Buildbase Product Agreement

PARTIES:

1. STROUWI BV, a company organised and existing under the laws of Belgium, having its

registered office at Sint-Pietersstraat 219, 3300 Vissenaken, registered with the Crossroads

Bank of Enterprises under company number 0735.370.955, represented by Wim Strouven –

Bestuurder Strouwi BV.

hereinafter referred to as “STROUWI” or the "Provider"; and

2. [Customer company name], a company organised and existing under the laws of Belgium,

having its registered office at [Address], registered with the Crossroads Bank of Enterprises

under company number [Company number], represented by [Customer name –

Customer job title].

hereinafter referred to as the “Customer”.

WHEREAS:

(A) STROUWI has extensive experience in the design, development and operation of software

and the thereto related services and, in this respect, the provision of subscriptions to the

Software as a Service (“SaaS”) product “Buildbase” or the “Product”.

(B) STROUWI is willing to provide a right to use the “Buildbase” application, adapt it to the

Customer’s specific needs and offer related services, such as, for example, set up, support,

hosting and maintenance services, under the terms and conditions agreed below.

related services supplied by STROUWI, under the terms and conditions agreed below (the

“Agreement”).

1. Agreement & scope

1.1 This Agreement contains the general contractual framework for the Services that may be

provided by STROUWI to the Customer with regard to the Product, consisting of:

- The grant of a right to use the Product (subscription);

- Setup Services; and

- Maintenance and Support Services.

1.2 If the Customer wishes to have Custom Implementation Services or PREMIUM Support

Services performed by STROUWI, a separate Custom Implementation Services Agreement

(Attachment 2) and/or PREMIUM Support Services Agreement (Attachment 3) will be signed.

2. Setup of the Product and Hosting Services

2.1 STROUWI shall use all reasonable endeavours to ensure that the Setup Services are provided

in accordance with the timetable set out in Attachment 1.

2.2 The Customer acknowledges that a delay in the Customer performing its obligations under the

Agreement may result in a delay in the performance of the Setup Services and STROUWI will

not be liable to the Customer in respect of any failure to meet the timetable to the extent that

failure arises out of a delay in the Customer performing any of its obligations which is in breach

of this Agreement.

2.3 The Customer acknowledges and agrees that STROUWI will set up, monitor and maintain the

infrastructure using third party services (the Hosting Services), such as, for example, Amazon

Web Services or Microsoft Azure, on behalf of the Customer in accordance with Attachment 4.

3. Subscription

3.1 Right to use

STROUWI grants to the Customer a non-exclusive and non-transferable right to use the

Product as described in Attachment 1, in accordance with the provisions of this Agreement and

for the Customer's own internal purposes and business operations exclusively during the Term

of this Agreement.

3.2 Customer restrictions

The Customer may not:

• copy, translate, modify, adapt, decompile, disassemble, reverse engineer the

Product in whole or in part, except as and to the extent specifically authorized

by applicable law;

• create derivative works on the basis of the Product, modify the design of the

databases that underlie the Product or perform Updates using update queries

not supplied by STROUWI;

• transfer the Product as a whole or in parts to the IT-environment of third

parties without the consent in writing of STROUWI;

• at any time deposit as security, assign, sub-license, sublease, sub-host, sell

or give away control of any portion of the Product, without STROUWI’s written

consent.

3.3 Title and ownership

Nothing in this Agreement will create the transfer of title or Intellectual Property Rights to the

Product, Documentation and related assets by STROUWI to the Customer.

3.4 Protection & modifications

STROUWI is authorized to take technical measures to protect the Product against unauthorized

use and/or copying.

STROUWI is authorized to replace or modify the source code of the Product in order to adjust

it to the evolution of the Product.

3.5 Open source software

The Customer acknowledges and agrees that the Product contains elements of open source

software subject to the thereto applied open source licenses as listed in Attachment 6.

4. Support and Maintenance

4.1 Maintenance Services

STROUWI shall provide the Maintenance Services to the Customer during the Term.

STROUWI shall provide the Maintenance Services with reasonable skill and care and in

accordance with the provisions of this clause.

STROUWI shall where practicable give to the Customer at least 10 working days prior written

notice of Maintenance Services that are likely to affect the availability of the Product or are

likely to have a material negative impact on the Product.

4.1.1 Updates

STROUWI shall give to the Customer written notice of any security Update to the Product and

at least 10 working days prior written notice of any non-security Update to the Product.

STROUWI shall apply Updates to the Product as follows:

(a) third party security Updates shall be applied to the Product following release by the

relevant third party, providing that STROUWI may -acting reasonably- decide not to

apply any particular third party security Update;

(b) STROUWI's security Updates shall be applied to the Product following the identification

of the relevant security risk and the completion of the testing of the relevant Update;

and

by STROUWI to the Customer or agreed by the parties from time to time.

4.1.2 Upgrades

STROUWI shall produce Upgrades at its sole discretion.

STROUWI shall give to the Customer prior written notice of the application of an Upgrade to

the Product as follows:

(a) at least 12 months for “Breaking” Upgrades that change the API interface of the

Product without being compatible with previous versions;

(b) at least 20 Business Days in line with the roadmap of STROUWI for all other Upgrades.

STROUWI shall apply each Upgrade to the Product within any period notified by STROUWI to

the Customer or as otherwise agreed by the parties in writing.

4.2 Support Services

STROUWI shall provide the Support Services to the Customer during the Term.

STROUWI shall provide the Support Services with reasonable skill and care on a best effort

basis.

Support Services will be 2nd line support. 1st line support will be provided by the Customer

team involved.

STROUWI shall respond promptly to all requests for Support Services made by the Customer

through the Service Desk (article 4.3), on Business Days and during Business Hours.

If so requested, STROUWI will provide Support Services in accordance with and subject to the

the provisions of the PREMIUM Support Services Agreement in Attachment 3.

4.3 Service Desk

Parties agree that all contacts in relation to the Product and this Agreement will be

communicated through the Service Desk.

5. Customer obligations

5.1 In order to respect the provision of Services under this Agreement, the Customer will:

• make sure that the System Requirements (both software and hardware requirements)

are met and tested before the Setup Services are initiated, including but not limited

to the systems the Product will integrate with, the authentication systems the Product

will use and the network components that allow integration between the Product and

the Customer IT-environment, if so required;

• grant its co-operation to the Setup Services and Custom Implementation Services by

providing all useful and requested data, timely approvals or information to STROUWI;

• take full responsibility for keeping third party hardware and software versions under

the control of the Customer, aligned to the minimum System Requirements;

• cooperate fully with STROUWI in diagnosing Incidents, notifying Incidents to

STROUWI as it/they arise(s) and if possible supplying STROUWI with a reasonably

documented, reproducible example of such Incident through the Service Desk.

