Master Subscription Agreement

Last updated: February 17, 2026

1. General

These general terms and conditions with appendices, and the applicable order documents ("Order Document") or statements of work (together "Agreement") govern the provision of the saas solution and relevant services by Alfred AI AS ("Alfred") to the customer identified in the Order Document ("Customer").

Capitalized terms used in this Agreement shall have the meanings ascribed to them in the section where they first appear in bold between quotation marks.

The data processing agreement attached as appendix 1 is incorporated into this Agreement. In the event of any conflict or inconsistency between the Agreement documents, the Order Document shall prevail over these general terms and conditions and appendix 1.

2. Right to Access and Use

Alfred shall provide access to the service specified in the applicable Order Document ("Service").

Subject to the Customer's compliance with the Agreement and payment of applicable fees, Alfred grants the Customer a limited, non-exclusive, non-transferable, and non-sublicensable right to access and use the Service during the term of the Agreement.

The Service may utilise artificial intelligence or machine learning technologies ("AI Features"). Alfred shall not use Customer's Confidential Information to train or improve its general AI models without Customer's express permission. Customer acknowledges that (i) content generated by the AI Features ("AI Output") is generated by probabilistic algorithms and may be inaccurate, incomplete, generic or contain errors, (ii) AI Output is not verified by Alfred, and (iii) similar or identical AI Output may be generated for other customers. Customer is solely responsible for independently verifying all AI Output before use.

3. Support

Alfred shall provide support as specified in the Customer's subscription plan outlined in the Order Document. Alfred's customer support processes all incoming support requests from the Customer. In cases where escalation is necessary, the Customer can reach out to its dedicated contact person. To facilitate effective support, the Customer agrees to provide Alfred with reasonable access to necessary information and resources in a timely manner.

4. Professional Services and Add-on Services

Customer may purchase implementation, training, or consulting services ("Professional Services") by executing a statement of work. Professional Services are governed by the terms of this Agreement and any specific requirements outlined in the applicable statement of work.

The Customer may subscribe to additional modules or features ("Add-Ons") at any time. Such Add-Ons shall be subject to this Agreement and any specific terms provided by Alfred prior to purchase. The purchase of Add-Ons will be formalised through a new Order Document or an amendment to an existing one.

5. Service Modifications

Alfred seeks to continuously improve the Service. Alfred may modify, update, enhance, or discontinue features, functionalities, or components of the Service during the term of the Agreement. Alfred will make reasonable efforts to notify the Customer in advance of any significant changes. Modifications may include adjustments to the Service's functionality, changes to the user interface, performance improvements, or the removal of certain features. However, Alfred shall not materially reduce the core functionality of the Service provided to the Customer. The Customer will receive access to updates and improvements that Alfred makes generally available to its other customers holding the same subscription type.

6. Customer Obligations and Acceptable Use

The Customer is responsible for ensuring that all persons to whom it grants access to the Service ("Users") are informed of and agree to comply with the Agreement.

The Customer shall be fully responsible and liable for all acts, omissions, and activities of its Users, and any breach of the Agreement by a User shall be deemed a breach by the Customer.

Users shall not share their login credentials. Accounts are for named individuals and cannot be shared or used by more than one person.

The Customer undertakes not to, and undertakes to ensure that the Users do not:

1. decompile, disassemble, reverse engineer, or otherwise attempt to obtain, perceive, use, or utilise the source code or underlying algorithms from which any software component of the Service is compiled or interpreted (other than as provided by mandatory law),
2. allow third parties other than the Users to gain access to the Service, or resell, sublicense, or distribute the Service to unauthorised third parties,
3. remove, alter, disable, or obscure any copyright, trademark, confidentiality, proprietary notices, security mechanisms, usage limitations, or other labels displayed on, embedded within, or otherwise part of the Service,
4. use any parts of the Service for purposes that infringe, misappropriate, or otherwise violate the intellectual property rights, proprietary rights, privacy rights, or other rights of any individual, entity, or third party, or that violate any applicable laws and regulations,
5. upload or transmit any material that contains viruses, worms, trojan horses, malicious code, or any other harmful or disruptive computer code, scripts, agents, programs, or files intended to disrupt, damage, or gain unauthorised access to any part of the Service,
6. interfere with, disrupt, disable, damage, or compromise the integrity, security, performance, or functionality of the Service, including, but not limited to, prompt injection and prompt hacking,
7. attempt to gain unauthorised access, or
8. use the Service or any part thereof to develop, create, or offer any product or Service that competes with the Service.

