By clicking “Okay”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Okay

Standard Terms and Conditions

Background

These Terms and Conditions shall apply to the provision of the services performed by ProspectBase UK Ltd with registered number: 15492457 whose registered office is: Wessex House, Teign Road,Newton Abbot, Devon, TQ12 4AA, UK (“Provider” or “Service Provider”) to you (“Client”).  No other terms and conditions shall apply to the provision of Services unless agreed upon in writing between Provider and the Client.

1. Definitions and Interpretation

1.1 In these Terms and Conditions, unless the context otherwise requires, the following expressions have the following meanings:

“Applicable Laws” means all laws, statutes, regulations, and similar instruments from time to time in force applicable to the Parties, the Services, and to the Contract;

“Business Day” means, any day (other than Saturday or Sunday) on which ordinary banks are open for their full range of normal business in the United Kingdom;

“Client” means the party procuring the Services from the Service Provider under the Contract;

“Client Materials” means any and all information, documents, and other materials provided by the Client to the Service Provider in relation to the provision of the Services;

“Commencement Date” means the date on which the Contract shall enter into effect, as set out in Clause 2 (Basis of Contract);

“Confidential Information” means, in relation to either Party, information which is disclosed to that Party by the other Party pursuant to or in connection with the Contract (whether orally or in writing or any other medium, and whether or not the information is expressly stated to be confidential or marked as such);

“Contract” means the contract entered into by the Service Provider and the Client for the provision of Services in accordance with and on the basis of these Terms and Conditions, any Schedules, relevant documents such as the Data Processing Agreement (“DPA”) mentioned in clause 10.4, and any appropriate Order or Statement of Work (“SOW”) connected with, and/or appended or attached to these Terms and Conditions;

“Data Protection Legislation” means all applicable legislation in force from time to time in the United Kingdom (or other region as appropriate) applicable to data protection and privacy including, but not limited to, the GDPR (EU)2016/679, the UK GDPR (as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018; the Data Protection Act 2018 (and regulations made thereunder); CCPA (& CPRA revisions), CASL, CAN-SPAM and the Privacy and Electronic Communications Regulations 2003 (“PECR”) as amended;

“Fees” means any and all sums due under the Contract from the Client to the Service Provider in consideration of the Services, asset out in Clause 5 (Fees, Payment, and Records);

“Intellectual Property Rights” means patents, rights to inventions, copyright and related rights, trade marks, business names, domain names, design rights, database rights, rights subsisting in software, rights to use confidential information and the right to protect the same, and any and all other intellectual property rights, whether registered or unregistered, including applications and the right to apply for (and be granted) renewals or extensions of, and rights to claim priority from, any such rights and any and all equivalent rights or other forms of protection subsisting now or in the future anywhere in the world;

“Order” means the Client’s order for the Services asset out on Provider’s order form attached with these T&Cs, or as provided by the Client on a purchase order, insertion order (“IO”) or relevant Statement of Work (“SoW”) in conjunction with these terms and conditions or other terms and conditions as agreed between the Client and Service Provider where applicable;

“Services”   means the services to be provided by the Provider to the Client in accordance with the Contract, as fully defined in the Specification;

“Specification” means the full description and specification of the Services as agreed in writing by the Client and the Service Provider.

2. Interpretation in these Terms and Conditions

Headings are for convenience only and shall not affect their interpretation. Words imparting the singular number shall include the plural and vice-versa.

3. Services

3.1 With effect from the commencement date stated in these Terms and Conditions (“T&Cs”) and in consideration of the Fees being paid in accordance with these T&Cs, the Provider shall provide the Services to the Client.

3.2 The Provider shall use reasonable care and skill in its performance of the Services and shall ensure compliance with applicable laws and relevant codes of practice.

3.3 The Provider shall use its best and reasonable endeavours to perform the Services; however, time will not be of the essence in the performance of these obligations.

3.4 The Service Provider shall act in accordance with all reasonable instructions issued by the Client. With regards to such instructions requiring the Provider to process Personal Data (as defined by the UK GDPR), Client acknowledges and accepts that it is the Data Controller and Provider is a Data Processor.

3.5 Dual Data Controller and Processor Roles:

a) Provider as Independent Data Controller: Provider operates and maintains its     proprietary database of business contact information ("Provider Database"). Provider  is the sole data controller for the Provider Database, including decisions regarding:

(i)      Collection, storage, and maintenance of business contact data;

(ii)      Data quality, verification, and enhancement procedures;

(iii)     Selection of tools, systems, and sub-processors for database management.

b)  Provider as Data Processor for Services: When performing Services under this Contract, Provider acts as a data processor on behalf of Client (the data controller) with respect to:

(i)      Contacts selected from the Provider Database based on Client's targeting criteria and instructio

(ii)     Execution of marketing campaigns to selected contacts using Client Materials (which includes messaging and content);

(iii)    Processing of any personal data provided by Client or collected during campaign execution.

c)     Clarification of "Means" vs "Purposes": Client solely determines the purposes and essential means of processing (target audience criteria, campaign objectives, permitted communication channels, messaging content). Provider determines only the technical and organisational means of executing Client's instructions (selection of email platform, telemarketing provider, delivery optimisation).

d)   No Joint Control: The Parties acknowledge they do not act as joint controllers. Provider's roleas processor does not diminish its independent controller obligations for the Provider Database outside the scope of Client instructions.

e)   Provider Warranties: Provider warrants that all contacts in the Provider Database were lawfully obtained and that Provider maintains appropriate legal bases for their processing.

3.6 Marketing Compliance

a)       Provider shall ensure all marketing communications comply with:

      (i)      CAN-SPAM Act (UnitedStates);

      (ii)     Canada's Anti-Spam Legislation (CASL);

      (iii)    Privacy and Electronic Communications Regulations 2003 (PECR) as amended (United Kingdom);

      (iv)    Applicable regional and international marketing laws.

b)      Provider shall:

      (i)      Maintain valid legal basis and consent records for all contacts;

      (ii)     Include functional unsubscribe mechanisms in all email communications;

(iii) Honour opt-out requests within legally required timeframes (10 business days for CAN-SPAM, without delay for CASL);

      (iv)    Respect suppression lists provided by Client;

      (v)     Not contact individuals who have opted out of communications.

c)      Client warrants ithas lawful basis to engage Provider for marketing to its target audience andthat any materials, content, or instructions provided to Provider comply with applicable marketing laws.

d)    Each Party shall indemnify the other for violations of marketing laws caused solely by its own non-compliance, breach of warranty, or provision of non-compliant instructions/ materials.

