Core Financial Systems — Legal Documents

This page consolidates our General Terms and Conditions, Support & SLA Terms (Annex 1), Data Processing Agreement (Annex 2), and DORA Provisions (Annex 3) for easy reference.

CORE FINANCIAL GENERAL TERMS AND CONDITIONS

1. SERVICES, SUPPORT AND FRAMEWORK AGEEMENT

1.1. Subject to the terms of this Agreement, Company will use commercially reasonable efforts to provide Customer the Services.

1.2. Subject to the terms hereof, Company will provide Customer with technical support services in accordance with the terms set forth in Annex 1.

1.3. Customer undertakes to immediately report any defects of performance with regard to the Services to Company and to provide conclusive information with regard to the experienced errors and defects. Customer undertakes reasonable efforts to assist Company in error and defect identification and correction.

1.4. This Agreement and these General Terms are intended to set out the framework of the agreed terms for any Services and the terms and conditions under which such will be provided by Company to Customer.

1.5. The first Statement of Work shall together with this Agreement form the contract between Company and Customer and each subsequent quotation or order shall merge incrementally and be included as forming a single contract.

2. RESTRICTIONS AND RESPONSIBILITIES

2.1. Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services, or modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; or remove any proprietary notices or labels.

2.2. Customer may not export or re-export the Services, or Software or anything related thereto or any direct product thereof in violation of any restrictions, laws or regulations of any applicable laws, regulations, rules or restrictions, whether of the European Union, United States of America or otherwise.

2.3. Customer represents, covenants, and warrants that Customer will use the Services only in compliance with this Agreement and Company’s standard published policies from time to time in effect (the “Policies”) and all applicable laws and regulations. In addition, Customer will not use the Services for any profane, fraudulent, misleading or other purpose and shall ensure that all advertising mediated through the Services shall be fair and accurate in all material respects. Customer hereby agrees to indemnify and hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Customer’s use of Services. Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.

2.4. The Customer shall (a) provide the Company all necessary co-operation in relation to this agreement; (b) provide all necessary access to such information as may be required by the Company; (c) allow security access information and configuration services in order to provide the Services, (d) without affecting its other obligations under this agreement, comply with all applicable laws and regulations with respect to its activities under this agreement, (e) carry out all other Customer responsibilities set out in this agreement in a timely and efficient manner (in the event of any delays in the Customer’s provision of such assistance as agreed by the parties, the Company may adjust any agreed timetable or delivery schedule as reasonably necessary) (f) ensure that its Authorised Users use the Services and the Documentation in accordance with the terms and conditions of this agreement and shall be responsible for any Authorised User’s breach of this agreement; (g) obtain and shall maintain all necessary licences, consents, and permissions necessary for the Company, its contractors and agents to perform their obligations under this agreement, including without limitation the Services; (h) ensure that its network and systems comply with the relevant specifications provided by the Company from time to time; and (i) be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to the Company’s data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the internet.

Consultancy Services

2.5. Where any Consultancy Services are to be carried out at the Customer’s premises then Customer shall, subject to compliance by Company’s personnel with Customer’s reasonable security requirements, allow Company full and complete access to the area(s) where Consultancy Services are to be performed and will provide adequate office accommodation and facilities for any Company staff working on its premises as required.

On Premises Software

2.6. With respect to any Software that is distributed or provided to Customer for use on Customer premises or devices (“On Premise Software”), Company hereby grants Customer a non-exclusive, non- transferable, non-sublicensable license to use such Software during the Term only in connection with the Services, to install and run the Software on the Customer’s own servers or systems at the specified site(s) for the Authorised Use during the Term; where “Authorised Use” means use by the specified number of Authorised Users processing within agreed limits for internal business purpose, and The licence begins on delivery and continues for the agreed Term. Ownership of the underlying software shall remain with the licensor. Title to any hardware or related physical media may transfer to Customer upon full payment, but such transfer shall not confer any rights of ownership in the software or related Intellectual Property. Company may recover such hardware or suspend licence rights where Customer is in breach of its obligations under this Agreement.

2.7. The Supplier will deliver On Premise Software in executable form along with Documentation. Installation or commissioning services will be as detailed in a Statement of Work.

2.8. The Customer will maintain accurate records of usage of On Premises Software and the Company may audit once per 12-month period with notice. Over-deployment will require the Customer to purchase additional licences and pay any underpaid fees.

2.9. The Customer is responsible for infrastructure security, backups, and business continuity for the On Premise Software and for meeting the minimum system requirements stated in the Statement of Work. On termination, the Customer must cease use and uninstall the Software.

SaaS Services

2.10. Where Customer is granted access to software hosted by Company or its licensors, such access is provided on a non-exclusive, non-transferable, subscription basis and is governed by the applicable terms herein. No ownership rights in such software or related intellectual property shall transfer to Customer. Access to the SaaS solution remains conditional upon full payment of applicable fees and ongoing compliance with this Agreement. Company reserves the right to suspend or revoke access in the event of non-payment or any breach which, if not remedied promptly after notice, would constitute a material breach, or where continued access would pose a security, compliance, or licensing risk.

2.11.As part of the registration process, Customer will identify an administrative username and password for Customer’s Company account. Company reserves the right to refuse registration of, or cancel passwords it deems inappropriate.

Resold Services

2.12. Where the Company solely acts as reseller of a Service or Software, or of constituent part thereof, then the primary responsibility for the provision and delivery of that Service or Software to the Customer shall rest with the direct supplier, and shall be supplied and delivered on their prevailing terms and conditions and their service levels and support agreements. The Company shall bear no contractual responsibility for performance of such re-sold services, save as may be specifically set out in a Statement of Work as regards consultancy or implementation services.

3. CONFIDENTIALITY; PROPRIETARY RIGHTS

3.1. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Company includes non-public information regarding features, functionality, design, implementation and performance of the Services. Proprietary Information of Customer includes non-public data provided by Customer to Company to enable the provision of the Services. The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.

3.2. Customer shall own all right, title and interest in and to Customer Data. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing.

3.3. Notwithstanding anything to the contrary, Company shall have the right to collect, analyse, store, copy and reproduce System Data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein.

3.4. If and to the extent required by applicable law, including regulatory requirements, discovery request, subpoena, court order or governmental action, the Receiving Party may disclose or produce Confidential Information but will give reasonable prior notice (and where prior notice is not permitted by applicable Law, notice will be given as soon as the Receiving Party is legally permitted) to the Disclosing Party to permit the Disclosing Party to intervene and to request protective orders or confidential treatment therefor or other appropriate remedy regarding such disclosure. Disclosure of any Confidential Information pursuant to any legal requirement will not be deemed to render it non-confidential, and the Receiving Party’s obligations with respect to Confidential Information of the Disclosing Party will not be changed or lessened by virtue of any such disclosure.

