Terms of Service for Questback Leadership 360

1. General Provision

These Terms of Service describe your rights and responsibilities when you access and use Questback’s leadership improvement solution “Questback Leadership 360” (hereafter “Questback Leadership 360” and/or the “Service(s)”). By accepting these Terms of Service, you (hereafter “you” or “Customer”) enter into a service agreement (hereafter “Agreement” or “Subscription”) with Questback Limited, 7th Floor, 110 Cannon Street, London, EC4N 6EU, United Kingdom (hereafter referred to as “we” or “Questback”).

We provide our Services exclusively to legal persons or individuals who have reached the age of 16. If you are younger than 16 years, we reserve the right to cease the provision of our Services at any time without notice.

2. Service and limitations

You are granted a non-exclusive and non-transferable right to access and use the Services in accordance with these Terms of Service. The Services shall only be used by you personally, exclusively for the purpose of evaluating and enhancing your leadership skills to become a better manager or team leader. Questback grants no access or usage rights beyond those specifically listed in these Terms of Service.

You are not entitled to lease, sell, or transfer any of your rights under this Agreement, or in other ways directly or indirectly make available to or charge a third party for any part of the Services. In particular, you may not share your access to Questback Leadership 360 or use Questback Leadership 360 to the benefit of third parties and/or charge third parties for services you perform by using Questback Leadership 360.

Questback is entitled to terminate this agreement and stop providing its Services at any time without notice if you use or allow the use of the Service beyond the agreed terms and limits stated in this agreement.

3. Provision and Availability of the Service

Questback will provide the Services with the functionality available in its most recent release. Questback reserves the right to make changes to the Services, including the right to change, improve or remove parts of the functionality of the Service, provided that the Services will maintain at least the same standard of quality and performance.

We reserve the right to perform upgrades and maintenance of the Services (including version changes). This may lead to the Services being temporarily unavailable to the Customer and Respondents, i.e. individuals who receive an invitation for participating in a survey and/or provide their response through a survey.

Questback may monitor the Customer’s use of the Services for performance assessments, to provide support, and ensure information security, development, enhancement to our Service, anonymous statistics, benchmarking, protection against misuse, i.e. any use outside the scope of the agreement, and unlawful use. Questback reserves the right to inspect, block or delete content or the entire user account, suspected of containing or distributing computer virus or malignant code or suspected of serving spam or any other form of misuse, while doing so taking into account the Customer’s justified interests.

4. Term and Termination

(1) This agreement shall commence on the date of registration.

(2) If you chose the Basic edition of Questback Leadership 360, you will be entitled to use our Service for a free trial period of 30 days (“Trial Period”). After the expiration of the Trial Period, your subscription will automatically extend for twelve (12) months (the “Term”), unless you have opted to cancel the Services in accordance with Section 4 (3). Subscriptions will renew after the initial term and after each subsequent Term for another twelve months period, unless it is terminated by either you or Questback prior to the end of the Term.
During the Trial Period you may cancel your subscription at any time. To cancel your subscription, you can either send a termination notice to leadership360@questback.com or cancel your subscription under the My Subscriptions area of your profile.

Questback may terminate the Agreement immediately i) in case of a breach of your obligations set forth in this Agreement if you fail to remedy such breach five days after service of a notice from Questback requiring it to be remedied, or ii) for any violation of Questback’s intellectual property rights, or iii) for use of the Services in violation of any applicable laws or regulations.

(3) You are responsible to delete, copy or extract your data, in particular personal data, prior to the expiration of your Subscription. Upon the expiration of the agreement, Questback will delete and/or anonymize data that relates to you and your Respondents.

5. Rights and Ownership

This Agreement provides a Subscription to our Services, and does not provide rights or ownership to any software, source code, data, methodology (e.g. “Questback’s Transformational Leadership Model”), information, documents, papers, reports or other material or work results, either physically or electronically, provided by Questback to Customer.

Copyright notices and other proprietary rights notices in the Services shall not be deleted, replaced or modified. The source code from which the Services object code is derived will not be provided and remains a trade secret of Questback to which access is not authorized. You are not entitled to reverse engineer, reverse assemble or decompile the Services or in any way attempt to recreate the source code.