5.2 If any data or other input required under the terms of this Agreement from the Customer for

the Setup Services, for the provision of Custom Implementation or Support Services on the

Product, is not available to STROUWI or not available in good time or if the Customer does

not fulfil its obligations in a material way that directly impacts STROUWI’s ability to provide

the Services, STROUWI will be entitled to suspend the execution of Services.

6. Excluded matters

6.1 STROUWI will have no obligation to provide Services for:

• a Product that has been modified, repaired altered or merged with unauthorized

software by the Customer or third parties;

• use of the Product other than in accordance with the Documentation and/or for a

purpose for which it was not designed;

• Customer’s failure to implement STROUWI’s reasonable instructions in respect of

solutions to Bugs previously advised by STROUWI.

6.2 Any service which is provided by STROUWI as a result of any of the foregoing will be

considered as additional Services and charged on a time & materials basis in accordance with

the usual rates of STROUWI or subject to the signing of a separate agreement.

7. Fees

7.1 The Fees for the Product and Services provided under this Agreement are listed in Attachment

1 and fall due on the agreed Payment Milestones. Fees related to the hosting and managed

infrastructure (Attachment 4) and Fees for Custom Implementation (Attachment 2) or

PREMIUM Support Services (Attachment 3) are separately charged in accordance with the

provisions of the concerning Attachment.

7.2 STROUWI will not charge any additional fees for Software Updates, supplied by STROUWI for

the Product during the Term. The cost for the use of such Software Updates is included in the

Fees.

8. Payment terms & taxes

8.1 The Customer agrees to pay all valid invoices issued by STROUWI at the Payment Milestones

mentioned in the relevant Attachment to this Agreement.

Except if explicitly agreed otherwise in such Attachment, STROUWI’s invoices must be paid

by the Customer within thirty (30) calendar days, starting on the invoice date to the account

number as mentioned on the relevant invoice.

8.2 In case of any overdue payment, the relating invoice will, without prior notice of default, bear

interest at the (applicable) statutory interest rate for late payment within the meaning of

Article 1 of Directive 2011/7/EU of 16 February 2011 on combating late payment in

commercial transactions (as amended from time to time) as implemented in applicable

national law, as of the date on which the invoice was due.

In addition, in case of any overdue payment:

- STROUWI can refuse to deliver any Services until the amount owed has been paid in full,

including any interest due thereon;

- STROUWI can pursue any other remedies available under applicable law.

8.3 Unless explicitly agreed otherwise, all amounts are net of taxes. All taxes which are or may

be levied in the future by a government authority in respect of the Services provided by

STROUWI under this Agreement, will be borne by the Customer.

9. Limited warranty

9.1 STROUWI warrants that the Product conforms in all material respects to STROUWI’s published

Documentation in effect on the Signature Date.

9.2 STROUWI provides no other warranty, whether express or implied, in relation to the Product,

except for the mandatory legally provided warranties. In particular, STROUWI provides no

warranties of any kind in relation to:

• the merchantability and/or fitness of the Product for a particular purpose;

• the compatibility of the Product with the software and/or the hardware of third

parties;

• the expectation of the Customer that the Product will satisfy or may be

customized to satisfy all or any of Customer’s specific requirements, except if

explicitly agreed otherwise in writing;

• the uninterrupted or error-free use of the Product by the Customer, regardless

of whether such warranty would otherwise be imposed by contract, statute,

course of dealing, custom and usage, or otherwise.

9.3 If STROUWI supplies or assists in supplying to the Customer any hardware or non-STROUWI

software during or after Setup Services, the Customer acknowledges that any warranty is

provided solely by the relevant third party vendor, and not by STROUWI in whatever way.

Hence, the Customer will address any warranty or other claim directly to the relevant third

party.

10. Term and Termination

10.1 The Agreement will commence on the Signature Date and will remain in force and effect for

an initial period as agreed upon in the Attachment 1 (the “Term”). Subsequently, the

Agreement will be automatically renewed for renewal periods of 1 (one) year, unless the

Agreement is terminated by either Party providing written notice thereof at the latest 3

(three) months before the end of the then current period.

10.2 Despite the above, the parties will be entitled, without prejudice to their other rights or

remedies, to terminate the Agreement at any time and with immediate effect by notice by

registered letter to the other party if (“Termination for cause”):

- said party is in breach of any of its obligations under the Agreement and either that

breach is incapable of remedy or the concerning party has failed to remedy that breach

within thirty (30) days after receiving written notice requiring it to do so; or

- a court order is made for the winding up of said party;

- an effective resolution is passed for the winding up of said party (other than for the

purposes of amalgamation or reconstruction);

- said party has a receiver, manager, administrative receiver or administrator appointed in

respect of it; or

- said party is unable to pay its debts as they fall due or its assets are worth less than its

liabilities on a balance sheet basis.

Such immediate termination of the Agreement will automatically cause the immediate

termination of any separate agreement in respect of Custom Implementation Services or

PREMIUM Support Services in place.

10.3 Upon early termination of the Agreement by either party due to the other party’s breach of

the Agreement, the party not in breachmay require the payment of damages by the party in

breach. In case of the Customer being in breach such damages will be proportionate to the

remaining Fees, without prejudice to any other indemnity exceeding this amount.

10.4 Upon expiry or termination of the Agreement:

- the Customer’s right to receive and use the Product and/or Services under the Agreement

will cease automatically;

- each party will immediately return to the other all property and materials belonging to

that party, including all Confidential Information;

- all amounts due from the Customer to STROUWI hereunder will be paid immediately.

10.5 Any termination of the Agreement will not affect any accrued rights or liabilities of either

party, nor will it affect the coming into force or the continuance in force of any provision of

this Agreement which is expressly, or by implication, intended to come into force or continue

in force on or after termination.

11. Relationship between the parties

11.1 The relationship between the parties is that of independent contractors. Nothing in the

Agreement will constitute, create or give effect to a joint venture, employer/employee

relationship, partnership or other co-operative entity between the parties.

12. Limitation of liability

12.1 Neither party will be liable to the other or any other party for any indirect or consequential

economic losses or damages, including, but not limited to, loss of profits, loss of revenue,

loss of data or loss of goodwill, howsoever arising out of or in connection with the performance

of Services under this Agreement.

12.2 To the full extent permitted by applicable law, STROUWI’s total liability for direct damages to

the Customer in respect of the Agreement will not exceed the amount of the Fees paid by the

Customer for the last six (6) months, but never exceeding a total amount of EUR 50.000

(Fifty Thousand Euros).

13. Intellectual Property Rights

13.1 All Intellectual Property Rights in either party’s materials, information or data provided by

that party to the other party under this Agreement will be and remain vested in that party.

The other party will have no rights in respect thereof save for any rights granted to it by that

party under this Agreement.

