Core Financial Systems — Legal Documents

This page consolidates our General Terms and Conditions, Support & SLA Terms (Annex 1), Data Processing Agreement (Annex 2), and DORA Provisions (Annex 3) for easy reference.

CORE FINANCIAL GENERAL TERMS AND CONDTIONS

1. SERVICES, SUPPORT AND FRAMEWORK AGEEMENT

1.1. Subject to the terms of this Agreement, Company
will use commercially reasonable efforts to provide
Customer the Services.

1.2. Subject to the terms hereof, Company will provide
Customer with technical support services in
accordance with the terms set forth in Annex 1.

1.3. Customer undertakes to immediately report any
defects of performance with regard to the Services
to Company and to provide conclusive information
with regard to the experienced errors and defects.
Customer undertakes reasonable efforts to assist
Company in error and defect identification and
correction.

1.4. This Agreement and these General Terms are
intended to set out the framework of the agreed
terms for any Services and the terms and conditions
under which such will be provided by Company to
Customer.

1.5. The first Statement of Work shall together with this
Agreement form the contract between Company and
Customer and each subsequent quotation or order
shall merge incrementally and be included as
forming a single contract.

2. RESTRICTIONS AND RESPONSIBILITIES

2.1. Customer will not, directly or indirectly: reverse
engineer, decompile, disassemble or otherwise
attempt to discover the source code, object code or
underlying structure, ideas, know-how or
algorithms relevant to the Services or any software,
documentation or data related to the Services, or
modify, translate, or create derivative works based
on the Services or any Software (except to the extent
expressly permitted by Company or authorized
within the Services); use the Services or any
Software for timesharing or service bureau
purposes or otherwise for the benefit of a third
party; or remove any proprietary notices or labels.

2.2. Customer may not export or re-export the Services,
or Software or anything related thereto or any direct
product thereof in violation of any restrictions, laws
or regulations of any applicable laws, regulations,
rules or restrictions, whether of the European
Union, United States of America or otherwise.

2.3. Customer represents, covenants, and warrants that
Customer will use the Services only in compliance
with this Agreement and Company’s standard
published policies from time to time in effect (the
“Policies”) and all applicable laws and regulations.
In addition, Customer will not use the Services for
any profane, fraudulent, misleading or other
purpose and shall ensure that all advertising
mediated through the Services shall be fair and
accurate in all material respects. Customer hereby
agrees to indemnify and hold harmless Company
against any damages, losses, liabilities, settlements
and expenses (including without limitation costs
and attorneys’ fees) in connection with any claim or
action that arises from an alleged violation of the
foregoing or otherwise from Customer’s use of
Services. Although Company has no obligation to
monitor Customer’s use of the Services, Company
may do so and may prohibit any use of the Services
it believes may be (or alleged to be) in violation of
the foregoing.

2.4. The Customer shall (a) provide the Company all
necessary co-operation in relation to this
agreement; (b) provide all necessary access to such
information as may be required by the Company; (c)
allow security access information and configuration
services in order to provide the Services, (d) without
affecting its other obligations under this agreement,
comply with all applicable laws and regulations with
respect to its activities under this agreement, (e)
carry out all other Customer responsibilities set out
in this agreement in a timely and efficient manner
(in the event of any delays in the Customer’s
provision of such assistance as agreed by the parties,
the Company may adjust any agreed timetable or
delivery schedule as reasonably necessary) (f)
ensure that its Authorised Users use the Services
and the Documentation in accordance with the
terms and conditions of this agreement and shall be
responsible for any Authorised User’s breach of this
agreement; (g) obtain and shall maintain all
necessary licences, consents, and permissions
necessary for the Company, its contractors and
agents to perform their obligations under this
agreement, including without limitation the
Services; (h) ensure that its network and systems
comply with the relevant specifications provided by
the Company from time to time; and (i) be solely
responsible for procuring and maintaining its
network connections and telecommunications links
from its systems to the Company’s data centres, and
all problems, conditions, delays, delivery failures
and all other loss or damage arising from or relating
to the Customer’s network connections or
telecommunications links or caused by the internet.

Consultancy Services

2.5. Where any Consultancy Services are to be carried out
at the Customer’s premises then Customer shall,
subject to compliance by Company’s personnel with
Customer’s reasonable security requirements, allow
Company full and complete access to the area(s)
where Consultancy Services are to be performed and
will provide adequate office accommodation and
facilities for any Company staff working on its
premises as required.

On Premises Software

2.6. With respect to any Software that is distributed or
provided to Customer for use on Customer premises
or devices (“On Premise Software”), Company
hereby grants Customer a non-exclusive, non-
transferable, non-sublicensable license to use such
Software during the Term only in connection with
the Services, to install and run the Software on the
Customer’s own servers or systems at the specified
site(s) for the Authorised Use during the Term;
where “Authorised Use” means use by the specified
number of Authorised Users processing within
agreed limits for internal business purpose, and The
licence begins on delivery and continues for the
agreed Term. Ownership of the underlying software
shall remain with the licensor. Title to any hardware
or related physical media may transfer to Customer
upon full payment, but such transfer shall not confer
any rights of ownership in the software or related
Intellectual Property. Company may recover such
hardware or suspend licence rights where Customer
is in breach of its obligations under this Agreement.

2.7. The Supplier will deliver On Premise Software in
executable form along with Documentation.
Installation or commissioning services will be as
detailed in a Statement of Work.

2.8. The Customer will maintain accurate records of
usage of On Premises Software and the Company
may audit once per 12-month period with notice.
Over-deployment will require the Customer to
purchase additional licences and pay any underpaid
fees.

2.9. The Customer is responsible for infrastructure
security, backups, and business continuity for the On
Premise Software and for meeting the minimum
system requirements stated in the Statement of
Work. On termination, the Customer must cease use
and uninstall the Software.

SaaS Services

2.10.Where Customer is granted access to software
hosted by Company or its licensors, such access is
provided on a non-exclusive, non-transferable,
subscription basis and is governed by the applicable
terms herein. No ownership rights in such software
or related intellectual property shall transfer to
Customer. Access to the SaaS solution remains
conditional upon full payment of applicable fees and
ongoing compliance with this Agreement. Company
reserves the right to suspend or revoke access in the
event of non-payment or any breach which, if not
remedied promptly after notice, would constitute a
material breach, or where continued access would
pose a security, compliance, or licensing risk.

2.11.As part of the registration process, Customer will
identify an administrative username and password
for Customer’s Company account. Company
reserves the right to refuse registration of, or cancel
passwords it deems inappropriate.

Resold Services

2.12.Where the Company solely acts as reseller of a
Service or Software, or of constituent part thereof,
then the primary responsibility for the provision
and delivery of that Service or Software to the
Customer shall rest with the direct supplier, and
shall be supplied and delivered on their prevailing
terms and conditions and their service levels and
support agreements. The Company shall bear no
contractual responsibility for performance of such
re-sold services, save as may be specifically set out
in a Statement of Work as regards consultancy or
implementation services.

3. CONFIDENTIALITY; PROPRIETARY RIGHTS

3.1. Each party (the “Receiving Party”) understands
that the other party (the “Disclosing Party”) has
disclosed or may disclose business, technical or
financial information relating to the Disclosing
Party’s business (hereinafter referred to as
“Proprietary Information” of the Disclosing
Party). Proprietary Information of Company
includes non-public information regarding features,
functionality, design, implementation and
performance of the Services. Proprietary
Information of Customer includes non-public data
provided by Customer to Company to enable the
provision of the Services. The Receiving Party
agrees: (i) to take reasonable precautions to protect
such Proprietary Information, and (ii) not to use
(except in performance of the Services or as
otherwise permitted herein) or divulge to any third
person any such Proprietary Information. The
Disclosing Party agrees that the foregoing shall not
apply with respect to any information after five (5)
years following the disclosure thereof or any
information that the Receiving Party can document
(a)is or becomes generally available to the public, or
(b) was in its possession or known by it prior to
receipt from the Disclosing Party, or (c) was
rightfully disclosed to it without restriction by a
third party, or (d) was independently developed
without use of any Proprietary Information of the
Disclosing Party or (e) is required to be disclosed by
law.