If the Customer uses third-party applications or APIs in conjunction with the Service, the Customer is solely responsible for complying with the terms of such third parties. Alfred does not warrant the continued availability of integrations that depend on third-party APIs and is not liable for data once it is transmitted to a third-party service.

Customer shall not use any AI Features in a manner that exceeds reasonable usage volumes, and shall not send automated, high-volume requests such as bot-driven queries, to the Service.

Alfred reserves the right to monitor usage logs to verify compliance with this Agreement. If Alfred detects unauthorised use or usage exceeding the Customer's subscription entitlements, Alfred may invoice the Customer for such excess use at standard rates, without prejudice to other remedies.

7. Customer Data

The Customer retains all right, title, and interest in and to all data, content, and information uploaded or submitted to the Service ("Customer Data"). Alfred obtains no rights in Customer Data except for the limited licenses expressly granted in this Agreement.

Customer grants Alfred a non-exclusive, worldwide, royalty-free license to access, use, and process Customer Data solely to provide, maintain, and support the Service and Customer's use of the Service, prevent or address technical or security issues, and improve the Service. Alfred shall not sell, rent, or lease Customer Data to any third party.

Alfred may aggregate and anonymise Customer Data, among other things to create statistical analyses, benchmarks, and improved algorithms ("Aggregated Data"), provided that such data does not identify the Customer or any individual. Alfred owns all rights in such Aggregated Data.

8. Security Measures

Alfred shall maintain appropriate administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Customer Data.

Alfred reserves the right to update or modify its security measures and underlying technologies from time to time to reflect changing threats or technological advancements. However, no such update shall materially decrease the overall level of security provided to the Customer during the term of the Agreement.

9. Prices

All prices are exclusive of any applicable value-added taxes, duties, and other fees, and the Customer will be responsible for payment of all such additional amounts and any related penalties and interest.

Alfred shall be entitled to raise invoices in accordance with the Order Document. Unless otherwise specified, subscription fees are invoiced annually in advance. All fees are non-refundable except as expressly provided in the Agreement. Customer shall pay all invoices in accordance with the payment terms in the Order Document. Unless otherwise specified, Customer shall pay all invoices within 30 days of the invoice date.

Customer shall pay all amounts due under this Agreement in full without any set-off, counterclaim, deduction, or withholding. In case of late payment, interest shall be paid at a rate of 8% per annum (or the maximum rate permitted by law, whichever is lower), calculated daily from the due date until the date of payment.

Certain features, particularly those involving generative AI or large language models, may be subject to additional usage-based fees if Customer's consumption exceeds the standard allowance included in the subscription plan.

10. Term and Termination

The Agreement shall commence on the date specified in the Order Document, or at the effective date if no such date is specified, and shall continue for an initial period as stated in the Order Document, or 12 months if no such period is specified ("Initial Term"). Following the Initial Term, and unless otherwise set out in the Order Document, the Agreement shall automatically renew for successive 12 month periods ("Renewal Term"), unless either party provides written notice of non-renewal to the other party at least 60 calendar days prior to the end of the then-current term. The fees for any Renewal Term shall be at Alfred's then-current standard rates, or as otherwise agreed in the Order Document.

Either party may terminate this Agreement immediately upon written notice if the other party materially breaches this Agreement and fails to cure such breach within 30 days after receiving written notice, or becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency.

Upon termination, the Customer's right to use the Service shall immediately cease. If the Customer terminates the Agreement for Alfred's material breach, Alfred shall refund any prepaid fees covering the remainder of the term of the Agreement after the effective date of termination. In all other cases, unpaid fees for the remainder of the current term shall become immediately due and payable.

Upon termination, Alfred shall within reasonable time delete all Customer Data in its possession, except that Alfred may retain copies to the extent required by law; and in created archival backups, provided such backups are not actively accessed and remain subject to the confidentiality obligations of this Agreement.

11. Intellectual Property Rights

This Agreement does not constitute any transfer of ownership of any intellectual property rights. Alfred retains all rights, title, and interest in and to the Service, including but not limited to its design, source code, features, and all associated intellectual property. This ownership extends to improvements, enhancements, updates, modifications, training, adaptation, or derivative works related to the Service, regardless of whether such developments are created independently by Alfred, based on feedback, suggestions, or other input provided by the Customer, or requested or commissioned by the Customer as part of any customisation or configuration.