4. PAYMENT OF FEES

4.1. Customer will pay Company the then applicable fees described in the Commercial Terms or Statement of Work for the Services in accordance with the terms therein (the “Fees”). If Customer’s use of the Services exceeds the Service capacity or limits set forth in the Commercial Terms or Statement of Work or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein. Company reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Service Term or then-current renewal term, upon thirty (30) days prior notice to Customer (which may be sent by email). If Customer believes that Company has billed Customer incorrectly, Customer must contact Company no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit. Inquiries should be directed to Company’s customer support department.

4.2. Consultancy Services shall be provided by Company for a fixed daily rate as specified in the Statement of Work for each full day worked. A full day work shall consist of 0900hrs to 1730hrs.

4.3. Unless otherwise specified, Company shall invoice monthly in advance and full payment for invoices issued in any given month must be received by Company thirty (30) days after the date of the invoice. Unpaid amounts are subject to a finance charge of 2% per month on any outstanding balance, or the maximum permitted by law (whichever is lower), plus all expenses of collection and may result in immediate termination of Service on 7 days written notice.

4.4. The Fees do not include taxes or duties and are, for the avoidance of doubt, exclusive of Value Added Tax (“VAT”). All additional taxes or duties, which Company shall have to pay or collect in connection with the provision of the Services, shall be billed to and paid by Customer. This shall not apply to taxes based on Company’s income.

4.5. Customer shall be responsible for the payment of any taxes imposed by any governmental taxing authority on the amounts Customer is liable to pay to Company under this Agreement, including, but not limited to, withholding taxes of whatever nature (“Withholding Taxes”) and Customer may reduce the amount payable to Company as Fees by the amount of such Withholding Taxes. Customer agrees promptly to pay any Withholding Taxes and obtain and deliver to Company proof of payment of such Withholding Taxes together with official evidence thereof issued by the governmental authority concerned, sufficient to enable Company to support a claim for a tax credit in respect of any sum so withheld.

5. TERM AND TERMINATION

5.1. Subject to earlier termination as provided below, this Agreement is for the Initial Service Term as specified in the Commercial Terms, and shall be automatically renewed for additional periods equal to the renewal term specified in the Commercial Terms or, if no such renewal term is specified, of the same duration as the Initial Service Term (collectively, the “Term”), unless either party in writing requests termination at least thirty (30) days prior to the end of the then-current term.

5.2. This Agreement (and each order or Statement of Work hereunder) shall, unless otherwise terminated as provided in this clause 5, commence on the Effective Date and shall continue for the Initial Service Term and, thereafter, this agreement shall be automatically renewed for successive periods of 12 months (each a Renewal Period), unless: 5.2.1. either party notifies the other party of termination, in writing, at least 60 days before the end of the Initial Service Term or any Renewal Period, in which case this agreement shall terminate upon the expiry of the applicable Initial Service Term or Renewal Period; or 5.2.2. otherwise terminated in accordance with the provisions of this agreement; and the Initial Service Term together with any subsequent Renewal Periods shall constitute the Term.

5.3. Without affecting any other right or remedy available to it, either party may terminate this agreement with immediate effect by giving written notice to the other party if:

5.3.1. the other party fails to pay any amount due under this agreement on the due date for payment and remains in default not less than seven days after being notified in writing to make such payment;

5.3.2. the other party commits a material breach of any other term of this agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so;

5.3.3. the other party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business.

5.4. On termination of this agreement for any reason:

5.4.1. all unpaid charges and expenses in relation to this Agreement shall become immediately due and payable by Customer

5.4.2. all licences granted under this agreement shall immediately terminate and the Customer shall immediately cease all use of the Services and/or the Documentation;

5.4.3. each party shall return and make no further use of any equipment, property, Documentation and other items (and all copies of them) belonging to the other party;

5.4.4. the Company may destroy or otherwise dispose of any of the Customer Data in its possession unless the Company receives, no later than thirty days after the effective date of the termination of this agreement, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. The Company shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by the Company in returning or disposing of Customer Data;

5.4.5. any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced; and

5.4.6. The parties’ rights and obligations under Clauses 3, 5, 8, 9, 11 and 16 shall survive termination of this Agreement. Termination of this Agreement shall not prevent either party from pursuing any other remedies available to it, including but not limited to injunctive relief.

6. WARRANTY AND DISCLAIMER

6.1. Company shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Consultancy Services, Support Services and any Implementation Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. HOWEVER, COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND IMPLEMENTATION SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

6.2. Company warrants that (a) Customer shall have the right to possess, and use, the Deliverables in accordance with the terms of this Agreement and that possession and use shall not be disturbed by a third party except to the extent set out in this Agreement; (b) Service and Deliverables supplied by it are, at the date of delivery, virus free, (c) the Consultancy Services will be performed with reasonable skill and care consistent with generally accepted professional and technical standards and practices of the computer software services industry and where participation by Company’s personnel is necessary in the execution or performance of this Agreement, such personnel shall possess the appropriate skills, experience, training and qualifications consistent with generally accepted professional and technical standards of the computer software services industry, for any tasks assigned to them.

6.3. If any warranties or other obligations entered into by Company under this Agreement are breached or not performed (or alleged to be breached or not performed), Customer must notify Company as soon as possible. Before Customer is allowed to take further action, Customer must give Company a reasonable time to remedy the problem and (if necessary) to supply Customer with a repaired or corrected version of any relevant Deliverables or re- perform any relevant Services. This will be done without any additional charge to Customer.

7. INDEMNITY

7.1. Company shall hold Customer harmless from liability to third parties resulting from infringement by the Service of any European Union patent or any copyright or misappropriation of any trade secret, provided Company is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defence and settlement; Company will not be responsible for any settlement it does not approve in writing and Company shall not be liable under this clause if Customer acknowledges or accepts any allegation of infringement without Company’s express prior written consent. The foregoing indemnification obligations do not apply with respect to portions or components of the Service (i) not supplied by Company, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified after delivery by Company, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of the Service is not strictly in accordance with this Agreement. If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Company to be infringing, Company may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the Service.

8. LIMITATION OF LIABILITY

8.1. Except as expressly and specifically provided in this agreement:

8.1.1. the Customer assumes sole responsibility for results obtained from the use of the Services and the Documentation by the Customer, and for conclusions drawn from such use. The Company shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to the Company by the Customer in connection with the Services, or any actions taken by the Company at the Customer’s direction;

8.1.2. all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this agreement; and

8.1.3. the Services and the Documentation are provided to the Customer on an “as is” basis.

8.2. Nothing in this agreement excludes the liability of the Company:

8.2.1. for death or personal injury caused by the Company’s negligence; or 8.2.2. for fraud or fraudulent misrepresentation.

8.3. Subject to clause 8.1 and clause 8.2:

8.3.1. the Company shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this agreement; and

8.3.2. the Company’s total aggregate liability in contract tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement shall be limited to the greater of €250,000 and twice the total Fees paid for the Service during the 12 months immediately preceding the date on which the claim arose.

