Standard Terms and Conditions

Background

These Terms and Conditions shall apply to the provision of the services performed by ProspectBase Ireland Ltd with registered number: 762727 whose registered office is: 18 Church Street, Portlaoise, Co. Laois, R32 TP89 (“Provider”or “Service Provider”) to you (“Client”). No other terms and conditions shall apply to the provision of Services unless agreed upon in writing between Provider and the Client.

‍

1. Definitions and Interpretation

1.1 In these Terms and Conditions, unless the context otherwise requires, the following expressions have the following meanings:

“Applicable Laws” means all laws, statutes, regulations, and similar instruments from time to time in force applicable to the Parties, the Services, and to the Contract;

“Business Day” means, any day (other than Saturday or Sunday) on which ordinary banks are open for their full range of normal business in the United Kingdom and/or in Ireland;

“Client” means the party procuring the Services from the Service Provider under the Contract;

“Client Materials” means any and all information, documents, and other materials provided by the Client to the Service Provider in relation to the provision of the Services;

“Commencement Date” means the date on which the Contract shall enter into effect, as set out in Clause 2 (Basis of Contract);

“Confidential Information” means, in relation to either Party, information which is disclosed to that Party by the other Party pursuant to or in connection with the Contract (whether orally or in writing or any other medium, and whether or not the information is expressly stated to be confidential or marked as such);

“Contract” means the contract entered into by the Service Provider and the Client for the provision of Services in accordance with and on the basis of these Terms and Conditions, any Schedules, relevant documents such as the Data Processing Agreement (“DPA”) mentioned in clause 10.4, and any appropriate Order or Statement of Work (“SOW”) connected with, and/or appended or attached to these Terms and Conditions;

“Data Protection Legislation” means all applicable legislation in force from time to time in the Republic of Ireland or the United Kingdom (or other region as appropriate) applicable to data protection and privacy including, but not limited to, the GDPR (EU) 2016/679, the UK GDPR (as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018; the Irish Data Protection Act 2018; ePrivacy Regulations SI 336/2011; the Data Protection Act 2018 (and regulations made there under); CCPA (& CPRA revisions), CASL, CAN-SPAM and the Privacy and Electronic Communications Regulations 2003 (“PECR”) as amended;

“Fees” means any and all sums due under the Contract from the Client to the Service Provider inconsideration of the Services, as set out in Clause 5 (Fees, Payment, and Records);

“Intellectual Property Rights” means patents, rights to inventions, copyright and related rights, trademarks, business names, domain names, design rights, database rights, rights subsisting in software, rights to use confidential information and the right to protect the same, and any and all other intellectual property rights, whether registered or unregistered, including applications and the right to apply for (and be granted) renewals or extensions of, and rights to claim priority from,any such rights and any and all equivalent rights or other forms of protection subsisting now or in the future anywhere in the world;

“Order” means the Client’s order for the Services as set out on Provider’s order form attached with theseT&Cs, or as provided by the Client on a purchase order, insertion order(“IO”) or relevant Statement of Work (“SoW”) in conjunction with these termsand conditions or other terms and conditions as agreed between the Client and Service Provider where applicable;

“Services” means the services to be provided by the Provider to the Client in accordance with the Contract, as fully defined in the Specification;

“Specification” means the fulldescription and specification of the Services as agreed in writing by theClient and the Service Provider.

‍2. Interpretation in these Terms and Conditions

Headings are for convenience only and shall not affect their interpretation. Words imparting the singular number shall include the plural and vice-versa.

‍

3. Services

3.1 With effect from the commencement date stated in these Terms and Conditions (“T&Cs”) and in consideration of the Fees being paid in accordance with these T&Cs, the Provider shall provide the Services to the Client.

3.2 The Provider shall use reasonable care and skill in its performance of the Services and shall ensure compliance with applicable laws and relevant codes of practice.

3.3 The Provider shall use its best and reasonable endeavours to perform the Services; however, time will not be of the essence in the performance of these obligations.

3.4 The Service Provider shall act in accordance with all reasonable instructions issued by the Client. With regards to such instructions requiring the Provider to process Personal Data (as defined by the UK GDPR), Client acknowledges and accepts that it is the Data Controller and Provider is a Data Processor.

3.5 Dual Data Controller and Processor Roles:

a) Provider as Independent Data Controller: Provider operates and maintains its     proprietary database of business contact information ("Provider Database"). Provider  is the sole data controller for the Provider Database, including decisions regarding:

         (i)      Collection, storage, and maintenance of business contact data;

         (ii)      Data quality, verification, and enhancement procedures;

         (iii)     Selection of tools, systems, and sub-processors for database management.

b)  Provider as Data Processor for Services: When performing Services under this Contract, Provider acts as a data processor on behalf of Client (the data controller) with respect to:

         (i)      Contacts selected from the Provider Database based on Client's targeting criteria and instructio

         (ii)     Execution of marketing campaigns to selected contacts using Client Materials (which includes messaging and content);

         (iii)    Processing of any personal data provided by Client or collected during campaign execution.

c)     Clarification of "Means" vs "Purposes": Client solely determines the purposes and essential means of processing (target audience criteria, campaign objectives, permitted communication channels, messaging content). Provider determines only the technical and organisational means of executing Client's instructions (selection of email platform, telemarketing provider, delivery optimisation).

d)   No Joint Control: The Parties acknowledge they do not act as joint controllers. Provider's roleas processor does not diminish its independent controller obligations for the Provider Database outside the scope of Client instructions.

e)   Provider Warranties: Provider warrants that all contacts in the Provider Database were lawfully obtained and that Provider maintains appropriate legal bases for their processing.

3.6 Marketing Compliance

a)       Provider shall ensure all marketing communications comply with:

      (i)      CAN-SPAM Act (UnitedStates);

      (ii)     Canada's Anti-Spam Legislation (CASL);

      (iii)    Privacy and Electronic Communications Regulations 2003 (PECR) as amended (United Kingdom);

      (iv)    Applicable regional and international marketing laws.

b)      Provider shall:

      (i)      Maintain valid legal basis and consent records for all contacts;

      (ii)     Include functional unsubscribe mechanisms in all email communications;

(iii) Honour opt-out requests within legally required timeframes (10 business days for CAN-SPAM, without delay for CASL);

      (iv)    Respect suppression lists provided by Client;

      (v)     Not contact individuals who have opted out of communications.

c)      Client warrants ithas lawful basis to engage Provider for marketing to its target audience and that any materials, content, or instructions provided to Provider comply with applicable marketing laws.

d)    Each Party shall indemnify the other for violations of marketing laws caused solely by its own non-compliance, breach of warranty, or provision of non-compliant instructions/ materials.