13.2 All Intellectual Property Rights in the Product and all signs and logos used in the Product will

be and remain vested in STROUWI at all times. The Customer will have no rights in respect

thereof save for any rights granted to it by STROUWI under this Agreement.

13.3 All Intellectual Property Rights created in the delivery of Services to the Customer will, as

between the parties, be the exclusive property of STROUWI.

13.4 The Customer acknowledges that STROUWI may make the result of any such Services

available to any of its other customers or any other third party, except for any code or

functionality that contains Confidential Information of the Customer as described in clause

15.

14. Indemnity for breach of third party rights

14.1 Without prejudice to clause 12, STROUWI will indemnify the Customer against any direct

damages which may be awarded against it by an enforceable court decision, as a result of

the Product being held to infringe an Intellectual Property Right of a third party, provided

that:

- the Customer shall notify STROUWI promptly by e-mail, upon learning that a claim might

be asserted;

- STROUWI has sole control over the defense of the claim and of any negotiations for its

settlement or compromise;

- the Customer takes no action that is contrary to STROUWI’s interests.

14.2 If a claim, as described in this clause, may be or has been asserted, the Customer will permit

STROUWI, at the latters option and expense, to:

- procure the right to continue using the Product;

- replace or modify the Product to eliminate the infringement while providing functionally

equivalent performance; or

- return the Product and refund to the Customer a pro rata share of Fees that the Customer

has actually paid for the period that the Product is/was not usable.

14.3 STROUWI will have no indemnity obligation whatsoever to the Customer under this clause if

the Intellectual Property Rights infringement claim results from:

- a correction or modification of the Product not provided by STROUWI;

- the failure to promptly respond to suggested Updates, which would resolve the

infringement;

- the use of the Product by the Customer in a manner not consistent with this Agreement,

the Documentation or the reasonable instructions of STROUWI; or

- the combination of the Product with other software not agreed upon by STROUWI.

15. Confidentiality

15.1 The parties acknowledge that they may become privy to Confidential Information which is

disclosed by the other party.

15.2 The Receiving Party will keep all Confidential Information confidential. The Receiving Party

will not disclose Confidential Information to any other person, and will not use Confidential

Information for any purposes other than for the purposes of the Agreement. The Receiving

Party will safeguard the Confidential Information to the same extent that it safeguards its

own confidential and proprietary information and in any event with not less than a reasonable

degree of protection.

15.3 The Receiving Party agrees to disclose Confidential Information only on a "need-to-know"

basis to employees and independent contractors.

15.4 The Receiving Party agrees that before any of its subcontractors and/or agents may be given

access to Confidential Information, each such subcontractor and/or agent will agree to be

bound by a confidentiality undertaking comparable to this Agreement. Notwithstanding the

return of any Confidential Information, the Receiving Party and its subcontractors and/or

agents will continue to hold in confidence all Confidential Information, which obligation will

survive any termination of the Agreement.

15.5 In the event the Receiving Party is requested or required to disclose, by court order or

regulatory decision, any of the other party’s Confidential Information, the Receiving Party will

provide the other party with prompt written notice so that the Disclosing Party may seek a

protective order or other appropriate remedy and/or waive compliance with the provisions of

this Agreement. The Receiving Party will furnish only that portion of the Confidential

Information which is legally required.

15.6 Within ten (10) business days upon (i) the termination of the Agreement or (ii) the Disclosing

Party’s reasonable earlier request at any time, the Receiving Party will destroy or return to

the Disclosing Party (at its option) any and all of Disclosing Party’s Confidential Information,

and will purge all copies and traces of the same from any storage location and/or media.

15.7 Confidential Information will not include any information that the Receiving Party can

establish:

• prior to receipt from the Disclosing Party, was in the possession of or rightfully

known by the Receiving Party without an obligation to maintain its

confidentiality;

• at the time of use or disclosure by the Disclosing Party was generally known

to the public without violation of this Agreement and not as a result of any

action or inaction of the Receiving Party;

• is disclosed to the Receiving Party by a third party not in violation of any

obligation of confidentiality; or

• is independently developed by the Receiving Party without the participation of

employees or other individuals who have had access to Confidential

Information of the Disclosing Party.

15.8 Any infringement by the Receiving Party of its confidentiality obligations will entitle the

Disclosing Party to claim payment of a EUR 25,000.00 (Twenty Five Thousand Euros) lump

sum, without prejudice to the Disclosing Party’s right to claim higher damages if the Disclosing

Party can prove the existence of such higher damages.

16. Data Protection

16.1 Each party shall, at all times, comply with its respective obligations under the General Data

Protection Regulation 2016/679, as amended, and any further implementation or

replacement of that law (“Data Protection Legislation”). The word "Process" and the

expression "Personal Data", when used in this clause shall have the meaning assigned thereto

in the Data Protection Legislation.

16.2 STROUWI shall process Personal Data provided to it pursuant to this Agreement and the Data

Protection Agreeement (Attachment 5) in accordance with the Data Protection Legislation.

17. Subcontracting and assignment

17.1 STROUWI will be entitled to use the services of subcontractors for the performance of any

Services under this Agreement. In such case, STROUWI will remain liable towards the

Customer for the performance of these Services.

17.2 Neither party will be entitled to assign any right or obligation under this Agreement without

the prior written consent of the other party, which will not be unreasonably withheld or

delayed.

18. Force majeure

18.1 If the performance of the Agreement by either party, or of any obligation thereunder (with

the exception of payment obligations), is prevented, restricted or interfered with by reason

of war, revolution, civil commotion, riot, fire, flood, disaster, acts of public enemies, blockade

or embargo, strikes, epidemic, any law, order, proclamation, regulation, ordinance, demand

or requirement having a legal effect of any government or any judicial authority or

representative of any such government, or any other act whatsoever, which is beyond the

reasonable control of the party affected, such party will, upon giving prior written notice to

the other party, be excused from such performance to the extent of such prevention,

restriction, or interference, provided that the party so affected will use its best efforts to avoid

or remove such causes of non-performances, and will continue performance thereunder with

the utmost dispatch whenever such causes are removed; provided, however, that the non-

excused party may terminate the Agreement if such non-performance continues uncured for

thirty (30) calendar days.

19. Miscellaneous

19.1 Compliance with laws and regulations

Both parties will, for their own accounts, comply with the laws and regulations of the public

authorities relating to this Agreement and pay all fees or other expenses in this respect.

19.2 Waiver

The failure of either party at any time to insist upon strict performance of any of the provisions

under this Agreement will not be deemed a waiver of its right at any time thereafter to insist

upon strict performance.

19.3 Notices

All notices, demands or consents required or permitted under this Agreement will be in

writing. Notice will be sent to the parties at the addresses set forth above, or at such other

address as will be given by either party to the other in writing.