All trademarks related to the Services provided by Questback to Customer are trademarks of Questback and/or its licensors.

6. Data Protection

Whenever you are using the Service to create, conduct and evaluate surveys and invite Respondents you will be the “Controller” of all processed personal data relating to your Respondents and other natural persons in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) and other applicable data protection legislation. Questback will process all personal data related to your account on your behalf and will be the “Processor” according to the GDPR.

Being the Controller, you are exclusively responsible to process all personal data in compliance with all applicable data protection regulation, e.g. to determine the purpose, legal basis for data processing, to provide statutory information to data subjects and to service data subject rights. However, Questback will help you to fulfil some of these legal requirements, e.g. by providing notices to Respondents on your behalf.

Article 28 GDPR requires you and Questback to enter into a separate data processing agreement (hereafter “DPA”) which will govern Questback’s processing of personal data on behalf of you being the Controller.

Questback reserves the right to anonymize personal data after the completion of a survey and use such information for the purpose of performance monitoring, service enhancement, anonymous statistics, benchmarking, creating recommendations for users, software improvements, machine learning and analysis to enhance the overall experience and usefulness of Questback’s Services. In its anonymized and aggregated form, where data can never be attributed to either you or your Respondents, data will be kept and processed by Questback.
Questback may integrate third party machine learning or artificial intelligence services as Questback sees fit, to provide additional functions e.g. text analytics for improved survey result analysis and evaluation.

7. Customer Warranties and Obligations

When using our Service you shall at all times comply with all applicable laws and regulations regarding, without limitation, security, privacy, direct marketing and mass distribution.

You are directly responsible for all data and other content you upload, collect, process and/or distribute via our Service. You warrant that the content will not infringe any applicable laws, regulations or third party rights (including Intellectual Property Rights) or include material which is in breach with applicable security or privacy regulations, offensive or defamatory under applicable law.

You will indemnify Questback from all claims, losses, damages, demands, costs (including reasonable legal costs), expenses and liabilities incurred by Questback as a result of any action or claim that content collected, stored and distributed by you through the Services is illegal or inappropriate, or was collected, stored, or distributed in violation of applicable law, or that such content infringes third party Intellectual Property Rights. This section shall survive termination of the Agreement.

You undertake and warrant that i) you are entitled to use the Services in your professional environment, ii) you are authorized to use the data you wish to process through this Service, and iii) processing this data does neither infringe or violate any intellectual property rights nor any contractual and/or statutory non-disclosure obligations.

8. Questback’s Warranties and Obligations

Questback warrants that it has the right to license the Service to its Customers. The exclusive remedy for breach of this warranty is set forth herein.
Questback warrants that the Services will substantially conform to its user documentation including any updates thereto. If it does not, at Questback’s discretion, Questback will as its exclusive remedy for breach of this warranty either make it conform, replace it with conforming services, or terminate the Agreement.

Questback disclaims all other warranties and conditions, express or implied, including without limitation any implied warranties of merchantability, satisfactory quality and fitness for a particular purpose, or arising as a result of custom or usage in the trade or by a course of dealing. Without limiting the generality of the foregoing, Questback does not warrant or represent that use of the Service will result in compliance, fulfilment or conformity with the laws, rules, regulations, requirements or guidelines of any governmental agency.

9. Liability

Each party’s liability in relation to the subject matter of this Agreement is limited to direct losses suffered by the other party, and caused by the other Party’s breach of obligations under this Agreement.

With exception for liability arising from fraudulent misrepresentation or other fraud, gross negligence or wilful misconduct, breach of obligations or from personal injury or physical damage, neither Party shall be liable for special, incidental, indirect or consequential damages including but not limited to loss of profits and loss of data, however caused and under any theory of liability and whether or not the Party has been advised of the possibility of such loss. Under no circumstances will Questback be liable for punitive damages arising in contract or tort.

Questback is not in control of the content collected, stored and distributed by Customer through the Services, and expressly disclaims any responsibility or liability for the content distributed, stored and/or collected through use of the Services, or the results generated.
This section 9 shall survive termination or expiration of the Agreement.

10. Severability

If a provision of the Agreement is or becomes illegal, invalid or unenforceable in any jurisdiction, this shall not affect: the legality, validity or enforceability in that jurisdiction of another provision of the Agreement; or the legality, validity or enforceability in other jurisdictions of that or any other provision of the Agreement.

