Exhibit 4.33
Master Services Agreement
AHI-FORM-0024 v2
This document is confidential and contains trade secrets of Advanced Human Imaging Limited. Unauthorised disclosure, duplication or use of any part of this document without the prior written consent of Advanced Human Imaging Limited is strictly prohibited.
Commercial Details
| 1. Our Details | Name and ABN | Advanced Human Imaging Limited ABN 85 602 111 115 (we, us, our) | ||
| Office Address | Unit 5, 71-73 South Perth Esplanade, South Perth WA 6151 Australia | |||
| 2. Client Details | Name and Business / Company Number | ACTIVATE HEALTH OÜ, Registration Code 16035006 (you, your) | ||
| Office Address | Valukoja 10, 11415, Tallinn, Estonia | |||
| 3. Your App | Software Product / App Details | Activate | ||
| 4. Contract Details | Master Services Agreement Number | AHI010022 | ||
| 5. AHI SDKs | Product | Components | Included? | |
| Multi-Scan iOS & Android Software Development Kits (SDKs) | ■ Body Circumference measurements ■ Face Scan measurements |
Yes
Yes | ||
| 6. Data Processing | Applicable Data Processing Agreement | Inserted from Binding Terms Sheet executed on 19 January 2022: The Parties acknowledge that Activate Health is subject to European data protection legislation, in particular, subject to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council). The Parties agree to collaborate and work together to ensure that the integration of the AHI Platform would not lead to the transfer of personal data outside the European Union to Australia. Parties agree to collaborate and work together to ensure that after the integration of the AHI Platform to Activate Health’s platform, no personal data of Activate Health’s customers will be accessible to AHI. Data Processing Agreement – specific to Activate Health OÜ - BodyScan and FaceScan, a copy of which is annexed to this Master Services Agreement. | ||
| 7. Professional Services to be provided by us | Implementation Support Services (for integration of the Licensed SDKs into Your App) | During the 60 day period from the Commencement Date, the following Implementation Support Services will be made available to you for no additional charge after initial SDK hand over meeting: (a) up to a total of 16 hours of software developer time requested by you to support and assist your development team in undertaking Product Integration; (b) up to a total of 100 Support Requests in respect of Measurement Errors.
We are not required to provide any other Implementation Services except as may be set out in an Implementation Plan. | ||
| Training Services | Yes | Up to 4 hours of internet/phone-based training on the SDKs | ||
| Software Development | No | |||
| Consulting Services | No | Days: [insert] | ||
| Support Services | Yes | Support Hours: 9:00 am – 5:00 pm AWST on Business Days | ||
| 8. Term | Commencement Date | This Agreement will commence on 24 August 2022 | ||
| Initial Term | 24 months commencing on the Commencement Date | |||
| 9. Key Contacts | Our Contact Details | Name: | Nadine Amesz or Kevin Baum | |
| Telephone: | + 61 492 021 931 / + 61 478 435 719 | |||
| Email: | Nadine.amesz@advancedhumanimaging.com or Kevin.baum@advancedhumanimaging.com | |||
| Your Project Manager | Name: | Siim Saare | ||
| Telephone: | +3725022746 | |||
| Email: | Siim.saare@activate.ee | |||
Acceptance
| |||||
By signing below, you and us each agree to (1) the Commercial Details set out above together with the attached (2) Fee Schedule; (3) Terms and Conditions; (4) Service Level Agreement; and (5) the applicable Data Processing Agreement referred to above.
| |||||
| /s/ Dr. Katherine Iscoe | /s/ Siim Saare | ||||
| Dr. Katherine Iscoe | Siim Saare | ||||
|
CEO, Advanced Human Imaging Ltd Date: 08/26/2022 |
Co-Founder and CEO, Activate Health OÜ Date: 08/24/2022 |
||||
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 2 of 27 |
Fee Schedule
| User Fees | ||||
| Fee Type | Description | |||
| User Fees | User Fees are payable based on pricing indicators in Schedule 2 – User Fees. An Active User is one that accesses the AHI technology serving functionality in Your App at any time in the relevant month.
The price per month, per user pricing is incrementally tier based, and requires you to pay the per month, per user price for the first tier, then the per month, per user price for the second tier and so on.
Inserted from Binding Terms Sheet executed on 19 January 2022: (a) The Customer will use its best endeavours to grow the subscription base for the AHI Platform in the first 18 months to 25,000 active users across the current and new user base. (b) the Customer warrants and represents that its current user base is 100 active users. | |||
| Services Fees1 | ||||
| Service | Description | Price (Excl. GST)* | Payment Terms | |
| Support Services | Incident Support as specified in the SLA. | As per the Level 2 & Level 3 Support Hourly Rates set out below for Ad Hoc Services, per staff member required, where the request type is Incident. | Payable to us on a monthly basis in arrears. | |
| Measurement Support as specified in the SLA. | $100 per Support Request where the request type is Measurement Support. | Payable to us on a monthly basis in arrears. | ||
| Consulting Services | Consulting services that we may agree to provide. | At the rates set out below under “Ad Hoc Services”. | Payable to us on a monthly basis in arrears. | |
| Training Services | Training in respect of the SDKs as specified in clause 17 of the enclosed Terms and Conditions. | Up to 4 hours of internet/phone-based training on the SDKs | Payable to us on a monthly basis in arrears. | |
| Ad Hoc Services | Time spent providing any services to you for which there is no other rate specified in this Agreement. | Service Type | Hourly Rate | Payable to us on a monthly basis in arrears. |
| Level 1 Technical Support Training | $150 | |||
| First 20 Support Requests per month for Measurement Support | No additional charge | |||
| Additional Measurement Support+ | $100 per request | |||
| Level 2 Support+ | $200 | |||
| Level 3 Support+ | $250 | |||
| Quality Assurance consultation | $190 | |||
| Senior Architect consultation | $250 | |||
| Design (UX/UI) consultation | $220 | |||
| Other | [insert] | |||
| * | All amounts are in Australian Dollars unless specified otherwise. |
| + | Only payable where a defect or error does not cause the Support Request in the Licensed SDK. |
<<The remainder of this page is intentially left blank >>
| 1 | For avoidance of doubt, all and any additional services, such as additional Support Services and Ad Hoc Services under this agreement shall be supplied by us and payable by you on the condition that you have accepted the prior Statement of Work or other fee estimate associated with such services in written form. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 3 of 27 |
Terms and Conditions
| 1. | Term |
| 1.1. | This Agreement will commence on the Commencement Date and will continue for the Initial Term (24 months), subject to earlier termination by either party in accordance with this Agreement, noted in Clause 24.3. Upon expiry of the Initial Term, this Agreement will automatically extend for subsequent consecutive periods each of equivalent length to the Initial Term (each, a Renewal Term) until and unless either party notifies the other party in writing of its intent not to renew the Agreement at least thirty (30) days prior to the expiry of the Initial Term or the then current Renewal Term (as applicable) (time being of the essence), in which case if such notice is provided the Agreement shall terminate at the end of the Initial Term or then current Renewal Term (as applicable). |
| 2. | Non-exclusive relationship |
| 2.1. | The relationship between you and us pursuant to this Agreement is non-exclusive. Nothing in this Agreement will prevent us from supplying any goods or services to any third party in our absolute discretion. |
| 3. | Priority |
| 3.1. | If any two of the following documents of this Agreement are inconsistent, they will be interpreted in the following order of precedence (highest to lowest): |
| (a) | the terms and conditions in clauses 1 - 28 of these Terms and Conditions; |
| (b) | the SLA; |
| (c) | the Commercial Details; |
| (d) | the Fee Schedule. |
| 3.2. | To the extent of any inconsistency between the provisions of the Data Processing Agreement and this Agreement, this Agreement will prevail, except where inconsistent with the Privacy Act, the GDPR or any other applicable data protection laws (collectively, “Data Protection Laws”) in which case the provisions of the relevant Data Protection Laws will prevail. |
| 4. | Change Control |
| 4.1. | If either you or we wish to change any part of this Agreement (Requesting Party), the Requesting Party shall deliver a written notice to the other party pursuant to clause 25 setting out the details of the requested change (Change Request). |
| 4.2. | If you issue a Change Request, we will, if we consider that we can accommodate the Change Request, provide you with a written proposal (Change Proposal) setting out: |
| (a) | the likely time required to implement the changes; |
| (b) | any variations to the Fees arising from the changes; and |
| (c) | any consequential variation to the Agreement required by us. | |
| 4.3. | No change to this Agreement shall be effective unless the change is implemented pursuant to this clause 4 or the change is otherwise agreed in writing by the parties. |
| 5. | Integration of the Licensed SDKs into Your App |
| 5.1. | You must carry out Product Integration as soon as reasonably practicable, but in any event no later than 20 days following the Commencement Date. |
| 5.2. | We have no obligation to provide Implementation Services except to the extent we agree to do so in a separately agreed upon Implementation Plan. |
| 5.3. | If there is an Implementation Plan: |
| (a) | we will provide the Implementation Services specified in an Implementation Plan (if any) (Implementation Services) within any timeframes for performing the Implementation Services set out therein; and |
| (b) | you will comply with your obligations under the Implementation Plan. | |
| 5.4. | Except where otherwise agreed in writing by us, all Product Integration costs shall be borne by you. |
| 5.5. | You must provide all cooperation, access to Personnel and information reasonably required by us to perform Implementation Services. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 4 of 27 |
| 5.6. | AHI will conduct a quality assurance test prior to the target go-live date (timeframe is estimated between 3-5 days) to verify that the Licensed SDKs have been properly integrated into Your App. |
| 5.7. | If Product Integration has not been completed in accordance with clause 5.1 due to your non-compliance with the Implementation Plan, the Documentation, any incompatibility or defect in or with Your App, or due to any other factor (other than our non-performance of the Integration Services) then without limiting any other provisions of this Agreement, you must promptly (and in any event, within 30 days of written request by us) do everything required to complete Product Integration. |
| 6. | Licence |
| 6.1. | Subject to clause 6.3 and your compliance with this Agreement, we hereby grant you: |
| (a) | a non-exclusive, non-assignable, non-sublicensable, non-transferable licence exercisable by and through your employees and Authorised Third Party Developers, to incorporate the Licensed SDKs into Your App for Product Integration in accordance with the Documentation and any applicable Implementation Plan; and |
| (b) | a non-exclusive, non-assignable, non-sublicensable, non-transferable worldwide licence exercisable by and through your Users, to use the Licensed SDKs in the form integrated into Your App during Product Integration, subject to the Documentation |
(collectively, the Licence).
| 6.2. | You must not use the Licensed SDKs in any way other than pursuant to the Licence. |
| 6.3. | Any parts of the Licensed SDKs that are Open Source Software are subject to the applicable Open Source Licence. All applicable Open Source Licenses and the components of the Licensed SDKs that are governed by them are documented in the AHI MultiScan SDK Open Source Licences List which is a separate document available from us upon your request. |
| 6.4. | You must not commit, permit or otherwise authorise the commission of any act that would or might invalidate or be inconsistent with our Intellectual Property Rights. |
| 6.5. | Without limiting clause 6.4, you must not and must not permit any person, including any User or Third Party Developer, to: |
| (a) | resell, on-sell, assign or transfer the Licensed SDKs or purport to do so; |
| (b) | license, sublicense, or provide others with access to, the Licensed SDKs (however, you may license your End Users to use the Licensed SDKs on a non-exclusive, non-assignable, non-transferrable, non-sublicensable, revocable basis solely for them to use the Licensed SDKs from within Your App in the usual course of operating Your App as an end user); |
| (c) | “frame”, “mirror” or serve any of the Licensed SDKs on any web server or other computer server over the internet or any other network; |
| (d) | copy, alter, modify, adapt, create derivative works from, reproduce, distribute, resell, transfer to a third party, reverse assemble, disassemble, reverse engineer, decompile, reverse compile or enhance the Licensed SDKs (except as may be expressly permitted by applicable copyright law); |
| (e) | store, transmit or distribute, or permit the storage, transmission or distribution of, any virus or Your Data or other material using any Licensed SDKs that is unlawful, harmful, threatening, defamatory, infringing, offensive or in breach of any person’s rights or Applicable Law; |
| (f) | use any Licensed SDKs in any way which is in breach of any right of any person or any Applicable Law; |
| (g) | use the Licensed SDKs or any part of them (or allow them to be used) (including any component of any graphical user interface or the look and feel of the Licensed SDKs) to develop, or contribute to the development of, any software or product competitive with the Licensed SDKs; |
| (h) | alter, remove or tamper with any trade marks, patent or copyright notices, confidentiality legend or notice, any numbers or other means of identification used on or in relation to the Licensed SDKs; |
| (i) | use the Licensed SDKs to violate all or any legal rights of any person or company or other entity in any jurisdiction; or |
| (j) | introduce malicious programs into the AHI Platform (e.g., viruses, worms, Trojan horses, e-mail bombs). |
| 6.6. | You must: |
| (a) | not permit a Third Party Developer to use the Licensed SDKs unless they are an Authorised Third Party Developer; and/or |
| (b) | ensure that your Authorised Third Party Developers only use the Licensed SDKs to incorporate the Licensed SDKs into Your App for Product Integration in accordance with the Documentation and any applicable Implementation Plan. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 5 of 27 |
| 6.7. | You acknowledge that the integrity of the Licensed SDKs is protected by technical protection measures (TPMs) to prevent Intellectual Property Rights, including copyright, in the Licensed SDKs from being misappropriated. You must not attempt in any way to remove or circumvent any TPM in the Licensed SDKs. |
| 7. | Licensed SDK versions and support |
| 7.1. | During the Term, we may release updates of the Licensed SDKs (Update). We will not charge you any fee to provide you with any Updates. |
| 7.2. | AHI will provide Support Services in respect of the Licensed SDK during the Term until such time we deem an Update is required. In the event an Update is required, you will be notified and provided a 6-month grace period to accept the Update, and upon expiry of that period you will not be able to use any previous version. |
| 7.3. | The provisions of this Agreement that apply to the Licensed SDKs will apply equally to any Updates that we provide to you. |
| 8. | The AHI Platform |
| 8.1. | We will configure the AHI Platform within the 20 Business Day period after completion of Product Integration to enable Your App to make calls to the AHI Platform via the Licensed SDKs (AHI Platform Configuration). |
| 8.2. | Following Platform Configuration we undertake to use reasonable endeavours to arrange the hosting of the AHI Platform during the Term in accordance with the Availability Target set out in the SLA. |
| 8.3. | Any failure by us to meet the Availability Target shall not constitute a breach of this Agreement. |
| 9. | Risk Inference Reference Information |
| 9.1. | Any Risk Inference Reference Information that you may obtain from the AHI Platform is general in nature and does not constitute our advice or recommendations and may be obtained from third parties. |
| 9.2. | In respect of any Risk Inference Reference Information that you or an End User may obtain from the AHI Platform and/or via the use of the Licensed SDKs, we do not represent or warrant: |
| (a) | the accuracy or correctness of such Risk Inference Reference Information; or |
| (b) | the relevance or suitability of such Risk Inference Reference Information to you, Your App or any User. |
| 9.3. | You must independently verify that any Risk Inference Reference Information that you or an End User obtains from the AHI Platform and/or use of the Licensed SDKs is accurate, correct, relevant and suitable before it is relied upon by you, your Personnel, Your App or any User. |
| 9.4. | The information provided by the AHI Platform and the Licensed SDKs does not constitute medical advice and we do not provide health diagnoses of any kind. |
| 9.5. | We do not provide, nor do we represent that we provide, any medical advice or health diagnoses. Further, we do not represent or warrant that any use of the AHI Platform or the Licensed SDKs will result in the diagnosis, detection, treatment, cure or prevention of any medical disorder, illness or condition. |
| 9.6. | You: |
| (a) | agree that you have assessed the AHI Platform and the Licensed SDKs as being suitable for your and your Users’ requirements; |
| (b) | agree that to the maximum extent permitted by Law, you use the AHI Platform and the Licensed SDKs at your sole risk; and |
| (c) | hereby irrevocably release us from and against any claims that you might otherwise have against us in connection with any: |
| (i) | Risk Inference Reference Information; and |
| (ii) | other information, |
that you, your Personnel, Your App or any End User may receive directly or indirectly from the AHI Platform, the Licensed SDKs or Your App.