‍

4. Client Obligations

4.1 The Client shall use its best and reasonable endeavours to provide the Provider with access to any, and all relevant information, materials, properties, and other matterswhich are required to enable the Provider to provide the Services.

4.2 The Client shall use its best and reasonable endeavours to acquire any permissions, consents, licences, or other matters which are required to enable the Provider to provide the Services.

4.3 The Provider shall not be liable for any delay or failure to provide the Services where such delay or failure is due to the Client’s failure to comply with this Clause 4.

4.4 The Client will at all times comply with Applicable Laws, and immediately inform the Provider if it believes, for any reason, it can no longer comply, or has not complied with Applicable Laws.

‍

5. Fees

5.1 The fees (“Fees”) for the Services are set out on the Order.

5.2 In addition to the Fees, the Provider shall be entitled to charge the Client interest for late payment of fees at an annual rate of 8%+ base rate.

5.3 The Fees are exclusive of any applicable value added tax, goods and services tax, sales tax, digital services tax, with holding tax, or any other tax, levy, or duty imposed or charged by any competent authority in any jurisdiction (collectively,"Taxes"). Unless otherwise specified on the Order, all such Taxes shall be payable by the Client in addition to the Fees. Where any applicable law requires the Client to withhold or deduct tax from payments due to the Provider, the Client shall gross up the payment so that the Provider receives the full invoiced amount and shall promptly provide the Provider with the relevant withholding certificate.

‍

6. Variation

6.1 If the Client wishes to vary any details of the Services it must notify the Provider in writing as soon as possible.  The Provider shall endeavour to make any required changes the Client agrees to pay any additional fees related to its request. Provider may accept variation requests at its sole discretion.

6.2 If, due to circumstances beyond its control, the Provider has to make any change in the Services or the arrangements relating to the provision thereof, it shall notify the Client immediately.  The Provider shall endeavour to keep any such changes to a minimum and shall seek to offer the Client arrangements as close to the original as is reasonably possible in the circumstances.

‍

7. Payment

7.1 The Provider shall invoice the Client for the Fees each month in arrears for the provision of the Services rendered;

7.2 The Client shall pay the Fees due within 30 days of the date of the Provider’s invoice.

7.3 Time for payment shall be of the essence of the Contract between the Provider and the Client.

7.4 If the Client fails to make payment within the period in sub-Clause 7.2, the Provider shall have the right to suspend any further provision of the Services until the balance due has been paid in full. The Provider may also cancel any future services which may have been ordered by, or otherwise arranged with, the Client if (a) the client has not paid all outstanding fees in full within 60 days of the date of the oldest invoice, or (b) the Client fails to make future payments on time and in full.

7.6 All Fees and invoices under this Contract shall be denominated and payable in United States Dollars (USD) unless otherwise specified on the Order or agreed in writing between the Parties. The Provider must receive the full invoiced USD amount net of any bank transfer charges, currency conversion costs, or payment processing fees, which shall be borne solely by the Client.

‍

8. Confidentiality

8.1 Each Party undertakes that, except as provided by sub-Clause 8.2 or as authorised in writing by the other Party (such authorisation not to be unreasonably withheld), it shall, at all times during the term of the Contract and for aminimum of three (3) years after its termination or expiry:

a)            keep confidential all Confidential Information;

b)            not disclose any Confidential Information to any other party;

c)            not use any Confidential Information for any purpose other than as contemplated by the Contract; and

d)            ensure that (as applicable) none of its employees, directors, officers, agents, or sub-contractors does any act which, if done by that Party, would be a breach of the provisions of this Clause 8.

8.2 Subject to sub-Clause 8.3, either Party may disclose any Confidential Information to:

a)            any sub-contractors, substitutes, or suppliers;

b)            any governmental or other authority or regulatory body; or

c)            any employee or officer of that Party or of any of the aforementioned persons, parties, or bodies.

8.3 Disclosure undersub-Clause 8.2 may be made only to the extent that it is necessary for the purposes contemplated by the Contract, or as required by law. In each case, the disclosing Party must first inform the recipient that the Confidential Information is confidential. Unless the recipient is a body described in sub-Clause 8.2(b) or is an authorised employee or officer of such a body, the Party disclosing the Confidential Information under sub-Clause 8.2 must obtain and submit to the other Party a written undertaking from the recipient to keep the Confidential Information confidential and to use it only for the purposes for which thedisclosure is made.

8.4 Either Party mayuse any Confidential for any purpose, or disclose it to any other party, wherethat Confidential Information is or becomes public knowledge through no fault of that Party.

8.5 When using ordisclosing Confidential Information under sub-Clause 8.4, the Party using or disclosing that Confidential Information must ensure that it does not use ordisclose any part of that Confidential Information which is not publicknowledge.

8.6 The provisions of this Clause 8 shall continue in force in accordance with their terms, not withstanding the termination or expiry of the Contract for any reason.

‍

9. Termination

9.1 Either party may terminate this Contract for convenience by providing the other party with atleast thirty (30) days' written notice.

9.3 Either Party may terminate the provision of the Services immediately if:

a)            a material breach is committed by either party of its obligations underthese T&Cs; or

b)            a party becomes the subject of a bankruptcy order or takes advantage of any other statutory provision for the relief of insolvent debtors.

c)            a party enters into a voluntary arrangement under Companies Act 2014 (Parts 10–12) and the Companies (Accounting) Act 2017 (Ireland), or Part 1 of the Insolvency Act 1986 (UK), or any other scheme or arrangement is made withits creditors; or

d)            a party convenes any meeting of its creditors, enters into voluntary orcompulsory liquidation, has a receiver, examiner, administrator, or administrative receiver appointed in respect of its assets or undertakings or any part thereof, enters into any scheme of arrangement or compromise with its creditors, any documents are filed with the court for the appointment of an administrator or examiner, a resolution is passed or petition presented to anycourt for the winding up of either party, or any proceedings are commenced relating to the insolvency or possible insolvency of either party, whether under the Insolvency Act 1986 and Schedule B1 thereof (England and Wales), the Companies Act 2014 Parts 10–12 (Ireland), or any equivalent legislation in any applicable jurisdiction.

‍

‍10. Data Protection and Intellectual Property

In this Clause 10, the terms “personal data”, “processing”, “data subject”, “controller”, “processor”,and “personal data breach” shall have the meanings defined in Article 4 of the EUGDPR, and the terms “Data Processor” and “Data Controller” shall have the same meanings as “processor” and “controller” respectively. The term “domestic law”means the law of Ireland or, where applicable, European Union law binding in Ireland, including EU GDPR and the Irish Data Protection Act 2018.

