Exhibit 10.5

Service Agreement

This Agreement is made

BETWEEN

(1) Immedis Limited registered in Ireland with company registration number 586847 whose registered office is at IDA Business and Technology Park, Ring Road, Kilkenny, Ireland (the “Customer”);

Of the One Part

(2) Galaxy Payroll Services Limited whose registered office is 21/F., Central 88, 88-98 Des Voeux Road Central, Central, Hong Kong (the “Supplier”);

Of the Other Part,

each a Party and together the Parties;

WHEREAS

(A) The Customer and the Supplier entered into negotiations regarding the provision of services to meet the Service Requirements (as hereinafter defined).

(B) As a result of such negotiations, the Customer has agreed to purchase, and the Supplier has agreed to supply, the Services (as hereinafter defined) on the terms and conditions of this Agreement.

NOW THIS AGREEMENT WITNESSETH that in consideration of the mutual terms and conditions herein after set forth and provided for and for other good and valuable consideration (the receipt and sufficiency of which is hereby acknowledged), the Parties hereto hereby covenant and agree as follows:-

1. INTERPRETATION

1.1. Definitions

Applicable Law: the Ireland and the European Union and any other laws or regulations, regulatory policies, guidelines or industry codes (of whatever jurisdiction), including Data Protection Law, which apply to the provision of the Services.

Background IPR: any and all IPRs that are owned by or licensed to either party and which are or have been developed independently of this Agreement (whether prior to the Effective Date or otherwise).

Business Day: a day, other than a Saturday, Sunday or public holiday in the Republic of Ireland, when banks are open for business.

Charges: all charges which may become due and payable by the Customer to the Supplier pursuant to this Agreement, as set out in the Work Order.

Confidential Information: any and all information and/or data in whatever form disclosed by the one party to the other, whether before or after this Agreement is entered into, whether orally or in writing or whether eye readable, machine readable or in any other form including, without limitation, the form, materials and design of any relevant software or equipment or any part thereof, the methods of operation and the various applications thereof, processes, formulae, plans, business plans, strategies, data, Know-How, ideas, designs, photographs, drawings, specifications, technical literature, information relating to employees, customers, suppliers or content providers and any other material made available by one party to the other or gained by the visit by one party to any establishment of the other party, whether before or after this Agreement is entered into, for the purpose of considering, advising in relation to or furthering any negotiations (and any information derived from such information) whether or not that information is marked or designated as confidential or proprietary.

Data Classification: Confidential Page 1

Consents: all permissions, consents, approvals, certificates, permits, licences, agreements and authorities (whether statutory, regulatory, contractual or otherwise) necessary for the provision of the Services.

Contract Year: a period of 12 months (or such shorter period if this Agreement is terminated earlier), commencing on the Effective Date and/or each anniversary of the Effective Date.

Customer’s Data: any data (including any Personal Data and Sensitive Personal Data relating to the staff, customers or suppliers of, or the staff of customers or suppliers of, the Customer), documents, text, drawings, diagrams, images or sounds (together with any database made up of any of those), embodied in any medium, that are supplied to the Supplier by or on behalf of the Customer, or which the Supplier is required to generate, process, store or transmit pursuant to this Agreement.

Customer’s Documentation: all technical specifications, user manuals, operating manuals, process definitions and procedures, and all such other documentation owned by the Customer

Customer’s Representative: the person responsible for managing the Customer’s overall relationship with the Supplier.

Customer’s Responsibilities: the responsibilities of the Customer as specified in the Work Order.

Customer’s Software: the software which is owned by the Customer and which is to be used by the Supplier and/or the Customer in the context of the provision or receipt of any of the Services.

Damages means all direct liabilities, costs, expenses, damages and losses (excluding indirect or consequential losses, loss of profit, loss of reputation), and all interest, fines, penalties and legal costs (calculated on a full indemnity basis), and all other [reasonable] professional costs and expenses) suffered or incurred by a Party arising out of this Agreement or a cause of action in connection with the operation of this Agreement, including breach of contract, tort (including negligence) and any other common law, equitable or statutory cause of action.

Data Controller has the meaning given to it in Data Protection Law;

Data Processor has the meaning given to it in Data Protection Law;

Data Sub Processor has the meaning given to it in Data Protection Law;

Data Protection Impact Assessment has the meaning given to it in Data Protection Law;

Data Protection Law: the data protection and information privacy laws of Ireland and the European Union as amended, revised or replaced from time to time, and to the extent applicable to this Agreement or the Services, the data protection and information privacy laws of other jurisdictions, including the Irish Data Protection Acts 1988 and 2003 and Regulation (EU) 2016/679 known as the General Data Protection Regulation or GDPR (when applicable).

Data Security Breach means any known potential or actual breach of the Minimum ISO Requirements or any obligations or duties owed by the Data Processor to the Data Controller relating to the confidentiality, integrity or availability of Confidential Information or Personal Data;

Data Subject has the meaning given to it in Data Protection Law;

Data Transfer Agreement means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission or such other agreement for the transfer of Personal Data as the Data Controller may approve;

Default: any default of either Party in complying with its obligations under this Agreement.

Data Classification: Confidential Page 2

Dispute: any dispute under this Agreement.

Dispute Resolution Procedure: the dispute resolution procedure set out in Clause [21].

Due Date: has the meaning give in Clause [5].

Effective Date: the date of this Agreement. Force Majeure Event: any cause affecting, preventing or hindering the performance by a Party of its obligations under this Agreement arising from acts, events, omissions or non-events beyond its reasonable control, including acts of God, riots, war, acts of terrorism, fire, flood, storm or earthquake and any disaster, but excluding any industrial dispute relating to the Supplier, the Supplier’s Personnel or any other failure in the Supplier’s supply chain.