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 6 of 27 |
| 9.7. | As between you and us, you are solely responsible for: |
| (a) | any healthcare or medical advice, treatment plans, suggestions, exercises and regimes that you provide or recommend to any User; |
| (b) | the accuracy, efficacy and results of any health information (including to the extent that any information from the AHI Platform and/or the SDKs constitutes health information) and advice, and for any clinical reports, health assessments, health care plans, treatment plans, clinical advice, suggestions, exercises, regimes, recommendations, services, clinical or remedial procedures, prescriptions and health services that you provide to any person (individually, a “Healthcare Service” and collectively, “Healthcare Services”), and for any claims arising in connection with any Healthcare Service that you supply or fail to supply. | |
| 9.8. | You must indemnify us in respect of any loss and/or damage that we incur in respect of any claim in connection with any Healthcare Service that you provide or fail to provide to any person. |
| 9.9. | We do not provide, or represent that we provide, any Healthcare Service and we are not a party to any contract for the provision or receipt of any Healthcare Service. Further, we do not represent or warrant that the AHI Platform and/or the Licensed SDKs or any Users’ use of any information generated or provided by them will result in the diagnosis, cure or prevention of any medical disorder or illness or that they are suitable for any End User’s specific requirements. |
| 10. | Ownership and use of Your Data |
| 10.1. | As between you and us, you own all Intellectual Property Rights in Your Data. |
| 10.2. | You license us and our suppliers on a non-exclusive, non-transferable, royalty-free basis throughout the Term to use Your Data to provide the Services to you (Data Licence). The Data Licence is irrevocable and non-terminable during the Term. |
| 10.3. | We shall not be responsible for any loss, destruction, alteration or unauthorised disclosure of any Your Data, except in relation to liability that cannot lawfully be excluded or where caused by our wilful misconduct or intentional misuse of Your Data. |
| 10.4. | You warrant and represent that: |
| (a) | Your Data and the collection, processing, storage and/or disclosure of it by us as part of the Services or as otherwise required by Applicable Law will not breach any Applicable Law or right of any person; and |
| (a) | you will ensure at all applicable times that the use, hosting, transmission, modification, processing, collection, holding and disclosure of Your Data via the Licensed SDKs or the AHI Platform does not breach any Applicable Law or any person’s rights, and that all relevant consents have been obtained by you as lawfully required for us and our personnel to collect, hold, disclose and otherwise process any Personal Data in the course of performing our obligations or exercising our rights under the Agreement or pursuant to Applicable Law. | |
| 10.5. | As between you and us, you are solely responsible for the accuracy, legality and quality of all Your Data, for any claims arising in respect of Your Data and for obtaining any permissions, consents, licences, rights and authorisations necessary for us and our suppliers to use, host, modify, hold, transmit, process, store and disclose Your Data in connection with this Agreement. |
| 10.6. | If we receive a request from any person for the provision of Personal Data in any Your Data we will forward a copy of the request to you, unless Applicable Law prohibits us from doing so, and you must provide all assistance that we require to comply with our legal obligations in connection with any such request. |
| 10.7. | You must indemnify us in respect of any loss and damage that we incur in respect of any claim that any Your Data is lost, unavailable, deleted or corrupted or that the transmission, storage, hosting, disclosure, access or use of Your Data by us or our suppliers, or the processing thereof by us or them, for the proposes of this Agreement, infringes the Intellectual Property Rights or other rights of any person or breaches any Applicable Law, except to the extend caused by our breach of this Agreement. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 7 of 27 |
| 11. | Intellectual Property Rights |
| 11.1. | Nothing in this Agreement affects the ownership of any Intellectual Property Rights owned by either party prior to the Commencement Date. |
| 11.2. | As between you and us, we own all Intellectual Property Rights in the Licensed SDKs (other than Open Source Software), the AHI Platform and the Documentation, and any updates, upgrades, new versions, and other modifications of the Licensed SDKs, AHI Platform and Documentation. You must not represent that you own the Licensed SDKs, AHI Platform or Documentation or any updates, upgrades, new versions and other modifications of the Licensed SDKs, AHI Platform and/or the Documentation. |
| 11.3. | Except as expressly stated herein, this Agreement does not grant you or any third party any rights to or in patents, copyright, database rights, trade secrets, trade names, trade marks (whether registered or unregistered), or any other Intellectual Property Rights or other rights or licences in respect of the Licensed SDKs, AHI Platform or the Documentation. |
| 11.4. | You must not directly or indirectly do anything that would or might invalidate, jeopardise, limit, interfere with or put in dispute our or our licensors’ ownership in or rights with respect to the Licensed SDKs, AHI Platform or Documentation. |
| 11.5. | You may not do or authorise the commission of any act that would or might invalidate or be inconsistent with our or our licensors’ Intellectual Property Rights in the Licensed SDKs, the AHI Platform or any Documentation. |
| 11.6. | You hereby assign to us all and any Intellectual Property rights that you may have in all and any comments in connection with the Licensed SDKs, the AHI Platform or requests for any new Licensed SDK or AHI Platform features that you or your officers, employees or agents may suggest or create (each, an Improvement Suggestion). Each Improvement Suggestion becomes our sole and exclusive property. This assignment is effective as soon as you or your officers, employees, and agents create any Improvement Suggestion or disclose an Improvement Suggestion to us including where applicable under section 197 of the Copyright Act 1968 (Cth) and in equity. You must execute and procure from your officers, employees and agents the execution of any documentation reasonably required by us to give effect to: (a) the assignment to us of all Intellectual Property Rights that they may have in any Improvement Suggestions; and (b) a waiver for us and any third parties authorised by us to exploit any Moral Rights that they may have in any Improvement Suggestions. |
| 11.7. | You must not: |
| (a) | use any of our trade marks or other marks (collectively, Marks) without our prior written consent; or |
| (b) | contest any Mark, apply for registration of any Mark or use or apply for registration of any trade mark, trade name, business name, company name or domain name that incorporates any element that is confusingly similar to any Mark. |
| 11.8. | Except as expressly provided in this Agreement, you have no rights in respect of any Marks or their associated goodwill. You hereby acknowledge that all such rights and goodwill inure for the benefit of, and are (and will remain) vested in, us. |
| 11.9. | We will indemnify you from and against any liability, loss, damage and reasonable costs arising out of any proceeding brought by any third party alleging that you are infringing that third party’s Intellectual Property Rights by using the Licensed SDKs in accordance with the Licence (IP Claim), provided that: |
| (a) | you notify us immediately upon receipt by you of notice of any IP Claim or upon you suspecting or having reasonable cause to suspect that such an IP Claim may be made; |
| (b) | you do not make any admission or settlement of any IP Claim without our prior written consent; |
| (c) | you give us sole control of the defence and any negotiations for compromise; and |
| (d) | you provide such assistance in connection with the IP Claim, as we may require. |
| 11.10. | If the Licensed SDKs becomes the subject of any IP Claim, you must permit us if, and as we consider appropriate: |
| (a) | to replace all or part of the Licensed SDKs with functionally equivalent software; |
| (b) | to modify the Licensed SDKs as necessary to avoid such claim; and/or |
| (c) | to procure a licence from the relevant complainant to allow you to continue using the Licensed SDKs for the balance of the Term. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 8 of 27 |
| 11.11. | If in the above circumstances we are unable to procure for you the right to continue using the Licensed SDKs, or to provide you with functionally equivalent non-infringing software, or to modify the Licensed SDKs, as necessary to avoid the IP Claim, this Agreement and the Licence may be terminated by us. |
| 11.12. | Notwithstanding any other provisions of this Agreement, we shall have no liability for or in connection with any IP Claim if such claim is caused by or arises out of: |
| (a) | your use of the Licensed SDKs in combination with software or hardware not supplied or approved in writing by us if such infringement could have been avoided by not combining, operating or using the Licensed SDKs with such software and/or hardware; |
| (b) | any modification of the Licensed SDKs created by any person other than us; |
| (c) | code or content in Your App or the integration of the Licensed SDKs into Your App; |
| (d) | Your Data or any other content or data used or transmitted by, you, your Personnel or any End User; |
| (e) | use of the Licensed SDKs knowingly in breach of any person’s rights; or |
| (f) | your breach of any Open Source Licence or this Agreement. |
| 11.13. | As between you and us, you, and not us, shall be solely liable for any claims made by any third party in connection with any of the matters referred to in clause 11.12 (a) – (f) and you must indemnify us from and against any liability, loss, damage and reasonable costs arising out of any of those matters. |
| 12. | Confidentiality |
| 12.1. | Each party (the first party) agrees and acknowledges that it may receive information of the other party marked as confidential or has the quality of confidential information during the Term of this Agreement (Confidential Information). |
| 12.2. | The first party agrees and acknowledges that the Confidential Information of the other party will be received and held by the first party in strict confidence and will not be disclosed by the first party, except: |
| (a) | as required to perform its obligations under this Agreement; |
| (b) | with the prior written consent of the other party; |
| (c) | as must be disclosed by Applicable Law; |
| (d) | where disclosed to its Personnel on a confidential basis; |
| (e) | as required by the rules of any stock exchange; or |
| (f) | as required by a court of competent jurisdiction, and then, only to the extent required, and provided that the first party promptly notifies the other party of such requirement of disclosure and provides full particulars to the other party of the disclosure. |
| 12.3. | The first party must use reasonable endeavours to ensure that its Personnel keep the other party’s Confidential Information that the first party provides to its Personnel confidential. |
| 12.4. | Confidential Information does not include any information: |
| (a) | that is independently developed, obtained or known by the first party, without relying on confidential information received by the first party from the other party; |
| (b) | that the first party can prove was already rightfully known by it at the time of disclosure to it as shown by contemporaneous records; |
| (c) | which is or becomes available to the first party from a third party lawfully in possession of such information and who has the lawful power to disclose such information to the first party on a non-confidential basis; or |
| (d) | that is in the public domain or becomes part of the public domain except where due to a breach of this Agreement or any breach of any obligation of confidence. |
| 12.5. | Our Confidential Information includes: |
| (a) | this Agreement; |
| (b) | all parts of the Licensed SDKs and the AHI Platform (including any designs, graphical user interface, the layout of any elements of the Licensed SDKs, the AHI Platform and the look and feel of the Licensed SDKs, the AHI Platform and any Custom Software); |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 9 of 27 |
| (c) | the Documentation; |
| (d) | all Intellectual Property Rights and any proprietary and technical data, trade secrets, patented and unpatented inventions, discoveries, works, improvements, innovations, ideas, concepts, graphs, flow charts, materials, samples, devices, models, know how, techniques, operations, dealings, processes, procedures, secret formula, computer hardware and software programs and designs, drawings, technology, machinery or equipment used or proposed to be used or developed in connection with the Licensed SDKs; |
| (e) | all advertising and marketing information and material provided by us to you; and |
| (f) | the Object Code and Source Code in the Licensed SDKs and AHI Platform, |
(collectively, AHI Confidential Information).