4. Client Obligations

4.1 The Client shall use its best and reasonable endeavours to provide the Provider with access to any, and all relevant information, materials, properties, and other matters which are required to enable the Provider to provide the Services.

4.2 The Client shall use its best and reasonable endeavours to acquire any permissions, consents, licences, or other matters which are required to enable the Provider to provide the Services.

4.3 The Provider shall not be liable for any delay or failure to provide the Services where such delay or failure is due to the Client’s failure to comply with this Clause 4.

4.4 The Client will at all times comply with Applicable Laws, and immediately inform the Provider if it believes, for any reason, it can no longer comply, or has not complied with Applicable Laws.

5. Fees

5.1 The fees (“Fees”) for the Services are set out on the Order.

5.2 In addition to the Fees, the Provider shall be entitled to charge the Client interest for late payment of fees at an annual rate of 8%+ base rate.

5.3 The Fees are exclusive ofany applicable VAT and other taxes or levies which are imposed or charged by any competent authority.

6. Variation

6.1 If the Client wishes to vary any details of the Services it must notify the Provider in writing as soon as possible.  The Provider shall endeavour to make any required changes the Client agrees to pay any additional fees related to its request. Provider may accept variation requests at its sole discretion.

6.2 If, due to circumstances beyond its control, the Provider has to make any change in the Services or the arrangements relating to the provision thereof, it shall notify the Client immediately.  The Provider shall endeavour to keep any such changes to a minimum and shall seek to offer the Client arrangements as close to the original as is reasonably possible in the circumstances.

7. Payment

7.1 The Provider shall invoice the Client for the Fees each month in arrears for the provision of the Services rendered;

7.2 The Client shall pay the Fees due within 30 days of the date of the Provider’sinvoice.

7.3 Time for payment shall be of the essence of the Contract between the Provider and the Client.

7.4 If the Client fails to make payment within the period in sub-Clause 7.2, the Provider shall have the right to suspend any further provision of the Services until the balance due has been paid in full. The Provider may also cancel any future services which may have been ordered by, or otherwise arranged with, the Client if (a) the client has not paid all outstanding fees in full within 60 days of the date of the oldest invoice, or (b) the Client fails to make future payments on time and in full.

7.6 All payments must be made in £ GBP Sterling unless otherwise specified on an appropriate Order or as agreed in writing between the Provider and the Client.

8. Confidentiality

8.1 Each Party undertakes that, except as provided by sub-Clause 8.2 or as authorised in writing by the other Party (such authorisation not to be unreasonably withheld), it shall, at all times during the term of the Contractand for a minimum of three (3) years after its termination or expiry:

a)            keep confidential all Confidential Information;

b)            not disclose any Confidential Information to any other party;

c)          not use any Confidential Information for any purpose other than ascontemplated by the Contract; and

d)            ensure that (as applicable) none of its employees, directors, officers, agents, or sub-contractors does any act which, if done by that Party, would bea breach of the provisions of this Clause 8.

8.2 Subject to sub-Clause 8.3, either Party may disclose any Confidential Information to:

a)            any sub-contractors, substitutes, or suppliers;

b)            any governmental or other authority or regulatory body; or

c)            any employee or officer of that Party or of any of the aforementioned persons, parties, or bodies.

8.3 Disclosure under sub-Clause 8.2 may be made only to the extent that it is necessary for the purposes contemplated by the Contract, or as required by law. In each case, the disclosing Party must first inform the recipient that the Confidential Information is confidential. Unless the recipient is a body described in sub-Clause 8.2(b) or is an authorised employee or officer of sucha body, the Party disclosing the Confidential Information under sub-Clause 8.2 must obtain and submit to the other Party a written undertaking from the recipient to keep the Confidential Information confidential and to use it only for the purposes for which the disclosure is made.

8.4 Either Party may use any Confidential for any purpose, or disclose it to any other party, where that Confidential Information is or becomes public knowledge through no fault of that Party.

8.5 When using or disclosing Confidential Information under sub-Clause8.4, the Party using or disclosing that Confidential Information must ensure that it does not use or disclose any part of that Confidential Information which is not public knowledge.

8.6 The provisions of this Clause 8 shall continue in force inaccordance with their terms, notwithstanding the termination or expiry of the Contract for any reason.

9. Termination

9.1 Either party may terminate this Contract for convenience by providing the other party with at least thirty (30) days' written notice.

9.3 Either Party may terminate the provision of the Services immediately if:

a)            a material breach is committed by either party of its obligations under these T&Cs; or

b)            a party becomes the subject of a bankruptcy order or takes advantage of any other statutory provision for the relief of insolvent debtors.

c)            a party enters into a voluntary arrangement under Part 1 of the Insolvency Act 1986, or any other scheme or arrangement is made with its creditors; or

d)            a party convenes any meeting of its creditors, enters into voluntary or compulsory liquidation, has a receiver, manager, administrator or administrative receiver appointed in respect of its assets or undertakings or any part thereof, any documents are filed with the court for the appointment of an administrator in respect of the filing party, notice of intention to appoint an administrator is given by notifying party or any of its directors or by a qualifying floating charge holder (as defined in para. 14 of Schedule B1 of the Insolvency Act 1986), a resolution is passed, or petition presented to any court for the winding up of either party or for the granting of an administration order in respect of either party, or any proceedings are commenced relating to the insolvency or possible insolvency of either party.

10. Data Protection and Intellectual Property

In this Clause 10, the terms “personal data”, “processing”, “data subject”, “controller”, “processor”, and “personal data breach” shall have the meanings defined in Article 4 of the UK GDPR, and the terms “Data Processor”and “Data Controller” shall have the same meanings as “processor” and “controller” respectively. The term “domestic law” means the law of the United Kingdom or a part thereof.

10.2 The Parties shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 10 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.

10.3 Data Controller and Processor Relationship. For the purposes of Data Protection Legislation and this Clause 10:

a)       Regarding the Provider Database: Provider is the data controller;

b)       Regarding Services performed under Client instructions:

(i)      Client is the data controller for campaign execution and results;

(ii)     Provider is the data processor executing Client's instructions.

c)       Regarding transferof leads to Client: Provider acts as a data controller transferring personaldata to Client (also a data controller) under legitimate interests (Article6(1)(f) UK GDPR).

d)            Each Party shall comply with its respective obligations under Data Protection Legislation corresponding to its role(s).

e)            Where Provider processes personal data as a processor, the provisions of Clauses 10.5 through 10.10 shall apply.

f)             Client acknowledges that Provider's status as data controller for its Provider Database does not create joint controller obligations for campaign execution activities.