Group of a Party means in relation to a Party, that Party, any subsidiary or holding company of that Party, and any subsidiary of a holding company of that Party, ‘holding company’ and ‘subsidiary’ having the meanings given to them in sections 7 and 8 of the Companies Act 2014 (Ireland).

Initial Term: the period commencing on the Effective Date and ending six months from the Effective Date.

Insolvency Event: in respect of either Party:

● other than for the purposes of a bona fide reconstruction or amalgamation, such Party passing a resolution for its winding up, or a court of competent jurisdiction making an order for it to be wound up or dissolved, or that Party being otherwise dissolved; or

● the appointment of an administrator of or examiner of, or the making of an administration order or examinership order in relation to, either Party, or the appointment of a receiver or administrative receiver of, or an encumbrancer taking possession of or selling, the whole or any part of the entity’s undertaking, assets, rights or revenue; or

● that Party entering into an arrangement, compromise or composition in satisfaction of its debts with its creditors or any class of them, or taking steps to obtain a moratorium, or making an application to a court of competent jurisdiction for protection from its creditors; or

● that Party being unable to pay its debts, or being capable of being deemed unable to pay its debts, within the meaning of section 570 of the Companies Act 2014; or

● that Party entering into any arrangement, compromise or composition in satisfaction of its debts with its creditors; or

● that Party filing a voluntary petition in bankruptcy or is adjudicated to be bankrupt or an insolvent debtor

or any event equivalent to the above in any jurisdiction.

IPRs: all copyright, design rights (whether registered or unregistered); all rights in inventions (whether patentable or not), patent applications, patents, Know-how, Confidential Information; trade marks, business names, domain names and all goodwill acquired in relation to same and all rights of an equivalent nature whether registered or registerable and which exist now or in the future anywhere in the world.

IPR Claim: any claim of infringement or alleged infringement (including the defence of such infringement or alleged infringement) of any IPRs used to provide the Services.

Key Personnel: those personnel identified for the roles attributed to such personnel, as modified pursuant to Clause [7].

Know-how: the processes, techniques and methods of working all of a secret, confidential or proprietary nature which have been or are being developed;

Data Classification: Confidential Page 3

Mandatory Policies: the Customer’s business policies [and codes]

Payment Plan: the plan for payment of the Charges.

Personal Data has the meaning given to it in Data Protection Law;

Prior Consultation has the meaning given to it in Data Protection Law;

Privacy Shield means the Privacy Shield scheme and principles operated by the US Department of Commerce, and approved by the European Commission, or any replacement scheme and principles approved by the European Commission for that purpose from time to time;

Processing has the meaning given to it in Data Protection Law, and “Process” will be construed accordingly;

Regulatory Body: any government department and regulatory, statutory and any other entity, committee and body which, whether under statute, rules, regulations, code of practice or otherwise, is entitled by any Applicable Law to supervise, regulate, investigate or influence the matters dealt with in this Agreement or any other affairs of the Parties.

Security Policy: the Customer’s security policy.

Sensitive Personal Data has the meaning given to it in Data Protection Law.

Service Requirements: the Customer’s requirements for the Services as set out in the Work Order .

Services: the services to be delivered by or on behalf of the Supplier under this Agreement,

Supplier’s Documentation: all technical specifications, user manuals, operating manuals, process definitions and procedures, and all such other documentation as is required to be supplied by the Supplier to the Customer to enable it to use the Services and/or is required to be developed by the Supplier in order to provide the Services.

Supplier’s Personnel: all employees, staff, other workers, agents and consultants of the Supplier who are engaged in the provision of the Services from time to time.

Supplier’s Premises: any premises in the possession or control of the Supplier from which the Services are delivered, in whole or in part or in which records relating to the Services are kept.]

Supplier’s Representative: the person identified, or any replacement person appointed by the Supplier, as the person responsible for managing the Supplier’s overall relationship with the Customer.

Supplier’s Software: the software which is owned by the Supplier and which is to be used by the Supplier and/or the Customer in the context of the provision or receipt of any of the Services.

Term: means the Initial Term plus any continuation of this Agreement which comes into effect pursuant to Clause [2.2], as may be varied by the termination of this Agreement in accordance with Clause [19].

Termination Date: the date of expiry or termination of this Agreement.

Termination Notice: any notice to terminate this Agreement which is given by either Party in accordance with Clause [19].

Termination Period: the period of one week as specified in the Termination Notice pursuant to Clause [19] during which period the Customer may require the Supplier to continue to provide the Services after a Termination Notice has been given.

Data Classification: Confidential Page 4

Third Party Software: software which is proprietary to any third party and that is either licensed to the Customer or is used by the Supplier in the provision of the Services.

Use: with respect to each of the following IPRs and, in each case, in connection with the Services:

● the right to load, execute, store, transmit, display and copy (for the purposes of loading, execution, storage, transmission or display) the Supplier’s Background IPRs;

● the right to load, execute, store, transmit, display, copy (for the purposes of loading, execution, storage, transmission or display), modify, adapt, enhance, reverse compile, decode, translate and otherwise utilise the Supplier’s Software; and

● the right to copy, adapt, publish, distribute and otherwise use the Documentation.

VAT: value added tax.

1.2. Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.

1.3. The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.

1.4. Unless the context requires otherwise, words in the singular include the plural and in the plural include the singular.

1.5. Unless the context requires otherwise, a reference to one gender shall include a reference to the other genders.

1.6. A reference to a statute or statutory provision is a reference to it as amended, extended, replaced or re-enacted from time to time.