| 12.6. | Your Confidential Information Includes: |
| (a) | information about your Activate platform (including any designs, graphical user interface, the layout of any elements of Activate platform); |
| (b) | information concerning your business goals, business model and customers; |
| (c) | all information about your intellectual property and your proprietary and technical data, trade secrets, patented and unpatented inventions, discoveries, works, improvements, innovations, ideas, concepts, graphs, flow charts, materials, samples, devices, models, know how, techniques, operations, dealings, processes, procedures, secret formula, computer hardware and software programs and designs, drawings, technology, machinery or equipment used or proposed to be used or becoming known to AHI in connection with the performance of this Agreement. |
| 12.7. | The AHI Confidential Information is not your Confidential Information and you must not use, modify, reproduce, release, perform, display or disclose it except as is strictly necessary for you to use the Licensed SDKs in accordance with the Licence. |
| 12.8. | You agree that our business involves, among other activities, entering into transactions with third parties who license us to use their software or technology that we use to provide smartphone-based human scanning technology via the Licensed SDKs (technology licensors). You irrevocably agree and warrant that you will not, without our prior written consent, during the Term and for 3 years thereafter directly or indirectly, whether alone, with third parties or on behalf of another person or entity, in any capacity: |
| (a) | contact, solicit, accept an approach from, initiate, submit a request for products and/or services to, communicate with and/or enter into any contracts with, our technology licensors; |
| (b) | bypass us by entering into any licence or other contract with our technology licensors (whether or not introduced by us to you) for the purpose of gaining any benefit, whether such benefit is monetary or otherwise; and/or |
| (c) | attempt and/or assist, conspire with, aid, prepare or assist any third party to do anything referred to in clauses 12.8(a) and/or 12.8(b). |
| 12.9. | You must indemnify us for any loss or damage we incur as a result of your breach of clause 12.8. |
| 12.10. | You acknowledge that clause 12.8 is reasonable and necessary to protect our interests and that a breach of clause 12.8 will expose us to substantial loss and damage and that damages may be inadequate to protect our interests. We shall be entitled to seek and obtain injunctive relief or any other remedy in respect of an actual or potential breach by you of clause 12.8. You shall in good faith immediately upon our request, provide access to any documents and information necessary for us to investigate whether a breach of clause 12.8 has occurred. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 10 of 27 |
| 13. | Fees and Payment Terms |
| 13.1. | You must pay the Fees to us in accordance with the Payment Terms. |
| 13.2. | The Fees are exclusive of GST and you agree to pay to us all applicable GST that we incur in connection with this Agreement. You must pay all applicable GST, at the same time as the Fees, in accordance with the Payment Terms. |
| 13.3. | If you fail to make any payment due to us for any undisputed amounts under this Agreement by the due date for payment, then, without limiting our remedies, you shall pay interest on the overdue amount at the rate of 10% per annum (or if such rate is not permitted under Applicable Law, the highest rate of interest that may be charged under Applicable Law). Such interest shall accrue on a daily basis from the due date until actual payment of the overdue amount, whether before or after judgment and you shall pay the interest together with the overdue amount upon demand by us. |
| 13.4. | If we have not received payment of any Fees by the due date in accordance with the Payment Terms, then without prejudice to any of our other rights and remedies, we may, without liability to you, suspend the operation of the Licensed SDKs, the AHI Platform and/or all or any part of our obligations under the Agreement. |
| 14. | Fee Disputes |
| 14.1. | If you, acting reasonably, dispute an amount invoiced by us, you: |
| (a) | must pay the undisputed amount of the invoice by the due date; |
| (b) | must notify us of the dispute and the reasons for the dispute within 7 days of receipt of the invoice; and |
| (c) | may withhold payment of the disputed part of the invoice until the dispute is resolved in accordance with clause 26 (Dispute Resolution). |
| 14.2. | On resolution of the dispute in our favor, you must pay any additional amounts agreed or determined to be payable, plus interest at the rate of 10% per annum (or if such rate is not permitted under Applicable Law, the highest rate of interest that may be charged under Applicable Law), accruing daily from the date when the invoiced amount was due for payment until the date on which payment is made. |
| 14.3. | You shall pay all legal and debt collection fees, costs and disbursements incurred by us in enforcing your payment obligations under this Agreement. |
| 14.4. | You must not withhold payment of any Fees except any Fees that are disputed under clause 14.1. |
| 15. | Professional Services |
| 15.1. | We have no obligation to provide any professional services under this Agreement except as set out in the Commercial Details. |
| 16. | Support Services |
| 16.1. | We will provide the Support Services in relation to the Licensed SDKs, subject to the provisions of the Service Level Agreement. |
| 17. | Training Services |
| 17.1. | We will provide you with the allocated number of hours of online-based training set out in the Commercial Details in the use of the Licensed SDKs. |
| 17.2. | The start date of the Training Services will be determined by you and us. |
| 17.3. | If Training Services are to be provided on your premises, you will be responsible for all reasonable costs and expenses of our Personnel and all trainees in connection with travel to and attendance at the training, including with respect to accommodation, meals and transport (Expenses). You must reimburse us for all Expenses that we incur within twenty-eight (28) days of the date of any invoice we issue to you for any Expenses. |
| 18. | Software Development Services |
| 18.1. | We have no obligation to provide any software development services under this Agreement unless you and we execute a Statement of Work specifying the software development services to be provided and the software to be developed (Custom Software). |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 11 of 27 |
| 18.2. | You will pay the Fees set out in or referred to in the Statement of Work on a time and materials basis for all time spent carrying out our obligations under this clause 18. Works or services performed under a Statement of Work by us shall be payable by you on the condition that you have accepted the Statement of Work in advance in writing. |
| 18.3. | Except as otherwise agreed in a Statement of Work, we own all Intellectual Property Rights in all Custom Software. To the extent that we do not automatically own all such Intellectual Property Rights, you hereby assign all such Intellectual Property Rights to us. The assignment under this clause 18.3 includes an assignment of future copyright under section 197 of the Copyright Act 1968 (Cth) and in equity. |
| 18.4. | Any Custom Software developed will be subject to the same provisions of the Agreement that apply to Licensed SDKs except as otherwise expressly specified to the contrary in the applicable Custom Development Statement of Work. |
| 19. | Third Party Developers |
| 19.1. | Under no circumstances may you permit any Third Party Developer to access, download, or use any of the Licensed SDKs or any other product (including Your App) that uses or incorporates any of the Licensed SDKs, unless they are your Third Party Developers who have each entered into a Third Party Developer Licence Agreement. |
| 19.2. | You must: |
| (a) | cause each Third Party Developer to enter into a Third Party Developer Licence Agreement with us and provide us with the Third Party Developer Licence Agreement (in the form set out in Annexure A); and |
| (b) | wait for us to approve the Third Party Developer Licence Agreement (in our absolute discretion) and where approved by us, execute the Third Party Developer Licence Agreement, |
prior to permitting any Third Party Developer engaged by you to access, download or use any of the Licensed SDKs or Your App which uses or incorporates any of the Licensed SDKs.
| 19.3. | Following our execution of a Third Party Developer Licence Agreement that has been executed by your Third Party Developer, we will provide the fully executed copy to you, and such Third Party Developer shall only from that time be deemed to be an Authorised Third Party Developer. |
| 20. | Force Majeure Event |
| 20.1. | Each party will not be liable to the other party for any breach of this Agreement to the extent that it is caused or contributed to by a Force Majeure Event. |
| 21. | Liability |
| 21.1. | Except to the extent that such liability cannot be excluded by Applicable Law, neither party is liable to the other party for any Consequential Loss whether arising in contract, tort (including negligence) or otherwise, and whether the loss or damage is foreseeable or not. |
| 21.2. | For any loss or damage that is not otherwise excluded by the provisions of this Agreement, our liability is capped, in the aggregate, to the value of the Fees paid by you under this Agreement, and which cap is reduced to the extent that you or any Force Majeure Event caused or were responsible for such loss or damage. |
| 21.3. | You hereby indemnify us in respect of all and any loss and damage incurred by us as a result of any breach by you of your obligations under this Agreement or as a result of Your App infringing the rights of any person or breaching any Applicable Law. You warrant and represent that Your App and all use thereof by us for the purposes of this Agreement, will not infringe the rights of any person or breach any Applicable Law. |
| 21.4. | Notwithstanding any other provisions of this Agreement, a party’s liability is not limited under the Agreement with respect to: |
| (a) | liability under any indemnity specified in the Agreement; |
| (b) | liability that cannot be limited by law; or |
| (c) | liability for the party’s wilful misconduct or intentional breach of the Agreement. |
| 22. | Warranties and implied guarantees |
| 22.1. | Each party warrants that: |
| (a) | it has full capacity, authority and all necessary consents to enter into and to perform this Agreement and to grant the rights referred to in the Agreement and that the Agreement is executed by its duly authorised representative and represents a binding commitment on it; and |
| (b) | it shall comply with all Applicable Laws in the performance of its obligations under this agreement. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 12 of 27 |
| 22.2. | You warrant that your entering into and/or performance of your obligations under this Agreement does not and will not violate or conflict with or result in a breach of, or constitute a default under, or result in the imposition of, any encumbrance under the provisions of your constitution or any contract or other instrument. If any such conflict, breach or default occurs or is likely to occur: |
| (a) | you must immediately disclose full particulars of the actual and/or likely conflict, breach or default and you must indemnify us for any loss or damage that we may incur as a result thereof; and |
| (b) | we may terminate this Agreement by notice to you. |
| 22.3. | You warrant that you have made full disclosure to us of all information which would be material to our decision as to whether or not to enter into this Agreement and that the information given by or on your behalf to us to date is true, complete and accurate in all respects and none of that information is misleading whether by inclusion of misleading information or omission of material information or both. |
| 22.4. | The goods and services supplied under this Agreement may come with implied non-excludable guarantees which are regulated by the Australian Consumer Law. The extent of the implied guarantees depends on whether you are a ‘consumer’ of goods or services within the meaning of that term pursuant to the Australian Consumer Law as amended. |
| 22.5. | If the goods or services supplied by us to you are supplied to you as a ‘consumer’ of goods or services within the meaning of that term in the Australian Consumer Law as amended you will have the benefit of certain non-excludable rights and remedies in respect of the goods or services and nothing in the Agreement excludes or restricts or modifies any condition, warranty, guarantee, right or remedy which pursuant to the Competition and Consumer Act 2010 (Cth) is so conferred. However, if the goods or services are subject to a non-excludable condition, warranty, guarantee, right or remedy implied by the Australian Consumer Law and the goods or services are not ordinarily acquired for personal, domestic or household use or consumption, then pursuant to section 64A of the Australian Consumer Law, we limit our liability for breach of any such non-excludable warranty, guarantee, right or remedy implied by the Australian Consumer Law (other than a guarantee implied by sections 51, 52 or 53 of the Australian Consumer Law) or expressly given by us to you, in respect of each of the goods and services, at our option, to one or more of the following: |
| (a) | if the breach relates to goods: |
| (i) | the replacement of the goods or the supply of equivalent goods; |
| (ii) | the repair of such goods; |
| (iii) | the payment of the cost of replacing the goods or of acquiring equivalent goods; or |
| (iv) | the payment of the cost of having the goods repaired; and |
| (b) | if the breach relates to services: |
| (i) | the supplying of the services again; or |
| (ii) | the payment of the cost of having the services supplied again. |
| 22.6. | Other than with respect to any non-excludable guarantees implied into this Agreement under the Australian Consumer Law, to the maximum extent permitted by law (and if permitted by law): |
| (a) | all conditions, warranties and guarantees implied in the Agreement are excluded, to the extent possible by law; |
| (b) | we do not represent that the information obtained via the Licensed SDKs or the AHI Platform is accurate, correct, up-to-date or error free; |
| (c) | we do not warrant that any Licensed SDKs or the AHI Platform are error-free or will operate accurately, correctly or without interruption or will achieve your intended results; and |
| (d) | you accept sole responsibility for the selection of the Licensed SDKs and AHI Platform to achieve your intended results and for any results that you, your Personnel or Users obtain therefrom. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 13 of 27 |
| 23. | Insurance |
| 23.1. | Each party will during the Term obtain and maintain the following insurances: |
| (a) | cyber liability and privacy protection insurance in the amount of two million dollars ($2,000,000); and |
| (b) | any other insurance that the party must obtain under Applicable Law. |
| 23.2. | For each insurance policy taken out by a party in accordance with this Agreement it will provide the other party (upon request only) with a certificate of currency which identifies the insurer, policy number, term of the policy, type of insurance and limits of liability for the cover. |
| 24. | Suspension and Termination |
| 24.1. | We may temporarily and/or permanently suspend and/or disable the performance of the whole or any part of any Licensed SDKs, the AHI Platform or Services and/or your Personnel’s and Users’ access to and use of any Licensed SDKs, the AHI Platform or Services by way of TPM or otherwise if we know or reasonably suspect that: |
| (a) | you are in material breach of the Agreement or have not remedied any breach of the Agreement within a reasonable cure period specified by us; |
| (b) | any of your Personnel have not used or are not using the Licensed SDKs in compliance with the Licence; |
| (c) | any Authorised Third Party Developer is in material breach of the applicable Third Party Developer Licence Agreement or has not remedied any breach thereof within a reasonable cure period specified by us; or |