12. Confidentiality

"Confidential Information" means all information disclosed by one party ("Disclosing Party") to the other ("Receiving Party") that is marked as confidential or should reasonably be understood to be confidential given the nature of the information. This includes, without limitation, the terms and pricing of this Agreement, Customer Data, and Alfred's software, source code, and technical documentation.

The Receiving Party shall (i) hold Confidential Information in strict confidence, (ii) not disclose it to any third party except to its employees, affiliates, and contractors who have a "need to know" and are bound by confidentiality obligations no less restrictive than those herein, and (iii) use such information solely for the purpose of performing its obligations under this Agreement.

Confidential Information does not include information that (i) is or becomes public knowledge through no fault of the Receiving Party, (ii) was known to the Receiving Party prior to disclosure without restriction, (iii) is rightfully obtained from a third party without breach of any confidentiality obligation, or (iv) is independently developed by the Receiving Party without reference to the Disclosing Party's Confidential Information.

If the Receiving Party is required by law or court order to disclose Confidential Information, it shall provide the Disclosing Party with prompt written notice (where legally permitted) to allow the Disclosing Party to seek a protective order.

The obligations of confidentiality shall survive for 5 years following the termination of this Agreement.

13. Personal Data

To the extent Customer Data includes any personal data (as defined by applicable data protection laws), Alfred shall process such data in accordance with the data processing agreement attached as appendix 1.

14. Warranties and Remedies

Each party represents and warrants that it has the full power and authority to enter into this Agreement and that it shall comply with all laws and regulations applicable to the operation of its business.

Alfred warrants that the Service will perform materially in accordance with Alfred's standard documentation included in the Order Document and any professional services will be performed in a professional and workmanlike manner consistent with industry standards. Alfred shall not be responsible for defects or malfunctions caused by third-party services or components upon which the Service depends, and which are beyond Alfred's control. In such cases, Alfred will make reasonable efforts to coordinate with the third-party provider to address the issue.

If Alfred breaches the warranties or other obligations in the Agreement, Alfred shall correct the defect or re-perform the Service. If Alfred cannot reasonably remedy the breach, Customer may terminate the affected Order Document and request a refund of any prepaid, unused fees covering the remainder of the term. The Customer must notify Alfred of any warranty claim within 30 days of discovery. This remedy is Customer's sole and exclusive remedy for breach of the warranties or other obligations in the Agreement.

15. Disclaimers

Except for the express warranties set out in the Agreement, the Service is provided "as is" and "as available". To the fullest extent permitted by law, Alfred disclaims all other warranties, whether express, implied or statutory, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Alfred does not warrant that the Service will be uninterrupted or error-free.

Alfred reserves the right to perform maintenance, implement system updates, or make other changes, and will inform the Customer appropriately in advance, whenever possible.

Any use of the Service is at the Customer's own risk. Alfred does not warrant that the output provided through the Service is accurate, reliable, or correct. Users must not rely on the output from the Service as the sole source of truth, factual information, or as a substitute for professional advice. It is the Customer's responsibility to evaluate the accuracy, reliability, and appropriateness of the output for their specific use case, including conducting human review where necessary before using or sharing any output generated by the Service.

16. Limitation of Liability

TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR SPECIAL DAMAGES, INCLUDING LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF DATA, OR INTERRUPTION OF BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE FULLEST EXTENT PERMITTED BY LAW, EACH PARTY'S LIABILITY FOR DAMAGES IN ANY COMPLETE CALENDAR YEAR FOLLOWING EXECUTION OF THIS AGREEMENT WILL NOT EXCEED 100% OF THE TOTAL FEES PAID (PLUS FEES PAYABLE) TO ALFRED DURING THE IMMEDIATELY PRECEDING CALENDAR YEAR. IN RESPECT OF ANY DAMAGES BECOMING PAYABLE IN THE FIRST CALENDAR YEAR, THIS SHALL BE LIMITED TO THE TOTAL AMOUNT PAYABLE IN THE FIRST YEAR OF THE SUBSCRIPTION TERM.

THE LIMITATIONS IN THIS SECTION SHALL NOT APPLY TO LIABILITY ARISING FROM A PARTY'S FRAUD, GROSS NEGLIGENCE, OR WILFUL MISCONDUCT, CUSTOMER'S PAYMENT OBLIGATIONS, OR ANY LIABILITY THAT CANNOT BE EXCLUDED BY APPLICABLE LAW.