1.7. A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.

1.8. A reference to writing or written includes fax and email.

1.9. A reference to this Agreement or to any other agreement or document referred to in this Agreement is a reference to this Agreement or such other agreement as varied or novated (in each case, other than in breach of the provisions of this Agreement) from time to time.

1.10. References to clauses and schedules are to the clauses and schedules of this Agreement and references to paragraphs are to paragraphs of the relevant schedule.

1.11. Any words following the terms including, include, in particular, for example or any other similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or terms preceding those terms.

2. COMMENCEMENT AND DURATION

2.1. This Agreement shall take effect on the Effective Date and shall continue for the Initial Term, unless terminated in accordance with Clause [19] of this Agreement.

2.2. After the expiry of the Initial Term, the Agreement shall remain in force unless terminated in accordance with Clause [19] of this Agreement.

3. SERVICES

3.1. The Customer shall appoint the Supplier, and the Supplier shall provide the Services to the Customer pursuant to the terms and conditions of this Agreement.

Data Classification: Confidential Page 5

3.2. The Supplier shall provide the Services to the Customer from the [Effective Date].

3.3. The Supplier shall provide the Services in the English language and also in the local language of the supplier if required.

3.4. The Supplier shall ensure that each of the Services meets and satisfies the Service Requirements [and the Service Description].

3.5. In providing the Services, the Supplier shall at all times:

3.5.1. provide the Services in accordance with all Applicable Laws;

3.5.2. obtain, maintain and comply with all Consents;

3.5.3. allocate sufficient resources to provide the Services in accordance with the terms of this Agreement;

3.5.4. ensure that any of the Supplier’s Personnel who are engaged in the provision of any of the Services shall, if required by the Customer, attend such meetings at the premises of the Customer or elsewhere as may be reasonably required by the Customer; all costs related to the participation at such meetings, including travel, accommodation and hourly rates for the entire time spent from departing Bucharest to returning to Bucharest will be borne by the Customer and

3.5.5. provide such reasonable co-operation and information in relation to the Services to such of the Customer’s other suppliers as the Customer may reasonably require for the purposes of enabling any such person to create and maintain any interfaces that the Customer may reasonably require.

3.6. The Customer shall comply with the Customer’s Responsibilities.

3.7. The Supplier acknowledges that it is not being appointed as an exclusive provider of any of the Services and the Customer may at any time perform any part of the Services itself or procure them from a third party.

3.8. The Supplier shall be responsible for and bear all costs incurred in the implementation, maintenance and development of the Services.

3.9. In the event of the Supplier’s failure to provide any of the Services, the Customer may, without prejudice to its other rights, require the Supplier to re-perform the applicable Services.

4. DUE DILIGENCE

4.1. The Supplier acknowledges and confirms that:

4.1.1. it has had an opportunity to carry out a thorough due diligence exercise in relation to the Service Requirements and has asked the Customer all the questions it considers to be relevant for the purpose of establishing whether it is able to provide the Services in accordance with the terms of this Agreement;

4.1.2. it has received all information requested by it from the Customer pursuant to Clause [4.1.1] to enable it to determine whether it is able to provide the Services in accordance with the terms of this Agreement;

4.1.3. it has made and shall make its own enquiries to satisfy itself as to the accuracy and adequacy of any information supplied to it by or on behalf of the Customer pursuant to Clause [4.1.1] ;

Data Classification: Confidential Page 6

4.1.4. it has raised all relevant due diligence questions with the Customer before the Effective Date; and

4.1.5. it has entered into this Agreement in reliance on its own due diligence.

4.1.6. it acknowledges that, during due diligence, it made representations to the Customer on standards which it applies and further warrants that all such standards will be maintained and upheld throughout the Term and may be subject to audit in accordance with Clause [6]

4.2. Save as provided in this Agreement, no representations, warranties or conditions are given or assumed by the Customer in respect of any information which is provided to the Supplier by the Customer and any such representations, warranties or conditions are excluded, save to the extent that such exclusion is prohibited by law.

4.3. The Supplier shall promptly notify the Customer in writing if it becomes aware during the performance of this Agreement of any inaccuracies in any information provided to it by the Customer during such due diligence which materially and adversely affects its ability to perform the Services.

4.4. The Supplier shall not be entitled to recover any additional costs from the Customer which arise from, or be relieved from any of its obligations as a result of, any matters or inaccuracies notified to the Customer by the Supplier in accordance with Clause [4.3] save where such additional costs or adverse effect on performance have been caused by the Supplier having been provided with fundamentally misleading information by or on behalf of the Customer and the Supplier could not reasonably have known that the information was incorrect or misleading at the time such information was provided. If this exception applies, the Supplier shall be entitled to recover such reasonable additional costs from the Customer.

4.5. Nothing in this Clause [4] shall limit or exclude the liability of the Customer for fraud or fraudulent misrepresentation.

5. CHARGING AND INVOICING

5.1. In consideration of the provision of the Services by the Supplier in accordance with the terms and conditions of this Agreement, the Customer shall pay the Charges to the Supplier in accordance with the Payment Plan.

5.2. The Supplier shall invoice the Customer for payment of the Charges at the time the Charges are expressed to be payable in accordance with the Payment Plan. All invoices shall be directed to the Customer’s Representative.

5.3. The Customer shall pay the Charges which have become payable in accordance with the Payment Plan within [30] days of receipt of an undisputed invoice from the Supplier (Due Date).