| (d) | we determine that you or any of your Personnel’s use of the Licensed SDKs is likely to lead to any third party instituting or threatening legal proceedings against us or any other person. |
| 24.2. | A party (the first party) may terminate this Agreement by written notice to the other party (the Defaulting Party) if the Defaulting Party is in material breach of this Agreement which is not remediable, or if capable of remedy and the Defaulting Party fails to remedy the material breach within seven (7) days of written notice from the first party requiring the remedying of the breach. |
| 24.3. | Either party may terminate this Agreement at any time without cause, by providing at least 90 days written notice to the other party: |
| (a) | If you wish to terminate this Agreement, within the first 18 months from the Commencement Date without cause, you will be required to provide 90 days written notice to terminate, which the notice period will be defaulted to the full license fee of EUR€3,500 per month for the notice period. All previous monthly license fee amounts from the Commencement Date (outlined in Schedule 2 – User Fees), leading up to the written termination notice must be paid, as well as the 3 months notice period at EUR€3,500 per month. |
| (b) | If we wish to terminate the Agreement within the first 18 months from the Commencement Date without cause, we will provide you at least 90 days written notice to terminate, and all requirements to pay the license fee will be waived from the date of the termination notice. |
| 24.4. | We may terminate this Agreement, the License or our provision of any Services, if: |
| (a) | you undergo a Change of Control without our prior written consent; |
| (b) | you breach, challenge or dispute the validity of any of our Intellectual Property Rights; |
| (c) | you purport to assign any of your rights or novate any of your obligations under this Agreement without our prior written consent; |
| (d) | you breach any Applicable Law or any person’s rights; or |
| (e) | a third party provider ceases to provide hardware, software, products, licences or services that we require to comply with our obligations under this Agreement. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 14 of 27 |
| 24.5. | If this Agreement is terminated or expires for any reason: |
| (a) | any rights or obligations that, by their nature, survive termination shall so survive; |
| (b) | you shall promptly return to us all copies of any of our Confidential Information and Documentation in your possession or control, or if required by us, destroy all such copies of our Confidential Information and Documentation; |
| (c) | in the absence of any direction from you within 30 days following termination or expiry of this Agreement, we shall delete all Your Data that remains in our possession or control; |
| (d) | we do not have any obligation to provide you with any refund, except to the extent that we must do so pursuant to Applicable Law; |
| (e) | your right to use and access the Licensed SDKs, the AHI Platform and any Documentation immediately ceases; and |
| (f) | the Licence will immediately terminate. |
| 24.6. | If this Agreement is terminated prior to the expiry of the Initial Term or any then current Renewal Term (other than due to our breach of the Agreement), then without prejudice to any of our other rights, you must pay any amounts (collectively, the Outstanding Amount) payable as outlined in clause 24.3. If an Outstanding Amount is payable, we will send you a tax invoice in respect of the Outstanding Amount and you will pay this invoice within twenty eight (28) days. Payment under this clause 24.3 is not intended to be, and will not be punitive and is intended to compensate us for reasonable losses that we will suffer resulting from the early termination of the Agreement. |
| 25. | Notices |
| 25.1. | All notices required or permitted to be made under this Agreement shall be in writing and shall be deemed delivered if: (a) delivered in person; (b) sent by post to the postal addresses of the recipient identified in the Commercial Details; or (c) sent by email to the recipient’s email addresses identified in the Commercial Details. If notice is delivered in person, notice shall be effectively given upon delivery. If notice is sent by post within Australia, notice shall be effectively given the next Business Day after posting if sent by express post, or 6 Business Days after posting if sent by ordinary post. If notice is sent by post internationally, notice shall be effectively given upon the sender receiving confirmation of delivery from the applicable postal service. If notice is sent by email, notice shall be deemed to have been effectively given on the day it is transmitted if the sender receives a read or delivery receipt confirming delivery or receipt of the email or a reply to the email. Any party may change its address for notice hereunder by giving written notice to the other party in accordance with this clause 25.1. |
| 25.2. | Text messages, instant messages, messages sent through social media websites, and similar messages are not considered “written” or “in writing” for the purposes of this Agreement. |
| 26. | Dispute Resolution |
| 26.1. | If a dispute arises between the parties out of or relating to this Agreement (Dispute), each party must seek to resolve it strictly in accordance with the provisions of this clause 26. Compliance with the provisions of this clause is a condition precedent to seeking relief in any court in respect of the Dispute, except as otherwise provided in this clause. |
| 26.2. | A party seeking to resolve a Dispute must notify the existence and nature of the Dispute to the other party (Notification). Upon receipt of a Notification, each party must refer resolution of the Dispute to their chief executives or lawyers. |
| 26.3. | If the Dispute has not been resolved within one (1) calendar month of the Notification, then each party will be entitled to pursue such course of action as it determines. |
| 26.4. | Nothing in this clause 26 shall limit either party’s right to seek urgent interlocutory relief from any court of competent jurisdiction at any time. |
| 27. | General |
| 27.1. | Assignment: You shall not assign, transfer, license or novate your rights or obligations under this Agreement without our prior written consent. Any such assignment, transfer, license or novation without our prior written consent is void. |
| 27.2. | Waiver: No exercise or failure to exercise or delay in exercising any right or remedy by a party shall constitute a waiver by that party of that or any other right or remedy available to it. |
| 27.3. | Invalidity: If any provision of this Agreement or its application to any party or circumstance is or becomes invalid or unenforceable to any extent, the remainder of the Agreement and its application shall not be affected and shall remain enforceable to the greatest extent permitted by law. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 15 of 27 |
| 27.4. | Relationship: Nothing contained in this Agreement creates any partnership, employment, joint venture or agency between the parties. |
| 27.5. | Entire Agreement: This Agreement is entered into as an agreement. It constitutes the entire agreement of the parties about its subject matter and supersedes all other proposals, prior agreements, oral or written, arrangements, agreements and all other communications between the parties about its subject matter. |
| 27.6. | Amendments: This Agreement may be amended only by a written document signed by all parties and a provision of or a right under this Agreement may not be waived or varied except in writing signed by the party to be bound. |
| 27.7. | Jurisdiction: This Agreement is governed by the laws in force in Western Australia. Each party irrevocably submits to the jurisdiction of the courts located in New South Wales and/or Western Australia, and the courts of appeal from them in relation to any dispute concerning the Agreement. |
| 27.8. | Counterparts: This Agreement may be executed (including via DocuSign or similar) in counterparts provided that no binding agreement shall be reached until the executed counterparts are exchanged. A counterpart of a document exchanged by email shall constitute evidence of the execution of the original. |
| 28. | Definitions and interpretation |
| 28.1. | In this Agreement, terms in bold font in brackets have the meanings given thereto as set out in the applicable clauses in which they are defined. Any word starting with a capital letter that is not otherwise defined in this document, shall have the meaning given to it in the SLA. In addition, in these Terms and Conditions the following words have the following meanings: |
Agreement means: (1) the Commercial Details; (2) the Fee Schedule; (3) these Terms and Conditions; (4) the Service Level Agreement; and (5) the applicable Data Processing Agreement specified in the Commercial Details.
Applicable Law means any applicable act, law, legislation, rule of the general law, including common law and equity, judicial order or consent or requisition from, by or with any governmental agency, including any Data Protection Law in any applicable jurisdiction.
Australian Consumer Law means schedule 2 to the Competition and Consumer Act 2010 (Cth).
Authorised Third Party Developer means a person who is deemed to be such pursuant to clause 19.3.
Business Day means any day from Monday to Friday in Western Australia, excluding public and bank holidays in Western Australia. Business Hours means 9:00 am – 5:00 pm on Business Days.
Change of Control means a change in the beneficial ownership of more than 25% of: (a) the issued share capital of a company; or (b) the legal power to direct or cause the direction of the general management of the company.
Commencement Date means the commencement date specified in the Commercial Details.
Commercial Details means the table of this document under that heading.
Consequential Loss means any Loss that is:
| (a) | indirect or consequential to another loss; |
| (b) | loss or damage being or caused by a loss of revenue, loss of profits, loss of savings or anticipated savings or business, loss of data, loss of opportunity, loss of goodwill or expectation loss; |
| (c) | a special, punitive or exemplary loss or damage (including, without limitation, any penalty or fine imposed); or |
| (d) | a pure economic loss. |
Custom Software has the meaning given to it in clause 18.1.
Data Processing Agreement means the applicable data processing agreement(s) specified in the Commercial Details.
Documentation means any information, materials or documents (whether in electronic form or not) referring to or describing the Licensed SDKs, the AHI Platform and/or Services that we provide to you, including any written specifications, user guides, manuals and explanatory materials.
Fees means the fees, rates and charges that are payable by you to us under this Agreement, as set out in the Fee Schedule or otherwise agreed in writing between you and us.
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 16 of 27 |
Force Majeure Event means any act, event, omission, accident or circumstance beyond our reasonable control.
GDPR means the EU General Data Protection Regulation.
GST has the meaning given in the A New Tax System (Goods and Services Tax) Act 1999 (Cth) as amended or replaced from time to time.
Implementation Plan means a written plan agreed in writing between you and us for the integration of the Licensed SDKs with Your App.
Initial Term means the initial term as set out in the Commercial Details.
Insolvency Event means, in respect of a party: (a) the party ceases to carry on business, is unable to pay its debts as and when they fall due, or is deemed to be insolvent or bankrupt; (b) a receiver or a liquidator or provisional liquidator or an administrator is appointed to the party, or an application (including voluntary application filed by that party) is lodged or an order is made or a resolution is passed for the winding up (whether voluntary or compulsory) of that party; (c) where the party is a partnership, the partnership is dissolved or an application is made for its dissolution; (d) the party suspends payment of its debts to the other party, or the party takes the benefit of any law for the relief of insolvent debtors; or (e) anything analogous or having a substantially similar effect to any of the events described in (a) through (d) above occurs under the law of any applicable jurisdiction.
Intellectual Property Rights means all current and future intellectual property rights, including all copyright, patents, trade marks, design rights, trade secrets, domain names, and other rights of a similar nature and all other rights to intellectual property as defined under Article 2 of the Convention Establishing the World Intellectual Property Organization, whether registrable or not and whether registered or not, and any applications for registration or rights to make such an application, anywhere in the World.
Licensed SDKs means the software development kits specified in the Commercial Details, including any new versions, updates, patches, and upgrades. Such SDKs may include: (a) libraries (including any binary libraries); (b) documentation; (c) software; (d) sample code; and (e) other materials supplied by us to you in connection with any such libraries, Documentation and sample code.
Level 1 Technical Support means first level support services including:
| (a) | providing a suitable mechanism for your Users to be able to report a fault to you in Your App for diagnosis (i.e support hotline, support emails etc); and |
| (b) | basic investigation of faults reported by your Users. |
Loss means any direct or indirect loss, cost, expense, penalties, fines, liability or damage including legal costs on a solicitor/client basis and any claim, demand or proceedings brought, or judgment or order obtained, by a third party.
Measurement Error has the meaning given to it in the SLA.
Moral Rights has the meaning given in the Copyright Act 1968 (Cth).
Object Code means computer code in a form that a computer can execute, when compiled or converted from its Source Code version.
Open Source Licence means the applicable licence that governs Open Source Software.
Open Source Software means any software licensed under any form of open source licence meeting the Open Source Initiative’s Open Source Definition (http://www.opensource.org/docs/definition.php).
Parties or parties means you and us and Party or party means either you or us as the context dictates.
Payment Terms means any payment terms and conditions set out in the Fee Schedule.
Personal Data has the meaning given in the Data Processing Agreement.
Personnel means officers, agents, employees and subcontractors (excluding any Third Party Developer and Authorised Third Party Developer). We are not your Personnel and you are not our Personnel for the purposes of this definition.
Privacy Act means the Privacy Act 1988 (Cth).
Product Integration means the process of integrating the Licensed SDKs into Your App(s).
Risk Inference Reference Information means health risk information derived from applying a specific risk study to a set of scan results produced by the Licensed SDKs.
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 17 of 27 |
Scheduled Outage means any downtime of the AHI Platform scheduled by us or any of our suppliers in advance with respect to the hosting of the AHI Platform.
Service Level Agreement or SLA means the document entitled “Service Level Agreement (SLA)” attached to this MSA.
Services means the Implementation Services, Support Services (as that term is defined in the SLA), the Training Services, the processing of Your Data by the AHI Platform and any other services that we agree to supply pursuant to this Agreement.
Source Code means computer code in human-readable form, that when compiled becomes Object Code.
Statement of Work or SOW means a document entitled “Statement of Work” executed by you and us.
Support Request has the meaning given to it in the SLA.
Support Services has the meaning given to it in the SLA.
Term means the Initial Term and any applicable Renewal Terms.
Terms and Conditions means clauses 1 - 28 of this document.
Third Party Developer means a third party software developer engaged or to be engaged by you to provide software development services to you.
Third Party Developer Licence Agreement mean the agreement set out at Annexure A to this Agreement.
User means an end user authorised by you to use Your App.
Your App has the meaning given to it in the Commercial Details.