11. Complete Agreement

The Agreement constitutes the entire Agreement between the parties. No other terms and conditions of the Customer will be deemed agreed even if Questback fails to explicitly reject them.

12. Assignment

Customers may not assign the Agreement or any of its rights or obligations hereunder without Questback’s written permission, which permission will not be unreasonably withheld.

13. Choice of law and legal venue

Where this Agreement is not subject to any specific compulsory governing law or to a particular court jurisdiction, this Agreement shall be governed by the laws of the UK and Customer hereby accepts the exclusive jurisdiction of the courts in London in relation to any dispute arising under this Agreement or in connection with its terms, unless mandatory legal provisions require the application of another law and the choice of another legal venue.

*****
Version 1.0 November 2019

Appendix A – Data Processing Agreement Questback Leadership 360

This Data Processing Agreement (“DPA”) forms part of Questback’s provision to Customer of access to its services referred to as Questback Leadership 360 (hereafter “Service(s)”), as specified in the Terms of Service between Customer and Questback, (hereafter “Agreement”).

Customer acknowledges and agrees that Customer is the Controller of Personal Data being processed when using the Service, whereas Questback is the Processor using Personal Data on behalf of the Customer. Questback will process Personal Data in accordance with all applicable data protection laws.
For any enquiry relating to this DPA please contact our Data Protection Team at dataprotection@questback.com.

1. Guarantees

Questback will carry out processing on behalf of the Customer, and guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of applicable data protection laws and ensure the protection of the rights of the data subject.

2. Definitions

“Agreement” means the separate agreement(s) between Questback and Customer including the Terms of Service where the content and scope of the services provided by Questback to Customer is agreed.

“Controller” means “controller”, as defined in Article 4 GDPR. The parties agree that Customer may become Controller under this Data Processing Agreement when using the Service, and that Customer therefore must adhere to obligations for Controllers following the GDPR.

“Data Subject” means “data subject” as defined in Article 4 GDPR. Data Subjects may include all individuals that are selected by Customer to participate in her/his surveys.

“GDPR” means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Personal Data” means “personal data”, as defined in Article 4 GDPR.

“Processing” means “processing” as defined in the Article 4 GDPR.

“Processor” means “processor”, as defined in Article 4 GDPR. The parties agree that Questback is Processor under this Data Processing Agreement, and that Questback therefore must adhere to obligations for Processors following the GDPR.

“Respondent” means a Data Subject who provides data by entering data into surveys made available to them by Customer.

“Sensitive Personal Data” means special categories of data as defined in Article 9 GDPR.
“Software” means the standard online software Questback Leadership 360 for MS Teams to which Customer is granted access in the Agreement.

“Sub-processor” means a third party subcontractor engaged by any member of Questback Group which Processes Personal Data on Questback’s behalf.

“Questback Affiliates” mean members of the Questback Group that may assist in the performance of the Agreement.

“Questback Group” means, for the purpose of this data processing agreement, Questback Holding AS, Questback AS, and any wholly or fully owned subsidiaries of Questback AS.

“Customer” means the individual subscriber to Questback Leadership 360 for MS Teams who has entered into a valid Agreement with Questback.

Other terms have the definitions provided for them in the GDPR, the Agreement or as otherwise specified below.

3. The subject-matter and nature of the processing

The Subject-matter of the processing is for Questback to provide access to its Service to Customer, and enable Customer to collect, process, store and analyze feedback from individuals to evaluate and enhance leadership skills in accordance with the Agreement.

4. The duration of the processing

Unless the Customer instructs otherwise in writing, all personal data will be deleted i) if you chose to do so yourself, or ii) at the end of your Subscription following Questback’s then-current deletion routines.

5. The purpose for the processing

Questback and its Sub-processors will process Personal Data for the purpose of fulfilling the Agreement with Customer, and shall not otherwise process and use Personal Data for purposes other than those set forth in this DPA, the Agreement, or as instructed in writing by Customer.

6. Categories of Data Subjects

Data subjects whose personal data is being processed may include team members, supervisors, co-workers, trainees, contractors and/or other individuals interacting with Customer in his/her professional environment who are selected by Customer to participate in surveys.