5.4. If the Customer receives an invoice which it reasonably believes includes a sum which is not valid and properly due:

5.4.1. the Customer shall notify the Supplier in writing as soon as reasonably practicable;

5.4.2. the Customer’s failure to pay the disputed Charges shall not be deemed to be a breach of this Agreement;

5.4.3. the Customer shall pay the balance of the invoice which is not in dispute by the Due Date;

Data Classification: Confidential Page 7

5.4.4. to the extent that the Customer is obliged, following resolution of the dispute, to pay an amount, then the Supplier may charge interest in accordance with Clause [5.7] from the original Due Date until the date of payment;

5.4.5. to the extent that the Supplier is obliged to refund an amount to the Customer, interest shall be added to that amount in accordance with Clause [5.7]; and

5.4.6. once the dispute has been resolved, where either Party is required to make a balancing payment, it shall do so within 30 Business Days and, where the Supplier is required to issue a credit note, it shall do so within 30 Business Days.

5.5. The Supplier shall maintain complete and accurate records of, and supporting documentation for, all amounts which may be chargeable to the Customer pursuant to this Agreement. Such records shall be retained for inspection by the Customer for 6 years from the end of the Contract Year to which the records relate unless legally required for longer.

5.6. The Supplier has the right to suspend the supply of the Services 30 business days after notifying the Customer in writing that a payment is overdue, unless full payment of all overdue amounts is received.

5.7. If the Customer fails to make any payment due to the Supplier under this Agreement by the due date for payment, then the Customer shall pay interest on the overdue amount at the rate of 2% per annum above ECB’s base rate from time to time. Such interest shall accrue on a daily basis from the due date until actual payment of the overdue amount, whether before or after judgment. The defaulting Party shall pay the interest together with the overdue amount.

5.8. Except as otherwise provided, the Parties shall each bear their own costs and expenses incurred in respect of compliance with their obligations under this Agreement.

5.9. All sums payable by either Party under this Agreement shall be paid in Euro or US Dollars.

5.10. The Charges are stated exclusive of VAT, which shall be added at the prevailing rate as applicable and paid by the Customer following delivery of a valid VAT invoice. The Supplier shall indemnify the Customer against any liability (including any interest, penalties or costs incurred) which is levied, demanded or assessed on the Customer at any time in respect of the Supplier’s failure to account for, or to pay, any VAT relating to payments made to the Supplier under this Agreement.

5.11. The Customer may retain or set off any sums owed to it by the Supplier which have fallen due and payable against any sums due to the Supplier under this Agreement.

6. AUDITS

6.1. The Supplier shall allow the Customer and any auditors of or other advisers to the Customer to access any of the Supplier’s Premises, personnel and relevant records as may be reasonably required in order to:

6.1.1. fulfil any legally enforceable request by any Regulatory Body;

6.1.2. undertake verifications of the accuracy of the Charges or identify suspected fraud;

6.1.3. undertake verification that the Services are being provided and all obligations of the Supplier are being performed in accordance with this Agreement;

6.1.4. undertake verification of the Security Policy (can be provided on request).

Data Classification: Confidential Page 8

6.2. The Customer shall use its [reasonable endeavours] to ensure that the conduct of each audit does not unreasonably disrupt the Supplier or delay the provision of the Services by the Supplier and that, where possible, individual audits are co-ordinated with each other to minimise any disruption.

6.3. Subject to the Customer’s obligations of confidentiality, the Supplier shall provide the Customer (and the Customer’s auditors and other advisers) with all reasonable co-operation, access and assistance in relation to each audit.

6.4. The Customer shall provide at least 5 Business Days’ notice of its intention to conduct an audit unless such audit is conducted in respect of a suspected fraud, in which event no notice shall be required.

6.5. The Parties shall bear their own costs and expenses incurred in respect of compliance with their obligations under this Clause [6] unless the audit identifies a Default by the Supplier, in which case the Supplier shall reimburse the Customer for all its reasonable costs incurred in the course of the audit.

6.6. If an audit identifies that:

6.6.1. the Supplier has failed to perform its obligations under this Agreement, the provisions of Clause [21] shall apply, provided that, if the audit demonstrates that the Supplier is failing to comply with any of its obligations under this Agreement then, without prejudice to the other rights and remedies of the Customer, the Supplier shall take the necessary steps to comply with its obligations at no additional cost to the Customer;

6.6.2. the Customer has overpaid any Charges, the Supplier shall pay to the Customer the amount overpaid within [30] days from the date of receipt of an invoice or notice to do so; and

6.6.3. the Customer has underpaid any Charges, the Customer shall pay to the Supplier the amount of the under-payment within 30 days from the date of receipt of an invoice for such amount.

6.7. The Customer may increase the extent to which it monitors the conduct of the Services if the Supplier fails to fulfil its obligations under this Agreement. The Customer shall give the Supplier prior notification of its intention to increase the level of its monitoring. The Supplier shall bear its own costs in complying with the Customer in relation to any monitoring which is conducted by the Customer pursuant to this Clause [6.7].

7. KEY PERSONNEL

7.1. Each Party shall appoint the persons as the individuals who shall be responsible for the matters allocated to such Key Personnel. The Key Personnel shall be those people who are identified by each Party as being key to the success of the implementation and/or operation of the Services and who shall be retained on the implementation and/or operation of the Services for such time as a person is required to perform the role which has been allocated to the applicable Key Personnel. The Key Personnel shall have the authority to act on behalf of their respective Party on the matters for which they are expressed to be responsible.

7.2. The Supplier shall not remove or replace any of the Key Personnel unless:

7.2.1. requested to do so by the Customer for justified reasons; or

7.2.2. the person is on long-term leave; or

7.2.3. the element of the Services in respect of which the individual was engaged has been completed to the Customer’s satisfaction; or

Data Classification: Confidential Page 9

7.2.4. the person’s employment with the Supplier is terminated or the role within the company changes (promotions, moves to another department); or

7.2.5. the Supplier obtains the prior written consent of the Customer with 30 days notice.