3.2. Customer shall own all right, title and interest in and
to Customer Data. Company shall own and retain all
right, title and interest in and to (a) the Services and
Software, all improvements, enhancements or
modifications thereto, (b) any software,
applications, inventions or other technology
developed in connection with Implementation
Services or support, and (c) all intellectual property
rights related to any of the foregoing.

3.3. Notwithstanding anything to the contrary, Company
shall have the right to collect, analyse, store, copy
and reproduce System Data and other information
relating to the provision, use and performance of
various aspects of the Services and related systems
and technologies (including, without limitation,
information concerning Customer Data and data
derived therefrom), and Company will be free
(during and after the term hereof) to (i) use such
information and data to improve and enhance the
Services and for other development, diagnostic and
corrective purposes in connection with the Services
and other Company offerings, and (ii) disclose such
data solely in aggregate or other de-identified form
in connection with its business. No rights or licenses
are granted except as expressly set forth herein.

3.4. If and to the extent required by applicable law,
including regulatory requirements, discovery
request, subpoena, court order or governmental
action, the Receiving Party may disclose or produce
Confidential Information but will give reasonable
prior notice (and where prior notice is not
permitted by applicable Law, notice will be given as
soon as the Receiving Party is legally permitted) to
the Disclosing Party to permit the Disclosing Party
to intervene and to request protective orders or
confidential treatment therefor or other
appropriate remedy regarding such disclosure.
Disclosure of any Confidential Information pursuant
to any legal requirement will not be deemed to
render it non-confidential, and the Receiving Party’s
obligations with respect to Confidential Information
of the Disclosing Party will not be changed or
lessened by virtue of any such disclosure.

4. PAYMENT OF FEES

4.1. Customer will pay Company the then applicable fees
described in the Commercial Terms or Statement of
Work for the Services in accordance with the terms
therein (the “Fees”). If Customer’s use of the
Services exceeds the Service capacity or limits set
forth in the Commercial Terms or Statement of
Work or otherwise requires the payment of
additional fees (per the terms of this Agreement),
Customer shall be billed for such usage and
Customer agrees to pay the additional fees in the
manner provided herein. Company reserves the
right to change the Fees or applicable charges and to
institute new charges and Fees at the end of the
Initial Service Term or then-current renewal term,
upon thirty (30) days prior notice to Customer
(which may be sent by email). If Customer believes
that Company has billed Customer incorrectly,
Customer must contact Company no later than 60
days after the closing date on the first billing
statement in which the error or problem appeared,
in order to receive an adjustment or credit. Inquiries
should be directed to Company’s customer support
department.

4.2. Consultancy Services shall be provided by Company
for a fixed daily rate as specified in the Statement of
Work for each full day worked. A full day work shall
consist of 0900hrs to 1730hrs.

4.3. Unless otherwise specified, Company shall invoice
monthly in advance and full payment for invoices
issued in any given month must be received by
Company thirty (30) days after the date of the
invoice. Unpaid amounts are subject to a finance
charge of 2% per month on any outstanding balance,
or the maximum permitted by law (whichever is
lower), plus all expenses of collection and may result
in immediate termination of Service on 7 days
written notice.

4.4. The Fees do not include taxes or duties and are, for
the avoidance of doubt, exclusive of Value Added
Tax (“VAT”). All additional taxes or duties, which
Company shall have to pay or collect in connection
with the provision of the Services, shall be billed to
and paid by Customer. This shall not apply to taxes
based on Company’s income.

4.5. Customer shall be responsible for the payment of
any taxes imposed by any governmental taxing
authority on the amounts Customer is liable to pay
to Company under this Agreement, including, but
not limited to, withholding taxes of whatever nature
(“Withholding Taxes”) and Customer may reduce
the amount payable to Company as Fees by the
amount of such Withholding Taxes. Customer
agrees promptly to pay any Withholding Taxes and
obtain and deliver to Company proof of payment of
such Withholding Taxes together with official
evidence thereof issued by the governmental
authority concerned, sufficient to enable Company
to support a claim for a tax credit in respect of any
sum so withheld.

5. TERM AND TERMINATION

5.1. Subject to earlier termination as provided below,
this Agreement is for the Initial Service Term as
specified in the Commercial Terms, and shall be
automatically renewed for additional periods equal
to the renewal term specified in the Commercial
Terms or, if no such renewal term is specified, of the
same duration as the Initial Service Term
(collectively, the “Term”), unless either party in
writing requests termination at least thirty (30)
days prior to the end of the then-current term.

5.2. This Agreement (and each order or Statement of
Work hereunder) shall, unless otherwise
terminated as provided in this clause 5, commence
on the Effective Date and shall continue for the
Initial Service Term and, thereafter, this agreement
shall be automatically renewed for successive
periods of 12 months (each a Renewal Period),
unless:

5.2.1. either party notifies the other party of
termination, in writing, at least 60 days
before the end of the Initial Service Term or
any Renewal Period, in which case this
agreement shall terminate upon the expiry of
the applicable Initial Service Term or
Renewal Period; or

5.2.2. otherwise terminated in accordance with the
provisions of this agreement;
and the Initial Service Term together with any
subsequent Renewal Periods shall constitute the
Term.

5.3. Without affecting any other right or remedy
available to it, either party may terminate this
agreement with immediate effect by giving written
notice to the other party if:

5.3.1. the other party fails to pay any amount due
under this agreement on the due date for
payment and remains in default not less than
seven days after being notified in writing to
make such payment;

5.3.2. the other party commits a material breach of
any other term of this agreement which
breach is irremediable or (if such breach is
remediable) fails to remedy that breach
within a period of 30 days after being notified
in writing to do so;

5.3.3. the other party suspends or ceases, or
threatens to suspend or cease, carrying on all
or a substantial part of its business.

5.4. On termination of this agreement for any reason:

5.4.1. all unpaid charges and expenses in relation to
this Agreement shall become immediately
due and payable by Customer

5.4.2. all licences granted under this agreement
shall immediately terminate and the
Customer shall immediately cease all use of
the Services and/or the Documentation;

5.4.3. each party shall return and make no further
use of any equipment, property,
Documentation and other items (and all
copies of them) belonging to the other party;

5.4.4. the Company may destroy or otherwise
dispose of any of the Customer Data in its
possession unless the Company receives, no
later than thirty days after the effective date
of the termination of this agreement, a
written request for the delivery to the
Customer of the then most recent back-up of
the Customer Data. The Company shall use
reasonable commercial endeavours to
deliver the back-up to the Customer within
30 days of its receipt of such a written
request, provided that the Customer has, at
that time, paid all fees and charges
outstanding at and resulting from
termination (whether or not due at the date
of termination). The Customer shall pay all
reasonable expenses incurred by the
Company in returning or disposing of
Customer Data;

5.4.5. any rights, remedies, obligations or liabilities
of the parties that have accrued up to the date
of termination, including the right to claim
damages in respect of any breach of the
agreement which existed at or before the date
of termination shall not be affected or
prejudiced; and

5.4.6. The parties’ rights and obligations under
Clauses 3, 5, 8, 9, 11 and 16 shall survive
termination of this Agreement. Termination
of this Agreement shall not prevent either
party from pursuing any other remedies
available to it, including but not limited to
injunctive relief.

6. WARRANTY AND DISCLAIMER

6.1. Company shall use reasonable efforts consistent
with prevailing industry standards to maintain the
Services in a manner which minimizes errors and
interruptions in the Services and shall perform the
Consultancy Services, Support Services and any
Implementation Services in a professional and
workmanlike manner. Services may be temporarily
unavailable for scheduled maintenance or for
unscheduled emergency maintenance, either by
Company or by third-party providers, or because of
other causes beyond Company’s reasonable control,
but Company shall use reasonable efforts to provide
advance notice in writing or by e-mail of any
scheduled service disruption. HOWEVER, COMPANY
DOES NOT WARRANT THAT THE SERVICES WILL
BE UNINTERRUPTED OR ERROR FREE; NOR DOES
IT MAKE ANY WARRANTY AS TO THE RESULTS
THAT MAY BE OBTAINED FROM USE OF THE
SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN
THIS SECTION, THE SERVICES AND
IMPLEMENTATION SERVICES ARE PROVIDED “AS
IS” AND COMPANY DISCLAIMS ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND NON-INFRINGEMENT.