10.2 The Parties shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 10 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not removeor replace any of those obligations.

10.3 Data Controller and Processor Relationship. For the purposes of Data Protection Legislation and this Clause 10:

a)            Regarding the Provider Database: Provider is the data controller;

b)            Regarding Services performed under Client instructions:

         (i)      Client is the data controller for campaign execution and results;

          (ii)     Provider is the data processor executing Client's instructions.

c)            Regarding transfer of leads to Client: Provider acts as a datacontroller transferring personal data to Client (also a data controller) underlegitimate interests (Article 6(1)(f) UK GDPR).

d)            Each Party shall comply with its respective obligations under Data Protection Legislation corresponding to its role(s).

e)            Where Provider processes personal data as a processor, the provisions of Clauses 10.5 through 10.10 shall apply.

f)             Client acknowledges that Provider's status as data controller for its Provider Database does not create joint controller obligations for campaign execution activities.

10.4 The scope, nature,and purpose of the processing; the duration of the processing; the type(s) of personal data; and the category or categories of data subject shall be set out in Schedule 2.

10.5 Both Data Controller and Data Processor shall (without prejudice to the generality of sub-Clause 10.2) ensure all necessary consents and notices required are inplace to enable the lawful transfer and receipt of personal data to and fromone another, and for the lawful processing of personal data by the Data Processor for the purposes described in Schedule 1 and for its provision ofServices under this Contract.

10.6 The Data Processor shall (without prejudice to the generality of sub-Clause 10.2), with respect toany personal data processed by it in relation to its performance of any of itsobligations under the Contract:

a)            process the personal data only on the written documented instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by domestic law. The Data Processor shall promptly notify the Data Controller before carrying out such processing unless it is prohibited from doing so by that law;

b)            ensure that it has in place appropriate technical and organisational measures to protect the personal data from unauthorised or unlawful processing, accidental loss, damage, or destruction. Such measures shall be appropriate and proportionate to the potential harm resulting from such events and to the nature, scope, and context of the personal data and processing involved, considering the current state of the art in technology and the cost of implementing those measures.

c)            ensure that any and all persons with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential;

d)            not transfer any personal data outside of the EEA or Ireland without the prior written consent of the Data Controller (such consent to be freely provided upon entering into a Contract with Provider) and only if the following conditions are satisfied:

                                 i.                 the Data Controller and/or the Data Processor has/have provided appropriate safeguards for the transfer of personal data;

                               ii.                 affected data subjects have enforceable rights and effective legal remedies;

                              iii.                 the Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and

                              iv.                 the Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data;

e)            assist the Data Controller, at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to impact assessments, security, breach notifications, and consultations with supervisory authorities or other applicable regulatory authorities (including, but not limited to, the DataProtection Commission of Ireland ("DPC"))

f)             notify the Data Controller without undue delay of any personal data breach of which it becomes aware;

g)            on the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination or expiry of the Contract unless it is requiredto retain any of the personal data by domestic law;

h)            maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 10 and to allow for audits, including inspections, by the Data Controller and/or any reasonable party designated by the Data Controller. The Data Processor shall inform the Data Controller immediately if, in its opinion, any instruction infringes the Data Protection Legislation.

10.7 The Data Processor shall not sub-contract any of its obligations with respect to the processing of personal data under this Clause 10 to another processor without the prior written consent of the Data Controller (such consent not to be unreasonably withheld. In the event that the Data Processor appoints another processor, the Data Processor shall:

a)            enter into a written contract with the other processor, which shall impose upon that other processor substantially the same obligations as areimposed upon the Data Processor by this Clause 10, which the Data Processor shall ensure shall reflect the requirements of the Data Protection Legislation at all times;

b)            ensure that the other processor complies fully with its obligations under that agreement and the Data Protection Legislation; and

c)            remain fully liable to the Data Controller for the performance of that other processor’s obligations and the acts or omissions thereof.

10.8 Sub-Processors.

a)            Any approved sub-processors used in the provision of Services shall be confirmed with the Client upon request and Provider shall notify Client atleast 30 days before engaging new sub-processors or materially changing existing sub-processor arrangements. Client may object to new sub-processors on reasonable data protection grounds within 14 days of notification. If Client objects and Provider cannot provide alternative arrangements, Client may terminate the affected Services without penalty.

b)            Provider shall ensure all sub-processors are bound by written agreements imposing substantially the same data protection obligations as set out in this Clause 10.

c)            Provider remains fully liable for the acts and omissions of all sub-processorsas if they were Provider's own acts and omissions.

10.9 Data Breach Notification.

a)            Provider shall notify Client within 24 hours of becoming aware of apersonal data breach affecting personal data processed under this Contract.

b)            The notification shall include:

              (i)      Nature of the breach and categories and approximate volumes of datasubjects and personal data records affected;

              (ii)     Contact details of Provider's responsible contact;

              (iii)    Likely consequences of the breach;

              (iv)    Measures taken or proposed to address the breach and mitigate potential adverse effects.

c)            Provider shall provide reasonable cooperation and assistance to Clientin investigating, mitigating, and remediating the breach, and in complying withany breach notification obligations to supervisory authorities or datasubjects.

d)            Provider shall document all personal data breaches and make such documentation available to Client and supervisory authorities upon reasonable request.

10.10 Audits and Compliance.

a)            Client or its authorised auditors may audit Provider's compliance with this Clause 10 upon 30 days' prior written notice, no more than once annually.

b)            Audits shall be conducted during Business Hours and in a manner that minimises disruption to Provider's operations.

c)            Provider may demonstrate compliance through:

              (i)      Providing copies of relevant certifications (ISO 27001, SOC 2 Type II,etc.);

              (ii)     Third-party audit reports;

              (iii)    Completed compliance questionnaires;

d)            Client shall bear the costs of audits.

e)            Both Parties shall maintain confidentiality of audit findings and usethem solely for compliance verification purposes.