7.3. The Supplier shall inform the Customer of the identity and background of any replacements for any of the Key Personnel as soon as a suitable replacement has been identified. The Customer shall be entitled to interview any such person and may object to any such proposed appointment within 5 Business Days of being informed of or meeting any such replacement if, in its reasonable opinion, it considers the proposed replacement to be unsuitable for any reason.

7.4. Each Party shall ensure that the role of each of its Key Personnel is not vacant (in terms of a permanent representative) for more than 5 Business Days. Any replacement shall be as, or more, qualified and experienced as the previous incumbent and fully competent to carry out the tasks assigned to the Key Personnel whom he or she has replaced. A temporary replacement shall be identified with immediate effect from the Supplier or the Customer becoming aware of the role becoming vacant.

7.5. If the Supplier replaces the Key Personnel as a consequence of this Clause [7], the cost of effecting such replacement shall be borne by the Supplier.

8. SUPPLIER’S PERSONNEL

8.1. At all times, the Supplier shall ensure that:

8.1.1. each of the Supplier’s Personnel is suitably qualified, adequately trained and capable of providing the applicable Services in respect of which they are engaged;

8.1.2. each of the Supplier’s Personnel holds all necessary certificates or authorisations to provide the Services;

8.1.3. there is an adequate number of Supplier’s Personnel to provide the Services properly;

8.2. The Customer may refuse to grant access to, and remove, any of the Supplier’s Personnel who do not comply with any of the Customer’s policies, or if they otherwise present a security threat.

8.3. The Supplier shall replace any of the Supplier’s Personnel who the Customer reasonably decides have failed to carry out their duties with reasonable skill and care. Following the removal of any of the Supplier’s Personnel for any reason, the Supplier shall ensure such person is replaced promptly with another person with the necessary training and skills to meet the requirements of the Services.

8.4. The Supplier shall maintain up-to-date personnel records on the Supplier’s Personnel engaged in the provision of the Services and, on request, provide reasonable information to the Customer on the Supplier’s Personnel. The Supplier shall ensure at all times that it has the right to provide these records under Data Protection Legislation.

8.5. The Supplier shall use reasonable endeavours to ensure continuity of personnel and to ensure that the turnover rate of its staff engaged in the provision or management of the Services is at least as good at the prevailing industry norm for similar services, locations and environments.

8.6. For the avoidance of doubt, failure by the Supplier to comply with any of its obligations under this Clause [8] shall constitute a Default by the Supplier which shall entitle the Customer to terminate this Agreement immediately pursuant to Clause [19.2.1].

Data Classification: Confidential Page 10

8.7. For the avoidance of doubt, Supplier’s Personnel are held to be acting as an agent of the Supplier and thus under the control and responsibility of said Supplier. In the event of any misconduct, gross negligence, fraud or fraudulent misrepresentation by the Personnel, Supplier is wholly responsible for all acts and omissions of Supplier’s Personnel and the Customer cannot be held to have any part in such event.

9. NON-SOLICITATION

9.1. Neither Party shall (except with the prior written consent of the other) directly or indirectly solicit or entice away (or attempt to solicit or entice away) from the employment of the other Party any person employed or engaged in the receipt or provision of the Services at any time during the Term or for a further period of [12] months after the termination of this Agreement other than by means of a national advertising campaign open to all comers and not specifically targeted at any of the staff of the Customer or the Supplier.

9.2. If either Party commits any breach of Clause [9.1], the other shall, on demand, pay a sum equal to one year’s basic salary or the annual fee that was payable to that employee, worker or independent contractor plus the recruitment costs incurred in replacing such person.

10. IPRs

10.1. Subject to Clause [11], the Customer shall not acquire any right, title or interest in or to the IPRs of the Supplier or its licensors, including:

10.1.1. The Supplier’s Documentation;

10.1.2. the IPRs relating to the Supplier’s Software;

10.1.3. the IPRs relating to the Third Party Software used by the Supplier in the provision of the Services; and

10.1.4. the Supplier’s Background IPRs; and

10.2. the Supplier shall not acquire any right, title or interest in or to the IPRs of the Customer or its licensors, including:

10.2.1. the IPRs relating to the Customer’s Documentation;

10.2.2. the IPRs relating to the Customer’s Know-how;

10.2.3. the IPRs relating to the Customer’s Data;

10.2.4. the Customer’s Background IPRs.

10.3. Where either Party acquires, by operation of law, title to IPRs of the other referred to in this Clause [10], and this acquisition is inconsistent with the allocation of title set out in this Clause [10], such IPRs shall be assigned by it to the other Party on the request of the other Party, whenever that request is made.

11. INDEMNITY

11.1. The Supplier shall, at all times during and after the Term, indemnify the Customer and keep the Customer indemnified against all Damages incurred by or awarded against the Customer arising as a direct result of gross negligence or wilful misconduct of the Supplier under this Agreement.

11.2. Without prejudice to the generality of Clause [11.1] above, the Supplier shall, at all times during and after the Term, indemnify the Customer and keep the Customer indemnified against all Damages incurred by, awarded against or agreed to be paid by the Customer arising from any IPR Claim made in respect of the Supplier’s IPRs except to the extent that such liabilities have resulted directly from the Customer’s failure to properly observe its obligations under this Agreement.