6.2. Company warrants that (a) Customer shall have the
right to possess, and use, the Deliverables in
accordance with the terms of this Agreement and
that possession and use shall not be disturbed by a
third party except to the extent set out in this
Agreement; (b) Service and Deliverables supplied
by it are, at the date of delivery, virus free, (c) the
Consultancy Services will be performed with
reasonable skill and care consistent with generally
accepted professional and technical standards and
practices of the computer software services
industry and where participation by Company’s
personnel is necessary in the execution or
performance of this Agreement, such personnel
shall possess the appropriate skills, experience,
training and qualifications consistent with
generally accepted professional and technical
standards of the computer software services
industry, for any tasks assigned to them.

6.3. If any warranties or other obligations entered into by
Company under this Agreement are breached or not
performed (or alleged to be breached or not
performed), Customer must notify Company as soon
as possible. Before Customer is allowed to take
further action, Customer must give Company a
reasonable time to remedy the problem and (if
necessary) to supply Customer with a repaired or
corrected version of any relevant Deliverables or re-
perform any relevant Services. This will be done
without any additional charge to Customer.

7. INDEMNITY

7.1. Company shall hold Customer harmless from
liability to third parties resulting from infringement
by the Service of any European Union patent or any
copyright or misappropriation of any trade secret,
provided Company is promptly notified of any and
all threats, claims and proceedings related thereto
and given reasonable assistance and the
opportunity to assume sole control over defence and
settlement; Company will not be responsible for any
settlement it does not approve in writing and
Company shall not be liable under this clause if
Customer acknowledges or accepts any allegation of
infringement without Company’s express prior
written consent. The foregoing indemnification
obligations do not apply with respect to portions or
components of the Service (i) not supplied by
Company, (ii) made in whole or in part in
accordance with Customer specifications, (iii) that
are modified after delivery by Company, (iv)
combined with other products, processes or
materials where the alleged infringement relates to
such combination, (v) where Customer continues
allegedly infringing activity after being notified
thereof or after being informed of modifications that
would have avoided the alleged infringement, or (vi)
where Customer’s use of the Service is not strictly in
accordance with this Agreement. If, due to a claim of
infringement, the Services are held by a court of
competent jurisdiction to be or are believed by
Company to be infringing, Company may, at its
option and expense (a) replace or modify the Service
to be non-infringing provided that such modification
or replacement contains substantially similar
features and functionality, (b) obtain for Customer a
license to continue using the Service, or (c) if neither
of the foregoing is commercially practicable,
terminate this Agreement and Customer’s rights
hereunder and provide Customer a refund of any
prepaid, unused fees for the Service.

8. LIMITATION OF LIABILITY

8.1. Except as expressly and specifically provided in this
agreement:

8.1.1. the Customer assumes sole responsibility for
results obtained from the use of the Services
and the Documentation by the Customer, and
for conclusions drawn from such use. The
Company shall have no liability for any damage
caused by errors or omissions in any
information, instructions or scripts provided
to the Company by the Customer in connection
with the Services, or any actions taken by the
Company at the Customer’s direction;

8.1.2. all warranties, representations, conditions and
all other terms of any kind whatsoever implied
by statute or common law are, to the fullest
extent permitted by applicable law, excluded
from this agreement; and

8.1.3. the Services and the Documentation are
provided to the Customer on an “as is” basis.

8.2. Nothing in this agreement excludes the liability of
the Company:

8.2.1. for death or personal injury caused by the
Company’s negligence; or

8.2.2. for fraud or fraudulent misrepresentation.

8.3. Subject to clause 8.1 and clause 8.2:

8.3.1. the Company shall not be liable whether in
tort (including for negligence or breach of
statutory duty), contract, misrepresentation,
restitution or otherwise for any loss of
profits, loss of business, depletion of goodwill
and/or similar losses or loss or corruption of
data or information, or pure economic loss, or
for any special, indirect or consequential loss,
costs, damages, charges or expenses however
arising under this agreement; and

8.3.2. the Company’s total aggregate liability in
contract tort (including negligence or breach
of statutory duty), misrepresentation,
restitution or otherwise, arising in
connection with the performance or
contemplated performance of this agreement
shall be limited to the greater of €250,000
and twice the total Fees paid for the Service
during the 12 months immediately preceding
the date on which the claim arose.

9. GDPR & PRIVACY

9.1. Each party shall comply with all applicable data
protection and privacy laws in connection with the
processing of personal data under this Agreement.
This includes, where applicable, compliance with:

9.1.1. the General Data Protection Regulation (EU)
2016/679 (“GDPR”);

9.1.2. the UK General Data Protection Regulation
(“UK GDPR”) and the UK Data Protection Act
2018; and

9.1.3. any other national or international data
protection laws applicable to the processing
activities carried out under this Agreement.

9.2. The parties agree that the processing of personal
data in connection with the Services shall be
governed by the Data Processing Agreement
(“DPA”) set out in Annex 2 to this Agreement and
also available on the Company website
https://corefinancial.ie;

10. INSURANCE

10.1.Each Party will obtain and maintain appropriate
insurance necessary for implementing and
performing under this Agreement in accordance
with applicable Law and in accordance with the
requirements of this clause 10.

10.2.Company will at its own cost and expense, acquire
and continuously maintain the following insurance
coverage during the term of this Agreement and for
one year after.

10.3.Commercial General Liability insurance, including
all major coverage categories and on such terms as
are generally available to Company on the market
from time to time with limits of not less than
€1,000,000 per occurrence and €10,000,000
general aggregate,

10.4.Professional Liability insurance, covering liabilities
for financial loss resulting or arising from acts,
errors or omissions in rendering services in
connection with this Agreement on such terms as
are generally available to Company on the market
from time to time with a minimum limit of
€5,000,000 each claim and annual aggregate; and

10.5.Cyber Liability with limit of €5,000,000 each claim
and annual aggregate, providing for protection
against liability for such coverages as are generally
available to Company on the market from time to
time.

11. DORA PROVISIONS

11.1.The European Union’s Digital Operational Resilience
Regulation for the financial sector (2022/2554)
(“DORA”) imposes obligations on EU-regulated
entities to manage information and communication
technology (ICT) risk. Annex 3 applies exclusively to
customers classified as “financial entities”, as
defined in DORA Article 2(1) points (a) to (t).

11.2.By providing the Services to the Customer, Company
may be regarded as an ICT third-party service
provider under DORA. The purpose of Annex 3 is to
ensure that the contractual provisions mandated by
DORA are incorporated into the agreement between
Company and the Customer.

11.3.To the extent that Company provides any services
that are not in scope for DORA, Annex 3 shall not
apply to the provision of such services.

12. NIS 2

12.1.The parties acknowledge that Directive (EU)
2022/2555 on measures for a high common level of
cybersecurity across the Union (“NIS2 Directive”) is
being transposed into Irish law and may apply to the
Client where it qualifies as an essential or important
entity.

12.2.Where the Services provided by Company form
part of the Customer’s network or information
systems within the meaning of NIS2, Company
shall:

12.2.1.implement and maintain appropriate and
proportionate technical and organisational
measures to manage cybersecurity risks
relevant to the Services;

12.2.2.notify the Client without undue delay of any
significant cybersecurity incident or event
that may materially affect the Services; and

12.2.3.provide reasonable assistance to the
Customer, upon request, in meeting its
incident-handling or reporting obligations
under applicable national law.

12.3.Company’s obligations under this clause are limited
to the Services provided under this Agreement and
do not extend to the Client’s wider systems,
infrastructure, or statutory obligations.

12.4.Any sector-specific or additional NIS2 requirements
may be addressed in a separate security or
compliance addendum where required.

13. CHANGES AND VARIATIONS

13.1.Company shall make such variations to the Services,
whether by way of addition, modification, or
omission as may be agreed. The Parties
acknowledge that changes to the scope,
deliverables, timelines, pricing, technical
requirements, or other aspects of the Agreement
may become necessary during the Term. Any such
change shall be managed in accordance with this
change control procedure.