10.11 GDPR and California Privacy Rights.

a)            To the extent Provider processes personal data of individuals located inthe European Union, European Economic Area, or United Kingdom on Client's behalf, Provider shall comply with the requirements of the EU GDPR (Regulation2016/679) and, where processing relates to UK data subjects, the UK GDPR as aconcurrent obligation. Provider shall:

               (i)      Process personal data only in accordance with documented instructions from Client, unless required by law to process otherwise (in which case Provider shall inform Client before processing, unless prohibited by law);

               (ii)     Ensure all persons authorised to process personal                data are subject to appropriate confidentiality obligations;

               (iii)    Implement appropriate technical and organisational measures                 as set out in Schedule 1 to ensure a level of security appropriate to the risk;

               (iv)    Not engage sub-processors without prior authorisation from Client as set out in Clause 10.8;

               (v)     Assist Client in responding to data subject rights requests (access, rectification, era sure,           restriction, portability, objection) within 5 business days of receiving Client's request for assistance;       

               (vi)    Assist Client in ensuring compliance with data protection impact                 assessments, prior consultation with supervisory authorities, and security breach obligations;

               (vii)    Notify Client within 24 hours of becoming                aware of any personal data breach as set out in Clause 10.9;

               (viii)   Delete or return all personal data to Client after the end of provision of Services, unless retention is required by law;

               (ix)     Make available to Client all information necessary to demonstrate compliance with Article 28 EU GDPR and allow for audits as set out in Clause 10.10;

                (x)     Immediately inform Client if, in Provider's opinion, any instruction from Client infringes EU GDPR, UK GDPR, or other Data Protection Legislation.

b)            CCPA/CPRA Compliance for California Residents: To the extent Provider processes personal information (as defined by the California Consumer Privacy Act as amended by the California Privacy Rights Act, collectively"CCPA") of California residents on Client's behalf, Provider shall:

                  (i)      Not sell or share such personal information;

                  (ii)     Not retain, use, or disclose such personal information for any purpose other than performing the Services specified in this Contract;

(iii)    Not retain, use, or disclose such personal information outside of the direct business relationship between Provider and Client;

(iv)    Not combine such personal information with personal information receivedfrom or on behalf of another person, except as permitted by CCPA;

(v)     Comply with applicable provisions of the CCPA, including but not limitedto Sections 1798.100 through 1798.199;

(vi)    Assist Client in responding to verified consumer rights requests(access, deletion, correction, opt-out of sale/sharing, limit use of sensitivepersonal information) within 10 business days of receiving Client's request forassistance;

(vii)    Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect it fromunauthorised or illegal access, destruction, use, modification, or disclosure;

(viii)   Notify Client within 24 hours of determining that it can no longer meetits obligations under CCPA;

(ix)     Certify annually upon Client's request that Provider understands andwill comply with the applicable restrictions and obligations under CCPA;

(x)     Upon Client's reasonable request, provide information necessary for Client to demonstrate Provider's compliance with CCPA service provider obligations.

Cross-Jurisdictional Application: Where personal data/information relates to individuals who may be subject to both GDPR and CCPA protections, Provider shall

a)            comply with the requirements of both subsections (a) and (b), applyingthe most protective standard where requirements conflict.

b)            Grant of Rights to Client: Provider grants Client the right, upon reasonable notice and at reasonable times, to take reasonable and appropriate steps to ensure that Provider uses personal data/information in a manner consistent with Client's obligations under GDPR and CCPA, including through audits as provided in Clause 10.10.

c)            Survival: These obligations shall survive termination for so long as Provider retains any personal data or personal information processed on Client's behalf under this Contract.

d)            Sub-Processor Requirements: Provider shall ensure that any sub-processors engaged under Clause 10.8 are subject to the same data protection obligations set out in this Clause 10.11, whether through contractual arrangements or binding corporate rules.

10.12 Intellectual Property Rights.

a)            Background Intellectual Property: Each Party retains ownership of all intellectual property rights that existed prior to the Commencement Date orthat are developed independently of this Contract ("Background IP").

b)            Provider Tools and Methodologies: Provider retains ownership of all proprietary methodologies, processes, software, tools, templates, databases (including the Provider Database), and know-how used to provide the Services("Provider IP").

c)            Client Materials: Client retains ownership of all Client Materials, including content, branding, messaging, creative assets, and confidential information provided to Provider.

d)            Deliverables and Work Product:

(i)      Upon full payment of all Fees due, Client shall own all deliverables created specifically and exclusively for Client under this Contract, including:

·       Campaign strategies and marketing plans developed specifically for Client;

·       Custom reports, analyses, and insights specific to Client’s campaigns;

·       Lists of qualified leads generated through the Services.

(ii)     Provider retains ownership of any deliverables that incorporate Provider IP, but grants Client a perpetual, non-exclusive, worldwide, royalty-free license to use such deliverables for Client's internal business purposes.

e)            License Grants:

            (i)      Client grants Provider a non-exclusive license to use              Client Materials solely to perform the Services during the Contract term.

             (ii)     Provider grants Client a non-exclusive license to use any Provider IP embedded              in deliverables for Client's internal business purposes, subject to full payment of Fees.

f)             Aggregated and Anonymised Data:

              (i)      Provider may collect, use, and retain aggregated,               anonymised, andde-identified data derived from provision of Services for:

·       Benchmarking and industry research;

·       Service improvement and development;

·       Internal analytics and reporting;

provided that such data does not identify Client, Client's customers, or any individuals, and cannot be reverse engineered to identify them.

g)            Infringement Indemnity: Provider shall indemnify and hold harmless Client from any claims that Provider IP infringes third-party intellectualproperty rights, provided Client:

(i)      Promptly notifies Provider of any such claim;

(ii)     Gives Provider sole control of the defence and settlement;

(iii)     Provides reasonable cooperation in the defence.

h)            Enforcement: Provider reserves the right to take such action as may beappropriate to restrain or prevent infringement of Provider IP by thirdparties.

‍

11. Liability and Indemnity

11.1 Limitation of Indirect Damages. Neither Partyshall be liable to the other by reason of any representation, implied warranty,condition or other term, or any duty at common law or under this Contract, forany loss of profit, loss of revenue, loss of business opportunity, or anyindirect, special, punitive, or consequential loss, damage, costs, expenses orother claims (whether caused by that Party's employees, agents or otherwise) inconnection with the provision or use of the Services or the performance ofobligations under this Contract.

11.2 Nothing in the Contract shall limit or exclude either Party’s liability under or in relation to the Contract for any form ofl iability which cannot be limited or excluded by law (without prejudice to the generality of sub-Clause 11.1) including, but not limited to:

a)            death or personal injury caused by negligence;

b)            fraud or fraudulent misrepresentation;

c)            for the wilful misconduct of either that Party or that of its employees or agents

11.3 Mutual Liability Cap.

a)            Subject to Clause 11.2 (liabilities which cannot be limited or excluded by law), the total aggregate liability of either Party to the other under or in relation to the Contract for any and all relatedor unrelated acts or omissions, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be limited to three(3) times the total Fees paid or payable under the Contract in the 12 months preceding the event giving rise to liability.

b)            The limitations in this Clause 11.3 shall not apply to:

(i)       Personal data breaches resulting from Provider's failure to implement security measures required under Schedule 1;

(ii)      Either Party's violation of Data Protection Legislation due to its own acts or omissions;

(iii)     Either Party's breach of Clause 8 (Confidentiality) or Clause 10.12 (Intellectual PropertyRights);

(iv)     Provider's breach of Clause 3.6 causing regulatory fines or penalties to Client;

(v)      Client's failure to pay Fees due under Clause 7;

(vi)     Fraud, wilful misconduct, or gross negligence by either Party.

c)            For clarity, the cap in subsection (a) appliesper Party - each Party has its own separate liability cap.