9. GDPR & PRIVACY

9.1. Each party shall comply with all applicable data protection and privacy laws in connection with the processing of personal data under this Agreement. This includes, where applicable, compliance with:

9.1.1. the General Data Protection Regulation (EU) 2016/679 (“GDPR”);

9.1.2. the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018; and

9.1.3. any other national or international data protection laws applicable to the processing activities carried out under this Agreement.

9.2. The parties agree that the processing of personal data in connection with the Services shall be governed by the Data Processing Agreement (“DPA”) set out in Annex 2 to this Agreement and also available on the Company website https://corefinancial.ie;

10. INSURANCE

10.1. Each Party will obtain and maintain appropriate insurance necessary for implementing and performing under this Agreement in accordance with applicable Law and in accordance with the requirements of this clause 10.

10.2. Company will at its own cost and expense, acquire and continuously maintain the following insurance coverage during the term of this Agreement and for one year after.

10.3. Commercial General Liability insurance, including all major coverage categories and on such terms as are generally available to Company on the market from time to time with limits of not less than €1,000,000 per occurrence and €10,000,000 general aggregate,

10.4. Professional Liability insurance, covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering services in connection with this Agreement on such terms as are generally available to Company on the market from time to time with a minimum limit of €5,000,000 each claim and annual aggregate; and

10.5. Cyber Liability with limit of €5,000,000 each claim and annual aggregate, providing for protection against liability for such coverages as are generally available to Company on the market from time to time.

11. DORA PROVISIONS

11.1. The European Union’s Digital Operational Resilience Regulation for the financial sector (2022/2554) (“DORA”) imposes obligations on EU-regulated entities to manage information and communication technology (ICT) risk. Annex 3 applies exclusively to customers classified as “financial entities”, as defined in DORA Article 2(1) points (a) to (t).

11.2. By providing the Services to the Customer, Company may be regarded as an ICT third-party service provider under DORA. The purpose of Annex 3 is to ensure that the contractual provisions mandated by DORA are incorporated into the agreement between Company and the Customer.

11.3. To the extent that Company provides any services that are not in scope for DORA, Annex 3 shall not apply to the provision of such services.

12. NIS 2

12.1. The parties acknowledge that Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) is being transposed into Irish law and may apply to the Client where it qualifies as an essential or important entity.

12.2. Where the Services provided by Company form part of the Customer’s network or information systems within the meaning of NIS2, Company shall:

12.2.1. implement and maintain appropriate and proportionate technical and organisational measures to manage cybersecurity risks relevant to the Services;

12.2.2. notify the Client without undue delay of any significant cybersecurity incident or event that may materially affect the Services; and

12.2.3. provide reasonable assistance to the Customer, upon request, in meeting its incident-handling or reporting obligations under applicable national law.

12.3. Company’s obligations under this clause are limited to the Services provided under this Agreement and do not extend to the Client’s wider systems, infrastructure, or statutory obligations.

12.4. Any sector-specific or additional NIS2 requirements may be addressed in a separate security or compliance addendum where required.

13. CHANGES AND VARIATIONS

13.1. Company shall make such variations to the Services, whether by way of addition, modification, or omission as may be agreed. The Parties acknowledge that changes to the scope, deliverables, timelines, pricing, technical requirements, or other aspects of the Agreement may become necessary during the Term. Any such change shall be managed in accordance with this change control procedure.

13.2. Initiating a Change. Either Party may request a change to the Agreement (a “Change Request”). All Change Requests must be submitted in writing and must include:

13.2.1. A description of the proposed change;

13.2.2. The reason for the change;

13.2.3. Impact on scope, deliverables, assumptions, dependencies or acceptance criteria;

13.2.4. Impact on project timelines or milestones;

13.2.5. Impact on Fees or charges.

13.3. Assessment of Change Request. Upon receipt of a Change Request, the receiving Party shall acknowledge it within 5 Business Days. The Company shall assess the Change Request and provide a written impact assessment (“Change Proposal”) including:

13.3.1. Technical and operational impacts;

13.3.2. Resource implications;

13.3.3. Revised Fees or pricing adjustments (if any);

13.3.4. Revised timelines; 13.3.5.Risks or prerequisites.

13.4. Approval of Change. A change becomes binding only when both Parties sign a written Change Order referencing this Agreement. Once signed, the Change Order supersedes any inconsistent provisions.

13.5. Handling Disagreements. If the Parties cannot agree on a Change Request or Change Proposal, the Agreement remains unchanged and neither Party shall be obliged to proceed with the change.

13.6. Urgent or Safety-Critical Changes. Where a change is urgently required to prevent service failure, protect data, or address a legal requirement, the Company may implement temporary measures. These shall be submitted for retrospective approval within 10 Business Days.

14. COMPLIANCE WITH ANTI-CORRUPTION LAWS

14.1. Each Party shall comply with all applicable anti- bribery and anti-corruption laws in Ireland, including the Criminal Justice (Corruption Offences) Act 2018 (the “Corruption Act”).

14.2. Neither Party, nor their employees, officers, agents, subcontractors or affiliates shall, directly or indirectly:

14.2.1. offer, promise, give, request, agree to receive or accept any gift, consideration or advantage as an inducement or reward related to any person’s office, employment, position or business;

14.2.2. engage in active or passive corruption, or active or passive trading in influence, as defined under the Corruption Act;

14.2.3. create or use any false or misleading document, or withhold information, for improper influence.

14.3. Corporate Liability and Reasonable Steps. Each Party shall maintain adequate anti-corruption procedures, training, controls and reporting mechanisms. A company may be liable if employees or agents commit corruption to obtain business unless it demonstrates all reasonable steps and due diligence were exercised.

14.4. Facilitation payments are strictly prohibited under Irish law and under this Agreement.

14.5. Gifts, Hospitality and Expenses. Any gifts, hospitality or expenses must be reasonable, proportionate, for legitimate business purposes, accurately recorded, and compliant with the Corruption Act. No gifts or hospitality may be provided to or accepted from public officials except where legally permitted.

14.6. Reporting and Cooperation. Each Party shall promptly notify the other of any breach or suspected breach of this clause or any related investigation. Each Party shall assist lawful anti-corruption investigations.

15. COMPLIANCE WITH THE EU AI ACT

15.1. As of the Effective Date of this Agreement, Company does not use or incorporate artificial intelligence (“AI”) systems within the meaning of Regulation (EU) 2024/1689 (the “EU AI Act”) in the delivery of the Services.

15.2. In the event that Company introduces AI functionality into its products or services during the term of this Agreement, Company shall:

15.2.1. assess and categorise the AI system in accordance with the AI Act’s risk-based classification framework;

15.2.2. ensure the AI functionality complies with applicable requirements, including those relating to transparency, human oversight, and technical robustness;

15.2.3. notify the Customer in advance of any such deployment that may affect the Customer’s use of the services or processing of data under this Agreement;

15.2.4. provide sufficient information to enable the Customer to meet its own legal and regulatory obligations, where applicable.