13.2.Initiating a Change. Either Party may request a
change to the Agreement (a “Change Request”). All
Change Requests must be submitted in writing and
must include:

13.2.1.A description of the proposed change;

13.2.2.The reason for the change;

13.2.3.Impact on scope, deliverables, assumptions,
dependencies or acceptance criteria;

13.2.4.Impact on project timelines or milestones;

13.2.5.Impact on Fees or charges.

13.3.Assessment of Change Request. Upon receipt of a
Change Request, the receiving Party shall
acknowledge it within 5 Business Days. The
Company shall assess the Change Request and
provide a written impact assessment (“Change
Proposal”) including:

13.3.1.Technical and operational impacts;

13.3.2.Resource implications;

13.3.3.Revised Fees or pricing adjustments (if any);

13.3.4.Revised timelines;

13.3.5.Risks or prerequisites.

13.4.Approval of Change. A change becomes binding only
when both Parties sign a written Change Order
referencing this Agreement. Once signed, the
Change Order supersedes any inconsistent
provisions.

13.5.Handling Disagreements. If the Parties cannot agree
on a Change Request or Change Proposal, the
Agreement remains unchanged and neither Party
shall be obliged to proceed with the change.

13.6.Urgent or Safety-Critical Changes. Where a change is
urgently required to prevent service failure, protect
data, or address a legal requirement, the Company
may implement temporary measures. These shall be
submitted for retrospective approval within 10
Business Days.

14. COMPLIANCE WITH ANTI-CORRUPTION LAWS

14.1.Each Party shall comply with all applicable anti-
bribery and anti-corruption laws in Ireland,
including the Criminal Justice (Corruption
Offences) Act 2018 (the “Corruption Act”).

14.2.Neither Party, nor their employees, officers, agents,
subcontractors or affiliates shall, directly or
indirectly:

14.2.1.offer, promise, give, request, agree to receive
or accept any gift, consideration or
advantage as an inducement or reward
related to any person’s office, employment,
position or business;

14.2.2.engage in active or passive corruption, or
active or passive trading in influence, as
defined under the Corruption Act;

14.2.3.create or use any false or misleading
document, or withhold information, for
improper influence.

14.3.Corporate Liability and Reasonable Steps. Each
Party shall maintain adequate anti-corruption
procedures, training, controls and reporting
mechanisms. A company may be liable if employees
or agents commit corruption to obtain business
unless it demonstrates all reasonable steps and due
diligence were exercised.

14.4.Facilitation payments are strictly prohibited under
Irish law and under this Agreement.

14.5.Gifts, Hospitality and Expenses. Any gifts,
hospitality or expenses must be reasonable,
proportionate, for legitimate business purposes,
accurately recorded, and compliant with the
Corruption Act. No gifts or hospitality may be
provided to or accepted from public officials except
where legally permitted.

14.6.Reporting and Cooperation. Each Party shall
promptly notify the other of any breach or suspected
breach of this clause or any related investigation.
Each Party shall assist lawful anti-corruption
investigations.

15. COMPLIANCE WITH THE EU AI ACT

15.1.As of the Effective Date of this Agreement, Company
does not use or incorporate artificial intelligence
(“AI”) systems within the meaning of Regulation
(EU) 2024/1689 (the “EU AI Act”) in the delivery of
the Services.

15.2.In the event that Company introduces AI
functionality into its products or services during the
term of this Agreement, Company shall:

15.2.1.assess and categorise the AI system in
accordance with the AI Act’s risk-based
classification framework;

15.2.2.ensure the AI functionality complies with
applicable requirements, including those
relating to transparency, human oversight,
and technical robustness;

15.2.3.notify the Customer in advance of any such
deployment that may affect the Customer’s
use of the services or processing of data
under this Agreement;

15.2.4.provide sufficient information to enable the
Customer to meet its own legal and
regulatory obligations, where applicable.

15.3.Company shall not deploy any AI system
categorised as prohibited or high-risk under the
EU AI Act in connection with the Services without
the Customer’s prior written consent. Any
additional contractual terms required to ensure
compliance regarding high-risk systems shall be
agreed in writing between the parties before such
deployment.

16. MISCELLANEOUS

16.1.If any provision of this Agreement is found to be
unenforceable or invalid, that provision will be
limited or eliminated to the minimum extent
necessary so that this Agreement will otherwise
remain in full force and effect and enforceable.

16.2.This Agreement is not assignable, transferable or
sublicensable by either party except with the other
party’s prior written consent, which shall not be
unreasonably withheld, conditioned or delayed.

16.3.This Agreement is the complete and exclusive
statement of the mutual understanding of the
parties and supersedes and cancels all previous
written and oral agreements, communications and
other understandings relating to the subject matter
of this Agreement.

16.4.Any waivers or modifications of this Agreement
must be in a writing signed by both parties, except
as otherwise provided herein.

16.5.No agency, partnership, joint venture, or
employment is created as a result of this Agreement
and neither party has any authority of any kind to
bind the other party in any respect whatsoever.

16.6.In any action or proceeding to enforce rights under
this Agreement, the prevailing party will be entitled
to recover reasonable vouched costs and reasonable
legal fees.

16.7.All notices under this Agreement will be in writing
and will be deemed to have been duly given when
received, if personally delivered; when receipt is
electronically confirmed, if transmitted by facsimile
or e-mail; the day after it is sent, if sent for next day
delivery by recognized overnight delivery service;
and upon receipt, if sent by certified or registered
mail, return receipt requested.

16.8.This Agreement shall be governed by the laws of
Ireland (without regard to its conflict of laws
provisions) and the courts of Ireland shall have
jurisdiction to hear any dispute, controversy or
claim arising out of or in connection with this
Agreement. Each party irrevocably submits to the
jurisdiction of such courts, and each party waives
any objection that it may have to the laying of the
venue of any such action or proceeding in the
manner provided in this Section.

16.9.The parties agree that the entire text of this
agreement, as well as any exhibits or schedules
hereto, shall be in the English language. Company
may provide a translation of this agreement at its
own discretion but in any such case the English
language version of this agreement shall take
precedence in all respects.

16.10. Each Party will comply with all applicable customs
and export control laws and regulations of the
European Union and of the countries in which the
parties are incorporated and/or such other country,
in the case of Customer, where Customer or its Users
use the Services, and in the case of Company, where
Company provides the Services. Each Party certifies
that it and its personnel are not subject to EU
financial sanctions and/or travel bans or any other
sanctions program, including but not limited to the
sanctions programs of the U.S.A., the European
Union, and UN Security Council.

17. DEFINITIONS

In this Agreement (including the Appendices hereto), the
following terms shall have the following meanings unless the
context obviously and manifesting requires otherwise.

“Affiliate” means, with respect to a Party, any entity that
directly, or indirectly through one or more intermediaries,
controls, or is controlled by, or is under common control
with such Party.

“Authorised Users” means Customer employees or
contractors authorised to use the Software.

“Commercial Terms” means the commercial terms agreed
between Company and Customer setting out the details and
scope of the Product and any Services to be provided by
Company to Customer from time to time, as the same may be
amended or substituted from time to time.

“Company’s Computing Environment” means the
computing infrastructure and systems used by Company to
provide the Product via a SaaS Service.

“Consultancy Services” shall mean the consultancy services
to be performed by Company for the Customer pursuant to
and described in the Statement of Work, including the
development and/or supply of the Deliverables (if any).

“Contractor” means any third party contractor of Customer
or other third party performing services for Customer,
including outsourcing suppliers.

“Customer Data” means all Proprietary Data, Personal Data,
records, files, information or content, including text, sound,
video, images and software, that is (a) input or uploaded by
Customer or its Users to or collected, received, transmitted,
processed, or stored by Customer or its Users using the SaaS
Service in connection with this Agreement.

“Customer’s Computing Environment” means Customer’s
computing environment in which Company authorizes use
of the Subscription.