11.4 Insurance.

a)            Provider shall maintain throughout theContract term and for 12 months thereafter:

(i)       Public and Product Liability Insurance with coverage of £2,000,000;

(ii)      Cyber Liability Insurance with coverage of £250,000;

(iii)     Employer's Liability with coverage of £10,000,000.

b)            All insurance policies shall be with reputable insurers authorised to conduct business in the United Kingdom.

c)            Provider shall provide Client with certificates of insurance upon request (no more than annually) and shall notify Client within 20 Business Days of any material changes, cancellations, ornon-renewal of required insurance coverage.

d)            Maintenance of insurance does not limit Provider's liability under this Contract.

12. Force Majeure

12.1.        Neither party shall be liable for any failure or delay in performing their obligations where such failure or delay results from any cause that is beyond the reasonable control of that party. Such causes include, but are not limited to: power failure, Internet Service Provider failure, industrial action, civil unrest, fire, flood, storms, earthquakes, acts of terrorism, acts of war, governmental action, pandemics, epidemics, government-mandated lockdowns, public health emergencies, and cyber-attacks on critical infrastructure or public utilities not caused by either Party's security failures or breach of this Contract or any other event that is beyond the control of the Party in question.

12.2.        The affected Party shall: (a) Notify the other Party in writing within 48 hours of the Force Majeure event occurring; (b) Use commercially reasonable efforts to mitigate the impact and resume performance as soon as reasonably practicable; (c) Provide regular updates (at least weekly) on the status and expected duration of the Force Majeure event.

12.3.        If a Force Majeure event continues for more than 60 consecutive days, either Party may terminate this Contract without penalty upon 14 days' written notice to the other Party. Upon such termination, Client shall pay Provider for all Services satisfactorily performed up to the termination date.

13. Communications

13.1 All notices under these T&Cs shall be in writing and signed by, or on behalf of, the party giving notice (or a duly authorised officer of that party).

13.2 Notices shall be deemed to have been duly given:

a)            when delivered by courier, other messenger, or registered mail during the normal business hours of the recipient;

b)            when sent, if transmitted by fax or email and a successful transmission report or return receipt is generated;

c)            on the fifth business day following mailing, if mailed by national ordinary mail; or

d)            on the tenth business day following mailing, if mailed by airmail.

13.3 All notices underthese T&Cs shall be addressed to the most recent address, email address or fax number notified to the other party.

14. No Waiver

14.1 No waiver by the Provider of any breach of these T&Cs by the Client shall be considered as a waiver of any subsequent breach of the same or any other provision.

14.2 No failure or delay on the part of either the Provider or the Client to exercise any right, power or privilege under these T&Cs shall operate as a waiver of, nor shallany single or partial exercise of any such right, power or privilege preclude any other or further exercise of any other right, power, or privilege.

15. Severance

In the event that oneor more of these T&Cs is found to be unlawful, invalid, or otherwise unenforceable, that / those provisions shall be deemed severed from the remainder of these standard terms and conditions (which shall remain valid and enforceable).

16. Law and Jurisdiction

16.1 These T&Cs (including any non-contractual matters and obligations arising there from or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.

16.2 Any dispute, controversy, proceedings or claim between the Provider and the Client relating to these T&Cs (including any non-contractual matters and obligation sarising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales without prejudice to the right of eitherParty to bring proceedings in any other court of competent jurisdiction forenforcement purposes.

17. Anti-Bribery andModern Slavery

17.1.        Each Party shall:

a)            Comply with all applicable anti-bribery and anti-corruption laws,including the Bribery Act 2010 (United Kingdom), Foreign Corrupt Practices Act(United States), and equivalent laws in all jurisdictions where Services areperformed;

b)            Comply with the Modern Slavery Act 2015 and maintain policies andprocedures designed to prevent modern slavery and human trafficking in itsoperations and supply chain;

c)            Not engage in any activity, practice, or conduct that would constitutean offense under the above laws if carried out in the United Kingdom;

d)            Maintain adequate procedures to prevent bribery and modern slavery andprovide evidence of such procedures upon reasonable request;

e)            Promptly report to the other Party any request or demand for any unduefinancial or other advantage of any kind received in connection with theperformance of this Contract.

17.2.        Each Party shall notify the other immediately upon becoming aware of anybreach or suspected breach of this Clause 17.

17.3.        Breach of this Clause 17 shall constitute a material breach permittingthe non-breaching Party to terminate this Contract immediately without penaltyupon written notice.

17.4.        Each Party shall indemnify the other against any losses, liabilities,damages, costs, or expenses incurred by the other Party arising from any breachof this Clause 17.

18. Non-Solicitation

18.1.        During the term of this Contract and for 12 months following its termination or expiry, neither Party shall, without the prior written consent of the other Party:

a)            Directly or indirectly solicit, entice, or induce any employee, contractor, or consultant of the other Party who has been materially involvedin the provision or receipt of Services under this Contract to leave their employment or engagement; or

b)            Directly or indirectly employ or engage any such person, whether as an employee, consultant, contractor, or otherwise.

18.2.        This Clause 18 shall not prevent:

a)            General advertising or recruitment campaigns not specifically targetedat the other Party's personnel;

b)            Unsolicited approaches by individuals responding to general advertisements;

c)            Hiring individuals whose employment or engagement with the other Party ended more than 6 months prior to commencement of discussions regarding employment;

d)            Engaging individuals made redundant or whose roles were eliminated by the other Party.

18.3.        As a genuine pre-estimate of liquidated damages (and not a penalty), if either Party breaches Clause 18.1, the breaching Party shall pay the other Party an amount equal to 6 months' salary (or equivalent fees forcontractors/consultants) of the affected individual, calculated at the rate ineffect immediately prior to their departure.

18.4.        The remedy in Clause 18.3 shall be without prejudice to any other rightsor remedies available to the non-breaching Party, including injunctive relief.

‍

‍

SCHEDULE 1

This Schedule 1 setsout a description of the technical and organisational measures implemented by ProspectBase Ireland Ltd in accordance with the Applicable Laws.  ProspectBase Ireland Ltd takes information security and data protection seriously and these measures are designed tosafeguard personal data during its processing. These measures ensure the security, confidentiality, integrity, availability and resilience of systems and services involved in the processing of Personal Data.