17. Suspension of Service

Alfred may suspend the Service if it reasonably determines that the Customer's use poses a security risk, violates applicable law, or breaches the acceptable use requirements in the Agreement. Additionally, Alfred may suspend the Service if any undisputed fee remains unpaid for more than 14 days after the due date and the Customer fails to cure the non-payment following written notice. Alfred shall not be liable for any damages arising from a suspension in accordance with this section. Access will be restored promptly once the underlying issue is resolved.

18. Indemnification

Alfred shall defend the Customer against any third-party claim alleging that the use of the Service infringes a valid intellectual property right in the EU/EEA, and shall pay any costs and damages finally awarded against the Customer (including reasonable legal fees) by a court of competent jurisdiction or agreed in settlement.

Customer shall defend Alfred against any third-party claim arising from Customer Data, the Customer's use of the Service in violation of this Agreement, or any third-party integrations used by the Customer. Customer shall pay any costs and damages finally awarded against Alfred (including reasonable legal fees) by a court of competent jurisdiction or agreed in settlement.

To receive the above, the indemnified party must (a) provide prompt written notice of the claim, (b) grant the indemnifying party sole control over the defence and settlement (provided that any settlement must unconditionally release the indemnified party), and (c) provide reasonable cooperation at the indemnifying party's expense.

If an infringement claim arises, Alfred may, at its option, (i) obtain a license for Customer's continued use, (ii) modify the Service to be non-infringing, or (iii) if neither is commercially feasible, terminate the affected subscription and refund any prepaid fees covering the remainder of the term. This section states the Customer's sole and exclusive remedy for intellectual property infringement.

This clause does not apply to intellectual property rights for which Alfred has no control, such as AI Output generated by large language models (LLMs).

19. Changes

Alfred reserves the right to amend or otherwise modify the Agreement at any time. The latest version is always accessible at app.teamalfred.ai/terms-of-service. Alfred will notify the Customer of any significant changes in an appropriate manner. Updates will take effect upon the renewal of the Customer's subscription. By continuing to use the Service, the Customer accepts the revised Agreement.

20. Force Majeure

Neither party shall be liable for any failure or delay in performance caused by events beyond its reasonable control, including natural disasters, war, terrorism, labour disputes, or internet/utility failures ("Force Majeure Event"). The affected party shall provide prompt written notice of the event. If a Force Majeure Event continues for more than 30 days, either party may terminate the affected Order Document upon written notice. This section does not excuse the Customer's obligation to pay fees for services already delivered.

21. Trial and Beta Services

Alfred may provide optional free services, beta, trials, or proof of concepts ("Free Services"). Either party may terminate Free Services at any time for any reason. Notwithstanding anything to the contrary in this Agreement, Free Services are provided 'as is' without any warranty of any kind. Alfred's aggregate liability for Free Services shall not exceed EUR 100.

22. Compliance with Laws

Alfred shall provide the Service in compliance with laws and regulations directly applicable to Alfred as a provider of information technology services in general, without regard to the Customer's specific use case. Customer is solely responsible for ensuring its use of the Service complies with all laws applicable to its specific business and industry. Customer shall not use the Service in violation of any applicable laws.

The Customer represents that it is not located in, and will not permit the Service to be accessed from, any country subject to US, EU, or other applicable trade sanctions or embargoes (including OFAC and EAR regulations). The Customer shall comply with all applicable export control laws.

23. Miscellaneous

Waiver. Alfred's failure to assert any right or provision shall not constitute a waiver of any such right or provision. No waiver shall be considered a further or continuing waiver of such term or any other term.

Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Assignment. Neither party may assign or transfer this Agreement without the prior written consent of the other party. Notwithstanding the foregoing, either party may assign this Agreement without consent to an affiliate or in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of its assets, provided the assigning party gives prompt written notice to the other party.

Subcontracting. Alfred may engage subcontractors to assist in the provision of the Service. Alfred shall remain fully responsible for the performance of its obligations under this Agreement and for the acts and omissions of its subcontractors to the same extent as if they were the acts and omissions of Alfred.

Survival. The rights and obligations in sections regarding fees, confidentiality, intellectual property, indemnification, limitation of liability, and other sections intended to survive termination shall survive the expiration or termination of this Agreement.