19.4 Headings

Section headings used herein are for reference only and will not be used to construe the

provisions of this Agreement. The plural will be deemed to include the singular, and the

singular will be deemed to include the plural.

19.5 English language

All communications by STROUWI under this Agreement, will be in English.

19.6 Applicable law and jurisdiction

The Agreement will be governed by and construed under the laws of Belgium. Each party

submits to the exclusive jurisdiction of the competent courts of Antwerp, division Antwerp,

for the purposes of any dispute arising hereunder.

20. Definitions and interpretation

20.1 Definitions

For the purposes of this Agreement, the following terms will have the meanings specified or

referred to in this clause:

“1st line support” will mean a role in Incident management, where generally the staff involved has

less technical skills or has less experience with the Product than those of 2

line support. In reference

to this Agreement, the Customer team will perform Incident diagnosis and triage of the Tickets before

sending them to the Service Desk.

“2nd line support” will mean a role in Incident management, where generally the staff has greater

technical skills or has more experience with the product than those of first-Line. In reference to this

Agreement, the STROUWI team will perform Incident diagnosis and be responsible for resolution

after the Customer has triaged the tickets arriving at the Service Desk and resolving any issues

within their area of responsability.

“Agreement” will mean the framework agreement between the parties incorporating the

Attachments.

“Attachment” will mean any attachment to the Agreement, forming an integral part thereof, and

incorporating the terms and conditions of this Agreement.

“Bugs” will mean any mistake, problem, or malfunction which causes an incorrect or inadequate

functioning of the Product without such Incident being caused by third party interference or

dependencies.

“Business Day” will mean Monday through Friday, excluding Belgian public holidays.

“Business Hours” will mean 9:00 a.m. – 6:00 p.m. on a Business Day, CET.

"Confidential Information" will mean any and all information that is disclosed (orally, in writing,

by electronic delivery, or otherwise) by one party (“Disclosing Party”) to the other Party (“Receiving

Party”) prior to or during the term of the Agreement (or to which the Receiving Party otherwise gains

access as a result of the Agreement) relating to the business of the Disclosing Party, including without

limitation business plans and models, financial information, market research, Customer and supplier

information, proprietary software and methods, and information concerning proprietary inventions

and technologies. The Product, Documentation and this Agreement and its Attachments, including

the amount of fees to be paid hereunder, are agreed to be Confidential Information of STROUWI.

“Customer” will mean the party receiving the Product and Services as defined in the preamble of

this Agreement.

“Customer Data” will mean all data which is received, stored, or transmitted on or through the

Product, including personal data which will be processed in accordance with the provisions of the

Data Processing Agreement (Attachment 5).

“Custom Implementation Services” will mean the Services related to definition, engineering,

testing and deployment of custom components for the Product, configuration or help with

configuration, technical support during integration for third-party system integrators, training and

project management subject to the provisions of the Custom Implementation Services Agreement.

“Documentation” will mean any (a) publications relating to the use of the Product, such as

reference manuals, user guides, systems administrator and technical guides; or any (b) written

materials prepared by STROUWI describing the infrastructure setup, platform, software requirements

or any technical specifications relating to the functionality of the Product, installation specifications,

and other technical requirements specified for the operation of the Product, as made available by

STROUWI to the Customer.

“Fees” will mean all fees, related to the Product and the Services provided by STROUWI as agreed

upon in the Attachments to the Agreement.

“Hosting Services” will mean the managed infrastructure services provided in accordance with

clause 2.3 and Attachment 4.

“Incident” will mean that the operation of the Product deviates from the (expected) standard as

provided for in the Agreement and any related Documentation.

“Intellectual Property Rights” will mean all patent rights, trademarks, designs and models,

copyrights, softwarerights, rights in databases, proprietary rights in know-how, including trade

secrets and other confidential information, and any other form of legally protectable intellectual or

industrial property rights under any jurisdiction whatsoever.

“Maintenance Services” will mean the Services related to the maintenance of the Product under

this Agreement.

“Payment Milestone” will mean a specific moment or event as defined in the Attachments to the

Agreement, triggering payment date of certain Fees.

“Product” will mean the “Buildbase” application, consisting of (i) the managed infrastructure and

(ii) the software which will be made available by STROUWI to the Customer as a service via the

internet in accordance with this Agreement.

“Resolution” will mean the delivery of a deliverable that resolves a Bug in a testing environment.

“Services” will mean, amongst others, the configuration, setup, development, maintenance,

monitoring, hosting and support services supplied by STROUWI to the Customer with regard to the

Product.

“Service Desk” will mean the internal support organization of STROUWI that serves as a single

point of contact for all requests.

“Set Up services” will mean the Services related to the creation of the Customer within the Product,

set up of the Microsoft Azure hosting services in accordance with Attachment 4 and set up of the

required user roles and user role mapping.

“Signature Date” will mean the moment the Agreement is signed.

“Software Update” will mean a release of the Product which corrects faults and Bugs or otherwise

amends the Product, but which does not constitute a Software Upgrade; a Sofware Update will be

indicated by the Product version going from, for instance, “x.1 to x.2.”.

“Software Upgrade” will mean a new version of the Product, usually consisting of several bundled

improvements, adjustments and reviews. A Software Upgrade will be indicated by the Product version

going, for instance, from “1.x.x to 2.0.”

“Support Services” will mean any services related to the support of the Product under this

Agreement or in accordance with the provision of a PREMIUM Support Services Agreement.

“System Requirements” will mean, the minimum hardware and software requirements, including

devices, operating system versions and general equipment requirements to run the Product, as listed

in Attachment 1 and the Documentation, or notified otherwise by STROUWI to the Customer.

“Ticket” will mean an Incident logged in the Service Desk.

“Ticket Status” will mean the current status of a specific Ticket, such as for example, open,

feedback, acknowledged, in progress, etc… as described in the PREMIUM Support Services

Agreement.

20.2 Interpretation

The titles and headings included in this Agreement are for convenience only and do not

express in any way the intended understanding of the parties. They will not be taken into

account in the interpretation of this Agreement.

The Attachments to this Agreement form an integral part thereof and any reference to the

Agreement includes the Attachments and vice versa.

***

Signature page

Done on [DATE] in two originals. Each party acknowledges receipt of its own original.

STROUWI:

Name:

Wim Strouven

Title:

Bestuurder Strouwi BV

Customer:

Name:

[Customer name]

Title:

[Customer job title]

Attachment 1: Commercial Terms

1. Scope

Product Modules:

• Login service

• Role service

• Datalayer service

• Security service

• Buildbase service

• Organization service

• Payment service

• Notification service

• File export service

Setup Services:

• Initial setup for each of services listed above.

2. Term

The initial term of this agreement is 6 months, commencing from the Signature Date.