Your Data means all data entered into the AHI Platform via Your App.
| 28.2. | In this Agreement, the following rules of construction applies, unless the context otherwise requires: |
| (a) | headings and underlinings are for convenience only and do not affect the construction of the Agreement; |
| (b) | a provision of the Agreement will not be interpreted against a party because the party prepared or was responsible for the preparation of the provision, or because the party’s legal representative prepared the provision; |
| (c) | currency or “$” refers to Australian Dollars; |
| (d) | a reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time; |
| (e) | a reference to a clause, subclause or paragraph is a reference to a clause, subclause or paragraph of the Agreement; |
| (f) | a reference to a subclause or paragraph is a reference to the subclause or paragraph in the clause in which the reference is made; |
| (g) | a reference to time is to time in New South Wales; |
| (h) | a reference to a person includes a reference to an individual, a partnership, a company, a joint venture, government body, government department, and any other legal entity; |
| (i) | words in the singular shall include the plural and in the plural, shall include the singular; |
| (j) | a provision of the Agreement shall not be construed against a party merely because the party or its solicitors prepared the provision; |
| (k) | the phrases “specified in the Commercial Details” and similar, means specified as being applicable or in the affirmative in the Commercial Details; |
| (l) | the Agreement shall not bind you or us until and unless the “Acceptance” section of the Commercial Details has been executed by both you and us; and |
the words ’such as’, ‘including’, ‘includes’ and similar expressions are not used as, nor are intended to be, interpreted as words of limitation and shall be interpreted as if the words “but not limited to” immediately followed them in each case.
[The remainder of this page is left intentionally blank]
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 18 of 27 |
Service Level Agreement (SLA)
| 1. | Definitions and Interpretation |
| 1.1. | This Service Level Agreement (SLA) forms part of the Agreement. In this SLA, definitions and any rules of construction in the attached Terms and Conditions, are hereby incorporated into this SLA by reference. |
| 2. | Availability Target |
| 2.1. | We will use our best endeavours to make the AHI Platform Available, as measured over each calendar month during the Term (each such calendar month, a Service Period), at least 99% of the time, excluding only the time it is not Available solely as a result of your breach of the Agreement, Your App, a Scheduled Outage, an outage of any infrastructure or hosting service supplied by Amazon Web Services or a Force Majeure Event. ’Available’ means the AHI Platform is available and operable for access by Your App via the Licensed SDKs. |
| 3. | Provision of Support Services |
| 3.1. | Where Support Services are specified in the Commercial Details, we shall use our best endeavours to respond to any request for: |
| (a) | technical support with respect to any reproducible malfunction in the Licensed SDKs or the AHI Platform that you report to us that prevents the Licensed SDKs from performing materially in accordance with the Documentation (Software Error); and |
| (b) | technical support with respect to an anthropometric measurement capture or result, or transdermal optical imaging capture or result (Measurement Error), |
in accordance with the applicable response times specified in clause 6.2 of this SLA (collectively, the Support Services).
| 4. | Support Services Conditions |
| 4.1. | You must: |
| (a) | provide us with prompt access to your technical environment, including any software, systems, equipment, and networks via remote access, as reasonably required by us to provide the Support Services; and |
| (b) | provide us with access to all of your necessary Personnel and/or documentation as reasonably required by us to provide the Support Services. |
| 5. | Technical Support |
| 5.1. | The Support Services are limited to the provision of telephone and email support during Business Hours to your designated Personnel approved by us (Support Staff) to answer questions from your Support Staff. |
| 5.2. | The Support Services will be provided through our technical support hotline (via telephone or email) which operates during Business Hours. A support phone number and a support email address will be provided to you by us through which your Support Staff can request the Support Services referred to in clause 5.1. |
| 5.3. | If you require Support Services during the Term, you must notify us that you require technical support (Support Request) in accordance with the following procedure: |
| (a) | you must issue a Support Request to us in accordance with clause 5.2; |
| (b) | when issuing a Support Request, you must ensure that you provide to us: |
| (i) | the impacted User’s unique identification number as designated by us; |
| (ii) | the make, model and operating system of the impacted User’s mobile device (where applicable); |
| (iii) | a detailed description of the Software Error or Measurement Error; |
| (iv) | details of the version number of the Licensed SDK/s that the Personnel or User is experiencing the Software Error or Measurement Error with; |
| (v) | evidence of the Software Error or Measurement Error; and |
| (vi) | any other information reasonably required by us. |
| 5.4. | We shall have no obligation to provide any Support Services with respect to the Licensed SDKs or the AHI Platform to any of your Authorised Third Party Developers, Personnel or Users, other than your Support Staff. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 19 of 27 |
| 5.5. | You must provide Level 1 Technical Support to Users. |
| 5.6. | We may temporarily suspend the operation of the Licensed SDKs and/or the AHI Platform or your access to them as reasonably required by us to perform the Support Services. |
| 6. | Support Service Prioritisation |
| 6.1. | We will prioritise support services requested by you under this SLA in accordance with the following severity code classification (as determined by us in our absolute discretion): |
| ● | Major (Severity 1) – A Software Error or Measurement Error which either (a) impacts an essential part of Your App; or (b) materially impacts your business operations. |
| ● | Normal (Severity 2) – An Error or Measurement Error which either (a) impacts a non-essential part of Your App; or (b) does not materially impact your business operations. |
| 6.2. | We will use reasonable endeavors to acknowledge the receipt of any relevant request for Support Services pursuant to this SLA within the following timeframes: |
| Severity Level | Target Response Time | Target Resolution Time |
| Severity Level 1 | 1 Business Hour | 1 Business Day |
| Severity Level 2 | 4 Business Hours | 5 Business Days |
The Target Response Time is measured from the time we receive a Support Request. If a support request is sent outside Business Hours it shall be deemed to be received by us at 9.00 am on the next Business Day. The Target Resolution Time is measured from the time we acknowledge receipt of your Support Request.
| 6.3. | We will use reasonable endeavors to resolve the Software Error or Measurement Error (including by providing a workaround) the subject of any Support Request, within the Target Resolution Time. |
| 6.4. | Support Levels are defined as: |
| Level | Provided By | Description |
| Level 1 | You | Your Support Staff provides end user, first line support in accordance with Support Documentation |
| Level 2 | AHI | Our Support Staff to provide support to your Designated Support Staff if a Support Request is unable to be resolved |
| Level 3 | AHI | Our technical support staff to provide support to Level 2 Support Staff. |
| 7. | Exclusions |
| 7.1. | We shall have no obligation to provide any Support Services or other technical support with respect to the Licensed SDKs or the AHI Platform other than as expressly required pursuant to this SLA. In addition, and without limiting the foregoing provisions, we shall have no obligation to provide Support Services: |
| (a) | for Software Errors or Measurement Errors occurring during a planned or scheduled outage by us or our hosting providers; |
| (b) | with respect to any Software Error or Measurement Error resulting from your and/or your Third Party Developer’s, Personnel’s or Users’ action or inaction; |
| (c) | for errors caused by or in connection with a Force Majeure Event; |
| (d) | any Software Errors or Measurement Errors caused by use of the Licensed SDKs in conjunction with any third-party software; |
| (e) | for Software Errors or Measurement Errors resulting from third party software bugs and defects; |
| (f) | with respect to Software Errors or Measurement Errors caused by or relating to your technical environment; |
| (g) | with respect to any Error or Measurement Error caused by your and/or your Authorised Third Party Developer’s Personnel’s or Users’ breach of the Agreement; or |
| (h) | if you have failed to pay any outstanding Fees to us as and when due and payable. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 20 of 27 |
Annexure A - Third Party Developer Licence Agreement
Third Party Developer Licence Agreement
This Third Party Developer Licence Agreement (“Agreement”) is made and entered into on [insert date] by and between Advanced Human Imaging Limited ABN 85 602 111 115 of Unit 5, 71 - 73 South Perth Esplanade, South Perth WA 6151 (“Licensor”) and [insert Third Party Developer name, ABN and address of licensee] (“Licensee”, “you”, “your”).
| 1. | Definitions and interpretation |
| 1.1 | In this Agreement: |
‘AHI Software Development Kit’ means one or more software development tools supplied by the Licensor and described by the Licensor as a “software development kit” or “SDK” or that can be used to create applications incorporating smartphone-based human scanning technology. Such software development tools may include:
(a) libraries (including any binary libraries); (b) documentation; (c) software; (d) sample code; and (e) other materials supplied by the Licensor to the Licensee in connection with any such libraries, documentation and sample code.
‘Commencement Date’ means the date on which a copy of the Licensed SDKs are delivered to you or made available to you by the Licensor or the Partner.
‘Confidential Information’ means all information provided by the Licensor to the Licensee in connection with this Agreement where such information is identified by the Licensor as confidential at the time of its disclosure or has the quality of confidential information, but excluding information which is:
| (a) | on receipt by the Licensee, in the public domain or which subsequently enters the public domain without any breach of this Agreement; or |
| (b) | on receipt by the Licensee, already known by or in the possession of the Licensee and which knowledge or possession can be proven by written contemporaneous records. |
Notwithstanding any other provisions of this Agreement, the Licensor’s Confidential Information includes the source code in the Licensed SDKs.
‘Documentation’ means any information, materials or documents (whether in electronic form or not) referring to or describing the Licensed SDKs that is provided to you, including any written specifications, user guides, manuals and explanatory materials.
‘Force Majeure Event’ means a circumstance beyond the Licensor’s reasonable control, which results in the Licensor being unable to observe or perform on time an obligation under this Agreement.
‘Implementation Audit’ means once the SDK product integration is complete, the Third Party Developer agrees to allow AHI access to a pre-release version of the Third Party Developer Product/s integrated with AHI Licensed SDKs, for the purpose of conducting an Implementation Audit, as documented in Schedule 1 – SDK Implementation Audit Checklist.
‘Intellectual Property Rights’ means all intellectual property rights, including all copyright, patents, trademarks, design rights, trade secrets, domain names and other rights of a similar nature, whether registrable or not and whether registered or not, and any applications for registration or rights to make such an application, anywhere in the World.
‘Licence’ has the meaning given to it in clause 2.2.
‘Licence Period’ means the period commencing on the Commencement Date and concluding upon the conclusion of your engagement with Partner.
‘Licensed SDKs’ means the AHI Software Development Kit, including any new versions, updates, and upgrades.
‘Open Source Licence’ means the applicable licence that governs Open Source Software.
‘Open Source Software’ means any software licensed under any form of open source licence meeting the Open Source Initiative’s Open Source Definition (http://www.opensource.org/docs/definition.php).
‘Partner’ means the third party who engages you, or has engaged you, to integrate the Licensed SDKs into its application.