10.4 The scope, nature, and purpose of the processing; the duration of the processing; the type(s) of personal data; and the category or categories of data subject shall be set out in Schedule 2.

10.5 Both Data Controller and Data Processor shall (without prejudice to the generality of sub-Clause 10.2) ensure all necessary consents and notices required are in place to enable the lawful transfer and receipt of personal data to and from one another, and for the lawful processing of personal data by the Data Processor for the purposes described in Schedule 1 and for itsprovision of Services under this Contract.

10.6 The Data Processor shall (without prejudice to the generality of sub-Clause 10.2), with respect to any personal data processed by it in relation to its performance of any of its obligations under the Contract:

a)            process the personal data only on the written documented instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data bydomestic law. The Data Processor shall promptly notify the Data Controller before carrying out such processing unless it is prohibited from doing so by that law;

b)            ensure that it has in place appropriate technical and organisational measures to protect the personal data from unauthorised or unlawful processing, accidental loss, damage, or destruction. Such measures shall be appropriate and proportionate to the potential harm resulting from such events and to the nature, scope, and context of the personal data and processing involved, considering the current state of the art in technology and the cost of implementing those measures.

c)            ensure that any and all persons with access to the personal data (whether for processing purposesor otherwise) are contractually obliged to keep that personal data confidential;

d)            not transfer anypersonal data outside of the UK without the prior written consent of the Data Controller (such consent to be freely provided upon entering into a Contract with Provider) and only if the following conditions are satisfied:

i.              the Data Controller and/or the Data Processor has/have provided appropriate safeguards for the transfer of personal data;

ii.             affected datasubjects have enforceable rights and effective legal remedies;

iii.            the Data Processor complies with its obligations under the Data Protection Legislation, providingan adequate level of protection to any and all personal data so transferred; and

 iv.           the Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data;

e)     assist the Data Controller, at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to impact assessments, security, breach notifications, and consultations with supervisory authorities or otherapplicable regulatory authorities (including, but not limited to, the Information Commissioner’s Office);

f)     notify the Data Controller without undue delay of any personal data breach of which it becomes aware;

g)    on the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination or expiry of the Contract unless it is required to retain any ofthe personal data by domestic law;

h)    maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 10 and to allow for audits, including inspections, by the Data Controller and/or any reasonable party designated by the Data Controller. TheData Processor shall inform the Data Controller immediately if, in its opinion, any instruction infringes the Data Protection Legislation.

10.7 The Data Processor shall not sub-contract any of its obligations with respect to the processing of personal data under this Clause 10 to another processor without the prior written consent of the Data Controller (such consent not to be unreasonably withheld. In the event that the Data Processor appoints another processor, the Data Processor shall:

a)     enter into a written contract with the other processor, which shall impose upon that other processor substantially the same obligations as are imposed upon the Data Processor by this Clause 10, which the Data Processor shall ensure shall reflect the requirements of the Data Protection Legislation at all times;

b)     ensure that the other processor complies fully with its obligations under that agreement and the Data Protection Legislation; and

c)      remain fully liable to the Data Controller for the performance of that other processor’s obligations and the acts or omissions thereof.

10.8 Sub-Processors.

a)       Any approved sub-processors used in the provision of Services shall be confirmed with the Client upon request and Provider shall notify Client at least 30 days before engaging new sub-processors or materially changing existing sub-processor arrangements. Client may object to new sub-processors on reasonable data protection grounds within 14 days of notification. If Client objects and Provider cannot provide alternative arrangements, Client may terminate the affected Services without penalty.

b)       Provider shall ensure all sub-processors are bound by written agreements imposing substantially the same data protection obligations as set out in this Clause 10.

c)        Provider remains fully liable for the acts and omissions of all sub-processors as if they were Provider's own acts and omissions.

10.9 Data Breach Notification.

a)        Provider shall notify Client within 24 hours of becoming aware of a personal data breach affecting personal data processed under this Contract.

b)        The notificationshall include:

(i)       Nature of the breach and categories and approximate volumes of data subjects and personal data records affected;

(ii)      Contact details of Provider's responsible contact;

(iii)     Likely consequences of the breach;

(iv)     Measures taken or proposed to address the breach and mitigate potential adverse effects.

c)         Provider shall provide reasonable cooperation and assistance to Client in investigating, mitigating, and remediating the breach, and in complying with any breach notification obligations to supervisory authorities or data subjects.

d)         Provider shall document all personal data breaches and make such documentation available to Client and supervisory authorities upon reasonable request.

10.10 Audits and Compliance.

a)        Client or its authorised auditors may audit Provider's compliance with this Clause 10 upon 30days' prior written notice, no more than once annually.

b)       Audits shall be conducted during Business Hours and in a manner that minimises disruption to Provider's operations.

c)       Provider may demonstrate compliance through:

(i)      Providing copies of relevant certifications (ISO 27001, SOC 2 Type II, etc.);

(ii)      Third-party audit reports;

(iii)     Completed compliance questionnaires;

d)        Client shall bearthe costs of audits.

e)        Both Parties shall maintain confidentiality of audit findings and use them solely for compliance verification purposes.

10.11 GDPR and California Privacy Rights.

a)        GDPR Compliance for EU/EEA Data Subjects: To the extent Provider processes personal data (as defined by the UK GDPR and EU GDPR) of individuals located in the EuropeanUnion, European Economic Area, or United Kingdom on Client's behalf, Provider shall:

(i)       Process personal data only in accordance with documented instructions from Client, unless required by law to process otherwise (in which case Provider shall inform Client before processing, unless prohibited by law);

(ii)      Ensure all persons authorised to process personal data are subject to appropriate confidentiality obligations;

(iii)     Implement appropriate technical and organisational measures as set out in Schedule 1 to ensure a level of security appropriate to the risk;

(iv)     Not engage sub-processors without prior authorisation from Client as set out in Clause10.8;

(v)      Assist Client in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) within 5 business days of receiving Client's request for assistance;

(vi)     Assist Client inensuring compliance with data protection impact assessments, prior consultation with supervisory authorities, and security breach obligations;

(vii)     Notify Client within 24 hours of becoming aware of any personal data breach as set out in Clause 10.9;