3. Fees

The Setup Fee is [SETUP FEE].

The annual Subscription Fee is [SUBSCRIPTION FEE].

4. Payment Milestones

The Setup Fee and the Annual Subscription Fee will be payable in advance and can be invoiced from

the Signature Date and each anniversary thereof.

5. System Requirements

STROUWI reserves the right to limit its Support Services to the most recent versions of web browsers

only, typically supporting the latest 2 major web browser versions.

6. Availability

The Provider shall ensure that the uptime for the Product is at least 90 % during each calendar

month.

"uptime" means the percentage of time during a given period when the Product is available at the

gateway between public internet and the network of the hosting services provider for the Product.

Downtime caused directly or indirectly by any of the following shall not be considered when

calculating whether the Provider has met the uptime guarantee given above:

(a) a Force Majeure Event;

(b) a fault or failure of the internet or any public telecommunications network;

(d) any breach by the Customer of this Agreement; or

(e) Maintenance Services carried out in accordance with this Agreement; or

(f) outages or planned maintenance caused by third party (hosting) providers.

Attachment 2: Custom Implementation Services Agreement

The Provider may, upon request by the Customer, provide Custom Implementation Services to

support the Customer and their collective project team. These Custom Implementation Services

will provide general assistance, development of customizations, consulting services and integration

development or guidance with relation to the Product for which the Customer acquires a subscription

under this Agreement.

1. Scope

Prior to the execution of any Custom Implementation Services, the Provider will provide the

Customer with with a Work Order for approval by the Customer containing:

• an estimation of the amount of man-days needed;

• a description of the scope of the work;

• an estimation of the time by which the work can be performed.

2. Fees

Custom Implementation Service Fees are calculated on a Time and Materials basis at a daily rate of

€700 EUR, VAT excluded.

Actual, reasonable travel and out-of-pocket travel-related expenses, if any, are not included in the

Fees and will, provided they have been approved by the Customer in writing in advance, be invoiced

separately, in accordance with the Agreement.

3. Payments

The Custom Implementation Service Fees are invoiced by STROUWI at the end of every month

based upon the timesheets and expenses submitted by STROUWI, and shall be due and payable by

the Customer in accordance with the terms of this Agreement.

Attachment 3: PREMIUM Support Services Agreement

Available upon request.

Attachment 4: Hosting Services

1. Nature and Scope

1.1 STROUWI will configure and install the Customer’s instance of the Product using Microsoft

Azure.

1.2 With effect from the completion of the Set Up services STROUWI will provide Hosting Services

and server monitoring under the terms and conditions of this Attachment 4 and in accordance

with the Availability service levels as agreed upon in Attachment 1.

1.3 The Customer acknowledges and agrees that STROUWI will provide Hosting Services in

support of the Customer’s use of the Microsoft Azure Services.

1.4 By entering this Agreement, the Customer acknowledges that its use of STROUWI’s Hosting

Services will therefore also be subject to the Microsoft Azure Terms, which shall be effective

without signature. STROUWI is the Customer’s reseller as defined in the Microsoft Azure

Reseller Terms, and the Customer releases STROUWI from any and all liability whatsoever

arising out of or in connection with Microsoft Azure’s performance of its duties or exercise of

its rights in the above mentioned agreements or the Customer’s breach thereof.

2. Fees & Payment Milestones

2.1 The fees related to the Microsoft Azure Services (“Hosting Fees”) will be charged to the

Customer on a monthly basis. The Hosting Fees will vary based on the volume used by the

Customer in the preceding month.

3. Term and Termination

3.1 Subject to the terms and conditions of this Attachment 4 STROUWI shall provide the Hosting

Services and shall continue to provide the Hosting Services thereafter unless or until the

Product Agreement expires or the Product Agreement is terminated in accordance with the

terms of said agreement.

3.2 Upon termination, STROUWI will no longer be the reseller of the Customer's Microsoft Azure

Services, and the Customer must elect to either:

a) transfer ownership of the concerning Microsoft Azure account(s) from STROUWI to the

Customer; or

b) close the concerning Microsoft Azure account(s).

3.3 If the Customer chooses option a), he must enter into a direct agreement with Microsoft Azure

prior to or contemporaneous with the termination of the Agreement. STROUWI will provide

reasonable assistance as required in transferring the Customer's Microsoft Azure account

credentials so that the Customer may continue to access the data stored in the Microsoft Azure

Services.

3.4 If the Customer chooses option b) and wishes to have its Customer Data stored in the Microsoft

Azure Services transferred to the Customer, STROUWI will provide the Customer with

commercially reasonable assistance at STROUWI’s then current rates for such activities

required in transferring the Customer Data from the Microsoft Azure Services in a mutually

agreed upon fashion.

3.4 If the Customer does not make such election at the time of giving notice of termination,

STROUWI may close the concerning Microsoft Azure account thirty (30) Business Days after

termination, without liability for any lost Customer Data or account credentials.

3.5 Upon termination, the Customers’ right to use any STROUWI software, tools, libraries,

methodology, experience or know-how used and/or gained in the framework of the Product

Agreement will end.

4. Definitions

For the purposes of this Attachment, the following terms will have the meanings specified or referred

to in this clause:

“Microsoft Azure” will mean Microsoft Ireland Operations Limited.

“Microsoft Azure Terms” will mean Microsoft Azure’sstandard terms and conditions applicable to

the Hosting Services, the current versions of which can be found at https://azure.microsoft.com/en-

us/support/legal/.

“Microsoft Azure Services” will mean the web services made available by Microsoft Azure used by

the Product.

“Customer Configuration” will mean an information technology system which is the subject of the

Hosting Services. The Customer Configuration or managed infrastructure will be set up, hosted and

maintained by STROUWI.

“Customer Data” will mean all data which is received, stored, or transmitted on the Customer

Configuration.

“Hosting Services” will mean the managed infrastructure services provided under the scope of this

Attachment.

Attachment 5: Data Processing Agreement

BETWEEN:

STROUWI BV, a company organised and existing under the laws of Belgium, having its registered

office at Sint-Pietersstraat 219, 3300 Vissenaken, registered with the Crossroads Bank of Enterprises

under company number 0735.370.955, represented by Wim Strouven – Bestuurder.

hereinafter referred to as STROUWI” and the Processor”;

And:

[Customer company name], a company organised and existing under the laws of Belgium, having

its registered office at [Address], registered with the Crossroads Bank of Enterprises under company

number [Company number], represented by [Customer name – Customer job title]

hereinafter referred to as the “Customer” and the “Controller”;

Hereinafter together referred to as the Parties”, or separately as a Party”.