15.3. Company shall not deploy any AI system categorised as prohibited or high-risk under the EU AI Act in connection with the Services without the Customer’s prior written consent. Any additional contractual terms required to ensure compliance regarding high-risk systems shall be agreed in writing between the parties before such deployment.

16. MISCELLANEOUS

16.1. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.

16.2. This Agreement is not assignable, transferable or sublicensable by either party except with the other party’s prior written consent, which shall not be unreasonably withheld, conditioned or delayed.

16.3. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement.

16.4. Any waivers or modifications of this Agreement must be in a writing signed by both parties, except as otherwise provided herein.

16.5. No agency, partnership, joint venture, or employment is created as a result of this Agreement and neither party has any authority of any kind to bind the other party in any respect whatsoever.

16.6. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover reasonable vouched costs and reasonable legal fees.

16.7. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.

16.8. This Agreement shall be governed by the laws of Ireland (without regard to its conflict of laws provisions) and the courts of Ireland shall have jurisdiction to hear any dispute, controversy or claim arising out of or in connection with this Agreement. Each party irrevocably submits to the jurisdiction of such courts, and each party waives any objection that it may have to the laying of the venue of any such action or proceeding in the manner provided in this Section.

16.9. The parties agree that the entire text of this agreement, as well as any exhibits or schedules hereto, shall be in the English language. Company may provide a translation of this agreement at its own discretion but in any such case the English language version of this agreement shall take precedence in all respects.

16.10. Each Party will comply with all applicable customs and export control laws and regulations of the European Union and of the countries in which the parties are incorporated and/or such other country, in the case of Customer, where Customer or its Users use the Services, and in the case of Company, where Company provides the Services. Each Party certifies that it and its personnel are not subject to EU financial sanctions and/or travel bans or any other sanctions program, including but not limited to the sanctions programs of the U.S.A., the European Union, and UN Security Council.

17. DEFINITIONS

In this Agreement (including the Appendices hereto), the following terms shall have the following meanings unless the context obviously and manifesting requires otherwise.

“Affiliate” means, with respect to a Party, any entity that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with such Party.

“Authorised Users” means Customer employees or contractors authorised to use the Software.

“Commercial Terms” means the commercial terms agreed between Company and Customer setting out the details and scope of the Product and any Services to be provided by Company to Customer from time to time, as the same may be amended or substituted from time to time.

“Company’s Computing Environment” means the computing infrastructure and systems used by Company to provide the Product via a SaaS Service.

“Consultancy Services” shall mean the consultancy services to be performed by Company for the Customer pursuant to and described in the Statement of Work, including the development and/or supply of the Deliverables (if any).

“Contractor” means any third party contractor of Customer or other third party performing services for Customer, including outsourcing suppliers.

“Customer Data” means all Proprietary Data, Personal Data, records, files, information or content, including text, sound, video, images and software, that is (a) input or uploaded by Customer or its Users to or collected, received, transmitted, processed, or stored by Customer or its Users using the SaaS Service in connection with this Agreement.

“Customer’s Computing Environment” means Customer’s computing environment in which Company authorizes use of the Subscription.

“Deliverables” shall mean any deliverable item(s) such as design, specification, graphics, ideas, know-how, techniques, documentation, software, reports or specifications that may be developed and/or supplied by the Company hereunder

“Documentation” means any user guides, manuals, instructions, specifications, notes, documentation, printed updates, “read-me” files, release notes and other materials related to the Product (including all information included or incorporated by reference in the applicable Commercial Terms), its use, operation or maintenance, together with all enhancements, modifications, derivative works, and amendments to those documents, that Company publishes or provides under this Agreement.

“Effective Date” means either the date on which this Agreement is signed or, if different, the date specified as such in the Commercial Terms.

“GDPR” means the General Data Protection Regulation (EU Regulation 2016/679) and any applicable implementing or supplementary legislation in any relevant jurisdiction as amended from time to time.

“Implementation Services” means any services agreed to be provided by Company on a pilot basis or preparatory to the provision of the Services on a continuing basis.

“Intellectual Property Rights” shall mean all intellectual property rights of whatever nature including but not limited to patents, trademarks, trade names, inventions, copyrights (including copyright in computer programs), database rights, design rights, know-how and trade secrets, whether registered or not, whether capable of registration and application for any of the foregoing.

“Personal Data” means Customer Data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a natural person.

“Personnel” means a Party or its Affiliate’s directors, officers, employees, nonemployee workers, agents, auditors, consultants, contractors, subcontractors and any other person performing services on behalf of such Party (but excludes the other Party and any of the foregoing of the other Party).

“Product” means the computer software and any associated data, content and/or services identified in the Commercial Terms that Company provides or is obligated to provide as part of a Subscription, including any patches, bug fixes, corrections, remediation of security vulnerabilities, updates, upgrades, modifications, enhancements, derivative works, new releases and new versions of the foregoing that Company provides, or is obligated to provide, as part of the Subscription.

“SaaS Service” means access and use of the Product, or a component of a Product, as deployed and hosted by Company in Company’s Computing Environment, and any software and other technology provided or made accessible by Company in connection therewith (and not as a separate product or service) that Customer is required or has the option to use in order to access and use the Product.

“Services” means all services and tasks that Company provides or is obligated to provide under this Agreement, including without limitation the Consultancy Services, Product, SaaS Services, Support Services, Deliverables and any Implementation Services.

“Subcontractor” means any third party subcontractor or other third party to whom Company delegates any of its duties and obligations under this Agreement.

“Subscription” means a subscription purchased by Customer and fulfilled by Company for the licensing and provision of Product, whether deployed in Customer’s Computing Environment and/or provided as a SaaS Service through Company’s Computing Environment.

“Support Services” means the support and maintenance services for the Product that Company provides, or is obligated to provide, as described in the Commercial Terms.

“System Data” means data and data elements (other than Customer Data) collected by the Product, SaaS Service or Company’s Computer Environment regarding configuration, environment, usage, performance, vulnerabilities and security of the Product or SaaS Service that may be used to generate logs, statistics and reports regarding performance, availability, integrity and security of the Product or SaaS Service.

“User” means Customer, its Affiliates and any person or software program or computer systems authorized by Customer or any of its Affiliates to access and use the Product as permitted under this Agreement, including Contractors of Customer or its Affiliates.

Annex 1 — Support & SLA Terms

Appendix 4 Support Terms

1. Introduction

This Support Service Level Agreement (“SLA”) sets out the procedure for logging queries and our response times when providing Maintenance Services pursuant to any such Software Licence and Maintenance Agreement entered between the parties hereto (“LMA”). This SLA is designed to reflect our current structure and work methods, and is a means of communicating to you, our customer, how we operate and our stated performance levels and response times in respect of the provision of Maintenance Services to you. We undertake to meet the performance levels and response times specified herein when providing Maintenance Services pursuant to any LMA. This SLA is effective from the Effective Date of the agreement and shall continue for the duration of the provision of Maintenance Services under any LMA. Capitalized terms used in this SLA shall have the same meanings as in any LMA unless specifically stated otherwise.