(viii)    Delete or return all personal data to Client after the end of provision of Services, unless retention is required by law;

(ix)     Make available to Client all information necessary to demonstrate compliance with Article 28 UKGDPR/EU GDPR and allow for audits as set out in Clause 10.10;

(x)     Immediately inform Client if, in Provider's opinion, any instruction from Client infringes UK GDPR, EU GDPR, or other Data Protection Legislation.

b)       CCPA/CPRA Compliance for California Residents: To the extent Provider processes personal information (as defined by the California Consumer Privacy Act as amended by the California Privacy Rights Act, collectively "CCPA") of California residents on Client's behalf, Provider shall:

(i)       Not sell or sharesuch personal information;

(ii)      Not retain, use, or disclose such personal information for any purpose other than performing the Services specified in this Contract;

(iii)     Not retain, use, or disclose such personal information outside of the direct business relationship between Provider and Client;

(iv)     Not combine such personal information with personal information received from or on behalf of another person, except as permitted by CCPA;

(v)      Comply with applicable provisions of the CCPA, including but not limited to Sections 1798.100 through 1798.199;

(vi)     Assist Client inresponding to verified consumer rights requests (access, deletion, correction, opt-out of sale/sharing, limit use of sensitive personal information) within 10 business days of receiving Client's request for assistance;

(vii)     Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorised or illegal access, destruction, use, modification, or disclosure;

(viii)    Notify Client within 24 hours of determining that it can no longer meet its obligations under CCPA;

(ix)      Certify annually upon Client's request that Provider understands and will comply with the applicable restrictions and obligations under CCPA;

(x)      Upon Client's reasonable request, provide information necessary for Client to demonstrate Provider's compliance with CCPA service provider obligations.

c)            Cross-Jurisdictional Application: Where personal data/information relates to individuals who may be subject to both GDPR and CCPA protections, Provider shall comply with the requirements of both subsections (a) and (b), applying the most protective standard where requirements conflict.

d)            Grant of Rights to Client: Provider grants Client the right, upon reasonable notice and at reasonable times, to take reasonable and appropriate steps to ensure that Provider uses personal data/information in a manner consistent with Client's obligations under GDPR and CCPA, including through audits as provided in Clause 10.10.

e)            Survival: These obligations shall survive termination of this Contract for so long as Provider retains any personal data or personal information processed on Client's behalf under this Contract.

f)             Sub-Processor Requirements: Provider shall ensure that any sub-processors engaged under Clause 10.8 are subject to the same data protection obligations set out in this Clause 10.11, whether through contractual arrangements or binding corporate rules.

10.12 Intellectual Property Rights.

a)            Background Intellectual Property: Each Party retains ownership of all intellectual property rights that existed prior to the Commencement Date or that are developed independently of this Contract ("Background IP").

b)            Provider Tools and Methodologies: Provider retains ownership of all proprietary methodologies, processes, software, tools, templates, databases (including the ProviderDatabase), and know-how used to provide the Services ("Provider IP").

c)            Client Materials: Client retains ownership of all Client Materials, including content, branding, messaging, creative assets, and confidential information provided to Provider.

d)            Deliverables andWork Product:

(i)      Upon full payment ofall Fees due, Client shall own all deliverables created specifically and exclusively for Client under this Contract, including:

·        Campaign strategies and marketing plans developed specifically for Client;

·        Custom reports, analyses, and insights specific to Client’s campaigns;

·        Lists of qualified  leads generated through the Services.

(ii)     Provider retains ownership of any deliverables that incorporate Provider IP, but grants Client aperpetual, non-exclusive, worldwide, royalty-free license to use such deliverables for Client's internal business purposes.

e)      License Grants:

(i)      Client grants Provider a non-exclusive license to use Client Materials solely to perform the Services during the Contract term.

(ii)     Provider grants Client a non-exclusive license to use any Provider IP embedded in deliverables for Client's internal business purposes, subject to full payment of Fees.

f)     Aggregated and Anonymised Data:

(i)      Provider may collect, use, and retain aggregated, anonymised, and de-identified data derived from provision of Services for:

·        Benchmarking and industry research;

·        Service improvement and development;

·        Internal analytics and reporting;

provided that such data does not identify Client, Client's customers, or any individuals, and cannot be reverse engineered to identify them.

g)       Infringement Indemnity: Provider shall indemnify and hold harmless Client from any claims that Provider IP infringes third-party intellectual property rights, provided Client:

(i)      Promptly notifies Provider of any such claim;

(ii)     Gives Provider sole control of the defence and settlement;

(iii)     Provides reasonable cooperation in the defence.

h)       Enforcement: Provider reserves the right to take such action as may be appropriate to restrain or prevent infringement of Provider IP by third parties.

 

11. Liability and Indemnity

11.1 Limitation ofIndirect Damages. Neither Party shall be liable to the other by reason of anyrepresentation, implied warranty, condition or other term, or any duty atcommon law or under this Contract, for any loss of profit, loss of revenue,loss of business opportunity, or any indirect, special, punitive, orconsequential loss, damage, costs, expenses or other claims (whether caused bythat Party's employees, agents or otherwise) in connection with the provisionor use of the Services or the performance of obligations under this Contract.

11.2 Nothing in the Contract shall limit or exclude either Party’sliability under or in relation to the Contract for any form of liability whichcannot be limited or excluded by law (without prejudice to the generality ofsub-Clause 11.1) including, but not limited to:

a)            death or personalinjury caused by negligence;

b)            fraud or fraudulentmisrepresentation;

c)            for the wilfulmisconduct of either that Party or that of its employees or agents

11.3 Mutual Liability Cap.

a)            Subject to Clause 11.2 (liabilities which cannot be limited or excludedby law), the total aggregate liability of either Party to the other under or inrelation to the Contract for any and all related or unrelated acts oromissions, whether in contract, tort (including negligence), breach ofstatutory duty, or otherwise, shall be limited to three (3) times the totalFees paid or payable under the Contract in the 12 months preceding the eventgiving rise to liability.

b)      The limitations in this Clause 11.3 shall not apply to:

(i)      Personal data breaches resulting from Provider's failure to implementsecurity measures required under Schedule 1;

(ii)     Either Party's violation of Data Protection Legislation due to its ownacts or omissions;

(iii)    Either Party's breach of Clause 8 (Confidentiality) or Clause 10.12(Intellectual Property Rights);

(iv)    Provider's breach of Clause 3.6 causing regulatory fines or penalties toClient;

(v)     Client's failure to pay Fees due under Clause 7;

(vi)    Fraud, wilful misconduct, or gross negligence by either Party.

c)      cFor clarity, the cap in subsection (a) applies per Party - each Party hasits own separate liability cap.