WHEREAS

- STROUWI has extensive experience in the design, development, operation, hosting, selling

and support of digital applications;

- STROUWI and the Controller have concluded an agreement related to provisions of Services

by STROUWI to the Controller, hereinafter referred to as the Buildbase Product Agreement

or Framework Agreement”;

- The Framework Agreement necessitates the Processing by STROUWI of Personal Data on

behalf of the Controller;

- Parties now agree to sign a Data Processing Agreement, defining the specific needs of the

Controller in this respect, as stipulated below (hereafter referred to as the Agreement”);

- This Data Protection Agreement and its annexes set forth the terms and conditions pursuant

to which Personal Data will be processed in the framework of the Agreement.

1. Definitions

In this Agreement, the following terms shall have the meanings set out below:

"Authorised Sub-processors"

means (a) those Sub-processors set out in Annex 3 and (b)

any additional Sub-processors consented to in writing by

Controller in accordance with the Sub-processing section.

"Sub-processor"

means any Data Processor (including any third party)

appointed by STROUWI to process Controller Personal Data

on behalf of the Controller.

"Process/Processing", "Data

Controller", "Data Processor",

"Data Subject","Personal Data",

"Special Categories of Personal

Data"

and any further definition not included under this

Agreement or the Framework Agreement shall have the

same meaning as in EU General Data Protection Regulation

2016/679 of the European Parliament and of the Council

("GDPR").

“Data Protection Laws”

means EU General Data Protection Regulation 2016/679 of

the European Parliament and of the Council ("GDPR") as

well as any local data protection laws.

“Erasure"

means the removal or destruction of Personal Data such

that it cannot be recovered or reconstructed.

"EEA"

means the European Economic Area.

"Third country"

means any country outside EU/EEA, except where that

country is the subject of a valid adequacy decision by the

European Commission on the protection of Personal Data in

Third Countries.

"Controller Personal Data"

means the data described in Annex 1 and any other

Personal Data processed by STROUWI on behalf of the

Controller pursuant to or in connection with the Framework

Agreement.

"Personal Data Breach"

means a breach leading to the accidental or unlawful

destruction, loss, alteration, unauthorised disclosure of, or

access to, Controller Personal Data transmitted, stored or

otherwise processed.

"Services"

means the services supplied by STROUWI to the Controller

pursuant to the agreement(s) in place between the Parties.

"Standard Contractual Clauses"

means the standard contractual clauses for the transfer of

personal data to Processors established in Third countries,

as approved by the European Commission Decision

2010/87/EU, or any set of clauses approved by the

European Commission which amends, replaces or

supersedes these.

2. Scope

In the course of providing the Services to the Controller pursuant to the Framework Agreement,

STROUWI may process Controller Personal Data on behalf of the Controller as per the terms of this

Agreement. STROUWI agrees to comply with the following provisions with respect to any Controller

Personal Data.

To the extent required by applicable Data Protection Laws, STROUWI shall obtain and maintain all

necessary licenses, authorisations and permits necessary to process Personal Data including the

Controller Personal Data mentioned in Annex 1.

STROUWI shall maintain all the technical and organisational measures to comply with the

requirements set forth in the Agreement and its Annexes.

3. Processing of Controller Personal Data

STROUWI shall only process Controller Personal Data for the purposes of the Framework Agreement.

STROUWI shall not process, transfer, modify, amend or alter the Controller Personal Data or disclose

or permit the disclosure of the Controller personal data to any third party other than in accordance

with Controller s documented instructions, unless said processing is required by EU or Member State

law to which STROUWI is subject.

4. Processor personnel

STROUWI shall take all reasonable steps to ensure the reliability of any employee, agent or contractor

who may have access to the Controller Personal Data, ensuring in each case that access is limited to

those individuals who require access to the relevant Controller Personal Data.

STROUWI shall ensure that all individuals which have a duty to process Controller Personal Data:

- are informed of the confidential nature of the Controller Personal Data and are aware of

STROUWI's obligations under this Agreement and the Framework Agreement in relation to

the Controller Personal Data;

- have undertaken appropriate training in relation to the Data Protection Laws;

- are subject to confidentiality undertakings or professional or statutory obligations of

confidentiality; and

- are subject to user authentication and logon processes when accessing the Controller

Personal Data in accordance with this Agreement, the Framework Agreement and the

applicable Data Protection Laws.

5. Personal Data Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context

and purposes of Processing as well as the risk of varying likelihood and severity for the rights and

freedoms of natural persons, STROUWI shall take all reasonable measures to implement appropriate

technical and organisational measures (Annex 2) to ensure a level of Controller Personal Data

security appropriate to the risk, including but not limited to:

- pseudonymisation and encryption;

- the ability to ensure the ongoing confidentiality, integrity, availability and resilience

of processing systems and services;

- the ability to restore the availability and access to Controller Personal Data in a timely

manner in the event of a physical or technical incident; and

- a process for regularly testing, assessing and evaluating the effectiveness of technical

and organisational measures for ensuring the security of the Processing.

In assessing the appropriate level of security, STROUWI shall take into account the risks that are

presented by Processing, in particular from accidental or unlawful destruction, loss, alteration,

unauthorised disclosure of, or access to Controller Personal Data transmitted, stored or otherwise

processed.

6. Sub-Processing

The Controller acknowledges and expressly agrees that STROUWI may use third party Sub-

processors for the provision of the Services as described in the Framework Agreement.

Any such Sub-processors that provide Services for the Controller and thereto Process Personal Data

will be permitted to Process Personal Data only to deliver the Services and will be prohibited from

Processing such Personal Data for any other purpose.

STROUWI remains fully responsible for any such Sub-processor s compliance with STROUWI s

contractual obligations, including the present Agreement. STROUWI will, prior to the entrusting of

Services to such Sub-processor, carry out any relevant due diligence on such Sub-processor to assess

whether it is capable of providing the level of protection for the Personal Data as is required by this

Agreement, and provide evidence of such due diligence to the Controller where requested by the

Controller or a regulator.

STROUWI will enter into written agreements with any such Sub-processor which contain obligations

no less protective than those contained in this Agreement, including the obligations imposed by the

Standard Contractual Clauses of the European Commission, as applicable.

STROUWI will make available to the Controller the current list of Sub-processors for the Services

identified in Annex 3 to this Agreement. Such Sub-processors list will include the identities of those

Sub-processors and their country of location. STROUWI will provide the Controller with a notification

of a new Sub-processor before authorising any new Sub-processor(s) to Process Personal Data in

connection with the provision of the Services.

If the Controller objects to the use of a new Sub-processor that will be processing the Controller s

Personal Data, then the Controller will notify STROUWI in writing within twenty-one (21) calendar

days after receipt of STROUWI s written request to that effect. In such a case, STROUWI will use

reasonable efforts to change the affected Services or to recommend a commercially reasonable

change to the Controller s use of the affected Services to avoid the Processing of Personal Data by

the Sub-processor concerned. If STROUWI is unable to make available or propose such change within

sixty (60) calendar days, the Controller may terminate the relevant part of the contractual

relationship between the Parties regarding those Services which cannot be provided by STROUWI

without the use of the Sub-processor concerned. To that end, the Controller will provide written

notice of termination that includes the reasonable motivation for non-approval.

