholly or partially to subcontract any kind of Processing of Personal Data, NTT DATA SPAIN must first notify the Client of this fact in writing, at least thirty (30) days in advance, indicating the types of Processing that are to be subcontracted and identifying the subcontractor company’s name and contact details in a clear and unequivocal manner. The subcontracting arrangement may be entered into if the Controller does not expressly state its objection within the aforementioned period. The subcontractor, which shall also have the status of Data Processor, shall be equally bound to comply with the obligations by which NTT DATA SPAIN is bound under this Schedule and the written instructions issued by the Client. NTT DATA SPAIN is responsible for regulating this new arrangement, in such a way that the subcontractor or sub-processor is subject to the same conditions and obligations by which NTT DATA SPAIN is bound under the terms of this present Schedule. In the event of a breach by the data sub-processor of any of its obligations, NTT DATA SPAIN shall remain fully liable vis-à-vis the Client or the Third Party. e) NTT DATA SPAIN shall ensure that the people authorised to process Personal Data have undertaken to respect confidentiality. In this regard, the Processor undertakes to give the necessary training on personal data processing issues to the authorised people in question, and to instruct its personnel to process any Personal Data in accordance with the conditions set out in this present Schedule and, in all cases, pursuant to the provisions contained in the Applicable Regulations. f) NTT DATA SPAIN shall assist the Client and/or Third Parties in responding to the exercise of rights of access, correction, deletion and objection, limitations on processing, data portability and the right not to be subject to automated personalised decisions (including the creation of profiles), when the Client requests this as part of the Services, pursuant to the conditions established in the Agreement itself. When affected parties exercise their aforementioned rights vis-à-vis NTT DATA SPAIN, NTT DATA SPAIN shall send notification of this by email to the Client at […@...]. This notification must be sent without any undue delay. g) NTT DATA SPAIN shall notify the Client, without any undue delay, in the event of a Breach of the Security the Personal Data being processed, from the moment that it becomes aware of the Breach in question, including all of the information available to it, so that the Data Controller may notify the relevant Supervisory Authority. NTT DATA SPAIN shall send this notification by email to the following address: […@...]. Where available, the following information shall be supplied: • A description of the nature of the Personal Data Security Breach, including, whenever possible, the categories and the approximate number of Interested Parties affected, and the categories and the approximate number of Personal Data records affected. • The name and contact details of the data protection officer or another contact point from which more information may be obtained. • A description of the possible consequences of the Personal Data Security Breach. • A description of the measures adopted or proposed to remedy the Personal Data Security Breach, including, where applicable, any measures adopted to mitigate the possible adverse effects. If it is not possible to provide all of this information simultaneously, the information will be provided gradually. The Client or, where applicable, the Third Party, shall be responsible for informing Interested Parties that a Security Breach has occurred, when necessary. NTT DATA SPAIN shall provide any support required in order to allow the aforementioned information to be passed on as quickly as possible. h) To offer support to the Client when it is making impact assessments relating to data protection, where necessary. i) To offer support to the Client when it is making prior consultations with the Data Protection Authority, where necessary. j) To provide the Client with all the information necessary to demonstrate compliance with its obligations, and to collaborate with the Client so that the Data Controller may carry out any audits or inspections that become necessary. The Client shall inform NTT DATA SPAIN of such audits or inspections at least 30 days in advance, and they must take place during office hours and be carried out in a way that causes as little disturbance as possible. k) To provide the Client with information, where applicable, regarding the name of the data protection officer or the collegiate body that performs the duties thereof, along with their contact details. l) Once the contracted services have been completed and, in all cases, upon termination of the Agreement, NTT DATA SPAIN undertakes to destroy the Personal Data, unless the Client expressly requests their return or the need to return them can be concluded from the nature of the Services. Notwithstanding the foregoing, NTT DATA SPAIN may keep a copy, with the Personal Data duly blocked, for as long as any liability may arise as the result of the performance of its services, whenever this is required under the terms of EU law or the law of member States. 