2. Contacting Support

Support issues can be logged at our support desk by email at support@corefinancial.ie or through our Support Tool at https://corefinancial.ie/support/#CoreSupport Our Support Tool benefits to Customer include:

• Tickets are categorised by the client.
• 24/7 access.
• Customers can Track the progress of their tickets.
• Visibility of updates and know exactly who is managing the request.
• Look back on historical Tickets – self serve – same issue repeating.
• Dashboards – for reporting

The support desk operates between the hours of 9am and 5.30pm (excluding lunchtime between 1–2pm) Monday to Friday excluding Bank and Public Holidays.

3. Service Levels

The support service framework is structured across four priority levels and three support tiers to ensure that incidents are managed consistently and in alignment with their business impact.

Priority 1 issues—representing severe outages with no workarounds—receive the highest urgency, with accelerated response and resolution targets across all tiers, including a dedicated Teams channel for immediate escalation under the Gold tier.

Priority 2 incidents, which significantly affect user operations but allow partial functionality to continue, follow defined response and resolution times that ensure timely restoration of service.

Priority 3 and 4 issues, representing non‑critical disruptions or cosmetic inquiries, are managed within longer timelines that reflect their limited impact on business operations.

The Gold, Silver, and Bronze support tiers provide organisations with flexible levels of service responsiveness, ranging from the most rapid engagement for mission‑critical environments to more economical options aligned with lower‑risk operational needs. The table below depicts the Service Levels based on priority levels.

Annex 2 — Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement (“DPA”) governs the processing of personal data by Core Financial Systems Limited (“Core” or “Processor”) on behalf of the Customer (“Customer” or “Controller”) as part of the services provided under the Master Services Agreement (“Agreement”) or the General Terms and Conditions. This DPA reflects the parties’ agreement on data protection and security, in compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and other applicable data protection laws

2. Definitions

“Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, and relevant national laws.

“Customer” or “Controller” means the legal entity that determines the purposes and means of the processing of Personal Data.

“Core” or “Processor” means Core Financial Systems Limited, acting as a processor of Personal Data on behalf of the Customer.

“Data Subject” means an identified or identifiable natural person to whom the Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed under this Agreement.

“Special Category Data” means personal data as defined in Article 9(1) of the GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.

“Sub-processor” means a third party engaged by Core to process Personal Data on behalf of the Customer.

“Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Law.

“Standard Contractual Clauses” or “SCCs” means the standard data protection clauses adopted by the European Commission or the UK Government for the transfer of Personal Data to processors or controllers established in Third Countries, pursuant to Article 46 of the GDPR.

“Third Country” means a country outside the European Economic Area (EEA) or the United Kingdom (UK) that is not subject to an adequacy decision.

“Transfer Impact Assessment” or “TIA” means an assessment of the laws and practices of a Third Country to determine whether Personal Data transferred there is subject to adequate protection under GDPR standards.

“Services” means the services provided by Core to the Customer under the Agreement.

“Technical and Organisational Measures” or “TOMs” means the security measures implemented by Core as further described in Schedule 3.

3. Scope of Processing and Allocation of Responsibilities

3.1 Roles of the Parties

The Customer is the data controller and Core is the data processor with respect to the processing of Personal Data carried out under this DPA. The Customer determines the purposes and means of the processing, and Core acts solely on the documented instructions of the Customer, as set out in this DPA and the Agreement.

3.2 Scope of Processing.

This DPA applies to all processing of Personal Data carried out by Core on behalf of the Customer in the course of delivering the Services under the Agreement. The Services may include:

(a) Cloud Services (Software-as-a-Service):

(i) Provision of access to Core’s hosted applications and modules as configured and used by the Customer;

(ii) Functional operation of the platform, including user access, account management, and data processing based on user activity;

(iii) Troubleshooting and incident resolution (detecting, preventing, repairing service errors);

(iv) Application updates, patching, security enhancements, and performance optimisation.

(b) Support Services:

(i) Handling support tickets and technical queries submitted by the Customer;

(ii) Investigating, reproducing, and resolving reported issues;

(iii) Diagnostic log collection and review (where authorised by the Customer);

(iv) Communicating fixes or workarounds to the Customer.

(c) Professional Services / Consultancy:

(i) Planning and configuration services;

(ii) System design, deployment, and testing;

(iii) Data import/export, mapping, and migration assistance;

(iv) Process optimisation and advisory;

(v) Post-go-live support and operational guidance.

3.3 Processing Environment

This DPA applies only to the processing of Personal Data that occurs:

(i) Within Core’s managed systems and infrastructure;

(ii) In environments controlled or accessed by Core and its authorised Sub-processors;

(iii) As required to deliver the contracted Services to the Customer

Processing performed by the Customer independently, including data input or management within the Customer’s own environments, is outside the scope of this DPA.

3.4 Nature and Details of Processing.

The specific categories of personal data, data subjects, and processing activities are detailed in Schedule 1 (Description of Processing) to this DPA.

4. Core’s Obligations as Processor

Core warrants and undertakes that it shall:

4.1 process Personal Data solely for the purpose of delivering the Services and only on documented instructions from the Customer as defined in the Agreement, this DPA, or as otherwise agreed in writing;

4.2 promptly inform the Customer if, in Core’s opinion, an instruction infringes Applicable Data Protection Law;

4.3 ensure that persons authorised to process Personal Data are bound by confidentiality obligations or are under appropriate statutory obligations of confidentiality;

4.4 implement and maintain appropriate Technical and Organisational Measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as described in Schedule 3;

4.5 maintain a written record of processing activities in accordance with Article 30(2) of the GDPR and make such records available to the Customer upon request;

4.6 assist the Customer in fulfilling its obligations under Applicable Data Protection Law, including in relation to:

4.6.1 responding to requests from Data Subjects,

4.6.2 conducting data protection impact assessments (DPIAs),

4.6.3 consulting with Supervisory Authorities, and

4.6.4 meeting other compliance obligations under Articles 32 to 36 of the GDPR;

4.7 cooperate with the competent Supervisory Authorities, including the Data Protection Commission or equivalent, on request and assist the Customer in responding to such inquiries or investigations as required;

4.8 notify the Customer without undue delay upon becoming aware of a Personal Data Breach and provide reasonable cooperation and assistance in connection with the investigation, mitigation, and remediation of the breach;

4.9 at the choice of the Customer, delete or return all Personal Data at the end of the provision of the Services, unless retention is required by applicable law, in which case Core shall continue to ensure the confidentiality of the Personal Data and not actively process it;

4.10 make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits and inspections in accordance with Section 9 of this DPA; and

4.11 treat all Personal Data and any information derived from processing activities under this Agreement as strictly confidential. Core shall ensure that access is limited to personnel or Sub- processors who require such access for the performance of their duties, and who are bound by appropriate statutory or contractual confidentiality obligations.