7. The types of Personal Data

On behalf of the Customer, Questback processes Personal Data such as name(s), e-mail address(es), other Personal Data that Data Subjects voluntarily disclose when participating in a survey, and Personal Data that is explicitly requested and collected by Customer when creating its own surveys (Enterprise edition).

Questback’s service is not designed to collect and process special categories of personal data (“sensitive data”). If the Customer wishes to collect sensitive data, Customer is responsible to comply with data protection regulation and instruct Questback accordingly.

8. Instructions

Questback processes Personal Data based on instructions provided by Customer when using the software or, if necessary, based on written instructions (e.g. by email). Questback will comply with such instructions without additional charge, to the extent necessary for Questback to comply with applicable data protection laws. Any other instructions or changes to the Services may be subject to separate agreement and additional fees. Questback is not obligated to perform legal research and/or to provide legal advice to Customer.

9. Customer’s obligations

The control of Personal Data that is collected on behalf of Customer remains with Customer, and Customer will at all times remain the Controller for the purposes of Personal Data processed under the Agreement, and this Data Processing Agreement. Customer is responsible for compliance with its obligations as Controller under the GDPR and other applicable data protection laws, such as documentation duties, legal basis for any processing, notifications towards Data Subjects.

10. Questback’s obligations

Questback is the Processor for Personal Data processed on Controller’s behalf under the Agreement and this Data Processing Agreement.
Questback is responsible for compliance with its obligations as Processor under the GDPR and other applicable data protection laws, hereunder to process data according to written instructions from Customer. In particular, Questback will:

a) Process the Personal Data only on documented instructions from the Customer (which includes implied instructions by using the software),
b) Not transfer the Personal Data to a third country or an international organisation that does not ensure an adequate level of protection in accordance with GDPR Article 45, or within the safeguards defined in GDPR Article 46,
c) Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality
d) Ensure where a (sub-)processor is engaged, the similar data protection obligations as set out in this Data Processing Agreement shall be imposed on that other processor by way of a contract
e) Take into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in GDPR Chapter III
f) Assist the Customer in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of processing and the information available to the processor
g) Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for annual audits by the Customer upon prior written requests.
h) Immediately inform the Customer if, in Questback’s opinion, an instruction infringes the GDPR.
Questback will assist the Customer in ensuring compliance with applicable law, including assisting the Customer with:

a) Complying with duty of notification to supervisory authorities and data subjects in case of a personal data breach;
b) Conduct data privacy impact assessments;
c) Conduct prior consultations with supervisory authorities when a privacy impact assessment makes it necessary;
d) Notice to the Controller if the Processor is of the opinion that an instruction from the Controller is non-compliant with applicable data protection regulations.

Assistance as set out above, shall be carried out to the extent necessary, taking into account the Controller’s need, the nature of the processing and the information available to the Processor.

11. Right to edit or delete Personal Data

Customer may, to the extent permitted by applicable law, provide detailed written instructions to Questback to delete, release, correct or block access to Data Subject’s Personal Data. In such event, Questback is entitled to delete the entire account of the data subject.

12. Data Transfer within EEA

With respect to Personal Data stored by the Questback Group in data centres in the European Economic Area (EEA), Questback will ensure compliance by members of the Questback Group as follows: (i) for members of the Questback Group, Questback and other relevant entities have binding intra-company agreements requiring compliance with all applicable security and data privacy policies and standards, and (ii) for Sub-processors, Questback Group has entered into contracts with Sub-processors which provide that the Sub-processor will undertake data protection and confidentiality obligations consistent with Questback’s security standards.

13. Data Transfer outside the EU / EEA

If Questback chooses to transfer Personal Data outside the EU or EEA, it will ensure that the transfer of data takes place based on an adequacy decision by the European Commission as defined in GDPR Article 45, or appropriate safeguards defined in GDPR Article 46 are in place for such transfer.