“Deliverables” shall mean any deliverable item(s) such as
design, specification, graphics, ideas, know-how, techniques,
documentation, software, reports or specifications that may
be developed and/or supplied by the Company hereunder

“Documentation” means any user guides, manuals,
instructions, specifications, notes, documentation, printed
updates, “read-me” files, release notes and other materials
related to the Product (including all information included or
incorporated by reference in the applicable Commercial
Terms), its use, operation or maintenance, together with all
enhancements, modifications, derivative works, and
amendments to those documents, that Company publishes
or provides under this Agreement.

“Effective Date” means either the date on which this
Agreement is signed or, if different, the date specified as such
in the Commercial Terms.

“GDPR” means the General Data Protection Regulation (EU
Regulation 2016/679) and any applicable implementing or
supplementary legislation in any relevant jurisdiction as
amended from time to time.

“Implementation Services” means any services agreed to
be provided by Company on a pilot basis or preparatory to
the provision of the Services on a continuing basis.

“Intellectual Property Rights” shall mean all intellectual
property rights of whatever nature including but not limited
to patents, trademarks, trade names, inventions, copyrights
(including copyright in computer programs), database
rights, design rights, know-how and trade secrets, whether
registered or not, whether capable of registration and
application for any of the foregoing

“Personal Data” means Customer Data that identifies,
relates to, describes, is reasonably capable of being
associated with, or could reasonably be linked, directly or
indirectly, with a natural person.

“Personnel” means a Party or its Affiliate’s directors,
officers, employees, nonemployee workers, agents, auditors,
consultants, contractors, subcontractors and any other
person performing services on behalf of such Party (but
excludes the other Party and any of the foregoing of the
other Party).

“Product” means the computer software and any associated
data, content and/or services identified in the Commercial
Terms that Company provides or is obligated to provide as
part of a Subscription, including any patches, bug fixes,
corrections, remediation of security vulnerabilities, updates,
upgrades, modifications, enhancements, derivative works,
new releases and new versions of the foregoing that
Company provides, or is obligated to provide, as part of the
Subscription.

“SaaS Service” means access and use of the Product, or a
component of a Product, as deployed and hosted by
Company in Company’s Computing Environment, and any
software and other technology provided or made accessible
by Company in connection therewith (and not as a separate
product or service) that Customer is required or has the
option to use in order to access and use the Product.

“Services” means all services and tasks that Company
provides or is obligated to provide under this Agreement,
including without limitation the Consultancy Services,
Product, SaaS Services, Support Services, Deliverables and
any Implementation Services.

“Subcontractor” means any third party subcontractor or
other third party to whom Company delegates any of its
duties and obligations under this Agreement.

“Subscription” means a subscription purchased by
Customer and fulfilled by Company for the licensing and
provision of Product, whether deployed in Customer’s
Computing Environment and/or provided as a SaaS Service
through Company’s Computing Environment.

“Support Services” means the support and maintenance
services for the Product that Company provides, or is
obligated to provide, as described in the Commercial Terms.

“System Data” means data and data elements (other than
Customer Data) collected by the Product, SaaS Service or
Company’s Computer Environment regarding configuration,
environment, usage, performance, vulnerabilities and
security of the Product or SaaS Service that may be used to
generate logs, statistics and reports regarding performance,
availability, integrity and security of the Product or SaaS
Service.

“User” means Customer, its Affiliates and any person or
software program or computer systems authorized by
Customer or any of its Affiliates to access and use the Product
as permitted under this Agreement, including Contractors of
Customer or its Affiliates.

Annex 1 — Support & SLA Terms

Appendix 4
Support Terms

1. Introduction

This Support Service Level Agreement (“SLA”) sets out the procedure for logging queries and our response times when
providing Maintenance Services pursuant to any such Software Licence and Maintenance Agreement entered between
the parties hereto (“LMA”).

This SLA is designed to reflect our current structure and work methods, and is a means of communicating to you, our
customer, how we operate and our stated performance levels and response times in respect of the provision of
Maintenance Services to you. We undertake to meet the performance levels and response times specified herein when
providing Maintenance Services pursuant to any LMA.

This SLA is effective from the Effective Date of the agreement and shall continue for the duration of the provision of
Maintenance Services under any LMA.

Capitalized terms used in this SLA shall have the same meanings as in any LMA unless specifically stated otherwise.

2. Contacting Support

Support issues can be logged at our support desk by email at support@corefinancial.ie or through our Support Tool at
https://corefinancial.ie/support/#CoreSupport

Our Support Tool benefits to Customer include:

• Tickets are categorised by the client.
• 24/7 access.
• Customers can Track the progress of their tickets.
• Visibility of updates and know exactly who is managing the request.
• Look back on historical Tickets – self serve – same issue repeating.
• Dashboards – for reporting

The support desk operates between the hours of 9am and 5.30pm (excluding lunchtime between 1–2pm) Monday to
Friday excluding Bank and Public Holidays.

3. Service Levels

The support service framework is structured across four priority levels and three support tiers to ensure that incidents
are managed consistently and in alignment with their business impact. Priority 1 issues—representing severe outages with no workarounds—receive the highest urgency, with accelerated response and resolution targets across all tiers, including a dedicated Teams channel for immediate escalation under the Gold tier. Priority 2 incidents, which significantly affect user operations but allow partial functionality to continue, follow defined response and resolution times that ensure timely restoration of service. Priority 3 and 4 issues, representing non‑critical disruptions or cosmetic inquiries, are managed within longer timelines that reflect their limited impact on business operations. The Gold, Silver, and Bronze support tiers provide organisations with flexible levels of service responsiveness, ranging from the most rapid engagement for mission‑critical environments to more economical options aligned with lower‑risk operational needs. The table below depicts the Service Levels based on priority levels.

Annex 2 — Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement (“DPA”) governs the processing of personal data by Core Financial Systems
Limited (“Core” or “Processor”) on behalf of the Customer (“Customer” or “Controller”) as part of the
services provided under the Master Services Agreement (“Agreement”) or the General Terms and
Conditions. This DPA reflects the parties’ agreement on data protection and security, in compliance with
Article 28 of the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and other
applicable data protection laws

2. Definitions

“Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable
to the processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, and relevant
national laws.

“Customer” or “Controller” means the legal entity that determines the purposes and means of the
processing of Personal Data.

“Core” or “Processor” means Core Financial Systems Limited, acting as a processor of Personal Data on
behalf of the Customer.

“Data Subject” means an identified or identifiable natural person to whom the Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable natural person that is
processed under this Agreement.

“Special Category Data” means personal data as defined in Article 9(1) of the GDPR, including data
revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual
orientation.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise
processed.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by
automated means.

“Sub-processor” means a third party engaged by Core to process Personal Data on behalf of the Customer.

“Supervisory Authority” means an independent public authority responsible for monitoring the
application of Applicable Data Protection Law.

“Standard Contractual Clauses” or “SCCs” means the standard data protection clauses adopted by the
European Commission or the UK Government for the transfer of Personal Data to processors or controllers
established in Third Countries, pursuant to Article 46 of the GDPR.

“Third Country” means a country outside the European Economic Area (EEA) or the United Kingdom (UK)
that is not subject to an adequacy decision.

“Transfer Impact Assessment” or “TIA” means an assessment of the laws and practices of a Third Country
to determine whether Personal Data transferred there is subject to adequate protection under GDPR
standards.

“Services” means the services provided by Core to the Customer under the Agreement.

“Technical and Organisational Measures” or “TOMs” means the security measures implemented by Core
as further described in Schedule 3.

3. Scope of Processing and Allocation of Responsibilities

3.1 Roles of the Parties

The Customer is the data controller and Core is the data processor with respect to the processing of
Personal Data carried out under this DPA. The Customer determines the purposes and means of the
processing, and Core acts solely on the documented instructions of the Customer, as set out in this DPA and
the Agreement.

3.2 Scope of Processing.

This DPA applies to all processing of Personal Data carried out by Core on behalf of the Customer in the
course of delivering the Services under the Agreement. The Services may include:

(a) Cloud Services (Software-as-a-Service):
(i) Provision of access to Core’s hosted applications and modules as configured and used by the
Customer;
(ii) Functional operation of the platform, including user access, account management, and data
processing based on user activity;
(iii) Troubleshooting and incident resolution (detecting, preventing, repairing service errors);
(iv) Application updates, patching, security enhancements, and performance optimisation.