11.4 Insurance.

a)       Provider shall maintain throughout the Contract term and for 12 months thereafter:

(i)       Public and Product Liability Insurance with coverage of £2,000,000;

(ii)      Cyber Liability Insurance with coverage of £250,000;

(iii)     Employer's Liability with coverage of £10,000,000.

b)       All insurance policies shall be with reputable insurers authorised toconduct business in the United Kingdom.

c)        Provider shall provide Client with certificates of insurance upon request(no more than annually) and shall notify Client within 20 Business Days of anymaterial changes, cancellations, or non-renewal of required insurance coverage.

d)        Maintenance of insurance does not limit Provider's liability under thisContract.

12. Force Majeure

12.1.        Neither party shallbe liable for any failure or delay in performing their obligations where such failure or delay results from any cause that is beyond the reasonable control of that party.  Such causes include, but are not limited to: power failure, Internet Service Provider failure, industrial action, civil unrest, fire, flood, storms, earthquakes, acts of terrorism, acts of war, governmental action, pandemics, epidemics, government-mandated lockdowns, public health emergencies, and cyber-attacks on critical infrastructure or public utilities not caused by either Party's security failures or breach of this Contract or any other event that is beyondthe control of the Party in question.

12.2.        The affected Party shall: (a) Notify the other Party in writing within 48 hours of the Force Majeure event occurring; (b) Use commercially reasonable efforts to mitigate the impact and resume performance as soon as reasonably practicable; (c) Provide regular updates (at least weekly) on the status and expected duration of the Force Majeure event.

12.3.        If a Force Majeureevent continues for more than 60 consecutive days, either Party may terminate this Contract without penalty upon 14 days' written notice to the other Party. Upon such termination, Client shall pay Provider for all Services satisfactorilyperformed up to the termination date.

13. Communications

13.1 All notices under these T&Cs shall be in writing and signed by,or on behalf of, the party giving notice (or a duly authorised officer of thatparty).

13.2 Notices shall be deemed to have been duly given:

a)            when delivered bycourier, other messenger, or registered mail during the normal business hoursof the recipient;

b)            when sent, iftransmitted by fax or email and a successful transmission report or returnreceipt is generated;

c)            on the fifthbusiness day following mailing, if mailed by national ordinary mail; or

13.3 All notices under these T&Cs shall be addressed to the mostrecent address, email address or fax number notified to the other party.

14. No Waiver

14.1 No waiver by the Provider of any breach of these T&Cs by theClient shall be considered as a waiver of any subsequent breach of the same orany other provision.

14.2 No failure or delay on the part of either the Provider or theClient to exercise any right, power or privilege under these T&Cs shalloperate as a waiver of, nor shall any single or partial exercise of any suchright, power or privilege preclude any other or further exercise of any otherright, power, or privilege.

15. Severance

In the event that one or more of these T&Cs is found to be unlawful,invalid, or otherwise unenforceable, that / those provisions shall be deemed severed from the remainder of these standard terms and conditions (which shall remain valid and enforceable).

16. Law and Jurisdiction

16.1 These T&Cs (including any non-contractual matters andobligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.

16.2 Any dispute, controversy, proceedings or claim between the Provider and the Client relating to these T&Cs (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fallwithin the jurisdiction of the courts of England and Wales.

17. Anti-Bribery and Modern Slavery

17.1.         Each Party shall:

a)             Comply with all applicable anti-bribery and anti-corruption laws, including the Bribery Act2010 (United Kingdom), Foreign Corrupt Practices Act (United States), and equivalent laws in all jurisdictions where Services are performed;

b)             Comply with the Modern Slavery Act 2015 and maintain policies and procedures designed to prevent modern slavery and human trafficking in its operations and supply chain;

c)             Not engage in anyactivity, practice, or conduct that would constitute an offense under the abovel aws if carried out in the United Kingdom;

d)             Maintain adequate procedures to prevent bribery and modern slavery and provide evidence of such procedures upon reasonable request;

e)             Promptly report tothe other Party any request or demand for any undue financial or other  advantage of any kind received in connection with the performance of this Contract.

17.2.           Each Party shall notify the other immediately upon becoming aware of any breach or suspected breach of this Clause 17.

17.3.           Breach of this Clause 17 shall constitute a material breach permitting the non-breaching Party to terminate this Contract immediately without penalty upon written notice.

17.4.           Each Party shall indemnify the other against any losses, liabilities, damages, costs, or expenses incurred by the other Party arising from any breach of this Clause .

 

18. Non-Solicitation

18.1.        During the term of this Contract and for 12 months following its termination or expiry, neither Party shall, without the prior written consent of the other Party:

a)            Directly or indirectly solicit, entice, or induce any employee, contractor, or consultant of the other Party who has been materially involved in the provision or receiptof Services under this Contract to leave their employment or engagement; or

b)            Directly orindirectly employ or engage any such person, whether as an employee, consultant, contractor, or otherwise.

18.2.        This Clause 18 shall not prevent:

a)            General advertising or recruitment campaigns not specifically targeted at the other Party's personnel;

b)            Unsolicited approaches by individuals responding to general advertisements;

c)            Hiring individuals whose employment or engagement with the other Party ended more than 6 months prior to commencement of discussions regarding employment;

d)            Engaging individuals made redundant or whose roles were eliminated by the other Party.

18.3.        As a genuine pre-estimate of liquidated damages (and not a penalty), if either Party breaches Clause 18.1, the breaching Party shall pay the other Party an amount equal to 6 months' salary (or equivalent fees for contractors/consultants) of the affected individual, calculated at the rate in effect immediately prior to their departure.

18.4.        The remedy in Clause 18.3 shall be without prejudice to any other rights or remedies available to the non-breaching Party, including injunctive relief.

SCHEDULE 1

 

This Schedule 1 sets out a description of the technical and organisational measures implemented by ProspectBase UK Ltd in accordance with the Applicable Laws.  ProspectBase UK Ltd takes information security and data protection seriously and these measures are designed to safeguard personal data during its processing. These measures ensure the security, confidentiality, integrity, availability and resilience of systems and services involved in the processing of Personal Data.