14. Sub-processors

Some or all of Questback’s obligations under the Agreement may be performed by Questback Affiliates. Questback may also engage third party Sub-processors to assist in the provision of Service. Customer consents to Questback’s use of the following Questback Affiliates and Sub-processors in the performance of the Agreement in accordance with this Data Processing Agreement.

| Sub-processor | Address | Role of sub-processor | Location |
|---|---|---|---|
| Akamai Technologies GmbH | Parkring 29 D-85748 Garching, Munich, Germany | Service provider for performance-enhanced access to server/data | Germany |
| DATAGROUP Data Center GmbH | Hanauer Landstraße 310, 60314 Frankfurt am Main, Germany | Hosting provider | Germany |
| DATAGROUP Bremen GmbH | Mary-Somerville-Straße 8, 28359 Bremen, Germany | Hosting provider | Germany |
| Questback GmbH | Gustav-Heinemann-Ufer 72a, 50968 Köln, Germany | Access by Support personnel, and access by Consultants | Germany, Austria, Switzerland |
| Questback AS | Bogstadveien 54, 0366 Oslo, Norway | Access by Support personnel, and access by Consultants | Norway |
| Questback OY | Keilaranta 1, 02150 Espoo, Finland | Access by Support personnel, and access by Consultants | Finland |
| Questback Sweden AB | Kungsgatan 48, 111 35 Stockholm, Sweden | Access by Support personnel, and access by Consultants | Sweden |

Questback reserves the right, and Customer hereby consents, to engage further subprocessors without further notification to Customer, for example i) hosting and cloud provider (e.g. Microsoft, AWS, Oracle, Google, Salesforce), ii) IT service providers to enhance performance, connectivity, availability, security of the Service, iii) AI and machine learning applications (e.g. text, audio and video analytics) to provide certain features of the Services or parts thereof.

If Questback plans to change sub-contractors or to engage a new sub-contractor, Questback will notify the Customer in writing 30 days prior to any Processing by the new sub-contractor and the Controller is entitled to object to the change of sub-contractors within 30 days upon the announcement is first published. To the extent Controller does not terminate the Agreement, the change of sub-processor shall be deemed approved by Customer.

15. Technical and Organizational Measures

Questback shall ensure that it implements and maintains compliance with appropriate technical and organizational measures for the Processing of Customer’s or Respondent’s Personal Data.

16. Incident Management and Breach Notification

Questback shall without undue delay upon becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by Questback, notify the Customer.

Where the information is available for Questback, the notification shall at least:

a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point at the Data Processor where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

To the extent required under the GDPR, and upon Customer’s request, Questback will assist Customer in its obligation to notify the supervisory authority of a personal data breach.

17. Requests from Data Subject

Considering the nature of the Processing, Questback shall implement appropriate technical and organisational measures to support the Customer’s obligation to respond to requests regarding exercising the rights of the data subject. Customer hereby instructs Questback to execute and fulfil all Respondent’s request for their individual rights under the GDPR (Art. 15 et seq.) without further notice.

Questback will provide Customer with reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use or receipt of the Services.

18. Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Questback will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Questback shall take steps to ensure that any natural person acting under Questback’s authority who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by applicable EEA law.

19. Personnel and Data Protection Officer

Questback shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that persons’ engagement with Questback. Questback shall ensure that Questback’s access to Personal Data is limited to those personnel who require such access to perform the Agreement.

Questback has appointed an external data protection officer who can be contacted at dataprotectection@questback.com.

20. Service and Data Analyses and Benchmarking

Questback may (i) compile statistical and other information related to the performance, usability, operation and use of the Service provided under the Agreement, and (ii) use data from the software environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes, and iii) anonymize and aggregate personal data; in its anonymized and aggregated form, data will be kept and processed by Questback for the purpose of anonymous statistics, benchmarking, recommendations, software improvement, text analyses, machine learning and analysis to enhance the overall experience and usefulness of Questback’s or its Sub-processor’s Services.

However, any analyses or further processing will not incorporate Customer’s Content or Confidential Information in a form that could serve to identify Customer or any Data Subject, and Service Analyses do not constitute Personal Data, unless Personal Data was provided voluntarily by Customer or Respondent.
Questback retains all intellectual property rights in analyses described herein.

21. Choice of law and legal venue

Where this DPA is not subject to any specific compulsory governing law or to a particular court jurisdiction, this DPA shall be governed by Norwegian law and Customer hereby accepts the exclusive jurisdiction of the courts in Oslo in relation to any dispute arising under this Agreement or in connection with its terms.

*****
Version 1.0 November 2019