(b) Support Services:
(i) Handling support tickets and technical queries submitted by the Customer;
(ii) Investigating, reproducing, and resolving reported issues;
(iii) Diagnostic log collection and review (where authorised by the Customer);
(iv) Communicating fixes or workarounds to the Customer.

(c) Professional Services / Consultancy:
(i) Planning and configuration services;
(ii) System design, deployment, and testing;
(iii) Data import/export, mapping, and migration assistance;
(iv) Process optimisation and advisory;
(v) Post-go-live support and operational guidance.

3.3 Processing Environment

This DPA applies only to the processing of Personal Data that occurs:
(i) Within Core’s managed systems and infrastructure;
(ii) In environments controlled or accessed by Core and its authorised Sub-processors;
(iii) As required to deliver the contracted Services to the Customer.
Processing performed by the Customer independently, including data input or management within the
Customer’s own environments, is outside the scope of this DPA.

3.4 Nature and Details of Processing.

The specific categories of personal data, data subjects, and processing activities are detailed in Schedule 1
(Description of Processing) to this DPA.

4. Core’s Obligations as Processor

Core warrants and undertakes that it shall:

4.1 process Personal Data solely for the purpose of delivering the Services and only on documented
instructions from the Customer as defined in the Agreement, this DPA, or as otherwise agreed in
writing;
4.2 promptly inform the Customer if, in Core’s opinion, an instruction infringes Applicable Data
Protection Law;
4.3 ensure that persons authorised to process Personal Data are bound by confidentiality obligations
or are under appropriate statutory obligations of confidentiality;
4.4 implement and maintain appropriate Technical and Organisational Measures to protect Personal
Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or
access, as described in Schedule 3;
4.5 maintain a written record of processing activities in accordance with Article 30(2) of the GDPR
and make such records available to the Customer upon request;
4.6 assist the Customer in fulfilling its obligations under Applicable Data Protection Law, including in
relation to:
4.6.1 responding to requests from Data Subjects,
4.6.2 conducting data protection impact assessments (DPIAs),
4.6.3 consulting with Supervisory Authorities, and
4.6.4 meeting other compliance obligations under Articles 32 to 36 of the GDPR;
4.7 cooperate with the competent Supervisory Authorities, including the Data Protection
Commission or equivalent, on request and assist the Customer in responding to such inquiries or
investigations as required;
4.8 notify the Customer without undue delay upon becoming aware of a Personal Data Breach and
provide reasonable cooperation and assistance in connection with the investigation, mitigation,
and remediation of the breach;
4.9 at the choice of the Customer, delete or return all Personal Data at the end of the provision of the
Services, unless retention is required by applicable law, in which case Core shall continue to
ensure the confidentiality of the Personal Data and not actively process it;
4.10 make available to the Customer all information necessary to demonstrate compliance with this
DPA and allow for audits and inspections in accordance with Section 9 of this DPA; and
4.11 treat all Personal Data and any information derived from processing activities under this
Agreement as strictly confidential. Core shall ensure that access is limited to personnel or Sub-
processors who require such access for the performance of their duties, and who are bound by
appropriate statutory or contractual confidentiality obligations.

Where Core’s assistance to the Customer under this DPA (including but not limited to support in relation
to data subject requests, data protection impact assessments, consultations with Supervisory
Authorities, or responses to audits or investigations) requires effort or resources beyond Core’s
standard service obligations, Core may charge the Customer a reasonable fee for such additional
assistance. Such fees shall be agreed in advance in writing and shall reflect the time, expertise, and
resources required to perform the assistance in a commercially reasonable manner.

5. Customer Obligations as Controller

5.1 The Customer warrants and represents that:

5.1.1 It has obtained all necessary consents, permissions, and legal bases under Applicable Data
Protection Law to permit Core to process the Personal Data on its behalf, including to transfer
such Personal Data to Core and its authorised Sub-processors;
5.1.2 The Personal Data has been collected, processed, and transferred lawfully, fairly and in
accordance with Applicable Data Protection Law;
5.1.3 It is and will remain solely responsible for determining the purposes and means of Core’s
processing of the Personal Data;
5.1.4 It has fulfilled, and will continue to fulfil, its information obligations toward Data Subjects as
required by Articles 13 and 14 of the GDPR;
5.1.5 It has the legal authority to give the warranties and fulfil the undertakings set out in this
Agreement;
5.1.6 It is solely responsible for the accuracy, quality, and legality of the Personal Data provided to Core.

5.2 The Customer acknowledges and agrees that:
5.2.1 Core shall act solely on the documented instructions of the Customer in accordance with this DPA;
5.2.2 The Customer remains solely responsible for configuring its use of the Services to meet its legal
obligations, including its obligations relating to Data Subject rights;
5.2.3 The security measures described in Schedule 3 have been reviewed and approved by the
Customer as adequate for the types of processing and Personal Data involved.
5.2.4 The Customer shall comply with its obligations under Applicable Data Protection Law and is
responsible for ensuring that its instructions to Core are lawful. The Customer shall obtain all
necessary rights, permissions, and consents to allow Core to process Personal Data on its behalf.

6. Sub-processing

6.1 The Customer provides Core with a general authorisation to engage Sub-processors for the
performance of the Services, subject to the conditions set out in Article 28(2) and (4) of the GDPR.

6.2 A current list of authorised Sub-processors and their locations is available at:
https://corefinancial.ie/subprocessors

6.3 Core shall ensure that each Sub-processor is bound by written obligations that are substantially
similar to those set out in this DPA, including confidentiality obligations equivalent to those in Clause
4.11 of this DPA and providing sufficient guarantees to implement appropriate technical and
organisational measures.

6.4 Core shall remain fully liable to the Customer for the performance of any Sub-processor’s obligations.

6.5 Core shall inform the Customer of any intended changes to the list of Sub-processors and provide the
Customer with an opportunity to object on reasonable data protection grounds within thirty (30)
business days of such notice.

6.6 Where Core appoints a Sub-processor located in a third country outside the EEA or UK, and such
appointment involves a transfer of Personal Data, Core shall take primary responsibility for
preparing and documenting any required Transfer Impact Assessment (TIA), subject to the
Customer’s review and approval. Both parties shall cooperate in good faith to agree on a reasonable
TIA format. The Customer, as Controller, shall remain ultimately responsible for determining
whether the transfer satisfies the requirements of Applicable Data Protection Law, including whether
the TIA outcome and any supplementary measures are sufficient to permit the transfer.

6.7 Where the Customer objects to the appointment of a Sub-processor, the parties shall work together
in good faith to find a reasonable alternative. However, the Customer acknowledges that such an
objection may prevent Core from delivering the Services as agreed, and the Customer shall bear full
responsibility for any service limitations, delays, or resulting liabilities arising from its refusal to
authorise the use of that Sub-processor.

7. International Data Transfers

7.1 Core shall not transfer Personal Data outside the European Economic Area (EEA) or the United
Kingdom (UK) unless such transfer complies with Applicable Data Protection Law.

7.2 Core shall ensure that an appropriate transfer mechanism is in place, including one or more of the
following:

• An adequacy decision by the European Commission or UK Government;
• Standard Contractual Clauses (SCCs) adopted by the European Commission or UK Government;
• Binding Corporate Rules or another approved certification or code of conduct mechanism
  recognised under Applicable Data Protection Law.

7.3 Transfers to authorised Sub-processors are governed by Section 6 of this DPA. Where required, Core
shall assist the Customer in conducting a Transfer Impact Assessment (TIA) and implementing
supplementary safeguards necessary to ensure an equivalent level of protection for Personal Data
transferred to a third country.

7.4 The Customer acknowledges that it remains responsible for determining whether the use of Core’s
services and the associated international transfers comply with its internal policies and legal
obligations under Applicable Data Protection Law.

8. Personal Data Breaches

8.1 Notification obligations in the event of a Personal Data Breach are described in Section 4.8 of this
DPA.

8.2 For clarity, Core shall notify the Customer without undue delay and no later than 48 hours after
becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall cooperate in
accordance with Section 4.8.

8.3 Core shall provide the Customer with a description of the nature of the breach; the likely
consequences; the categories and approximate number of data subjects and records affected; and
measures taken or proposed to address the breach.