Where Core’s assistance to the Customer under this DPA (including but not limited to support in relation to data subject requests, data protection impact assessments, consultations with Supervisory Authorities, or responses to audits or investigations) requires effort or resources beyond Core’s standard service obligations, Core may charge the Customer a reasonable fee for such additional assistance. Such fees shall be agreed in advance in writing and shall reflect the time, expertise, and resources required to perform the assistance in a commercially reasonable manner.

5. Customer Obligations as Controller

5.1 The Customer warrants and represents that:

5.1.1 It has obtained all necessary consents, permissions, and legal bases under Applicable Data Protection Law to permit Core to process the Personal Data on its behalf, including to transfer such Personal Data to Core and its authorised Sub-processors;

5.1.2 The Personal Data has been collected, processed, and transferred lawfully, fairly and in accordance with Applicable Data Protection Law;

5.1.3 It is and will remain solely responsible for determining the purposes and means of Core’s processing of the Personal Data;

5.1.4 It has fulfilled, and will continue to fulfil, its information obligations toward Data Subjects as required by Articles 13 and 14 of the GDPR;

5.1.5 It has the legal authority to give the warranties and fulfil the undertakings set out in this Agreement;

5.1.6 It is solely responsible for the accuracy, quality, and legality of the Personal Data provided to Core.

5.2 The Customer acknowledges and agrees that:

5.2.1 Core shall act solely on the documented instructions of the Customer in accordance with this DPA;

5.2.2 The Customer remains solely responsible for configuring its use of the Services to meet its legal obligations, including its obligations relating to Data Subject rights;

5.2.3 The security measures described in Schedule 3 have been reviewed and approved by the Customer as adequate for the types of processing and Personal Data involved.

5.2.4 The Customer shall comply with its obligations under Applicable Data Protection Law and is responsible for ensuring that its instructions to Core are lawful. The Customer shall obtain all necessary rights, permissions, and consents to allow Core to process Personal Data on its behalf.

6. Sub-processing

6.1 The Customer provides Core with a general authorisation to engage Sub-processors for the performance of the Services, subject to the conditions set out in Article 28(2) and (4) of the GDPR.

6.2 A current list of authorised Sub-processors are published below in Schedule 2.

6.3 Core shall ensure that each Sub-processor is bound by written obligations that are substantially similar to those set out in this DPA, including confidentiality obligations equivalent to those in Clause 4.11 of this DPA and providing sufficient guarantees to implement appropriate technical and organisational measures.

6.4 Core shall remain fully liable to the Customer for the performance of any Sub-processor’s obligations.

6.5 Core shall inform the Customer of any intended changes to the list of Sub-processors and provide the Customer with an opportunity to object on reasonable data protection grounds within thirty (30) business days of such notice.

6.6 Where Core appoints a Sub-processor located in a third country outside the EEA or UK, and such appointment involves a transfer of Personal Data, Core shall take primary responsibility for preparing and documenting any required Transfer Impact Assessment (TIA), subject to the Customer’s review and approval. Both parties shall cooperate in good faith to agree on a reasonable TIA format. The Customer, as Controller, shall remain ultimately responsible for determining whether the transfer satisfies the requirements of Applicable Data Protection Law, including whether the TIA outcome and any supplementary measures are sufficient to permit the transfer.

6.7 Where the Customer objects to the appointment of a Sub-processor, the parties shall work together in good faith to find a reasonable alternative. However, the Customer acknowledges that such an objection may prevent Core from delivering the Services as agreed, and the Customer shall bear full responsibility for any service limitations, delays, or resulting liabilities arising from its refusal to authorise the use of that Sub-processor.

7. International Data Transfers

7.1 Core shall not transfer Personal Data outside the European Economic Area (EEA) or the United Kingdom (UK) unless such transfer complies with Applicable Data Protection Law.

7.2 Core shall ensure that an appropriate transfer mechanism is in place, including one or more of the following:

• An adequacy decision by the European Commission or UK Government;
• Standard Contractual Clauses (SCCs) adopted by the European Commission or UK Government;
• Binding Corporate Rules or another approved certification or code of conduct mechanism recognised under Applicable Data Protection Law.

7.3 Transfers to authorised Sub-processors are governed by Section 6 of this DPA. Where required, Core shall assist the Customer in conducting a Transfer Impact Assessment (TIA) and implementing supplementary safeguards necessary to ensure an equivalent level of protection for Personal Data transferred to a third country.

7.4 The Customer acknowledges that it remains responsible for determining whether the use of Core’s services and the associated international transfers comply with its internal policies and legal obligations under Applicable Data Protection Law.

8. Personal Data Breaches

8.1 Notification obligations in the event of a Personal Data Breach are described in Section 4.8 of this DPA.

8.2 For clarity, Core shall notify the Customer without undue delay and no later than 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall cooperate in accordance with Section 4.8.

8.3 Core shall provide the Customer with a description of the nature of the breach; the likely consequences; the categories and approximate number of data subjects and records affected; and measures taken or proposed to address the breach.

9. Right of Audit

9.1 Upon the reasonable request of the Customer, Core shall allow, for the purposes of audit and—where confidentiality and contractual terms permit—access to data processing facilities, systems, files, and documentation used for the processing of Personal Data. Such access shall be solely for the purposes of reviewing, auditing and/or certifying Core’s compliance with the data protection obligations under this DPA and Applicable Data Protection Law.

9.2 Such audits may be conducted by the Customer or by independent or impartial inspection agents or auditors selected by the Customer and not reasonably objected to by Core.

9.3 The Customer shall provide at least 30 days’ prior written notice of its intention to audit. The notice must include specific details on the scope, objectives, and categories of evidence required. The parties shall mutually agree on audit dates and times before the audit commences.

9.4 Audits shall be conducted during Core’s normal business hours and in a manner that minimises disruption to Core’s business operations. The Customer shall take all reasonable steps to prevent any material business interruption.

9.5 If the audit extends beyond the agreed scope or period, reasonable additional costs may be incurred by Core. Such costs shall be negotiated in advance and, where necessary, incorporated into a Schedule or separate agreement.

9.6 The exercise of audit rights shall be subject to:

(a) any necessary regulatory or supervisory approvals required in the Customer’s jurisdiction;

(b) Core’s confidentiality obligations owed to other clients or third parties; and

(c) the confidentiality provisions of the Agreement, and any additional confidentiality obligations reasonably required by Core to protect proprietary information, security protocols, or third-party data, provided that such measures do not materially hinder or obstruct the audit.

10. Liability and Indemnity

10.1 Core shall not be liable for any claim brought by a Data Subject arising from any Processing activity undertaken by Core in accordance with the documented instructions of the Customer, to the extent that such instructions caused the breach.