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 21 of 27 |
| 1.2 | In this Agreement: |
| (a) | a reference to a person includes a corporation or any other legal entity; |
| (b) | a reference to “a party” is to you or the Licensor as the context dictates and a reference to “parties” is to both you and the Licensor; |
| (c) | a reference to currency is to Australian dollars unless specified otherwise; |
| (d) | the term “includes” (or any similar term) means “includes without limitation”; and |
| (e) | a clause of this Agreement will not be interpreted against a party merely because the party prepared or was responsible for its preparation. |
| 2. | Third Party Developer |
| 2.1. | You have represented to us that the Partner has engaged you to provide software development services that may require or enable you to access, download, and/or use the Licensed SDKs for that engagement (the “Purpose”). |
| 2.2. | Subject to clause 3, the Licensor grants you, for the Licence Period, a non-exclusive, non-transferable, non-assignable, non-sublicensable licence for you to use Licensed SDKs solely for the Purpose (“Licence”). |
| 2.3. | Upon conclusion of the Licence Period, the Licence shall immediately and automatically terminate and you must destroy all and any copies of the Licensed SDKs in your possession or control. |
| 2.4. | You may not use the Licensed SDKs beyond the Licence Period without the Licensor’s prior written consent. |
| 3. | Restrictions on use |
| 3.1. | You may not make any use of the Licensed SDKs except as permitted by the Licence. You may not do or authorise the commission of any act that would or might invalidate or be inconsistent with the Licensor’s Intellectual Property Rights in the Licensed SDKs. Without limiting the foregoing provisions, you must not (before, during or after the Licence Period): |
| (a) | license, sublicense, resell, assign, transfer, distribute, or provide others with access to, the Licensed SDKs; |
| (b) | “frame”, “mirror” or serve any of the Licensed SDKs on any web server or other computer server over the Internet or any other network; |
| (c) | use the Licensed SDKs to develop a competing product; |
| (d) | provide the Licensed SDKs to any subcontractor or contractor without the Licensor’s prior written consent; |
| (e) | copy, alter, modify, create derivative works from, reproduce, transfer to a third party, reverse assemble, reverse engineer, reverse compile or enhance the Licensed SDKs (except as expressly permitted by applicable copyright law); or |
| (f) | use the Licensed SDKs in breach of any statute, regulation, law or legal right of any person. |
| 3.2. | You must provide the Licensor with access to your business records, equipment (including computer equipment) and premises as reasonably required by the Licensor to inspect the performance of your obligations under this Agreement. |
| 3.3. | Certain parts of the Licensed SDKs comprise of Open Source Software. The applicable Open Source Licences govern your use of those parts of the Licensed SDKs. Those applicable Open Source Licences and the components of the Licensed SDKs governed by those Open Source Licences are documented in the AHI MultiScan SDK Open Source Licences List which is a separate document that you may request from the Licensor. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 22 of 27 |
| 4. | Intellectual Property Rights |
| 4.1. | Nothing in this Agreement constitutes a transfer of any Intellectual Property Rights. |
| 4.2. | The Licensor owns all Intellectual Property Rights in the Licensed SDKs and any modifications, including any updates, upgrades and enhancements in the Licensed SDKs. |
| 4.3. | As between you and the Licensor, the Licensor owns all Intellectual Property Rights in the Licensed SDKs and the Documentation. You must not represent that you own the Licensed SDKs, the Documentation or any modifications of the Licensed SDKs and/or the Documentation. |
| 4.4. | Except as expressly stated herein, this Agreement does not grant you or any third party any rights to or in patents, copyright, database rights, trade secrets, trade names, trade marks (whether registered or unregistered), or any other Intellectual Property Rights or other rights or licences in respect of the Licensed SDKs or the Documentation. |
| 4.5. | You must not directly or indirectly do anything that would or might invalidate, jeopardise, limit, interfere with or put in dispute our or our licensors’ ownership in or rights with respect to the Licensed SDKs or Documentation. |
| 4.6. | You may not do or authorise the commission of any act that would or might invalidate or be inconsistent with our or our licensors’ Intellectual Property Rights in the Licensed SDKs or any Documentation. |
| 4.7. | You hereby assign to us all and any Intellectual Property rights that you may have in all and any comments in connection with the Licensed SDKs, the Documentation or requests for any new Licensed SDK features that you or your Personnel may suggest or create (each, an Improvement Suggestion). Each Improvement Suggestion becomes our sole and exclusive property. This assignment is effective as soon as you or your officers, employees and agents create any Improvement Suggestion or provides an Improvement Suggestion to us including where applicable under section 197 of the Copyright Act 1968 (Cth) and in equity. You must execute and procure from your officers, employees and agents the execution of any documentation reasonably required by us to give effect to: (a) the assignment to us of all Intellectual Property Rights that they may have in any Improvement Suggestions; and (b) a waiver for us and any third parties authorised by us to exploit any Moral Rights that they may have in any Improvement Suggestions. |
| 4.8. | You must not: |
| (a) | use any of our trade marks or other marks (Marks) except as provided for in this Agreement; or |
| (b) | contest any Mark, apply for registration of any Mark or use or apply for registration of any trade mark, trade name, business name, company name or domain name that incorporates any element that is confusingly similar to any Mark. |
| 4.9. | Except as expressly provided in this Agreement, you have no rights in respect of any Marks or their associated goodwill, and you hereby acknowledge that all such rights and goodwill inure for the benefit of, and are (and will remain) vested in, us. |
| 5. | Confidentiality |
| 5.1. | You must not, without the prior written consent of the Licensor, use or disclose the Licensor’s Confidential Information unless and to the extent expressly permitted by this Agreement or required by law. |
| 5.2. | You may: |
| (a) | use the Confidential Information of the Licensor solely to comply with your obligations and exercise your rights under this Agreement; and |
| (b) | disclose the Confidential Information to a Court but only if compelled by law to do so. |
| 5.3. | You must implement and maintain effective security measures to prevent unauthorised use and disclosure of the Licensor’s Confidential Information whilst it is in your possession or control. |
| 5.4. | You must destroy all Confidential Information (including all copies and notes thereof) of the Licensor in your possession or control, on demand by the Licensor and upon termination of this Agreement for any reason. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 23 of 27 |
| 6. | Responsibility for licenses, authorisations and consents |
| 6.1. | You are responsible for obtaining all necessary licenses, authorisations and consents as required to lawfully upload, store or transfer data through or into the Licensed SDKs. |
| 6.2. | You must not use the Licensed SDKs in breach of any applicable laws. |
| 6.3. | You must indemnify the Licensor for any loss or damage it incurs as a result of your breach of this clause 6. |
| 7. | Liability |
| 7.1. | To the extent possible by law, the Licensor does not have any liability to you under or in connection with the Licensed SDKs. |
| 7.2. | If the Licensed SDKs are supplied to you as a ‘consumer’ of goods or services within the meaning of that term in the Australian Consumer Law, you will have the benefit of certain non-excludable rights and remedies in respect of the goods or services and nothing in these terms and conditions excludes or restricts or modifies any condition, warranty, guarantee, right or remedy which pursuant to the Competition and Consumer Act 2010 (Cth) is so conferred. However, if the goods or services are subject to a non-excludable condition, warranty, guarantee, right or remedy implied by the Australian Consumer Law and the goods or services are not ordinarily acquired for personal, domestic or household use or consumption, then pursuant to section 64A of the Australian Consumer Law, the Licensor limits its liability for breach of any such non-excludable warranty, guarantee, right or remedy implied by the Australian Consumer Law (other than a guarantee implied by sections 51, 52 or 53 of the Australian Consumer Law) or expressly given by the Licensor to you, in respect of each of the goods and services, where it is fair and reasonable to do so, at the option of the Licensor, to one or more of the following: |
| (a) | if the breach relates to goods: |
| (i) | the replacement of the goods or the supply of equivalent goods; |
| (ii) | the repair of such goods; |
| (iii) | the payment of the cost of replacing the goods or of acquiring equivalent goods; or |
| (iv) | the payment of the cost of having the goods repaired; and |
| (b) | if the breach relates to services: |
| (i) | the supplying of the services again; or |
| (ii) | the payment of the cost of having the services supplied again. |
| 7.3. | Other than any non-excludable guarantees implied into this Agreement under the Australian Consumer Law (if any), all conditions, warranties and guarantees implied in this Agreement (including with respect to fitness for purpose) are excluded from this Agreement and the Licensed SDKs are provided “as is” and without any warranty of any kind. |
| 8. | Termination |
| 8.1. | A party may terminate this Agreement by written notice to the other party (the “defaulting party”) if the defaulting party is in material breach of this Agreement which is not remediable, or if capable of remedy where the defaulting party fails to remedy the breach within 14 days of written notice. |
| 8.2. | Either party may terminate this Agreement by written notice to the other party at any time. |
| 9. | Consequences of Termination |
| 9.1. | If this Agreement is terminated or expires for any reason, then, in addition and without prejudice to any other rights or remedies available: |
| (a) | clause 3, 4, 5, 6, 7, 9 and 10 and any other rights or obligations that, by their nature, survive termination, shall so survive; |
| (b) | your right to use the Licensed SDKs immediately ceases and the Licence shall immediately terminate; and |
| (c) | you must immediately destroy all copies of the Licensed SDKs within your possession or control. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 24 of 27 |
| 10. | General |
| 10.1. | You must not assign, sublicense or otherwise deal in any other way with any of your rights under this Agreement without the prior written consent of the Licensor. The Licensor may assign or novate its rights or obligations under this Agreement (in whole or in part) at any time. |
| 10.2. | Nothing contained in this Agreement creates any partnership, employment, joint venture or agency between the parties. |
| 10.3. | The Licensor is under no obligation to provide any maintenance, support, upgrades or updates under this Agreement with respect to the Licensed SDKs. |
| 10.4. | This Agreement is the entire agreement between you and Licensor about its subject matter and supersedes all other representations, arrangements or agreements between you and Licensor. |
| 10.5. | This Agreement may be amended only by a document signed by the parties and a party’s right under this Agreement may not be waived or varied except in writing signed by the party. |
| 10.6. | The Licensor will not be responsible for a failure to comply with its obligations under this Agreement to the extent that failure is caused by a Force Majeure Event. |
| 10.7. | The laws of Western Australia govern this Agreement and each party submits to the exclusive jurisdiction of the courts located in Western Australia and/or New South Wales, and the courts of appeal from them. |
|
Signed as an agreement. Signed for and on behalf of Advanced Human Imaging Limited ABN 85 602 111 115 by its authorised representative: |
|
| Dr. Katherine Iscoe | |
| CEO | |
Signed for and on behalf of the Licensee by its authorised representative: |
| [insert] |
Please note, the SDK EULA for Tird Party Developers was signed by Random Forest OÜ on 27 January 2022. A blank copy has been provided to Activate Health OÜ for any other Third Party Developers who may be engaged in the future.
[The remainder of this page is left intentionally blank]
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 25 of 27 |
Schedule 2 – User Fees
BLOCK PRICING SCHEDULE – Introductory Pricing and Marketing Support – THROUGH TO 31 DECEMBER 2022
Activate Health and AHI have negotiated introductory pricing and marketing support as follows:
| Description | Date / timing | Price | Expiry |
| 1000 x Block of FaceScans | 1 September 2022 | Free | 31 December 2022 |
| 1000 x Block of BodyScans | 1 September 2022 | Free | 31 December 2022 |
| 4000 x Block of FaceScans (low price agreed EUR€2.99 per scan) | 1 September 2022 | EUR€11,960.00 | 31 December 2022 |
| 4000 x Block of BodyScans (price agreed EUR€2.75 per scan) | 1 September 2022 | EUR€11,000.00 | 31 December 2022 |
| First Payment | 1 September 2022 | EUR€11,480.00 | |
| Second Payment | 1 November 2022 | EUR€11,480.00 | |
| Individual FaceScan (Pay as you go) – when blocks have been exhausted | 1 September 2022 | EUR€2.99 per scan | 31 December 2022 |
| Individual BodyScan (Pay as you go) – when blocks have been exhausted | 1 September 2022 | EUR€2.75 per scan | 31 December 2022 |
| ● | There is a minimum spend license fee, broken into the following tiered payment schedule: EUR€1,500 per month for the first 6 months, EUR€2,250 for the next 6 months, and EUR€3,500 per month after 12 months through to 18 months following the integrated solution go-live date. If the Customer reaches 50,000 active users by the end of the first 12 months, the licence fee will waived for the remaining 6 months. |
| ● | Regardless of usage, the second payment of EUR€11,480.00 will fall due on 1 November 2022. |
| ● | If the usage exceeds the 5,000 scans, on either of the individual scans before 31 December 2022, AHI will raise a separate invoice for any additional scans at the end of each month. These additional scans will be billed at the end of each month at the rate of FaceScan EUR€2.99 per scan, and BodyScan EUR€2.75 per scan. These prices for individual scans will expire on 31 December 2022. |
| ● | AHI will make available to the Customer the SDK kits, at no cost to the Customer. This is based on the current AHI functionality. Any additionally functionality required by the Customer would be built at an agreed cost or can be built in conjunction with the Customer’s development team at an agreed cost. |
| ● | The parties will work together to deliver a market ready product not later than 1 September 2022. |
| ● | AHI will make its continued platform improvements available to the Customer from time to time at no cost to the Customer. |
Please refer to the following page for pricing as of 1 January 2023
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 26 of 27 |
| ADVANCED HUMAN IMAGING PRICING MODEL – EUR€ | |
BLOCK PRICING SCHEDULE – FROM 1 JANUARY 2023
| Tier No | FaceScan blocks (pre-paid) | Price per FaceScan (as part of the block) | FaceScan Block Price |
| 1 | 5,000 scans (minimum purchase) | EUR€2.99 | EUR€14,950.00 |
| 2 | 20,000 scans | EUR€2.49 | EUR€49,800.00 |
| 3 | 25,000 scans | EUR€1.99 | EUR€49,750.00 |
| Tier No | BodyScan blocks (pre-paid) | Price per BodyScan (as part of the block) | BodyScan Block Price |
| 1 | 5,000 scans (minimum purchase) | EUR€2.75 | EUR€13,750.00 |
| 2 | 10,000 scans | EUR€2.49 | EUR€24,900.00 |
| 3 | 12,500 scans | EUR€2.29 | EUR€28,625.00 |
| 4 | 15,000 scans | EUR€2.10 | EUR€31,500.00 |
| 5 | 20,000 scans | EUR€1.99 | EUR€39,800.00 |
| 6 | 25,000 scans | EUR€1.49 | EUR€37,250.00 |
| Individual FaceScan (Pay as you go) – when blocks have been exhausted | EUR€6.99 per scan | ||
| Individual BodyScan (Pay as you go) – when blocks have been exhausted | EUR€3.00 per scan | ||
NB 1: The minimum spend license fee as detailed on the previous page remains in place.
| ● | As of 1 January 2023, if no further blocks of scans have been purchased, the pricing will revert to the individual scan price of FaceScan EUR€6.99 per scan and BodyScan EUR€3.00 per scan. |
| ● | If a block of scans has been exhausted, the pricing will automatically trigger to the individual FaceScan EUR€6.99 per scan and BodyScan EUR€3.00 per scan cost. This will then be invoiced at the end of the month for the number of scans completed. (Customers are responsible for tracking their ongoing usage). |
| ● | Blocks of FaceScans and BodyScans are to be paid up front and are valid for a period of 12 months, after which the remaining scans will become obsolete. Additional blocks of scans can be purchased at any time and will be valid for the 12 months following purchase. |
| ● | Pricing for blocks of scans over 25,000 will be negotiated between the Customer and AHI. |
| Commercial in Confidence AHI-FORM-0024 | Master Services Agreement v2 Page 27 of 27 |
| AHI DATA PROCESSING AGREEMENT | |
MASTER SERVICES AGREEMENT REFERENCE: AHI010022
THIS AGREEMENT forms part of the Master Services Agreement (MSA) and is effective as per the commencement date as signed in the MSA (“Commencement Date”)
PARTIES
| 1. | ADVANCED HUMAN IMAGING LIMITED (ABN 85 602 111 115) of Unit 5, 71-73 South Perth Esplanade, South Perth Western Australia 6151 (the “Service Provider”, “AHI”); and |
| 2. | ACTIVATE HEALTH OÜ, Registration Code 16035006 of Valukoja 10, 11415, Tallinn, Estonia (“Licensee”). |
BACKGROUND
| A. | Under an agreement (the “Master Services Agreement”) between AHI and the Licensee with the Contract Reference indicated in the Master Services Agreement, AHI provides to the Licensee, access to the AHI cloud platform for the purpose of providing smartphone and cloud based digital biometric processing services. |
| B. | The provision of the AHI Services involves the processing of Personal Data (as defined below) by AHI on behalf of the Licensee. |
| C. | The parties have agreed to enter into this Data Processing Agreement (“DPA”) to meet the requirements of applicable Data Protection Law. |
THE PARTIES AGREE as follows:
| 1. | DEFINITIONS AND INTERPRETATION |
| 1.1. | In this DPA any capitalised expression used but not defined in this DPA shall have the meaning provided to it in the Master Services Agreement and the following expressions shall have the following meanings: |
Account Data means Personal Data that relates to the Service Provider’s supplier relationship with the Licensee.