Entire agreement. This Agreement constitutes the entire agreement between the parties regarding its subject matter and supersedes all prior agreements, proposals, and understandings.

Amendments. Any amendment to this Agreement must be in writing and signed by authorized representatives of both parties. No terms or conditions contained in a Customer purchase order or similar document shall be binding on Alfred, and such terms are explicitly rejected.

24. Governing Law and Jurisdiction

The Agreement is governed by and construed in accordance with the laws of Norway. Any disputes shall be subject to the exclusive jurisdiction of Oslo District Court.

Contact

For questions about this Agreement:

Alfred AI AS
Org. number: 835 845 702 MVA
Grimstadgata 28, 0464 Oslo, Norway
Email: legal@teamalfred.ai

Appendix 1 - Data Processing Agreement (DPA)

1. Background and Purpose

1.1 This data processing agreement governs Alfred Ai AS (the "Processor") processing of certain personal data on behalf of the customer identified in the order document ("Controller"), each a "Party" and jointly the "Parties".

1.2 The purpose of this data processing agreement (the "DPA") is to set out the rights and obligations of the Parties concerning the Processor's processing of personal data on behalf of the Controller in order to provide Services pursuant to the service agreement entered into between the Parties (the "Agreement"). The DPA forms an integral part of the Agreement.

1.3 This DPA does not govern personal data that the Processor processes on its own behalf (as a controller), such as for bookkeeping purposes and customer relation purposes.

2. Definitions

2.1 In this DPA, the following terms shall have the meanings set out below:

• "Applicable Data Protection Law" means any applicable data protection and privacy law, including but not limited to the GDPR, or any law replacing or supplementing the GDPR, and local law implementing the GDPR.
• "EEA" means the European Economic Area.
• "GDPR" means the EU General Data Protection Regulation 2016/679.
• "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, issued by the European Commission on 4 June 2021 and/or laid down by the European Commission or a relevant supervisory authority in accordance with Article 46(2)(c) or 46(2)(d) of the GDPR.
• "Sub-processor" means another processor engaged by the Processor for the processing of personal data on behalf of the Controller.
• "Third Country" means a non-EEA country or an international organisation that is not approved by the EU Commission as having an adequate level of data protection (adequacy decision).
• Other terms shall have the meaning as given to them in the GDPR.

3. General Obligations

3.1 Each Party shall comply with its obligations under Applicable Data Protection Law.

3.2 The Controller shall ensure that the personal data is processed for specified, explicit and legitimate purposes and that the Processor does not process more personal data than required for fulfilling such purposes. The Controller is responsible for ensuring that a valid legal basis for processing exists and that the data subjects are informed about the processing covered by this DPA in accordance with Applicable Data Protection Law.

3.3 The Controller hereby instructs the Processor to process personal data for the purposes and within the scope as set out in Appendix A and otherwise in accordance with this DPA. The Processor will only process the personal data on documented instructions from the Controller, unless required to do so by EEA law to which the Processor is subject.

3.4 The Processor shall immediately inform the Controller in writing if, in its reasonable opinion, (i) an instruction from the Controller infringes Applicable Data Protection Law, or (ii) a legal requirement laid down by EEA law to which the Processor is subject requires the Processor to process personal data beyond the scope of the Controller's documented instructions, unless that law prohibits such information on important grounds of public interest (if so, the Processor shall inform the Controller as soon as permitted by law).

4. Assistance to the Controller

4.1 The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to and comply with requests for exercising the data subject's rights laid down in chapter III of the GDPR.

4.2 Taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, including the obligations of data security, personal data breach notification, data protection impact assessments and prior consultation with supervisory authorities.

4.3 The Processor shall not engage in any direct communication related to this DPA specifically with data subjects or supervisory authorities, unless approved in advance by the Controller or required by applicable law. The Processor shall forward to the Controller any request or complaint received from a data subject or a supervisory authority concerning the processing of personal data under this DPA, unless prohibited by applicable law (if so, the Processor shall inform the Controller as soon as permitted by such law).

4.4 The Controller shall pay the Processor for any assistance provided under this DPA, including this section 4, at the Processor's hourly rates.

5. Technical and Organisational Security Measures

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain throughout the term appropriate technical and organisational data security measures to protect the personal data pursuant to Article 32 of the GDPR.