1.            Data Retention: (a) Personal data shall be retained only for the duration necessary to provide Services to Clients or as required by applicable law. (b) Retention periods: (i) Active client campaign data: Duration of Contract plus 30 days for final reporting; (ii) Provider Database contacts: Ongoing while lawful basis exists, reviewed at least annually; (iii) Contractual and financial records: 6 years from end of Contract (7 for UK legalcompliance); (iv) Marketing consent records: Duration of consent plus 3 years;(v) Data subject rights request records: 3 years from resolution. (c) Upon Contract termination or upon Client's written request, personal data processedon behalf of Client shall be securely deleted or returned within 30 days,unless retention is required by law. (d) Deletion methods shall comply with NIST SP 800-88 Guidelines for Media Sanitization or equivalent standards (secure overwriting, cryptographic erasure, or physical destruction). (e) Provider shall provide written certification of deletion upon Client's request. (f) Decommissioning procedures: All storage media containing personal datashall be securely sanitized before reuse or physically destroyed when retiredfrom service.

2.            Data Security Measures: (a) Encryption and Pseudonymisation: (i) Data at rest: AES-256 encryption or equivalent; (ii) Data in transit: TLS 1.3 or higher for allnetwork communications; (iii) Pseudonymisation techniques applied wheretechnically feasible and appropriate; (iv) Encryption key management: Keys stored separately from encrypted data with restricted access. (b) Access Controls: (i) Multi-factor authentication (MFA) required for all access to systems containing personal data; (ii) Role-based access control (RBAC) limiting access to personal data based on job function and need-to-know principle; (iii) Unique user credentials for all personnel - no shared user accounts; (iv) Regular access reviews (at least quarterly) to remove unnecessary permissions;(v) Automated account lockout after 5 failed login attempts; (vi) Immediate revocation of access upon termination of employment. (c) System Security: (i) Security patches and updates applied within 7 days of release (critical patcheswithin 3 days); (ii) Endpoint protection (anti-malware, EDR) deployed on alldevices accessing personal data; s;  (v) Automated alerting for suspiciousactivities or security events.

3.            Data Subject Rights:

a.            Provide mechanisms for data subjects to exercise their rights, including the right to access, rectification, erasure, and restriction of processing.

b.            Designate an individual (or team) responsible for overseeing compliance with data subject rights and GDPR requirements.

4.            Contractual Obligations: Ensure that contracts with clients and third-party vendors include GDPR-compliant clauses regarding data processing, security, andconfidentiality.

5.            Data Transfer Safeguards: Implement appropriate safeguards for international data transfers, suchas Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), when transferring personal data outside the UK or the EEA.

6.            Staff Training: (a) All employees, contractors, and personnel with access to personal data shall complete mandatory data protection and information securitytraining: (i) Upon commencement of employment or engagement (within first 30days); (ii) Annually thereafter as refresher training; (iii) Upon significantchanges to Data Protection Legislation or Company policies. (b) Training shall cover: (i) Data protection principles and UK GDPR/CCPA requirements; (ii) Company's data protection policies and procedures; (iii) Information securitybest practices; (iv) Acceptable IT usage policies; (v) Recognizing andreporting security incidents and data breaches; (vi) Handling data subjectrights requests; (vii) Social engineering and phishing awareness. (c) Trainingcompletion records shall be maintained for audit purposes for minimum 3 years.(d) Specialized training for personnel in data protection, security, orhigh-risk roles shall be provided as appropriate.

7.            Third Party Vendor Management. (a) All sub-processors, service providers, andvendors with access to personal data must meet security standards equivalent tothose set out in this Schedule 1. (b) Vendor due diligence shall be conductedprior to engagement, including: (i) Security questionnaire or assessment; (ii)Review of relevant certifications (ISO 27001, SOC 2, etc.); (iii) Contractualdata protection obligations. (c) All vendors with access to personal data shallbe subject to written agreements requiring: (i) Compliance with Data ProtectionLegislation; (ii) Implementation of appropriate technical and organisationalmeasures; (iii) Assistance with data subject rights requests; (iv) Notificationof data breaches; (v) Deletion or return of data upon contract termination. (d)Vendor security performance shall be reviewed at least annually or upon anysecurity incident.

‍

‍

SCHEDULE 2

This Schedule 2 describes the scope and nature of personal data processing carried out by the Service Provider in connection with its Services under the Contract. It also identifies the applicable Standard Contractual Clauses (SCCs), specifically Modules ONE and FOUR, depending on the type of transfer. The Service Provider acts as a Data Controller for its proprietary Provider Database (as defined inClause 3) and as a Data Processor when processing personal data strictly in accordance with Client instructions. For clarity, the Provider determines the technical and organisational means for service delivery, while the Client defines the purposes and essential parameters of processing.

1.            Scope and Data Sources: Only necessary personal data (Business Contact Data) shall be processed for providing the Services to the Client. Data is obtained from the following sources: (a) Public business registries (e.g., Companies House, EDGAR, similar governmental registries); (b) Company websites and publicly accessible business information pages; (c) Professional networking platforms where users have made their profiles publicly available (e.g., LinkedIn public profiles); (d) Business directories, trade publications, and industry databases; (e) Publicly available business contact information published bycompanies or individuals; (f) Reputable third-party data providers that operatelawfully under Data Protection Legislation and warrant appropriate legal bases for collection and sale of business contact information; (g) Client-provided data (where Client has obtained appropriate legal basis and warrants lawful transfer to Provider). Provider warrants that: (i) All data sources comply with applicable data protection laws; (ii) Appropriate legal basis exists for collection, storage, and processing of all data in the Provider Database; (iii) Data is verified for accuracy and updated regularly; (iv) Individuals whosedata is processed have not opted out of Provider's database or requested deletion (subject to ongoing monitoring).

2.            Nature: “Processing”means collecting, recording, organising, structuring, storing, adapting oraltering, retrieving, consulting, using, disclosing by transmission, disseminating, aligning or combining, restricting, erasing or destroying. The technical and organisational measures in Schedule 1 ensure processing is compliant.