 

1.            Data Retention: (a) Personal data shall be retained only for the duration necessary to provide Services to Clients or as required by applicable law. (b) Retention periods: (i) Active client campaign data: Duration of Contract plus 30 days for final reporting; (ii) Provider Database contacts: Ongoing while lawful basis exists, reviewed at least annually; (iii) Contractual and financial records: 7 years from end of Contract (UK legal requirement); (iv) Marketing consent records: Duration of consent plus 3 years;(v) Data subject rights request records: 3 years from resolution. (c) Upon Contract termination or upon Client's written request, personal data processedon behalf of Client shall be securely deleted or returned within 30 days, unless retention is required by law. (d) Deletion methods shall comply with NIST SP 800-88 Guidelines for Media Sanitization or equivalent standards (secure overwriting, cryptographic erasure, or physical destruction). (e) Provider shall provide written certification of deletion upon Client's request. (f) Decommissioning procedures: All storage media containing personal datashall be securely sanitized before reuse or physically destroyed when retiredfrom service.

2.            Data SecurityMeasures: (a) Encryption and Pseudonymisation: (i) Data atrest: AES-256 encryption or equivalent; (ii) Data in transit: TLS 1.3 or higherfor all network communications; (iii) Pseudonymisation techniques applied where technically feasible and appropriate; (iv) Encryption key management: Keys stored separately from encrypted data with restricted access. (b) AccessControls: (i) Multi-factor authentication (MFA) required for all access tosystems containing personal data; (ii) Role-based access control (RBAC) limitingaccess to personal data based on job function and need-to-know principle; (iii) Unique user credentials for all personnel - no shared user accounts; (iv) Regular access reviews (at least quarterly) to remove unnecessary permissions; (v) Automated account lockout after 5 failed login attempts; (vi) Immediate revocation of access upon termination of employment. (c) System Security: (i)Security patches and updates applied within 7 days of release (critical patches within 3 days); (ii) Endpoint protection (anti-malware, EDR) deployed on alldevices accessing personal data; s;  (v) Automated alerting for suspicious activities or security events.

3.            Data Subject Rights:

a.            Provide mechanisms for data subjects to exercise their rights, including the right to access, rectification, erasure, and restriction of processing.

b.            Designate an individual (or team) responsible for overseeing compliance with data subject rights and GDPR requirements.

4.            Contractual Obligations: Ensure that contracts with clients and third-party vendors include GDPR-compliant clauses regarding data processing, security, and confidentiality.

5.            Data Transfer Safeguards: Implement appropriate safe guards  for international data transfers, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), when transferring personal data outside the UK or the EEA.

6.            Staff Training: (a) All employees, contractors, and personnel with access to personal data shall complete mandatory data protection and information security training: (i) Upon commencement of employment or engagement (within first 30 days); (ii) Annually thereafter as refresher training; (iii) Upon significant changes to Data Protection Legislation or Company policies. (b) Training shall cover: (i) Data protection principles and UK GDPR/CCPA requirements; (ii) Company's data protection policies and procedures; (iii) Information security best practices; (iv) Acceptable IT usage policies; (v) Recognizing and reporting security incidents and data breaches; (vi) Handling data subject rights requests; (vii) Social engineering and phishing awareness. (c) Training completion records shall be maintained for audit purposes for minimum 3 years. (d) Specialized training for personnel in data protection, security, or high-risk roles shall be provided as appropriate.

7.            Third Party Vendor Management. (a) All sub-processors, service providers, and vendors with access to personal data must meet security standards equivalent to those set out in this Schedule 1. (b) Vendor due diligence shall be conducted prior to engagement, including: (i) Security questionnaire or assessment; (ii) Review of relevant certifications (ISO 27001, SOC 2, etc.); (iii) Contractual data protection obligations. (c) All vendors with access to personal data shall be subject to written agreements requiring: (i) Compliance with Data Protection Legislation; (ii) Implementation of appropriate technical and organisational measures; (iii) Assistance with data subject rights requests; (iv) Notification of data breaches; (v) Deletion or return of dataupon contract termination. (d) Vendor security performance shall be reviewed atleast annually or upon any security incident.

SCHEDULE 2

This Schedule 2 describes the scope and nature of personal data processing carried out by the Service Provider in connection with its Servicesunder the Contract. It also identifies the applicable Standard Contractual Clauses (SCCs), specifically Modules ONE and FOUR, depending on the type of transfer. The Service Provider acts as a Data Controller for its proprietary Provider Database (as defined in Clause 3) and as a Data Processor when processing personal data strictly in accordance with Client instructions. For clarity, the Provider determines the technical and organisational means for service delivery, while the Client defines the purposes and essential parameters of processing.

 

1.            Scope and Data Sources: Only necessary personal data (Business Contact Data) shall be processed for providing the Services to the Client. Data is obtained from the following sources: (a) Public business registries (e.g.,Companies House, EDGAR, similar governmental registries); (b) Company websites and publicly accessible business information pages; (c) Professional networking platforms where users have made their profiles publicly available (e.g., LinkedIn public profiles); (d) Business directories, trade publications, and industry databases; (e) Publicly available business contact information published by companies or individuals; (f) Reputable third-party data providersthat operate lawfully under Data Protection Legislation and warrant appropriatelegal bases for collection and sale of business contact information; (g)Client-provided data (where Client has obtained appropriate legal basis andwarrants lawful transfer to Provider). Provider warrants that: (i) All datasources comply with applicable data protection laws; (ii) Appropriate legalbasis exists for collection, storage, and processing of all data in theProvider Database; (iii) Data is verified for accuracy and updated regularly; (iv)Individuals whose data is processed have not opted out of Provider's databaseor requested deletion (subject to ongoing monitoring).

2.            Nature: “Processing” means collecting, recording, organising, structuring,storing, adapting or altering, retrieving, consulting, using, disclosing bytransmission, disseminating, aligning or combining, restricting, erasing ordestroying. The technical and organisational measures in Schedule 1 ensureprocessing is compliant.