Controller shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Consent shall mean any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
Data Protection Law refers to all laws and regulations applicable to the Service Provider’s processing of Personal Data under this DPA including, without limitation:
| ● | Australian Privacy Act 1998 (Cth) (“APA”) and associated legislation such as, the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“NDB Law”) |
| ● | California Consumer Privacy Act, California Civil Code Sections 1798.100 et seq and its implementing regulations (“CCPA”) |
| AHI-FORM-0025 v1 Page 1 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
| ● | UK General Data Protection Regulation (“UK GDPR”) |
| ● | EU General Data Protection Regulation (“EU GDPR”) |
| ● | Brazilian General Data Protection Law (“LGPD”) |
| ● | Peru’s Personal Data Protection Law (N°29733 (“PDPL”)) and its Regulation (N°003-2013-JUS- Regulation of the PDPL) |
| ● | China’s Personal Information Protection Law (“PIPL”). |
Data Subject shall mean an identified or identifiable natural person to whom Personal Data relates.
End User means an individual Data Subject who is a customer or user of any Licensee product or service which incorporates the AHI Service or relies upon the AHI Platform.
End User Data means Personal Data about an End User provided to the Service Provider by the End User and/or the Licensee and including the End User’s height, weight, Sex, Age, whether the End User: is a smoker, has hypertension, is on blood pressure medication, is diabetic, together with facial blood-flow information, generated on End User devices by the AHI Services.
Licensed SDK means the software development kits listed at Schedule 1 of the Master Services Agreement.
Licensee Products means the Licensee software products listed at Schedule 1 of the Master Services Agreement.
AHI Platform means the AHI public cloud environment described at Parts A and B of Schedule 3 of this DPA.
AHI Services means smartphone digital biometric processing services provided by AHI, using the AHI Platform, to End Users through Licensee Products that integrate the Licensed SDKs.
Personal Data means any information relating to a person (‘Data Subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processor shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
‘processing’ and ‘process’ shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
| AHI-FORM-0025 v1 Page 2 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
Service Data means data processed by the Service Provider for the purposes of transmitting and exchanging End User Data including, without limitation, the date, time, duration and type of communication; information collected from End User devices about how they use the AHI Service; and activity logs used to optimise and maintain the performance and security of the AHI Services and to investigate and prevent system abuse.
Sensitive Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation; and Personal Data relating to criminal convictions and offences and shall be deemed to include “Sensitive Information” as defined in the Australian Privacy Act 1998 (Cth).
Silhouette means the image of an End-User represented as a solid shape or a single colour, with the interior of a silhouette being featureless.
Supervisory Authority means an independent public authority which is established under the UK GDPR or the EU GDPR.
3D Model means a virtual 3D representation of an End-User’s human body shape.
| 1.2. | In this DPA: |
| 1.2.1. | a reference to this DPA includes its schedules; |
| 1.2.2. | clause, paragraph, schedule or other headings in this DPA are included for convenience only and shall have no effect on interpretation; |
| 1.2.3. | a reference to a ‘party’ includes that party’s successors and permitted assigns; |
| 1.2.4. | words in the singular include the plural and vice versa; |
| 1.2.5. | any words that follow ‘include’, ‘includes’, ‘including’, ‘in particular’ or any similar words and expressions shall be construed as illustrative only and shall not limit the sense of any word, phrase, term, definition or description preceding those words; |
| 1.2.6. | a reference to ‘writing’ or ‘written’ includes any method of reproducing words in a legible and non-transitory form (including email); |
| 1.2.7. | references to any applicable laws shall be references to any applicable laws replacing, amending, extending, re-enacting or consolidating any such applicable laws and the equivalent terms defined in such applicable laws, once in force and applicable; and |
| 1.2.8. | a reference to any law includes all subordinate legislation made from time to time under that law. |
| AHI-FORM-0025 v1 Page 3 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
| 2. | SCOPE AND APPLICATION OF THIS AGREEMENT |
| 2.1. | This DPA applies to the processing of End User Data by the Service Provider on behalf of the Licensee pursuant to the Master Services Agreement. |
| 2.2. | This DPA shall continue in full force and effect for the term of the Master Services Agreement and will automatically and immediately terminate upon termination or expiry of the Master Services Agreement for any reason. |
| 3. | PROCESSING OF PERSONAL DATA & INSTRUCTIONS |
| 3.1. | The parties acknowledge and agree that with regard to the processing of End User Data, the Licensee shall be the Controller and the Service Provider is a processor (except where the Licensee is a processor to a third-party Controller, in which case the Service Provider shall be a sub- processor). |
| 3.2. | The Service Provider shall process End User Data solely for the purpose of providing the AHI Services to the Licensee and only in accordance with the Licensee’s instructions (including processing initiated by End Users in their use of the Services) or as otherwise necessary to comply with applicable laws. Information about the means of processing, including hosting and technical architecture information, are provided at Schedule 3. |
| 3.3. | The Licensee’s instructions shall only be constituted by: |
| 3.3.1. | the Master Services Agreement and this DPA; |
| 3.3.2. | the Licensee or any End User uploading or otherwise entering End User data into the AHI Platform; |
| 3.3.3. | any settings selected and/or configurations made or initiated by the Licensee or any End User in or to the AHI Platform or in respect of the AHI Services; |
| 3.3.4. | any reasonable written instructions provided by the Licensee to the Service Provider via email or through any communications tool facilitated by the AHI Services which are expressly stated to be written instructions issued by the Licensee as Controller to the Service Provider as processor and which are consistent with the terms of the Master Services Agreement and this DPA; or |
| 3.3.5. | the Licensee and relevant End-Users using the functionality of the AHI Platform or provided as part of the AHI Services to issue instructions to process Personal Data, such as, to delete Personal Data or export Personal Data. |
| 3.4. | The Licensee shall ensure that its instructions comply with Data Protection Law, and the Service Provider shall not be required to comply with the Licensee’s instructions if such instructions would violate Data Protection Law or any other law or regulation. |
| 3.5. | The parties acknowledge and agree that with regard to the processing of Account Data and Service Data, the Service Provider is an independent Controller, and the Service Provider shall process Account Data and Service Data in accordance with Data Protection Law. |
| AHI-FORM-0025 v1 Page 4 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
| 4. | LICENSEE’S OBLIGATIONS |
| 4.1. | The Licensee shall, in its use of the AHI Platform and AHI Services, process End User Data in accordance with the requirements of Data Protection Law and shall have sole responsibility for the accuracy, quality and legality of End User Data and the means by which it has acquired End User Data; and represents and warrants to the Service Provider that: |
| 4.1.1. | it has complied and will continue to comply, with Data Protection Law in respect of its processing of End User Data; |
| 4.1.2. | it has provided, and will continue to provide, all necessary notices (including any applicable requirements to provide notice to End Users regarding the use of the Service Provider as a processor) and has obtained, and will continue to obtain, all Consents and rights necessary under Data Protection Law for the Service Provider to process End User Data for the purposes described in this DPA; |
| 4.1.3. | it has and will continue to have, the right to upload or transfer End User Data to the AHI Platform for processing in accordance with the terms of the Master Services Agreement and this DPA; and |
| 4.1.4. | The processing of End User Data by the Service Provider for the purposes of the Services will not violate the rights of any Data Subject that has opted out from sales. |
| 4.2. | The Licensee undertakes not to upload or transfer (or cause to be uploaded or transferred) any Sensitive Data (excluding any End User Data created by or using the AHI Service) or any Personal Data relating to any Data Subject who is not an End User to the AHI Platform, and agrees that the Service Provider shall have no liability whatsoever for any such Sensitive Data (with the exception of End User Data created by or using the AHI Service) or third party Personal Data, whether in connection with a Personal Data Breach or otherwise. |
| 5. | SUB-PROCESSING |
| 5.1. | The Service Provider shall be entitled to use sub-processors to process End User Data for the purpose of providing the AHI Services. For these purposes, the Licensee authorises the use of the sub-processors listed at Schedule 2. |
| AHI-FORM-0025 v1 Page 5 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
| 5.2. | If the Service Provider intends to use any new sub-processor to process End User Data for the purpose of providing the AHI Services, it shall notify the Licensee thereof in writing following which the Licensee shall have 30 days to object, on reasonable grounds, to the use of any such new sub- processor. If no objection is raised, the Licensee shall be deemed to have authorised the new sub- processor for the purposes of clause 5.1, above. If the Licensee raises an objection, the parties shall meet (in person, by telephone or by video call) within 7 days of such objection to discuss commercial reasonable alternative solutions in good faith. If the parties cannot reach a resolution in 30 days, the Service Provider shall be entitled to terminate the Master Services Agreement by written notice. |
| 5.3. | Before using any sub-processor to process End User Data, the Service Provider shall enter into a sub-processing contract with the sub-processor that meets the requirements of Data Protection Law. |
| 5.4. | In the event that a sub-processor used by the Service Provider to process End User Data for the purpose of providing the AHI Service fails to meet its obligations under a sub-processing contract with the Service Provider, the Service Provider shall remain fully liable to the Licensee for failing to meet its obligations under this DPA. |
| 6. | SECURITY & CONFIDENTIALITY |
| 6.1. | The Service Provider has implemented and will maintain the technical and organisational measures set out at Schedule 1 (the “Security Measures”) to protect End User Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. |
| 6.2. | The Licensee acknowledges and agrees that: |
| 6.2.1. | the Security Measures provide a level of security for End User Data that is appropriate for the risk to End Users associated with the processing of End User Data, taking in to account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing; and |
| 6.2.2. | that the security measures are subject to technical and organisational progress and development and that the Service Provider may update or modify the Security Measures from time to time, provided that such updates do not result in the degradation of the overall security of the AHI Service or protection of End User Data. |
| 6.3. | The Service Provider shall ensure that any person who is authorised by it to process End User Data (including its staff, agents and subcontractors) shall be under a contractual obligation of confidentiality. |
| AHI-FORM-0025 v1 Page 6 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
| 7. | REPORTING & NOTIFICATION of PERSONAL DATA BREACHES |
| 7.1. | The Service Provider shall notify the Licensee about any Personal Data Breach without undue delay and in any event within 48 hours (48) hours of identifying the Personal Data Breach. |
| 7.2. | The Licensee acknowledges and agrees that the Service Provider is subject to the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“NDB Law”), meaning it will be deemed to ‘jointly hold’ the End User Data with the Licensee for the purposes of the NDB Law and will be required, following a Personal Data Breach to assess whether a reasonable person would conclude that the Personal Data Breach is likely to result in serious harm to affected individuals and if so, to notify the affected Data Subjects and the Office of the Australian Information Commissioner. |
| 7.3. | The Licensee acknowledges and agrees that if it is subject to the provisions of the UK GDPR or the EU GDPR, it will need to notify the appropriate Supervisory Authority of a Personal Data Breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of Data Subjects. |
| 7.4. | The Licensee acknowledges and agrees that if it is subject to the provisions of the UK GDPR or the EU GDPR, it will need to notify the Data Subjects affected by a Personal Data Breach without undue delay, if the Personal Data Breach is likely to result in a high risk to their rights and freedoms. |
| 8. | RECORDS, AUDIT & ASSISTANCE |
| 8.1. | Where required by Data Protection Law, the Service Provider shall: |
| 8.1.1. | make available to the Licensee such information that is in its possession or control as is necessary to demonstrate the Service Provider’s compliance with Data Protection Law; and |
| 8.1.2. | allow for and contribute to audits, including inspections, by the Licensee (at the Licensee’s cost) to enable to Licensee to assess and verify the Service Provider’s compliance with Data Protection Law (subject to a maximum of no more than one audit request in any 12 month period). |
| 8.2. | Where required by Data Protection Law, the Service Provider shall (at the Licensee’s cost), assist the Licensee in complying with its obligations under Data Protection Law including by: |
| 8.2.1. | notifying the Licensee without undue delay if it receives a request from an End User to exercise their rights under Data Protection Law or any other compliant or request relating to the processing of the End User data; |
| AHI-FORM-0025 v1 Page 7 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
| 8.2.2. | cooperating fully with the Licensee and assisting as required in relation to any such End User request, compliant or other request by providing such End User Data and information as the Licensee reasonably requires; and |
| 8.2.3. | providing reasonable assistance to the Licensee in complying with its obligations under Data Protection Laws with respect to the security of processing, notification of Personal Data breaches, carrying out data protection impact assessments and in its dealings with data protection supervisory authorities. |
| 8.3. | The Service Provider may charge a reasonable fee for its time spent and costs incurred under this clause, which shall be paid by the Licensee within 7 days of the date of its invoice, except where charging for any of the access, information or assistance covered in this section is prohibited by Data Protection Law. To avoid unexpected costs for the Licensee, the Service Provider undertakes to agree the payable fees under this clause with the Licensee in advance. |
| 9. | INTERNATIONAL TRANSFERS |
| 9.1. | The Service Provider confirms that in connection with the provision of the AHI Services, End-User Data will only be processed within the geometric proximity of the End-User’s public IP address i.e. where the End-User’s request (to use the service) originates from a location in Europe, their request will be processed by the AWS located in Europe. For clarity and the purposes of this DPA, the Licensee has requested all End-User Data be processed within the EU, pursuant to the EU GDPR. Please refer to Schedule 2 for the AWS Cloud location specified. |
| 9.2. | The Licensee acknowledges and agrees that in connection to providing support services to the Licensee, End-User Data will only be transferred to, or accessible by, AHI personnel based in Australia or sub-processer NuraLogix, documented in Schedule 2 – Sub Processors in Canada, for the provision of support services. In such cases, Annex 4 shall apply. |
| 9.3. | The Service Provider may transfer ‘personal information’ for the purposes of the Australian Privacy Act 1988 (Cth) to the relevant region provided that it complies with Australian Privacy Principle 8 (Cross-border disclosure of personal information). |
| 9.4. | The Service Provider will also adhere to any other applicable Data Protection Law when transferring Personal Data internationally. |
| AHI-FORM-0025 v1 Page 8 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
| 10. | DELETION & DEIDENTIFICATION OF DATA |
| 10.1. | Subject as set out at clause 10.2, the Service Provider shall, at the request of the Licensee, delete all End User Data (unless retention of End User Data is required by law, in which case the Service Provider shall inform the Licensee of such requirement in writing) or return it to the Licensee (in the format reasonably requested by the Licensee) within a reasonable time after the earlier of the following: |
| 10.1.1. | termination of the Master Services Agreement; or |
| 10.1.2. | where processing of that End User Data is no longer required for the performance of the Service Provider’s obligations under this DPA or the Master Services Agreement. |
| 10.2. | Before deleting or returning End User Data to the Licensee in accordance with clause 10.1, the Service Provider shall be permitted to anonymise and aggregate End User Data such that it fully ceases to include Personal Data (“Deidentified Data”) and to keep and use the Deidentified Data for the purposes of improving and developing the AHI Services following termination of the Master Services Agreement and this DPA. |
| 11. | GENERAL |
Amendment: This DPA represents the entire agreement between the parties with respect to its subject matter and may not be amended except by a written document executed by the parties. Notwithstanding the foregoing provisions of this paragraph, the Service Provider may amend this DPA by written notice to the Licensee (“Amendment Notice”) if and to the extent the amendment is necessary to comply with Data Protection Laws or any amendments made to them, or the requirements of any applicable supervisory, government or regulatory authority. If the Licensee does not agree with any Amendment Notice, it must notify the Service Provider by written notice of that fact within 7 days of the date of the Amendment Notice (“Objection Notice”). If the parties are unable to resolve the objection within 7 days from the date of the Objection Notice (“Dispute Resolution Period”), either party may terminate this DPA for its convenience by written notice within 7 days of the expiry of the Dispute Resolution Period.