3.            Purpose of Processing: Personal data is processed for the following purposes: (a) Provider as Data Controller (“Provider Database”): To maintain a database of business contact information for the purpose of providing B2B demand generation and marketing services to clients. Legal basis: Legitimate interests (Article6(1) (f) UK GDPR) - facilitating B2B marketing and business development. (b) Provider as Data Processor (Service Delivery): To provide Services as detailed in a Contract between the Service Provider and Client, which may include one or more of the following: (i) Content Syndication; (ii) ABM (Account-Based Marketing) Display; (iii) Email Marketing; (iv) Tele-Marketing; (v) Cost-per-click (CPC) or Cost-per-impression (CPM) campaigns; (vi) DataConcierge Services (building, data hygiene, enhancement, rectification,verification, etc.); (vii) Brand Promotion; (viii) Intent Solutions; (ix) Other B2B demand generation and lead generation services as agreed. Legal basis: Performance of contract between Provider and Client (Article 6(1)(b) UK GDPR)and Provider processing under Client's lawful instructions. (c) Provider as Data Controller (Lead Transfer to Client): To transfer qualified leads (individuals who have opted in to receive Client's marketing materials andcommunications) to Client as a controller-to-controller transfer. Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) – facilitating business-to-business connections and Client's legitimate interest in receiving qualified leads. Provider conducts Legitimate Interests Assessments (LIAs) balancing business purposes against data subjects' rights and freedoms,ensuring: (i) Data subjects are business contacts acting in professional capacity; (ii) Processing is reasonably expected within B2B marketing context;(iii) Opt-in consent obtained from leads before transfer to Client; (iv) Data subjects' rights are respected (opt-out, access, deletion).

4.            Duration: Ongoing for aslong as the Services are provided to the Client; and, beyond such provision ofservices or termination of Contract where legally required (to comply withlocal laws).

5.            Types and Categories of Personal Data: (a) Types of Personal Data Processed: (i) First Name, Surname; (ii) Job Title, Job Function, Job Role, Department; (iii) Business Email Address; (iv) Company/Employer Name; (v) Company Phone Number,Direct Dial Number, Mobile Number; (vi) Business Address; (vii) IP Address (fortracking campaign engagement); (viii) Social Media Handles (e.g., publicLinkedIn profile URLs); (ix) Cookie Identifiers and similar tracking technologies (where applicable for campaign tracking and engagement measurement). (b) Firmographic and Technographic Information (Non-Personal Data): Industry, Company Size, Revenue, Region, Country, HQ Location,Technology Stack, etc. (c) Categories of Personal Data: Non-Sensitive PersonalData and Personally Identifiable Information (PII) as detailed in subsections(a) and (b), collectively forming Business Contact Data of employees anddirectors of businesses. (d) Cookie and Tracking Technologies: Where Services involve use of cookies, pixels, or similar tracking technologies: (i) Provider shall implement cookie consent mechanisms compliant with PECR (UK), ePrivacy Directive, and applicable state privacy laws (e.g., CCPA); (ii) Strictly necessary cookies may be placed without consent; (iii) Non-essential cookies(analytics, marketing, targeting) shall only be placed with prior opt-inconsent from data subjects; (iv) Provider shall maintain records of consent foraudit purposes; (v) Provider's cookie policy is available at https://www.prospectbase.com/legal/cookies-policy and complies with applicable transparency requirements;  (vi) Data subjects may withdraw consent and request deletion of cookies at any time.

6.            Legal Basis for Processing Under UK GDPR: (a) Controller-to-Controller Transfers (Provider Database to Client Leads): Article 6(1)(f) - Legitimate Interests: (i) Provider's legitimate interest: Operating B2B demand generation business and providing qualified leads to business clients; (ii) Client's legitimate interest: Receiving qualified business leads for sales and marketing purposes;(iii) Balancing test: Processing is limited to business contacts acting in professional capacity; data subjects reasonably expect B2B marketing in this context; opt-in obtained before transfer; minimal privacy impact; appropriate safeguards in place (opt-out, transparency). (b) Controller-to-ProcessorTransfers (Client to Provider): Article 6(1)(b) - Performance of Contract: Processing necessary for Provider to perform Services under Contract with Client, and for Client to execute lawful instructions to Provider. (c) Provider's Processing of Provider Database: Article 6(1)(f) - Legitimate Interests: Provider's legitimate interest in maintaining accurate, up-to-date database of business contact information to facilitate provision of B2B marketing and demand generation services to clients. (d) Legitimate Interests Assessments: Provider conducts and maintains Legitimate Interests Assessments (LIAs) for all controller activities, documenting: (i) Purpose and nature of processing; (ii)Legitimate interests pursued; (iii) Necessity and proportionality of processing; (iv) Balancing test considering data subjects' rights, freedoms, and reasonable expectations; (v) Safeguards to protect data subjects; (vi) Conclusion that legitimate interests are not overridden by data subjects' interests. (e) Additional Legal Bases (as applicable): Article 6(1)(a) -Consent: Where data subjects have provided specific, informed, freely given consent (e.g., opt-in to receive Client's marketing materials). Article 6(1)(c) - Legal Obligation: Where processing is necessary to comply with legal obligations(e.g., tax, accounting, regulatory requirements).

7.            DataSubject Rights Procedures:(a) Provider facilitates exercise of data subject rights under Data Protection Legislation, including: (i) Right of access (Article 15); (ii) Right to rectification (Article 16); (iii) Right to erasure / "right to beforgotten" (Article 17); (iv) Right to restriction of processing (Article18); (v) Right to data portability (Article 20); (vi) Right to object (Article21); (vii) Rights related to automated decision-making (Article 22); (viii)CCPA/CPRA rights (for California residents). (b) Data subjects may exerciserights by: (i) Emailing: privacy@prospectbase.com; (ii) Writing to: Privacy Team, ProspectBase IrelandLtd, 18 Church Street, Portlaoise, Co. Laois, R32 TP89, Ireland; (iii) Usingonline form at: https://www.prospectbase.com/ccpa (for California residents), (iv) Opting outvia unsubscribe links in marketing communications. (c) Response Timeframes:Provider shall respond to data subject rights requests within: (i) 1 month ofreceipt (EU GDPR/UK GDPR), extendable by 2 months for complex requests withexplanation to data subject; (ii) 45 days of receipt (CCPA/CPRA), extendableonce by 45 days with notice to consumer; (iii) As otherwise required by applicable Data Protection Legislation. (d) Verification: Provider may requestadditional information to verify identity of data subject making request, usingreasonable means proportionate to risk. (e) Requests Relating to ClientCampaigns: (i) For data processed on Client's instructions (processor role),Provider shall forward data subject requests to Client within 2 Business Days;(ii) Provider shall assist Client in responding to such requests within 5 Business Days of Client's request for assistance; (iii) Costs of assistance borne by Client unless request resulted from Provider's error or non-compliance. (f) Requests Relating to Provider Database: For data in Provider Database (controller role), Provider shall handle requests directlyand take appropriate action (provide access, correct, delete, restrict, etc.) within timeframes in subsection (c). (g) Fees: Provider does not charge fees for data subject rights requests unless requests are manifestly unfounded, excessive, or repetitive, in which case reasonable administrative fees mayapply as permitted by law. (h) Record-Keeping: Provider maintains records of all data subject rights requests and responses for minimum 3 years for audit and compliance purposes.