3.            Purpose ofProcessing: Personal data is processed for the following purposes: (a) Provider asData Controller (“Provider Database”): To maintain a database of businesscontact information for the purpose of providing B2B demand generation andmarketing services to clients. Legal basis: Legitimate interests (Article6(1)(f) UK GDPR) - facilitating B2B marketing and business development. (b)Provider as Data Processor (Service Delivery): To provide Services as detailedin a Contract between the Service Provider and Client, which may include one ormore of the following: (i) Content Syndication; (ii) ABM (Account-BasedMarketing) Display; (iii) Email Marketing; (iv) Tele-Marketing; (v)Cost-per-click (CPC) or Cost-per-impression (CPM) campaigns; (vi) DataConcierge Services (building, data hygiene, enhancement, rectification,verification, etc.); (vii) Brand Promotion; (viii) Intent Solutions; (ix) OtherB2B demand generation and lead generation services as agreed. Legal basis:Performance of contract between Provider and Client (Article 6(1)(b) UK GDPR)and Provider processing under Client's lawful instructions. (c) Provider asData Controller (Lead Transfer to Client): To transfer qualified leads(individuals who have opted in to receive Client's marketing materials andcommunications) to Client as a controller-to-controller transfer. Legal basis:Legitimate interests (Article 6(1)(f) UK GDPR) – facilitatingbusiness-to-business connections and Client's legitimate interest in receivingqualified leads. Provider conducts Legitimate Interests Assessments (LIAs)balancing business purposes against data subjects' rights and freedoms,ensuring: (i) Data subjects are business contacts acting in professionalcapacity; (ii) Processing is reasonably expected within B2B marketing context;(iii) Opt-in consent obtained from leads before transfer to Client; (iv) Datasubjects' rights are respected (opt-out, access, deletion).

4.            Duration: Ongoing for as long as the Services are provided to the Client; and,beyond such provision of services or termination of Contract where legallyrequired (to comply with local laws).

5.            Types and Categoriesof Personal Data: (a) Types of Personal DataProcessed: (i) First Name, Surname; (ii) Job Title, Job Function, Job Role,Department; (iii) Business Email Address; (iv) Company/Employer Name; (v)Company Phone Number, Direct Dial Number, Mobile Number; (vi) Business Address;(vii) IP Address (for tracking campaign engagement); (viii) Social MediaHandles (e.g., public LinkedIn profile URLs); (ix) Cookie Identifiers andsimilar tracking technologies (where applicable for campaign tracking andengagement measurement). (b) Firmographic and Technographic Information(Non-Personal Data): Industry, Company Size, Revenue, Region, Country, HQLocation, Technology Stack, etc. (c) Categories of Personal Data: Non-SensitivePersonal Data and Personally Identifiable Information (PII) as detailed insubsections (a) and (b), collectively forming Business Contact Data ofemployees and directors of businesses. (d) Cookie and Tracking Technologies:Where Services involve use of cookies, pixels, or similar trackingtechnologies: (i) Provider shall implement cookie consent mechanisms compliantwith PECR (UK), ePrivacy Directive, and applicable state privacy laws (e.g.,CCPA); (ii) Strictly necessary cookies may be placed without consent; (iii)Non-essential cookies (analytics, marketing, targeting) shall only be placedwith prior opt-in consent from data subjects; (iv) Provider shall maintainrecords of consent for audit purposes; (v) Provider's cookie policy isavailable at https://www.prospectbase.com/legal/cookies-policy and complies with applicable transparency requirements;  (vi) Data subjects may withdraw consent andrequest deletion of cookies at any time.

6.            Legal Basis forProcessing Under UK GDPR: (a)Controller-to-Controller Transfers (Provider Database to Client Leads): Article6(1)(f) - Legitimate Interests: (i) Provider's legitimate interest: OperatingB2B demand generation business and providing qualified leads to businessclients; (ii) Client's legitimate interest: Receiving qualified business leadsfor sales and marketing purposes; (iii) Balancing test: Processing is limitedto business contacts acting in professional capacity; data subjects reasonablyexpect B2B marketing in this context; opt-in obtained before transfer; minimalprivacy impact; appropriate safeguards in place (opt-out, transparency). (b)Controller-to-Processor Transfers (Client to Provider): Article 6(1)(b) -Performance of Contract: Processing necessary for Provider to perform Servicesunder Contract with Client, and for Client to execute lawful instructions toProvider. (c) Provider's Processing of Provider Database: Article 6(1)(f) -Legitimate Interests: Provider's legitimate interest in maintaining accurate,up-to-date database of business contact information to facilitate provision ofB2B marketing and demand generation services to clients. (d) LegitimateInterests Assessments: Provider conducts and maintains Legitimate InterestsAssessments (LIAs) for all controller activities, documenting: (i) Purpose andnature of processing; (ii) Legitimate interests pursued; (iii) Necessity andproportionality of processing; (iv) Balancing test considering data subjects'rights, freedoms, and reasonable expectations; (v) Safeguards to protect datasubjects; (vi) Conclusion that legitimate interests are not overridden by datasubjects' interests. (e) Additional Legal Bases (as applicable): Article6(1)(a) - Consent: Where data subjects have provided specific, informed, freelygiven consent (e.g., opt-in to receive Client's marketing materials). Article6(1)(c) - Legal Obligation: Where processing is necessary to comply with legalobligations (e.g., tax, accounting, regulatory requirements).

7.            Data Subject Rights Procedures: (a) Provider facilitatesexercise of data subject rights under Data Protection Legislation, including:(i) Right of access (Article 15); (ii) Right to rectification (Article 16);(iii) Right to erasure / "right to be forgotten" (Article 17); (iv)Right to restriction of processing (Article 18); (v) Right to data portability(Article 20); (vi) Right to object (Article 21); (vii) Rights related toautomated decision-making (Article 22); (viii) CCPA/CPRA rights (for Californiaresidents). (b) Data subjects may exercise rights by: (i) Emailing: privacy@prospectbase.com; (ii) Writing to: Privacy Team,ProspectBase UK Ltd, Wessex House, Teign Road, Newton Abbot, Devon, TQ12 4AA,United Kingdom; (iii) Using online form at: https://www.prospectbase.com/ccpa (for California residents), (iv)Opting out via unsubscribe links in marketing communications. (c) ResponseTimeframes: Provider shall respond to data subject rights requests within: (i)1 month of receipt (UK GDPR/GDPR), extendable by 2 months for complex requestswith explanation to data subject; (ii) 45 days of receipt (CCPA/CPRA),extendable once by 45 days with notice to consumer; (iii) As otherwise requiredby applicable Data Protection Legislation. (d) Verification: Provider mayrequest additional information to verify identity of data subject makingrequest, using reasonable means proportionate to risk. (e) Requests Relating toClient Campaigns: (i) For data processed on Client's instructions (processorrole), Provider shall forward data subject requests to Client within 2 BusinessDays; (ii) Provider shall assist Client in responding to such requests within 5Business Days of Client's request for assistance; (iii) Costs of assistanceborne by Client unless request resulted from Provider's error or non-compliance.(f) Requests Relating to Provider Database: For data in Provider Database(controller role), Provider shall handle requests directly and take appropriateaction (provide access, correct, delete, restrict, etc.) within timeframes insubsection (c). (g) Fees: Provider does not charge fees for data subject rightsrequests unless requests are manifestly unfounded, excessive, or repetitive, inwhich case reasonable administrative fees may apply as permitted by law. (h)Record-Keeping: Provider maintains records of all data subject rights requestsand responses for minimum 3 years for audit and compliance purposes.