9. Right of Audit

9.1 Upon the reasonable request of the Customer, Core shall allow, for the purposes of audit and—where
confidentiality and contractual terms permit—access to data processing facilities, systems, files, and
documentation used for the processing of Personal Data. Such access shall be solely for the purposes
of reviewing, auditing and/or certifying Core’s compliance with the data protection obligations
under this DPA and Applicable Data Protection Law.

9.2 Such audits may be conducted by the Customer or by independent or impartial inspection agents or
auditors selected by the Customer and not reasonably objected to by Core.

9.3 The Customer shall provide at least 30 days’ prior written notice of its intention to audit. The notice
must include specific details on the scope, objectives, and categories of evidence required. The
parties shall mutually agree on audit dates and times before the audit commences.

9.4 Audits shall be conducted during Core’s normal business hours and in a manner that minimises
disruption to Core’s business operations. The Customer shall take all reasonable steps to prevent any
material business interruption.

9.5 If the audit extends beyond the agreed scope or period, reasonable additional costs may be incurred
by Core. Such costs shall be negotiated in advance and, where necessary, incorporated into a Schedule
or separate agreement.

9.6 The exercise of audit rights shall be subject to:
(a) any necessary regulatory or supervisory approvals required in the Customer’s jurisdiction;
(b) Core’s confidentiality obligations owed to other clients or third parties; and
(c) the confidentiality provisions of the Agreement, and any additional confidentiality obligations
reasonably required by Core to protect proprietary information, security protocols, or third-party
data, provided that such measures do not materially hinder or obstruct the audit.

10. Liability and Indemnity

10.1 Core shall not be liable for any claim brought by a Data Subject arising from any Processing activity
undertaken by Core in accordance with the documented instructions of the Customer, to the extent
that such instructions caused the breach.

10.2 Subject to Clause 10.1, each party (the “Indemnifying Party”) shall indemnify and keep indemnified
the other party (the “Indemnified Party”) against any direct losses, costs, claims, damages, liabilities,
or expenses (including reasonable legal fees) incurred by the Indemnified Party as a result of:
(a) any breach by the Indemnifying Party of its obligations under this Agreement or Applicable Data
Protection Law; or
(b) any monetary fine or penalty imposed on the Indemnified Party by a Supervisory Authority
arising from the Indemnifying Party’s non-compliance with this Agreement or Applicable Data
Protection Law.

10.3 Where a claim is brought against the Customer by a Data Subject in connection with Core’s
processing of Personal Data, and such processing was not in accordance with the Customer’s
documented instructions, Core shall indemnify and keep indemnified the Customer against all direct
costs, damages, and reasonable legal expenses incurred in relation to such claim.

10.4 Where a claim is brought against Core by a Data Subject and such claim arises from the Customer’s
instructions or from the Customer’s failure to comply with its obligations under Applicable Data
Protection Law, the Customer shall indemnify and keep indemnified Core against all direct costs,
damages, and reasonable legal expenses incurred in relation to such claim.

10.5 Neither party shall be liable to the other for any indirect or consequential loss, loss of profit, loss of
revenue, or loss of data, except to the extent such liability arises from:
(a) a breach of confidentiality under this Agreement;
(b) a Personal Data Breach resulting from a party’s failure to comply with its obligations under this
Agreement; or
(c) an indemnity obligation set out in this Clause 10.

11. Duration and Termination

11.1 This Data Processing Agreement shall remain in force for the duration of the Agreement between
Core and the Customer, or for as long as Core processes Personal Data on behalf of the Customer,
whichever is longer.

11.2 Upon termination or expiry of the Agreement, Core shall, at the Customer’s choice and subject to any
legal obligation to retain the data, delete or return all Personal Data processed on behalf of the
Customer, and shall certify such deletion if requested by the Customer in writing.

11.3 Core shall not retain Personal Data longer than is necessary for the performance of the Services
unless required by applicable law. In such case, Core shall continue to ensure the confidentiality and
integrity of the Personal Data and shall not process it for any other purpose.

12. Conflict and Precedence

12.1 In the event of any conflict between this Data Processing Agreement and the Agreement, the terms
of this Data Processing Agreement shall prevail solely in relation to the processing of Personal Data
and compliance with Applicable Data Protection Law.

13. Governing Law

13.1 This Data Processing Agreement shall be governed by, and construed in accordance with, the
governing law and jurisdiction provisions set out in the Agreement.

14. Variation of this Agreement

14.1 Core may update this Data Processing Agreement from time to time to reflect changes in applicable
law, regulatory guidance, or its Sub-processor arrangements. Any material changes shall be
communicated to the Customer in writing and published at: https://corefinancial.ie/dpa

14.2 Where required by Applicable Data Protection Law, the parties shall negotiate in good faith to agree
any necessary variations to ensure continued compliance.

14.3 No other variation of this Data Processing Agreement shall be effective unless made in writing and
signed by authorised representatives of both parties.

Schedule 1 – Description of Processing

Subject Matter: Provision of software and consulting services under the Agreement.
Duration: For the term of the Agreement or as otherwise agreed.
Nature and Purpose: Hosting, configuration, support, reporting, and processing activities necessary to
deliver the Services.
Categories of Data Subjects: Data Subjects may include Customer’s representatives and end-users including
employees, contractors, collaborators, business partners, and customers of Customer, depending on
Customer’s use of the Services at Customer’s election.
Categories of Personal Data: Contact information, account data, financial records, audit logs, and any data
uploaded by the Customer.
Special Category Data: The processing of Special Category Personal Data (as defined in Article 9 of the
GDPR) is not anticipated under this Agreement. Should the need to process such data arise, the Parties shall
agree in writing on the lawful basis, safeguards, and necessary amendments to this Agreement prior to any
such processing taking place.

Schedule 2 – Sub-processors and Locations

An up-to-date list of authorised Sub-processors and processing locations is available at:
https://corefinancial.ie/subprocessors

Schedule 3 – Technical and Organisational Measures (TOMs)

The minimum technical and organisational measures that must be implemented by the Data Processor
when using their own IT resources to process Personal Data:

1. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process any Personal Data have properly managed, configured and up to date firewalls in place.
2. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have properly managed and configured network monitoring and logging in place.
3. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have properly managed, configured and up to date intrusion detection and/or intrusion prevention systems in place.
4. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have strong access controls in place.
5. Appropriate levels of network, system, and physical redundancy are in place.
6. All the buildings or facilities (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to host IT systems, IT devices, servers and other critical IT equipment which are used to process Personal Data are protected by appropriate physical and environmental controls.
7. All IT devices, mobile computer devices and servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have real-time protection anti-virus, anti-malware and anti-spyware software installed and updated daily.
8. All IT systems, IT devices, mobile computer devices, servers and other critical IT equipment (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data are protected by strong unique passwords which satisfy or better the requirements of the Data Controller’s Password Policy.
9. All the mobile computer devices and removable storage devices (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have encryption enabled which encrypts any Personal Data stored at rest on the device. The encryption of the Personal Data on the device may be achieved by either full‑disk encryption, file system encryption or (as applicable) database encryption. All encryption used by the Data Processor must satisfy or better the requirements of the Data Controller’s Encryption Policy.
10. All servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have encryption enabled which encrypts any Personal Data stored at rest on the server. The encryption of the Personal Data on the server may be achieved by either full‑disk encryption, file system encryption or (as applicable) database encryption. All encryption used by the Data Processor must satisfy or better the requirements of the Data Controller’s Encryption Policy.
11. All servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data are backed up on a daily basis. Where the Data Processor backs up the Servers onto backup media, the Data Processor must ensure the following:

    11.1 The backup media is stored a sufficient distance away from the server, for example, in another building on‑site under the control of the Data Processor or off‑site in a building or facility controlled by the Data Processor or a contracted third party;

    11.2 When not in use, the backup media is protected from damage caused by fire, heat, humidity, water, and exposure to strong magnetic fields;

    11.3 The backup media is password protected by strong unique passwords which satisfy or better the requirements of the Data Controller’s Password Policy;