6. OBLIGATIONS OF THE CLIENT The Client and/or Third Parties shall have the following obligations: • To provide NTT DATA SPAIN with the Personal Data referred to in Appendix I of this Schedule or provide it with access thereto. • When required under the Applicable Regulations, to carry out a Personal Data protection impact assessment on the Processing operations to be performed by NTT DATA SPAIN. • Where necessary, to complete any prior consultations required under the Applicable Regulations. • To determine that the security measures applied by the Data Processor are adequate and sufficient and, where applicable, indicate any additional measures. • To ensure, both before and during the entire processing operation, that NTT DATA SPAIN offers the necessary guarantees to comply with the Applicable Regulations. • To oversee the Processing of the Personal Data, including the completion of inspections and audits. 7. SECURITY MEASURES NTT DATA SPAIN shall apply the necessary technical and organisational measures to any Personal Data that it processes on behalf of the Client or, where applicable, the Third Party, in order to guarantee an adequate level of security against any risk, always taking account of the current technical state of the art, application costs and the nature, extent, context and purpose of the data processing carried out, along with the probability and severity of the various risks to the rights and freedoms of natural persons. The Client undertakes to pass on any risks detected in relation to the Personal Data processing carried out by NTT DATA SPAIN, along with information on the security measures recommended as a result of its report as regards: • Ensuring the confidentiality, integrity, availability and permanent resilience of the processing systems and services; • Restoring availability and access to personal data quickly, in the event of a physical or technical incident; • Verifying, assessing and appraising the effectiveness of the technical and organisational measures in order to guarantee secure processing. The aforementioned assessment of security risks relating to the information shall extend to all the data processed by NTT DATA SPAIN on behalf of the Client or, where applicable, the Third Party. Security systems shall cover the protection of information systems as well as the protection of any manual systems and the filing of documentation. The security measures that NTT DATA SPAIN shall apply to the processing of the data belonging to its Clients or, where applicable, Third Parties, are listed in Appendix I of this present Schedule, depending on the nature of the Personal Data processed and the characteristics of the Services. The said security measures shall be understood to be sufficient and adequate by the Client, either in its own name or in the name of the Third Party, in order to ensure the security of the Personal Data, unless otherwise indicated in the said Appendix I. 8. RECORD OF PROCESSING ACTIVITIES NTT DATA SPAIN shall keep a record of all the types of processing activities carried out on behalf of the Client or, where applicable, the Third Party, which shall contain: • The name and contact details of the processor or processors and each controller on whose behalf the processor is acting and, where applicable, the representative of the controller or the processor and the data protection officer. • The types of processing carried out on behalf of each controller. • Where applicable, the personal data transfers made to a third country or international organisation, including the identification details of the said third country or international organisation and, where applicable, documentation that accredits the adoption of the proper guarantees. • A general description of the technical and organisational security measures applied. 9. LIABILITY Each party shall assume their own liability for any breach of the obligations by which they are bound under the terms of this present Schedule or the obligations by which they are bound under the Applicable Regulations. In any case, any such liability, both between the parties and vis-à-vis third parties, shall be limited to the damage directly caused by a direct action or omission and shall solely apply to the party in breach, with a maximum limit equivalent to the price of the Services, except where there is illegality or serious negligence. Neither party shall be liable vis-à-vis the other for indirect and/or consequential damage, including: i) reputational damage; ii) lost revenues; iii) lost income, lost profit or the loss of goodwill; and iv) the loss of data. 10. MISCELLANEOUS Where a matter is not provided for in this present Schedule, the provisions set out in the Agreement shall apply. In witness whereof, the parties hereby sign this present Schedule, together with Appendix I, in duplicate and to one sole effect, in XXXXXXXX on XX XX 2017. NTT DATA SPAIN, S.L.U. THE CLIENT ________________________ [……] ________________________ [……]