8.            Distinction Between Provider Controller and Processor Activities:

a.            Provider Controller Activities (Provider Database): Scope: Sourcing, verifying, enriching, maintaining, and storing business contact data in Provider Database. Activities: Acquiring business contact data from publicsources and third-party providers; Verifying data accuracy and enriching withadditional business information; Storing and securing Provider Database;D etermining retention periods for database records; Responding to data subjectrights requests regarding Provider Database; Deciding purposes for which Provider Database is used (B2B marketing services); Selecting sub-processorsand vendors for database management. Legal Basis: Legitimate interests (Article6(1)(f) EU GDPR/UK GDPR) - Provider's legitimate interest in operating B2B demand generation business. Data Subject Information: Provider provides transparency through privacy policy at https://www.prospectbase.com/legal/privacy-policy explaining collection, use, legal bases, and data subject rights. Written enquiries may be directed to: 18 Church Street,Portlaoise, Co. Laois, R32 TP89, Ireland.

b.            Provider Processor Activities (Service Delivery Under Client Instructions): Scope: Executing marketing campaigns to contacts selected basedon Client's targeting criteria and instructions. Activities: Querying Provide rDatabase using Client's specified targeting criteria (job titles, industries, company sizes, geographic locations, etc.); Executing marketing campaigns(email, telemarketing, content syndication, etc.) to selected contacts usingClient's messaging and content; Tracking campaign engagement, responses, andresults; Processing opt-outs and unsubscribe requests from campaign recipients;Collecting opt-ins from engaged contacts who consent to receive Client'sfollow-up communications; Reporting campaign results and qualified leads to Client; Following Client's instructions regarding communication channels,frequency, messaging, and audience scope. Legal Basis: Performance of contractwith Client (Article 6(1)(b) EU GDPR/UK GDPR) - Provider processes data underClient's lawful instructions. Client's Role: Client determines purposes andessential means of processing (campaign objectives, target audience, messaging,channels). Provider implements Client's instructions using Provider's tools and expertise.

c.            Provider Controller Activities (Lead Transfer to Client): Scope:Transferring qualified leads (contacts who opted in to receive Client'smaterials) from Provider to Client as controller-to-controller transfer. Activities:Obtaining opt-in consent from engaged contacts for their data to be shared with Client; Transferring lead personal data to Client; Providing transparency toleads about data sharing with Client. Legal Basis: Legitimate interests(Article 6(1)(f) EU GDPR/UK GDPR) and consent (Article 6(1)(a)) - Provider and Client's legitimate interest in B2B lead generation; leads' consent to share data with Client.

d.            Data Subject Rights - Allocation of Responsibility: Requests regarding inclusion in Provider Database: → Provider handles as controller; Requests regarding specific Client campaigns: → Client handles as controller; Provider assists as processor; Requests regarding lead data transferred to Client: →Client handles as controller (Provider may assist)

‍

A.   LIST OF PARTIES

MODULE ONE: Transfercontroller to controller

MODULE TWO: Transfercontroller to processor

MODULE THREE: Transferprocessor to processor

MODULE FOUR: Transferprocessor to controller

Data exporter: TheService Provider

Primary Data PrivacyContact: Gareth Morris. Email Address: privacy@prospectbase.com

Data importer: TheClient

Primary Data PrivacyContact: the Client signatory on the Order Form or other Client representativeas provided to the Service Provider as the main point of contact for DataPrivacy and Data Protection matters.

‍

B.   DESCRIPTION OF TRANSFER

MODULE ONE: Transfer controller to controller[Applicable whenProvider transfers qualified leads to Client]

MODULE TWO: Transfer controller to processor [Applicable when Clientprovides data to Provider for processing]

MODULE FOUR: Transfer processor to controller[Applicable whenProvider transfers campaign results/leads to Client]

Categories of data subjects whose personaldata is transferred: Employees, directors, officers, and other businessrepresentatives of B2B companies acting in their professional capacity,primarily in industries such as technology, professional services, finance,healthcare, manufacturing, and other sectors as specified by Client. Categories/Typesof personal data transferred: As detailed in Schedule 2, Clause 5(a): Name, jobtitle, business email, business phone numbers, employer, business address,LinkedIn profile, IP address, cookie identifiers (where applicable). Sensitivedata (if applicable): No special category data (sensitive personal data asdefined in Article 9 UK GDPR) is intentionally collected or transferred. If anysensitive data is inadvertently discovered, it shall be immediately deleted andnot processed. Frequency of the transfer: Continuous basis throughout the termof the Contract and as campaigns are executed. Nature of the processing: Ascovered in Schedule 2, Clause 2: Collection, recording, organization,structuring, storage, adaptation, retrieval, consultation, use, disclosure bytransmission, dissemination, alignment, restriction, erasure, and destructionof personal data in connection with provision of B2B demand generationservices.

Purpose(s) of the data transfer and furtherprocessing: As covered in Schedule 2, Clause 3:

·       Provider processes data to execute marketing campaigns per Clientinstructions;

·       Provider transfers qualified leads to Client for Client's sales andmarketing follow-up;

·       Client processes leads for business development, sales, and ongoingcustomer relationship management.

Period for which the personal data will beretained: As covered in Schedule 2, Clause 4 and Schedule 1, Clause 3:

·       Lead data transferred to Client: Retained by Client per Client'sretention policies;

·       Provider Database: Ongoing while lawful basis exists, subject to datasubject rights;

·       Legal/compliance records: As required by applicable law (minimum 6 yearsfor financial records).

For transfers to (sub-)processors (ifapplicable): The subject matter, nature, and duration of processing bysub-processors shall be the same as for transfers from the Data Processor(Provider) to the Data Controller (Client), limited to activities necessary tosupport Provider's delivery of Services (e.g., email platform providers,telemarketing service providers, data hosting providers).

‍

C.   COMPETENT SUPERVISORY AUTHORITY

MODULE ONE: Transfercontroller to controller

MODULE TWO: Transfercontroller to processor

MODULE FOUR: Transferprocessor to controller

The Data Protection Commission of Ireland ("DPC") shall be thelead supervisory authority for processing activities carried out by theProvider as an entity established in Ireland, pursuant to Article 56 EU GDPR.

Where processing relates to data subjects located in the United Kingdom,the Information Commissioner's Office ("ICO") shall act as thecompetent supervisory authority for those processing activities, pursuant to UKGDPR.

Nothing in this clause prevents a data subject from lodging a complaintwith the supervisory authority of their Member State of habitual residencepursuant to Article 77 EU GDPR.

‍

‍

‍