Data Classification: Confidential Page 11

11.3. In the event that the Customer suffers any of the Damages referred to in Clause [11.2] the Customer shall:

11.3.1. notify the Supplier in writing of any IPR Claim made in respect of the Supplier’s IPR;

11.3.2. allow the Supplier to conduct all negotiations and proceedings and provide the Supplier with such reasonable assistance as is required by the Supplier, each at the Supplier’s cost, regarding the IPR Claim made in respect of the Supplier’s IPR; and

11.3.3. not, without prior consultation with the Supplier, make any admission relating to the IPR Claim made in respect of the Supplier’s IPR or attempt to settle it, provided that the Supplier considers and defends any IPR Claim made in respect of the Supplier’s IPR diligently, using competent counsel and in such a way as not to bring the reputation of the Customer into disrepute.

11.4. If an IPR Claim is made in respect of the Supplier’s IPR, or the Supplier anticipates that an IPR Claim might be made in respect of the Supplier’s IPR, the Supplier may, at its own expense and sole option, either

11.4.1. procure for the Customer the right to continue using the part of the material which is subject to the IPR Claim in respect of the Supplier’s IPR; or

11.4.2. replace or modify, or procure the replacement or modification of, such material, provided that:

11.4.2.1. the performance and functionality of the replaced or modified item is at least equivalent to the performance and functionality of the original item;

11.4.2.2. there is no additional cost to the Customer; and

11.4.2.3. the terms of this Agreement apply to the replaced or modified Services.

If the Supplier elects to modify or replace an item pursuant to Clause [11.4.2] or to procure a licence in accordance with [11.4.1], but this has not avoided or resolved the IPR Claim in respect of the Supplier’s IPR, then the Customer may terminate this Agreement by written notice with immediate effect.

12. DATA PROTECTION

12.1. Data Controller: The Customer is a Data Controller in respect of the Personal Data Processing as set out in Annex 1.

12.2. Data Processor: Without prejudice to Article 28.10 of the GDPR, the Supplier acts as a Data Processor in respect of the Personal Data it Processes on behalf of the Customer or a member of the Customer’s Group as set out in Annex 1.

12.3. The Supplier shall comply with its obligations as a Data Processor under Data Protection Law. If the Supplier is or becomes aware of any reason that would prevent its compliance with Data Protection Law or any incident of non-compliance with Data Protection Law in connection with the Processing of Personal Data under this Agreement it shall notify the Customer in the most expedient time possible.

Data Classification: Confidential Page 12

12.4. Instructions: The Supplier shall only, and shall procure that its Personnel only, Process the Personal Data in accordance with this Agreement and any other written instructions of the Customer unless required to do so by Union or Member State law to which the Supplier is subject and in such a case, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Supplier agrees that it will acquire no rights or interest in the Personal Data.

12.5. Data Subject Rights: The Supplier agrees to assist the Customer to respond to requests by Data Subjects, exercising their rights under Data Protection Law, within such reasonable timescale as may be specified by the Customer.

12.6. If the Supplier receives any such request from Data Subjects directly, the Supplier will immediately inform the Customer that it has received the request and forthwith forward the request to the Customer. The Supplier will not respond in any way to such a request, except on the instructions of the Customer.

12.7. Assistance: The Supplier shall assist the Customer within such reasonable timescale as may be specified by the Customer with compliance with the Customer’s obligations pursuant to:

12.7.1. Article 32 of the GDPR (Security);

12.7.2. Articles 33 and 34 of the GDPR (Data Breach Notification);

12.7.3. Article 35 of the GDPR (the conduct of Data Protection Impact Assessments); and

12.7.4. Article 36 of the GDPR (Prior Consultation requests to Regulators in relation to Personal Data Processing under this Agreement).

12.8. Data Transfers: The Supplier will not transfer any Personal Data or other information relating to customers of the Customer from one country to another except with the prior written consent of the Customer and in accordance with any terms the Customer may impose on such transfer. As a condition of granting such consent, the Customer may, among other requirements, require the Supplier to:

12.8.1. enter into or procure that any relevant subcontractor enters into an appropriate Data Transfer Agreement; or

12.8.2. for transfers to the United States of America, ensure that the recipient has and continues to maintain a current, valid certification under the Privacy Shield and complies with the Privacy Shield principles.

The foregoing provisions of this Clause 14.8 shall also apply to any further transfer of the Personal Data or other information relating to customers of the Customer.

12.9. In the event that the transfer mechanism entered into under Clause 12.8 ceases to be valid, the Supplier shall at the Customer’s discretion:-

12.9.1. enter into and/or procure that any relevant subcontractor enters into an appropriate alternative data transfer mechanism;

12.9.2. destroy any Personal Data in its and/or its subcontractor’s possession; or

12.9.3. return any Personal Data in its and/or its subcontractor’s possession to the Customer.

12.10. In the event that there ceases to exist any valid data transfer mechanism which would enable the Personal Data to be lawfully transferred by the Customer to the Supplier, the Customer shall be entitled to terminate this Agreement by giving a minimum of thirty (30) days’ prior written notice to the Supplier.

Data Classification: Confidential Page 13

12.11. Personal Data from Customer Group Members: In the event that more than one member of the Customer Group passes to the Supplier, or otherwise gives the Supplier access to, Personal Data or other information relating to its customers under this Agreement:

12.11.1. the Supplier will keep the Personal Data and other information relating to customers of each member separately identified, by reference to that member; and

12.11.2. the Supplier will not divulge any of the Personal Data or other information relating to customers of one member of the Customer Group, to another member of the Customer Group, without the consent of the member owning the Personal Data or other information relating to its customers.

12.12. Sub-Processing: The Supplier agrees that it shall not engage any third party to Process Customer Personal Data without the prior written consent of the Customer.

12.13. If the Supplier engages any third party to Process any Customer Personal Information, the Supplier shall impose on such third party, by means of a written contract, the same data protection obligations as set out in this Agreement and shall ensure that if any third party engaged by the Supplier in turn engages another person to Process any Personal Information, the third party is required to comply with all of the obligations in respect of Processing of Personal information that are imposed under this Agreement.