5.2 The Processor shall limit the access to the personal data to its personnel on a need-to-know basis. The Processor shall ensure that the personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that the confidentiality also applies after the termination of the DPA.

6. Use of Sub-processors

6.1 The Processor has Controller's general authorisation to use Sub-processors. Upon signature of the DPA the Processor uses the Sub-processors listed in Appendix B.

6.2 If the Processor intends to make changes by adding or replacing Sub-processors (including changes in processing locations of Sub-processors), the Processor shall notify the Controller about such intended change. If the Controller does not consent to the change, the Controller must object to such change within two weeks from the Processor's notification. The Controller will be deemed to have consented to the change unless such objection is provided to the Processor within this time limit.

6.3 The Processor must ensure that materially the same data protection obligations as set out in this DPA are imposed upon any Sub-processor by a written agreement.

6.4 The Processor shall not in any way be liable for any processing carried out by the Sub-processor as a result of instructions received by the Sub-processor directly from the Controller.

7. International Data Transfers

7.1 The Processor must only transfer personal data to any Third Country after general consent from the Controller following the procedure set out in clause 6.2 of this DPA. Processor shall at all times keep an updated list of Sub-processors in Third Countries.

7.2 The Processor shall only transfer personal data to Third Countries under a legal basis for such transfer following Applicable Data Protection Law, including Chapter V of the GDPR. Upon the Controller's reasonable request, the Processor shall provide the Controller with evidence that such requirements are complied with (commercial terms may be redacted).

8. Personal Data Breaches

8.1 In the event of a personal data breach, the Processor shall without undue delay after becoming aware of it notify the Controller in writing about the breach. The notice shall contain all such information the Controller may reasonably require to enable the Controller to comply with its obligations pursuant to Article 33 and Article 34 of the GDPR, provided that the Processor possesses or may reasonably obtain such information.

9. Audits

9.1 The Processor shall maintain necessary records and make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

9.2 The Processor shall allow for and contribute to audits, including inspections, of the Processor's processing operations. The Controller may perform the audit itself or by use of a third-party auditor, subject to appropriate confidentiality undertakings. The request for audit shall be given in writing with a notice period of at least three weeks, unless otherwise is required under Applicable Data Protection Law. Audits cannot be requested more than once a year, unless the Controller has a particular reason to request additional audits on an ad-hoc basis. To the extent reasonably possible, the audits shall be conducted within ordinary working hours and without obstructing the Processor's activities.

9.3 Authorities who supervise the Controller have a right to request information from and to conduct audits of the Processor to the same extent as the Controller.

9.4 The Controller shall bear any costs related to audits initiated by the Controller or accrued in relation to audits of the Controller, including compensation to Processor for reasonable time spent by it and its employees complying with on premises audits. However, if an audit reveals material deviations from the obligations set out in this DPA caused by the Processor or any Sub-processor, the Processor's costs of the audit shall be borne by the Processor.

10. Liability

10.1 The Parties' liabilities are governed by the Agreement.

11. Term and Termination

11.1 This DPA remains in force as long as the Processor is processing personal data on behalf of the Controller under the Agreement.

11.2 If the Processor has not implemented appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR, the Controller may terminate the DPA if the Processor has not implemented such measures within two months after the Controller's notification thereof.

11.3 Upon expiry or termination, the Processor shall, at the choice of the Controller, delete or return to the Controller the personal data. If the Controller chooses deletion, the Processor shall verify to the Controller that it has done so.

11.4 Notwithstanding the foregoing, the Processor is entitled to continue storing the personal data to the extent required to comply with applicable law, or to the extent it follows from the Processor's general backup routines, provided that clause 5 continues to apply for such data, and provided that the Processor does not actively process such data.

Appendix A - Scope of the Processing

Purpose of the processing

Processing of personal data necessary to provide the Services as defined in the Agreement.

Nature of the processing

Processing of personal data as provided by the customer through the use of the Services.

Categories of personal data

• Email addresses
• First names and last names
• Job titles
• Job departments
• IP addresses
• Data communicated while using the Service; such as content you provide through our service (for example, contacts and related data), and content (e.g. files) imported to our service including through our integrations, e.g. Google Calendar, as well as any account details related to these integrations

Categories of data subjects

• Customers of the controller
• Potential customers of the controller
• Partners or suppliers of the controller
• Employees of the controller depending on their use of the platform
• Additional data subjects depending on the data that the controller provides

Appendix B - Approved Sub-processors