7. Data Subject Rights

Taking into account the nature of the Processing, STROUWI shall assist the Controller by

implementing appropriate technical and organisational measures, insofar as this is possible, for the

fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights as

laid down in the Data Protection Laws.

STROUWI shall promptly notify the Controller if it receives a request from a Data Subject and/or

competent authority under any applicable Data Protection Laws with respect to Controller Personal

Data.

STROUWI shall cooperate as requested by the Controller to enable the Controller to comply with any

exercise of rights by a Data Subject under any Data Protection Laws with respect to Controller

Personal Data and comply with any assessment, enquiry, notice or investigation under any Data

Protection Laws with respect to Controller Personal Data or this Agreement, which shall include:

- The provision of data requested by the Controller within a reasonable timescale specified by

the Controller in each case, including details and copies of the complaint, communication or

request and any Controller Personal Data it holds in relation to a Data Subject;

- Where applicable, providing such assistance as is reasonably requested by the Controller to

enable the Controller to comply with the relevant request within the timescales prescribed

by the Data Protection Laws;

- Implementing additional technical and organisational measures as may be reasonably

required by the Controller to allow the Controller to respond effectively to relevant

complaints, communications or requests.

It is however explicitly agreed between the Parties that any costs incurred by STROUWI for the

services delivered in relation to the aforementioned assistance will be charged to the Controller at

the then current hourly rate of STROUWI.

8. Personal Data Breach

STROUWI shall notify the Controller without undue delay and, in any case, within forty eight (48)

hours upon becoming aware of or reasonably suspecting a Personal Data Breach. STROUWI will

provide the Controller with sufficient information to allow the Controller to meet any obligations to

report a Personal Data Breach under the Data Protection Laws. Such notification shall:

- Describe the nature of the Personal Data Breach, the categories and numbers of Data

Subjects concerned, and the categories and numbers of Personal Data records concerned;

- Communicate the name and contact details of STROUWI's Privacy Officer or other relevant

contact from whom more information may be obtained;

- Describe the estimated risk and the likely consequences of the Personal Data Breach; and

- Describe the measures taken or proposed to be taken to address the Personal Data Breach.

STROUWI shall without undue delay further investigate the Personal Data Breach and shall keep

Controller informed of the progress of the investigation and take all reasonable steps to further

minimise the impact. Both Parties agree to fully cooperate with such investigation.

In the event of a Personal Data Breach, STROUWI shall not inform any third party without first

obtaining the Controller’s prior written consent, unless notification is required by EU or Member State

law to which STROUWI is subject, in which case STROUWI shall, to the extent permitted by such law,

inform the Controller of that legal requirement, provide a copy of the proposed notification and

consider any comments made by the Controller before notifying the Personal Data Breach.

STROUWI’s obligation to report or respond to a Personal Data Breach is not and will not be construed

as an acknowledgement by STROUWI of any fault or liability with respect to the Personal Data Breach.

Any costs incurred by STROUWI for the Services delivered in relation to the aforementioned

assistance related to Personal Data Breaches caused by the Controller, will be charged to the

Controller at the then current hourly rate of STROUWI.

9. Data Protection Impact Assessment and Prior Consultation

STROUWI shall provide reasonable assistance to the Controller with any data protection impact

assessments which are required under Article 35 of GDPR and with any prior consultations to any

supervisory authority of the Controller which are required under Article 36 of GDPR, in each case

solely in relation to Processing of Controller Personal Data by STROUWI on behalf of the Controller

and considering the nature of the processing and information available to STROUWI.

Any costs incurred by STROUWI for the Services delivered in relation to the aforementioned

assistance will be charged to the Controller at the then current hourly rate of STROUWI.

10. Erasure or return of Controller Personal Data

STROUWI shall promptly and, in any event, within 90 (ninety) calendar days of the earlier of: (i)

cessation of Processing of Controller Personal Data by STROUWI; or (ii) termination of the Framework

Agreement, either:

- Return a complete copy of all Controller Personal Data to the Controller by secure file transfer

and securely erase all other copies of Controller Personal Data Processed by STROUWI or

any Authorised Sub-processor; or

- Securely wipe all copies of Controller Personal Data Processed by STROUWI or any Authorised

Sub-processor, and in each case, provide a written certification to the Controller that it has

complied fully with the requirements of section Erasure or Return of Controller Personal Data.

STROUWI may retain Controller Personal Data to the extent required by Union or Member State law,

and only to the extent and for such period as required by Union or Member State law, and always

provided that STROUWI shall ensure the confidentiality of all such Controller Personal Data and shall

ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified

in the Union or Member State law requiring its storage and for no other purpose.

11. Audit rights

Upon reasonable written notice in advance, STROUWI shall make available to the Controller all

information necessary to demonstrate compliance with this Agreement and allow for, and contribute

to audits, including inspections by the Controller or another auditor mandated by the Controller of

any premises where the Processing of Controller Personal Data takes place.

STROUWI shall permit the Controller or another auditor mandated by the Controller to inspect, audit

and copy any relevant records, processes and systems in order that the Controller may satisfy itself

that the provisions of this Agreement are being complied with.

STROUWI shall immediately inform the Controller if, in its opinion, an instruction pursuant to this

section infringes the Data Protection Laws.

12. International Transfers of Controller Personal Data

STROUWI shall not process Controller Personal Data nor permit any Authorised Sub-processor to

process the Controller Personal Data in a third country, unless authorised in writing by Controller in

advance, via an amendment to this Agreement.

When requested by Controller, STROUWI shall promptly enter into (or procure that any relevant Sub-

processor of STROUWI enters into) an agreement with Controller including Standard Contractual

Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of

Controller Personal Data in a third country, which terms shall take precedence over those in this

Agreement.

13. Controller responsibilities

Controller shall comply with all applicable laws and regulations, including the Data Protection Laws.

Controller remains responsible for the lawfulness of the Processing of Controller Personal Data

including, where required, obtaining the consent of Data Subjects to the Processing of his or her

Personal Data.

Controller remains fully responsible for Personal Data Breaches caused by Controller s actions or

negligence.

With regard to the protection of the Data Subject s rights pursuant to the applicable Data Protection

Laws, Controller shall facilitate the exercise of Data Subject rights and shall ensure that adequate

information is provided to Data Subjects about the Processing hereunder in a concise, transparent,

intelligible and easily accessible form, using clear and plain language.

Controller shall take reasonable steps to keep Personal Data up to date to ensure the data are not

inaccurate or incomplete with regard to the purposes for which they are collected.