Assignment: Neither party may assign, transfer, licence or novate its rights or obligations under this DPA without the prior written Consent of the other party.
Severability: If any provision of this DPA is deemed invalid by a court of competent jurisdiction, the remainder of this DPA shall remain enforceable. If a provision of this DPA conflicts with any Data Protection Law affecting the parties’ commercial relationship, that provision will be severed and the remainder of this will remain enforceable.
Relationship: The parties are independent contractors and this DPA does not create any relationship of partnership, joint venture, or employer and employee or otherwise.
Counterparts: This DPA may be executed in counterparts provided that no binding agreement shall be reached until the executed counterparts are exchanged.
| AHI-FORM-0025 v1 Page 9 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
Entire Agreement: This DPA and any terms implied herein by any applicable Data Protection Laws constitute the entire agreement between the parties and to the extent possible by law, supersedes all prior understandings, representations, arrangements and agreements between the parties, regarding its subject matter.
Applicable Law: This DPA will be governed by and construed in accordance with the law of the Master Services Agreement. To the extent this Data Processing Agreement is inconsistent with any other provision of the Master Services Agreement, this Master Services Agreement shall prevail.
SIGNED for and on behalf of the Licensee by:
| Siim Saare | |
| /s/ Siim Saare | |
Authorised Signature |
|
Date: 08/24/2022 |
SIGNED for and on behalf of the Service Provider by:
| Dr. Katherine Iscoe | |
| /s/ Dr. Katherine Iscoe | |
Authorised Signature |
|
Date: 08/26/2022 |
<< The remainder of this page is intentionally left blank >>
| AHI-FORM-0025 v1 Page 10 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
SCHEDULE 1: SECURITY MEASURES
The Service Provider has implemented the following technical and organisational security measures:
| 1. | Information security policies and related procedures |
| 2. | Staff security awareness straining |
| 3. | Security and data protection obligation in staff contracts of employment |
| 4. | Identity and access management measures including identity verification, multi-factor authentication and authorisation processes in respect of all computer systems |
| 5. | Anti-malware software, email web filtering and security detection and protection software. |
| 6. | Physical security measures at all buildings and offices, include door and window locks, filing cabinet locks and visitor access management controls. |
| 7. | Security assurance activities including internal and external security auditing. |
| 8. | Network boundary protection controls, including firewalls |
| 9. | Security testing including penetration testing of software developed by the Service Provider (including the AHI software development kit or ’SDK’). |
| 10. | Data backup and archiving supporting by business continuity and IT disaster recovery plans. |
| 11. | Where necessary, taking in to account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, pseudonymisation and/or encryption of Personal Data. |
<< The remainder of this page is intentionally left blank >>
| AHI-FORM-0025 v1 Page 11 of 12 |
| AHI DATA PROCESSING AGREEMENT | |
SCHEDULE 2: SUB-PROCESSORS
The following sub-processors are authorised by the Licensee to End-User Data:
| Sub-Processor | Purpose | Location | ||
| NuraLogix Corporation (“NuraLogix”) | Face Scan processing Services | Canada* | ||
| Amazon Web Services | Public Cloud Services | Frankfurt | ||
| Itoc Pty Ltd | 24x7 Monitoring of the AHI Platform | Australia |
| * | Please refer to clause 9.2 above. |
<< The remainder of this page is intentionally left blank >>
| AHI-FORM-0025 v1 Page 12 of 12 |
SCHEDULE 3: NATURE, MEANS & PURPOSES OF PROCESSING & DURATION OF PROCESSING
Part A: Overview
The Service Provider will provide the Licensee with an SDK that Processes End-User Data on behalf of the Licensee for the purpose of providing smartphone and cloud based digital biometric processing services.
The Service Provider’s SDK processes:
| 1. | Face Scan Data to calculate heart rate, irregular heartbeats, breathing, blood pressure, heart rate variability, and cardiac workload information, as well as provide support to End Users. |
| 2. | Body Scan Data to calculate digital anthropometric circumference measurements, body composition information (such as body fat %), and to provide support to End Users. |
The Service Provider’s Platform is hosted on the Amazon Web Services (AWS) cloud platform.
The Service Provider regularly tests the SDK for vulnerabilities to Open Web Application Security Project standards by independent security experts.
This processing shall continue for the term of the Master Services Agreement, in accordance with clause 2.2 of this DPA.
BodyScan
All BodyScan data processing happens on-device. No End-User images or videos ever leave their device, as all measurements are processed on-device.
To process and return Body Scan results, no Personally Identifiable Information leaves the End-User’s device.
FaceScan
FaceScan data is processed on AWS cloud.
The processing of the End-User’s data is based on the geographic proximity of the End-User’s public IP address. When the End-User requests a FaceScan, if they are located in the EU, the request will be processed in the EU (Frankfurt) located AWS. The signals (facial blood flow data) are extracted from the FaceScan video and encrypted at rest and on transmission.
All Personally Identifiable Information is deleted after processing.
The diagram at Part B (image below) shows the Service Provider’s Platform architecture as of the commencement date of this DPA.
Support
End-User Data will only be transferred to, or accessible by, the Service Provider’s personnel based in Australia or sub-processer NuraLogix in Canada, for the provision of support services.
Part B: Architecture
ANNEX 4
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
| 2.1. | The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country. |
| 2.1. | The Parties: |
| 2.1.1.1. | the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and |
| 2.1.1.2. | the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) |
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
| 2.2. | These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. |
| 2.3. | The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses. |
Clause 2
Effect and invariability of the Clauses
| 2.3.1.1.1.1. | These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. |
| 1 | Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295 of 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision […]. |
| 2.3.1.1.1.2. | These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679. |
Clause 3
Third-party beneficiaries
| 2.1. | Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions: |
| 2.1.1.1. | Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; |
| 2.1.1.2. | Clause 8 - Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e);; |
| 2.1.1.3. | Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); |
| 2.1.1.4. | Clause 12 - Module Two; |
| 2.1.1.5. | Clause 13; |
| 2.1.1.6. | Clause 15.1(c), (d) and (e); |
| 2.1.1.7. | Clause 16(e); |
| 2.1.1.8. | Clause 18 - ModuleTwo: Clause 18(a) and (b); |
| 2.2. | Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679. |
Clause 4
Interpretation
| 2.1. | Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. |
| 2.2. | These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679. |
| 2.3. | These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. |
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Optional
Docking clause
| 2.1. | An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A. |
| 2.2. | Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A. |
| 2.3. | The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party. |
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
| 8.1 | Instructions |
| 2.1. | The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract. |
| 2.2. | The data importer shall immediately inform the data exporter if it is unable to follow those instructions. |
| 8.2 | Purpose limitation |
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
| 8.3 | Transparency |
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
| 8.4 | Accuracy |
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
| 8.5 | Duration of processing and erasure or return of data |
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
| 8.6 | Security of processing |
| 2.1. | The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. |
| 2.2. | The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. |
| 2.3. | In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. |
| 2.4. | The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer. |
| 8.7 | Sensitive data |
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
| 8.8 | Onward transfers |
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union2 (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
| 2.4.1.1. | the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; |
| 2 | The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. |
| 2.4.1.2. | the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question; |
| 2.4.1.3. | the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or |
| 2.4.1.4. | the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person. |
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
| 8.9 | Documentation and compliance |
| 2.1. | The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses. |
| 2.2. | The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter. |
| 2.3. | The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer. |
| 2.4. | The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice. |
| 2.5. | The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request. |
Clause 9
Use of sub-processors
OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
| 2.6. | Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.3 The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses. |
| 2.7. | The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy. |
| 2.8. | The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract. |
| 2.9. | The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data. |
Clause 10
Data subject rights
| 2.1. | The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter. |
| 2.2. | The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. |
| 2.3. | In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter. |
Clause 11
Redress
| 2.1. | The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject. |
| 3 | This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. |
| 2.2. | In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them. |
| 2.3. | Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to: |
| 2.3.1.1. | lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13; |
| 2.3.1.2. | refer the dispute to the competent courts within the meaning of Clause 18. |
| 2.4. | The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. |
| 2.5. | The data importer shall abide by a decision that is binding under the applicable EU or Member State law. |
| 2.6. | The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws. |
Clause 12
Liability
| 2.1. | Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. |
| 2.2. | The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses. |
| 2.3. | Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. |
| 2.4. | The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage. |
| 2.5. | Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties. |
| 2.6. | The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage. |
| 2.7. | The data importer may not invoke the conduct of a sub-processor to avoid its own liability. |
Clause 13
Supervision
| 2.1. | The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. |
| 2.2. | The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken. |
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
| 2.1. | The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses. |
| 2.2. | The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements: |
| 2.2.1.1. | the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; |
| 2.2.1.2. | the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards4; |
| 2.2.1.3. | any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination. |
| 2.3. | The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses. |
| 2.4. | The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request. |
| 2.5. | The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). |
| 2.6. | Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination |
| 4 | As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply. |
Clause 15
Obligations of the data importer in case of access by public authorities
| 15.1 | Notification |
| 2.1. | The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: |
| 2.1.1.1. | receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or |
| 2.1.1.2. | becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. |
| 2.2. | If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter. |
| 2.3. | Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). |
| 2.4. | The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. |
| 2.5. | Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses. |
| 15.2 | Review of legality and data minimisation |
| 2.1. | The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e). |
| 2.2. | The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. |
| 2.3. | The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. |
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
| 2.1. | The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. |
| 2.2. | In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f). |
| 2.3. | The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: |
| 2.3.1.1. | the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; |
| 2.3.1.2. | the data importer is in substantial or persistent breach of these Clauses; or |
| 2.3.1.3. | the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. |
In these cases, it shall inform the competent supervisory authority of such non- compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
| 2.4. | Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. |
| 2.5. | Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679. |
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Estonia.
Clause 18
Choice of forum and jurisdiction
| 2.1. | Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. |
| 2.2. | The Parties agree that those shall be the courts of the Republic of Estonia. |
| 2.3. | A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. |
| 2.4. | The Parties agree to submit themselves to the jurisdiction of such courts. |
APPENDIX
ANNEX I
A. LIST OF PARTIES
Data exporter(s): ACTIVATE HEALTH OÜ, Registration Code 16035006 of Valukoja 10, 11415, Tallinn, Estonia
Contact person’s name, position and contact details
| Siim Saare | |||
| CEO | |||
| siim.saare@activate.ee | |||
| Signature | /s/ Siim Saare | ||
| Date | 08/24/2022 | ||
Data importer(s): ADVANCED HUMAN IMAGING LIMITED (ABN 85 602 111 115) of Unit 5, 71-73 South Perth Esplanade, South Perth Western Australia 6151
Contact person’s name, position and contact details
| Nadine Amesz | |||
Operations Officer |
|||
Email: nadine.amesz@ahi.tech |
|||
| Signature | /s/ Nadine Amesz | ||
| Date | 08/25/2022 | ||
B. DESCRIPTION OF TRANSFER
Specified in the Schedule 3 to the Data Processing Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 Estonian Data Protection Inspectorate.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Specified in the Schedule 1 to the Data Processing Agreement