    11.4 The backup media is encrypted using strong encryption which satisfies or betters the requirements of the Data Controller’s Encryption Policy;

    11.5 Access to the backup media is limited to the Data Processors employees, contractors and/or (as applicable) Sub‑Processors who are involved in the backup process;

    11.6 When in transit, the backup media is protected at all times from damage, theft, interference and loss;

    11.7 The backup media is tested by the Data Processor on a regular basis;

    11.8 All old, obsolete, and damaged backup media which was used to backup Personal Data is physically destroyed.

12. All servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have logging enabled, and the server logs are monitored by the Data Processor on a regular basis.
13. All Personal Data which is sent in transit by the Data Processor is sent via secure channels (for example, VPN, Secure FTP or TLS) or encrypted email. All encryption used by the Data Processor must satisfy or better the requirements of the Data Controller’s Encryption Policy.
14. Appropriate patch management procedures are in place for managing the timely application of relevant security software updates and patches to all IT devices, mobile computer devices, servers and other critical IT equipment (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data.
15. Documented disaster recovery plans are in place which detail how the Data Processor will restore the availability of, and access to any servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data in the event of a physical or technical security breach.
16. Appropriate asset management procedures are in place which allow for the management and recording of all the Data Processors IT hardware and software assets used to process Personal Data.
17. Appropriate procedures are in place for the timely decommissioning and secure wiping or destruction (i.e. process that renders data unrecoverable) of all old, obsolete and damaged IT devices, mobile computer devices, servers, software and other critical IT equipment (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data.
18. Appropriate procedures are in place which allow the Data Processor to regularly, test, assess and evaluate the effectiveness of the technical and organisational measures they have implemented to ensure the security of Personal Data which they process on behalf of the Data Controller.
19. Appropriate separation controls are in place which provide for the separation of different customers data on the Data Processors IT hardware and software and ensure Personal Data is Processed by the Data Processor as separately as possible from the Data Processors other customer’s data.
20. Full separation (where applicable) of the Data Processors production and development / test / training environments is in place.
21. Documented IT and information security policies are in place which all the Data Processor’s employees and contractors sign up to and are expected to comply with.
22. Appropriate procedures are in place for the vetting of all new Data Processor employees and contractors who will have access to Personal Data.
23. Non-disclosure and confidentiality clauses are included in the Data Processors contracts of employment for all their employees and contractors who have access to Personal Data.
24. Where legally required to do so, the Data Processor has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR.

Annex 3 — DORA Provisions

1.1. Definitions for this Annex 3;

1.1.1. “Financial Services Customer” refers to a customer of Company who is also classified as a
“financial entity”, under DORA Article 2(1) points (a) to (t).

1.1.2. ICT Risk” refers to any reasonably identifiable circumstance in relation to the use of network
and information systems which, if materialised, may compromise the security of the Services
or of network and information systems relevant to the Services or other operations or
processes relevant to the Services by producing adverse effects in the digital or physical
environment.

1.1.3. “Regulator” refers to any European financial service regulator or national competent
authority that has the monitoring or supervisory rights specified below over Customer
and/or over Company as the provider of the Services to Customer

1.2. The Services [DORA Article 30(2)(a) & Article 30(2)(e)].

1.2.1. Company will provide Customer with the Services in accordance with the service
description and performance standards set out in the Agreement

1.3. Incident Management [DORA Article 30(2)(f)].

1.3.1. If Customer or Company confirm the existence of, or in good faith reasonably suspect there
has been, a single event or series of linked events that have an adverse impact on the
functioning or performance, or compromises the security, of any of
Customer’s or Company’s equipment, software, network, information systems, or the
availability, authenticity, integrity or confidentiality of data held or controlled
by Company, such that the provision or receipt of the Services is impacted (an “ICT
Incident”), Company shall;

1.3.2. (if Company is the party impacted by the event(s)), notify Customer of that fact without
undue delay (and no later than 24 hours of its actual confirmation of the ICT Incident or
identification in good faith of a suspected ICT Incident), together with reasonable details of
the ICT Incident and any steps required to be taken or that it is taking to mitigate the effects
of the ICT Incident, including if relevant any steps necessary to reduce the risk of any future
breach of security of that same nature

1.3.3. provide reasonable assistance to Customer (at a cost agreed between the parties) to
support Customer to recover from the ICT Incident and to comply with its obligations under
Applicable Law including with regard to notifications to the Regulator; and

1.3.4. if Company is the party impacted by the event(s)), promptly address and remediate the ICT
Incident, and mitigate its effects.

1.4. Permitted Locations [DORA Article 30(2)(b)]

1.4.1. Company will provide the Services from and will store and process Customer Data and
Confidential Information in the UK and the EEA. Company’s subcontractors and banking
partners involved in providing the Services may also transfer personal data outside of the
UK and the EEA, as set out in our Privacy Notice. Further details regarding the
service locations and storage of data are available upon request.

1.5. Termination [DORA Article 28(7) & Article 30(2)(h)].

1.5.1. Customer may terminate the Agreement:

1.5.1.1. immediately on the giving of notice to Company where Company is in breach
of Applicable Laws;

1.5.1.2. immediately on the giving of notice to Company where Company commits a material
breach of the Agreement which is incapable of remedy or, if capable of remedy, is not
remedied within thirty (30) days after written notice to Customer of the occurrence of
such event;

1.5.1.3. immediately on the giving of notice to Company where Customer identifies or
becomes aware of circumstances or events which Customer reasonably considers are
capable of altering the performance of the Services provided under the Agreement,
including material changes that affect the Services or Company;

1.5.2. immediately on the giving of notice to Company where there is evidence of weaknesses in
the ICT risk management of Company or any Subcontractor it relies on, including in respect
of the security of any Customer Data; and

1.5.3. immediately on the giving of notice to Company upon request of a Regulator or
where Customer is otherwise required to do so by Applicable Law.

1.6. Consequences of Termination [DORA Article 30(2)(d)].

1.6.1. If the Agreement is terminated or expires, or in the case of the insolvency, resolution or
discontinuation of business operations of Company, Company shall ensure that
any Regulator can access any data owned by Customer, Customer Data and Confidential
Information, and that Customer can access, retrieve, store or otherwise deal with any data
owned by Customer, Customer Data and Confidential Information.

1.7. Information Security [DORA Article 30(2)(c) and (d)].

1.7.1. Company shall ensure that its information security measures, and those of
any Subcontractor(s) it uses to provide the Services, are appropriate in order to ensure at all
times: (i) the security, availability, authenticity, integrity, confidentiality, and accuracy
of Customer Data; and (ii) that the Customer Data can be traced, recovered, disposed of or
deleted as may be requested by Customer at any time. Company shall ensure
that Customer Data can be accessed, recovered and returned to Customer as needed and in
an accessible format.

1.8. Awareness and Training [DORA Article 30(2)(i)].

1.8.1. On reasonable request from Customer, Company shall participate in Customer’s (i) ICT
security awareness programmes; (ii) digital operational resilience training; and (iii) other
similar awareness and training initiatives. Where such participation in awareness and
training initiatives is requested by Customer, Customer and Company will agree, in good
faith and acting reasonably, which of Company personnel should participate.

1.9. Regulatory Assistance [DORA Article 30(2)(g)].

1.9.1. Company shall fully cooperate with, and provide Customer with reasonable assistance in
connection with, any investigation by or dealings with any Regulators relating to the
Agreement, and/or Customer’s purchase or use of the Services. Such assistance shall
include Company:

1.9.2. directing any and all queries from a Regulator relating to the Agreement or the
Services to Customer; and

1.9.3. cooperating with and responding to any request for information, confirmations and/or
assistance including replying to questions from a Regulator within a reasonable period of
time and at the reasonable direction of and in consultation with Customer and/or
a Regulator; and

1.9.4. granting each Regulator the right to give instructions in order to (i) prevent any breach of
regulatory requirements (ii) remove any obstacles that hinder the Regulator’s audit rights
and (iii) to remove any defects that impact the integrity of any entrusted assets or the due
performance of the Services and/or financial services.

1.10. Company will further ensure that its Subcontractors fully cooperate with Customer and
Regulators as is necessary for the discharge of Customer’s legal and regulatory obligations.