12.14. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of the other processors and shall not make any such changes without the prior written consent of the Customer.

12.15. The Supplier shall remain fully liable to Customer for Processing by any third party as if the Processing was being conducted by the Supplier.

12.16. Security: The Supplier shall implement appropriate technical and organisational measures to assure a level of security appropriate to the risk to the security of Personal Information, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised, disclosure of or access to Personal Information including as appropriate and as notified in advance to the Customer:

12.16.1. the pseudonymisation and encryption of Personal Information

12.16.2. the ability to ensure the ongoing confidentiality, integrity and availability of the Personal Information and resilience of the Supplier’s Systems used for such Processing;

12.16.3. the ability to restore the availability and access to the Personal Information in the event of a physical or technical incident; and

12.16.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

12.17. Confidentiality: The Supplier will ensure that its personnel who Process Personal Data under this Agreement are subject to obligations of confidentiality in relation to such Personal Data.

12.18. Demonstrating Compliance: The Supplier shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

12.19. Infringement: The Supplier will immediately inform the Customer if, in its opinion, an instruction given or request made pursuant to this Agreement infringes Data Protection Law.

Data Classification: Confidential Page 14

12.20. Breach Notification: The Supplier will notify the Customer within twenty-four (24) hours of the Supplier becoming aware of a Data Security Breach, and shall include in such notification, at least the applicable information referred to in Article 33 (3) of the GDPR in accordance with the form set out at Appendix 2. The Supplier shall not communicate with any Data Subject in respect of a Data Security Breach without the prior written consent of the Customer.

12.21. Damages: The Supplier shall indemnify the Customer, without limit or exclusion, against any Damages incurred by the Customer, and any member of the Customer Group or any Personnel, arising from or in connection with:

12.21.1. The Supplier acting outside or contrary to the lawful instructions of the Customer;

12.21.2. Any other breach by the Supplier of its obligations under this Agreement regarding Data Protection or of Data Protection Laws; and/or

12.21.3. Any act or omission of the Supplier or its Personnel which causes the Customer or any member of the Data Customer’s Group in any way to be in breach of Data Protection Laws.

12.22. Termination/Expiry: On termination or expiry of this Agreement (or at any other time on request by the Customer), the Supplier shall return, destroy or permanently erase, at the election of the Customer, all copies of Personal Data received and/or processed by it under this Agreement unless Applicable Law requires retention of the Personal Data.

12.23. Survival of Clause: The provisions of this Clause 12 shall survive the term of this Agreement until the Supplier has returned or destroyed all Personal Data in accordance with Clause 12.22.

12.24. Standard Contractual Clauses: In addition to the obligations described herein, the Customer (as “data exporter”) and the Supplier (as “data importer”) hereby enter into the Standard Contractual Clauses as set out in Annex 3 and its Appendices.

13. CONFIDENTIALITY

13.1. Except to the extent set out in this Clause [13], or where disclosure is expressly permitted elsewhere in this Agreement, each Party shall:

13.1.1. treat the Confidential Information as confidential; and

13.1.2. not disclose the Confidential Information to any other person without the owner’s prior written consent.

13.2. Clause [13.1] shall not apply to the extent that:

13.2.1. such information was in the possession of the Party making the disclosure, without obligation of confidentiality, prior to its disclosure; or

13.2.2. such information was obtained from a third party without obligation of confidentiality; or

13.2.3. such information was already in the public domain at the time of disclosure otherwise than through a breach of this Agreement; or

13.2.4. such information was independently developed without access to the other Party’s Confidential Information.

13.3. Each Party may only disclose the Confidential Information to its Personnel who are directly involved in the provision of the Services and who need to know the information. The Party shall ensure that such Personnel are aware of, and comply with, these confidentiality obligations.

Data Classification: Confidential Page 15

13.4. The Party receiving Confidential Information shall not, and shall procure that the its Personnel do not, use any of the Disclosing Party’s Confidential Information received otherwise than for the purposes of this Agreement.

13.5. Each Party undertakes (except as may be required by law or in order to instruct professional advisers in connection with this Agreement) not to:

13.5.1. disclose or permit disclosure of any details of this Agreement to the news media or any third party; or

13.5.2. disclose that the Customer is a customer or client of the Supplier; or

13.5.3. use the other Party’s name or brand in any promotion or marketing without the prior written consent of the other Party.

13.6. Nothing in this Clause [13] shall prevent either Party from using any techniques, ideas or Know-how gained during the performance of this Agreement in the course of its normal business to the extent that this use does not result in a disclosure of the other Party’s Confidential Information or an infringement of IPRs.

13.7. On the Termination Date, each Party shall:

13.7.1. return to the other Party all documents and materials (and any copies) containing, reflecting, incorporating or based on the Confidential Information;

13.7.2. return or erase all the Confidential Information from computer and communications systems and devices used by it, including such systems and data storage services provided by third parties (to the extent technically practicable); and

13.7.3. certify in writing to the other Party that it has complied with the requirements of this clause, provided that a recipient Party may retain documents and materials containing, reflecting, incorporating or based on the Confidential Information to the extent required by law or any applicable governmental or regulatory authority. The provisions of this clause shall continue to apply to any such documents and materials retained by a recipient Party.

14. SECURITY REQUIREMENTS

14.1. The Supplier shall comply with Immedis Security Policies. Current versions can be provided on request.

14.2. The Customer shall notify the Supplier of any changes or proposed changes which would affect compliance to the Security Policies. The Supplier would have 15 Business Days to confirm acceptance of the new policies and any addition reasonable costs incurred for compliance with changes. Should the Supplier not agree with the proposed changes or the Customer not be willing to cover the additional costs, each Party has the right to terminate the contract immediately, with no penalties for early termination due.