With regard to components that Controller provides or controls, including but not limited to

workstations connecting to the STROUWI IT-environment, data transfer mechanisms used and

credentials issued to Controller personnel, Controller shall implement and maintain the required

technical and organisational measures for data protection and will be solely liable for any damages

caused by errors of the Controller in this respect.

14. Liability

Either Party s liability shall be limited, per contract year, to an amount of 25.000 EUR for direct

damages.

Neither Party shall be liable for any indirect or consequential damages, such as (but not limited to)

loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third party claims.

No limitation of liability shall apply in case of fraud, willful intent, death and physical injury resulting

from a Party s negligence.

15. General Terms

Subject to this section, the Parties agree that this Agreement and the Standard Contractual Clauses

shall terminate automatically upon termination of the Framework Agreement.

This Agreement shall be governed by the governing law of the Framework Agreement for so long as

that governing law is the law of a Member State of the European Union.

With regard to the subject matter of this Agreement, in the event of inconsistencies between the

provisions of this Agreement and any other agreements between the Parties, including but not limited

to the Framework Agreement, the provisions of this Agreement shall prevail with regard to the

Parties data protection obligations for Personal Data of a Data Subject from a Member State of the

European Union.

Should any provision of this Agreement be invalid or unenforceable, then the remainder of this

Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i)

amended as necessary to ensure its validity and enforceability, while preserving the Parties

intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid

or unenforceable part had never been contained therein.

IN WITNESS WHEREOF, this Agreement is entered into and becomes a binding part of the Framework

Agreement with effect from the Agreement effective date.

***

Signature page

Done on [DATE] in two originals. Each Party acknowledges receipt of its own original.

STROUWI:

Name:

Wim Strouven

Title:

Bestuurder Strouwi BV

Customer:

Name:

[Customer name]

Title:

[Customer job title]

ANNEX 1: DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Controller Personal Data as required by

Article 28(3) GDPR.

1. Categories of Data Subjects:

The Personal Data subject to the processing activities under this Agreement belong to the following

categories of Data Subjects:

- Employee of Customer

- Client of Customer

- Customer

2. Types of Personal Data:

The types of Personal Data subject to the processing activities under this Agreement are the

following.:

- Employee names

- Employee statute

- Employee hours

- Customer name

- Client names

- Client projects

3. Purposes of Processing of Personal Data

Personal Data will be Processed for the purpose of:

- Execution of the Services under the Framework Agreement and/or any other agreement in

place between the Parties.

4. Duration of the Processing of Controller Personal Data

Personal data will be Processed for the duration of any agreement in place between the Parties.

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

1. Organisational Security Controls

Organisational security controls shall include the following principles at a minimum.

STROUWI and STROUWI personnel shall Process Controller Personal Data, and access and use any

networks, systems and/or computers managed by Controller, only on a need-to-know basis and only

to the extent necessary to perform the Services under the Agreement, the Framework Agreement

and/or any agreement in place between the Parties.

Prior to providing access to any Controller Personal Data to any STROUWI personnel, STROUWI shall

take reasonable steps to ensure continuing compliance of the level of security specified under this

Agreement by such STROUWI Personnel. STROUWI Personnel with access to Personal Data are

subject to confidentiality obligations, and these are formally integrated into employment contracts.

STROUWI shall maintain information security policies and procedures consistent with the provisions

of this Agreement.

Ownership for Security and Data Protection: STROUWI has appointed one or more individuals

responsible for coordinating and monitoring the security rules and procedures as well as data

protection compliance.

Risk Management: STROUWI executes periodical risk assessments based on a formal risk

management methodology.

STROUWI shall take reasonable measures to terminate physical and logical access to Controller

Personal Data by STROUWI Personnel no later than the date of separation or transfer to a role no

longer requiring access to Controller Personal Data.

STROUWI maintains a selection process by which it evaluates the security, privacy and confidentiality

practices of a Sub-processor in regard to data handling.

2. Technical Security Controls

Technical security controls on STROUWI information systems (any STROUWI systems and/or

computers used to Process Controller Personal Data pursuant to the Agreement) shall include the

following principles at a minimum.

STROUWI shall use appropriately strong passwords consistent with technology industry practices,

including minimum password length, lockout, expiration period and changing of default passwords.

STROUWI shall implement and maintain controls to detect and prevent unauthorised access,

intrusions and computer viruses.

STROUWI shall maintain documented change management procedures that provide a consistent

approach for controlling, implementing and documenting changes (including emergency changes) for

STROUWI information systems.

Unless otherwise expressly agreed in the Agreement, development and testing environments shall

be physically and/or logically separated from production environments.

STROUWI shall maintain reasonable back-up and disaster recovery processes and procedures.

Workstations shall not be left authenticated when unattended and shall be password or PIN protected

when not in use.

Personal Data on portable devices are encrypted.

STROUWI has procedures for securely disposing of media and printed materials that contain Personal

Data.

STROUWI standardly encrypts, or provides the mechanisms to Controller to encrypt, Personal Data

that is transmitted over public networks.

Event Logging: STROUWI logs access and use of its information systems containing Personal Data,

registering the access ID, time and relevant activity.

3. Physical Security Controls

Physical security controls shall include the following principles at a minimum on all STROUWI facilities

where Controller Personal Data may be Processed.

Physically secure perimeters and external entry points shall be suitably protected against

unauthorised access. Access to all locations shall be limited to STROUWI Personnel and authorised

visitors only. Reception areas shall be manned or have other means to control physical access.

Visitors shall be required to sign a visitor register.

ANNEX 3: AUTHORISED SUB-PROCESSORS

List of Approved Sub-processors as at the Agreement effective date to be included here. Please

include (i) full legal name; (ii) processing activity; (iii) location of service centre(s).

No.

Authorised sub-processor

(full legal name)

Processing activity

Location of service

centre(s).

Azure

Cloud hosting

North Europe – Ireland

West Europe - Netherlands

MongoDB

Database Support –

Cloud hosting

North Europe – Ireland

West Europe - Netherlands

Attachment 6: Open Source components and licenses

Framework

License

Spring

Apache 2.0

OpenJDK java

General Public License, version 2

Spring Cloud Netflix

Apache 2.0

Maven

Apache 2.0

Apache POI

Apache 2.0

Junit Jupiter

Eclipse Public License – v2.0

Lombok

Lombok license

Mockito

MIT License

AssertJ

Apache 2.0

Vue

MIT License

Vuetify

MIT License

Axios

MIT License

FasterXml Jackson

Apache 2.0

XML commons

Apache 2.0

Jakarta XML

Eclipse Distribution License version 1.0

XML

Apache 2.0

Log4j

Apache 2.0

Logback

Eclipse Distribution License version 1.0 – Lesser

General Public License 2.1