8.            Distinction BetweenProvider Controller and Processor Activities:

a. Provider Controller Activities (Provider Database): Scope: Sourcing, verifying, enriching,maintaining, and storing business contact data in Provider Database.Activities: Acquiring business contact data from public sources and third-partyproviders; Verifying data accuracy and enriching with additional businessinformation; Storing and securing Provider Database; Determining retentionperiods for database records; Responding to data subject rights requestsregarding Provider Database; Deciding purposes for which Provider Database isused (B2B marketing services); Selecting sub-processors and vendors fordatabase management. Legal Basis: Legitimate interests (Article 6(1)(f) UKGDPR) - Provider's legitimate interest in operating B2B demand generation business.Data Subject Information: Provider provides transparency through privacy policyat https://www.prospectbase.com/legal/privacy-policy explaining collection, use, legal bases, and data subject rights.

b.            Provider Processor Activities (Service Delivery Under Client Instructions): Scope: Executingmarketing campaigns to contacts selected based on Client's targeting criteriaand instructions. Activities: Querying Provider Database using Client'sspecified targeting criteria (job titles, industries, company sizes, geographiclocations, etc.); Executing marketing campaigns (email, telemarketing, contentsyndication, etc.) to selected contacts using Client's messaging and content;Tracking campaign engagement, responses, and results; Processing opt-outs andunsubscribe requests from campaign recipients; Collecting opt-ins from engagedcontacts who consent to receive Client's follow-up communications; Reportingcampaign results and qualified leads to Client; Following Client's instructionsregarding communication channels, frequency, messaging, and audience scope.Legal Basis: Performance of contract with Client (Article 6(1)(b) UK GDPR) -Provider processes data under Client's lawful instructions. Client's Role: Clientdetermines purposes and essential means of processing (campaign objectives,target audience, messaging, channels). Provider implements Client'sinstructions using Provider's tools and expertise.

c.            Provider Controller Activities (Lead Transfer to Client): Scope: Transferring qualified leads(contacts who opted in to receive Client's materials) from Provider to Clientas controller-to-controller transfer. Activities: Obtaining opt-in consent fromengaged contacts for their data to be shared with Client; Transferring leadpersonal data to Client; Providing transparency to leads about data sharingwith Client. Legal Basis: Legitimate interests (Article 6(1)(f) UK GDPR) andconsent (Article 6(1)(a)) - Provider and Client's legitimate interest in B2B lead generation; leads' consent to share data with Client.

d.            Data Subject Rights- Allocation of Responsibility: Requests regarding inclusion in ProviderDatabase: → Provider handles as controller; Requests regarding specific Clientcampaigns: → Client handles as controller; Provider assists as processor; Requestsregarding lead data transferred to Client: → Client handles as controller(Provider may assist)

A.   LIST OF PARTIES

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

MODULE FOUR: Transfer processor to controller

 

Data exporter: The Service Provider

Primary Data Privacy Contact: Gareth Morris. Email Address:privacy@prospectbase.com

 

Data importer: The Client

Primary Data Privacy Contact: the Client signatory on the Order Form orother Client representative as provided to the Service Provider as the mainpoint of contact for Data Privacy and Data Protection matters.

 

 

B.   DESCRIPTION OF TRANSFER

MODULE ONE: Transfer controller to controller [Applicable when Provider transfers qualified leads to Client]

MODULE TWO: Transfer controller to processor [Applicable when Client provides data to Provider for processing]

MODULE FOUR: Transfer processor to controller [Applicable when Provider transfers campaign results/leads to Client]

Categories of data subjects whose personal data istransferred: Employees, directors, officers, and other business representativesof B2B companies acting in their professional capacity, primarily in industriessuch as technology, professional services, finance, healthcare, manufacturing,and other sectors as specified by Client. Categories/Types of personal datatransferred: As detailed in Schedule 2, Clause 5(a): Name, job title, businessemail, business phone numbers, employer, business address, LinkedIn profile, IPaddress, cookie identifiers (where applicable). Sensitive data (if applicable):No special category data (sensitive personal data as defined in Article 9 UKGDPR) is intentionally collected or transferred. If any sensitive data isinadvertently discovered, it shall be immediately deleted and not processed. Frequencyof the transfer: Continuous basis throughout the term of the Contract and ascampaigns are executed. Nature of the processing: As covered in Schedule 2,Clause 2: Collection, recording, organization, structuring, storage,adaptation, retrieval, consultation, use, disclosure by transmission,dissemination, alignment, restriction, erasure, and destruction of personaldata in connection with provision of B2B demand generation services.

Purpose(s) of the data transfer and furtherprocessing: As covered in Schedule 2, Clause 3:

·       Provider processesdata to execute marketing campaigns per Client instructions;

·       Provider transfersqualified leads to Client for Client's sales and marketing follow-up;

·       Client processesleads for business development, sales, and ongoing customer relationshipmanagement.

Period for which the personal data will beretained: As covered in Schedule 2, Clause 4 and Schedule 1, Clause 3:

·       Lead datatransferred to Client: Retained by Client per Client's retention policies;

·       Provider Database:Ongoing while lawful basis exists, subject to data subject rights;

·       Legal/compliancerecords: As required by applicable law (minimum 7 years for financial records).

For transfers to (sub-)processors (if applicable):The subject matter, nature, and duration of processing by sub-processors shallbe the same as for transfers from the Data Processor (Provider) to the DataController (Client), limited to activities necessary to support Provider'sdelivery of Services (e.g., email platform providers, telemarketing serviceproviders, data hosting providers).

 

C.   COMPETENT SUPERVISORY AUTHORITY

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE FOUR: Transfer processor to controller

The Information Commissioner’s Office (“ICO”) unless as otherwiserequired by applicable laws