10.2 Subject to Clause 10.1, each party (the “Indemnifying Party”) shall indemnify and keep indemnified the other party (the “Indemnified Party”) against any direct losses, costs, claims, damages, liabilities, or expenses (including reasonable legal fees) incurred by the Indemnified Party as a result of: (a) any breach by the Indemnifying Party of its obligations under this Agreement or Applicable Data Protection Law; or (b) any monetary fine or penalty imposed on the Indemnified Party by a Supervisory Authority arising from the Indemnifying Party’s non-compliance with this Agreement or Applicable Data Protection Law.

10.3 Where a claim is brought against the Customer by a Data Subject in connection with Core’s processing of Personal Data, and such processing was not in accordance with the Customer’s documented instructions, Core shall indemnify and keep indemnified the Customer against all direct costs, damages, and reasonable legal expenses incurred in relation to such claim.

10.4 Where a claim is brought against Core by a Data Subject and such claim arises from the Customer’s instructions or from the Customer’s failure to comply with its obligations under Applicable Data Protection Law, the Customer shall indemnify and keep indemnified Core against all direct costs, damages, and reasonable legal expenses incurred in relation to such claim.

10.5 Neither party shall be liable to the other for any indirect or consequential loss, loss of profit, loss of revenue, or loss of data, except to the extent such liability arises from: (a) a breach of confidentiality under this Agreement; (b) a Personal Data Breach resulting from a party’s failure to comply with its obligations under this Agreement; or (c) an indemnity obligation set out in this Clause 10.

11. Duration and Termination

11.1 This Data Processing Agreement shall remain in force for the duration of the Agreement between Core and the Customer, or for as long as Core processes Personal Data on behalf of the Customer, whichever is longer.

11.2 Upon termination or expiry of the Agreement, Core shall, at the Customer’s choice and subject to any legal obligation to retain the data, delete or return all Personal Data processed on behalf of the Customer, and shall certify such deletion if requested by the Customer in writing.

11.3 Core shall not retain Personal Data longer than is necessary for the performance of the Services unless required by applicable law. In such case, Core shall continue to ensure the confidentiality and integrity of the Personal Data and shall not process it for any other purpose.

12. Conflict and Precedence

12.1 In the event of any conflict between this Data Processing Agreement and the Agreement, the terms of this Data Processing Agreement shall prevail solely in relation to the processing of Personal Data and compliance with Applicable Data Protection Law.

13. Governing Law

13.1 This Data Processing Agreement shall be governed by, and construed in accordance with, the governing law and jurisdiction provisions set out in the Agreement.

14. Variation of this Agreement

14.1 Core may update this Data Processing Agreement from time to time to reflect changes in applicable law, regulatory guidance, or its Sub-processor arrangements. Any material changes shall be communicated to the Customer in writing and published in update Annex 2.

14.2 Where required by Applicable Data Protection Law, the parties shall negotiate in good faith to agree any necessary variations to ensure continued compliance.

14.3 No other variation of this Data Processing Agreement shall be effective unless made in writing and signed by authorised representatives of both parties.

Schedule 1 – Description of Processing

Subject Matter: Provision of software and consulting services under the Agreement.

Duration: For the term of the Agreement or as otherwise agreed.

Nature and Purpose: Hosting, configuration, support, reporting, and processing activities necessary to deliver the Services.

Categories of Data Subjects: Data Subjects may include Customer’s representatives and end-users including employees, contractors, collaborators, business partners, and customers of Customer, depending on Customer’s use of the Services at Customer’s election.

Categories of Personal Data: Contact information, account data, financial records, audit logs, and any data uploaded by the Customer.

Special Category Data: The processing of Special Category Personal Data (as defined in Article 9 of the GDPR) is not anticipated under this Agreement. Should the need to process such data arise, the Parties shall agree in writing on the lawful basis, safeguards, and necessary amendments to this Agreement prior to any such processing taking place.

Schedule 2 – Sub-processors and Locations

Schedule 3 – Technical and Organisational Measures (TOMs)

The minimum technical and organisational measures that must be implemented by the Data Processor when using their own IT resources to process Personal Data:

1. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process any Personal Data have properly managed, configured and up to date firewalls in place.
2. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have properly managed and configured network monitoring and logging in place.
3. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have properly managed, configured and up to date intrusion detection and/or intrusion prevention systems in place.
4. All IT Networks (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have strong access controls in place.
5. Appropriate levels of network, system, and physical redundancy are in place.
6. All the buildings or facilities (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to host IT systems, IT devices, servers and other critical IT equipment which are used to process Personal Data are protected by appropriate physical and environmental controls.
7. All IT devices, mobile computer devices and servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have real-time protection anti-virus, anti-malware and anti-spyware software installed and updated daily.
8. All IT systems, IT devices, mobile computer devices, servers and other critical IT equipment (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data are protected by strong unique passwords which satisfy or better the requirements of the Data Controller’s Password Policy.
9. All the mobile computer devices and removable storage devices (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have encryption enabled which encrypts any Personal Data stored at rest on the device. The encryption of the Personal Data on the device may be achieved by either full‑disk encryption, file system encryption or (as applicable) database encryption. All encryption used by the Data Processor must satisfy or better the requirements of the Data Controller’s Encryption Policy.
10. All servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have encryption enabled which encrypts any Personal Data stored at rest on the server. The encryption of the Personal Data on the server may be achieved by either full‑disk encryption, file system encryption or (as applicable) database encryption. All encryption used by the Data Processor must satisfy or better the requirements of the Data Controller’s Encryption Policy.
11. All servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data are backed up on a daily basis. Where the Data Processor backs up the Servers onto backup media, the Data Processor must ensure the following:11.1 The backup media is stored a sufficient distance away from the server, for example, in another building on‑site under the control of the Data Processor or off‑site in a building or facility controlled by the Data Processor or a contracted third party;11.2 When not in use, the backup media is protected from damage caused by fire, heat, humidity, water, and exposure to strong magnetic fields; 11.3 The backup media is password protected by strong unique passwords which satisfy or better the requirements of the Data Controller’s Password Policy; 11.4 The backup media is encrypted using strong encryption which satisfies or betters the requirements of the Data Controller’s Encryption Policy; 11.5 Access to the backup media is limited to the Data Processors employees, contractors and/or (as applicable) Sub‑Processors who are involved in the backup process; 11.6 When in transit, the backup media is protected at all times from damage, theft, interference and loss; 11.7 The backup media is tested by the Data Processor on a regular basis; 11.8 All old, obsolete, and damaged backup media which was used to backup Personal Data is physically destroyed.
12. All servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data have logging enabled, and the server logs are monitored by the Data Processor on a regular basis.
13. All Personal Data which is sent in transit by the Data Processor is sent via secure channels (for example, VPN, Secure FTP or TLS) or encrypted email. All encryption used by the Data Processor must satisfy or better the requirements of the Data Controller’s Encryption Policy.
14. Appropriate patch management procedures are in place for managing the timely application of relevant security software updates and patches to all IT devices, mobile computer devices, servers and other critical IT equipment (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data.
15. Documented disaster recovery plans are in place which detail how the Data Processor will restore the availability of, and access to any servers (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data in the event of a physical or technical security breach.
16. Appropriate asset management procedures are in place which allow for the management and recording of all the Data Processors IT hardware and software assets used to process Personal Data.
17. Appropriate procedures are in place for the timely decommissioning and secure wiping or destruction (i.e. process that renders data unrecoverable) of all old, obsolete and damaged IT devices, mobile computer devices, servers, software and other critical IT equipment (with the exception of those which are owned or controlled by the Data Controller) used by the Data Processor to process Personal Data.
18. Appropriate procedures are in place which allow the Data Processor to regularly, test, assess and evaluate the effectiveness of the technical and organisational measures they have implemented to ensure the security of Personal Data which they process on behalf of the Data Controller.
19. Appropriate separation controls are in place which provide for the separation of different customers data on the Data Processors IT hardware and software and ensure Personal Data is Processed by the Data Processor as separately as possible from the Data Processors other customer’s data.
20. Full separation (where applicable) of the Data Processors production and development / test / training environments is in place.
21. Documented IT and information security policies are in place which all the Data Processor’s employees and contractors sign up to and are expected to comply with.
22. Appropriate procedures are in place for the vetting of all new Data Processor employees and contractors who will have access to Personal Data.
23. Non-disclosure and confidentiality clauses are included in the Data Processors contracts of employment for all their employees and contractors who have access to Personal Data.
24. Where legally required to do so, the Data Processor has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR.

Annex 3 — DORA Provisions

1.1. Definitions for this Annex 3;

1.1.1. “Financial Services Customer” refers to a customer of Company who is also classified as a “financial entity”, under DORA Article 2(1) points (a) to (t).

1.1.2. ICT Risk” refers to any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the Services or of network and information systems relevant to the Services or other operations or processes relevant to the Services by producing adverse effects in the digital or physical environment.

1.1.3. “Regulator” refers to any European financial service regulator or national competent authority that has the monitoring or supervisory rights specified below over Customer and/or over Company as the provider of the Services to Customer

1.2. The Services [DORA Article 30(2)(a) & Article 30(2)(e)].

1.2.1. Company will provide Customer with the Services in accordance with the service description and performance standards set out in the Agreement

1.3. Incident Management [DORA Article 30(2)(f)].

1.3.1. If Customer or Company confirm the existence of, or in good faith reasonably suspect there has been, a single event or series of linked events that have an adverse impact on the functioning or performance, or compromises the security, of any of Customer’s or Company’s equipment, software, network, information systems, or the availability, authenticity, integrity or confidentiality of data held or controlled by Company, such that the provision or receipt of the Services is impacted (an “ICT Incident”), Company shall;

1.3.2. (if Company is the party impacted by the event(s)), notify Customer of that fact without undue delay (and no later than 24 hours of its actual confirmation of the ICT Incident or identification in good faith of a suspected ICT Incident), together with reasonable details of the ICT Incident and any steps required to be taken or that it is taking to mitigate the effects of the ICT Incident, including if relevant any steps necessary to reduce the risk of any future breach of security of that same nature

1.3.3. provide reasonable assistance to Customer (at a cost agreed between the parties) to support Customer to recover from the ICT Incident and to comply with its obligations under Applicable Law including with regard to notifications to the Regulator; and

1.3.4. if Company is the party impacted by the event(s)), promptly address and remediate the ICT Incident, and mitigate its effects.

1.4. Permitted Locations [DORA Article 30(2)(b)]

1.4.1. Company will provide the Services from and will store and process Customer Data and Confidential Information in the UK and the EEA. Company’s subcontractors and banking partners involved in providing the Services may also transfer personal data outside of the UK and the EEA, as set out in our Privacy Notice. Further details regarding the service locations and storage of data are available upon request.

1.5. Termination [DORA Article 28(7) & Article 30(2)(h)].

1.5.1. Customer may terminate the Agreement:

1.5.1.1. immediately on the giving of notice to Company where Company is in breach of Applicable Laws;

1.5.1.2. immediately on the giving of notice to Company where Company commits a material breach of the Agreement which is incapable of remedy or, if capable of remedy, is not remedied within thirty (30) days after written notice to Customer of the occurrence of such event;

1.5.1.3. immediately on the giving of notice to Company where Customer identifies or becomes aware of circumstances or events which Customer reasonably considers are capable of altering the performance of the Services provided under the Agreement, including material changes that affect the Services or Company;

1.5.2. immediately on the giving of notice to Company where there is evidence of weaknesses in the ICT risk management of Company or any Subcontractor it relies on, including in respect of the security of any Customer Data; and 1.5.3. immediately on the giving of notice to Company upon request of a Regulator or where Customer is otherwise required to do so by Applicable Law.

1.6. Consequences of Termination [DORA Article 30(2)(d)].

1.6.1. If the Agreement is terminated or expires, or in the case of the insolvency, resolution or discontinuation of business operations of Company, Company shall ensure that any Regulator can access any data owned by Customer, Customer Data and Confidential Information, and that Customer can access, retrieve, store or otherwise deal with any data owned by Customer, Customer Data and Confidential Information.

1.7. Information Security [DORA Article 30(2)(c) and (d)].

1.7.1. Company shall ensure that its information security measures, and those of any Subcontractor(s) it uses to provide the Services, are appropriate in order to ensure at all times: (i) the security, availability, authenticity, integrity, confidentiality, and accuracy of Customer Data; and (ii) that the Customer Data can be traced, recovered, disposed of or deleted as may be requested by Customer at any time. Company shall ensure that Customer Data can be accessed, recovered and returned to Customer as needed and in an accessible format.

1.8. Awareness and Training [DORA Article 30(2)(i)].

1.8.1. On reasonable request from Customer, Company shall participate in Customer’s (i) ICT security awareness programmes; (ii) digital operational resilience training; and (iii) other similar awareness and training initiatives. Where such participation in awareness and training initiatives is requested by Customer, Customer and Company will agree, in good faith and acting reasonably, which of Company personnel should participate.

1.9. Regulatory Assistance [DORA Article 30(2)(g)].

1.9.1. Company shall fully cooperate with, and provide Customer with reasonable assistance in connection with, any investigation by or dealings with any Regulators relating to the Agreement, and/or Customer’s purchase or use of the Services. Such assistance shall include Company:

1.9.2. directing any and all queries from a Regulator relating to the Agreement or the Services to Customer; and

1.9.3. cooperating with and responding to any request for information, confirmations and/or assistance including replying to questions from a Regulator within a reasonable period of time and at the reasonable direction of and in consultation with Customer and/or a Regulator; and

1.9.4. granting each Regulator the right to give instructions in order to (i) prevent any breach of regulatory requirements (ii) remove any obstacles that hinder the Regulator’s audit rights and (iii) to remove any defects that impact the integrity of any entrusted assets or the due performance of the Services and/or financial services.

1.10. Company will further ensure that its Subcontractors fully cooperate with Customer and Regulators as is necessary for the discharge of Customer’s legal and regulatory obligations.