14.3. The Supplier shall advise the Customer as soon as it becomes aware of any breach, or potential breach, of the Security Policy or any other breach, or potential breach, of security which may adversely affect the Services.

Data Classification: Confidential Page 16

14.4. The Customer shall have the right, based on evidence of wrongdoing or improper performance, to require the Supplier not to use specified individuals employed or engaged by the Supplier, in the performance of specified elements of the Services. The Customer shall not exercise this right in breach of any law.

14.5. Unless a change to the Charges is agreed by the Customer in writing, the Supplier shall continue to perform the Services in accordance with its existing obligations.

15. WARRANTIES AND REPRESENTATIONS

15.1. Each Party warrants, represents and undertakes that:

15.1.1. it has full capacity and authority to enter into and to perform this Agreement;

15.1.2. this Agreement is executed by a duly authorised representative of that Party;

15.1.3. there are no actions, suits or proceedings or regulatory investigations pending or, to that Party’s knowledge, threatened against or affecting that Party before any court or administrative body or arbitration tribunal that might affect the ability of that Party to meet and carry out its obligations under this Agreement;

15.1.4. once duly executed, this Agreement will constitute its legal, valid and binding obligations;

15.1.5. its Representative shall be authorised to carry out the matters for which they are expressed to be responsible

15.2. The Supplier undertakes, warrants and represents on an ongoing basis that:

15.2.1. the Supplier will perform and procure the performance of its obligations under this Agreement in compliance with all Applicable Laws;

15.2.2. it has, and will continue to hold, all Consents and regulatory approvals necessary to provide the Services;

15.2.3. it shall discharge its obligations under this Agreement using personnel holding the required skill, experience and qualifications and with all due skill, care and diligence;

15.2.4. it has, and will continue to have, all necessary rights in and to the Supplier’s Software, the Third Party Software used by the Supplier and the Supplier’s Background IPRs, or any other materials made available by the Supplier to the Customer which are used to perform the Supplier’s obligations under this Agreement;

15.2.5. all Software used by or on behalf of the Supplier pursuant to this Agreement will:

15.2.5.1. be currently supported versions of that Software;

15.2.5.2. proprietary be free of material defects and errors; and

15.2.5.3. proprietary perform in accordance with the user manuals and the published specification for such Software.

Data Classification: Confidential Page 17

16. COMPLIANCE WITH APPLICABLE LAWS AND MANDATORY POLICIES

16.1. Compliance with Applicable Laws:

16.1.1. The Supplier shall at all times carry out and provide the Services in compliance with all Applicable Laws. The Supplier shall keep its software up to date with the legislative changes of local and national authorities. The Supplier shall maintain such records as are necessary pursuant to such Applicable Laws and shall promptly on request make them available for inspection by any relevant authority that is entitled to inspect them and by the Customer (or its authorised representative).

16.1.2. Without prejudice to Clause [16.1.1], the Supplier shall monitor and shall keep the Customer informed in writing of any changes in the Applicable Laws which may impact the Services and shall provide the Customer with timely details of measures it proposes to take and changes it proposes to make to comply with any such changes.

16.1.3. The Supplier shall consult with the Customer (and wherever possible agree with the Customer) on the manner, form and timing of changes it proposes to make to meet any changes in Applicable Laws where they would impact the Services. The Supplier shall not implement any change, without the Customer’s prior written agreement, which would have an adverse effect on the Supplier’s ability to provide the Services in accordance with the Service Levels.

16.1.4. The Supplier shall keep their payroll software up to date with the legislatives changes of local and national authorities. Should there be any delay with implementing these changes, the Supplier shall inform the Customer immediately.

16.1.5. Without prejudice to the rest of this Clause [16.1], the Supplier shall use all reasonable endeavours to minimise any disruption caused by any changes in Applicable Laws introduced pursuant to this Clause [16.1].

16.2. Breach of compliance requirements:

16.2.1. Breach of Clause [16.1] and Clause [16.2] shall be deemed a Default of this Agreement, which is irredeemable, under Clause [21] and shall entitle the Customer to terminate this Agreement immediately pursuant to Clause [19.2].

17. LIMITATION OF LIABILITY

17.1. Nothing in this Agreement shall limit or exclude either Party’s liability for:

17.1.1. death or personal injury caused by its negligence, or the negligence of its personnel, agents or subcontractors;

17.1.2. fraud or fraudulent misrepresentation; and

17.1.3. any other liability which cannot be limited or excluded by applicable law.

17.2. Subject to Clause [17.1] neither Party shall have liability to the other, whether in contract, tort (including negligence), breach of statutory duty, or otherwise for any indirect or consequential loss arising under or in connection with this Agreement.

17.3. Subject to Clause [17.1] the Party’s total aggregate liability for all the other Party’s Defaults (other than a failure to pay any of the Charges that are properly due and payable and for which the Customer shall remain fully liable), whether arising from tort (including negligence), breach of contract or otherwise under or in connection with this Agreement resulting in loss of or damage to the property or assets (including software, infrastructure, assets or equipment) shall in no event exceed €1 million.

Data Classification: Confidential Page 18

18. INSURANCE

18.1. The Supplier shall maintain in force at least the following insurance policies with reputable insurance companies to cover its relevant potential liabilities in connection with this Agreement:

18.1.1. a standard professional indemnity insurance policy with a limit of at least €1 million per claim.

18.2. The Supplier shall provide the Customer with a copy of each insurance policy or broker certificate listed in Clause 18.1 at the end of each Contract Year or whenever the policy is renewed or materially changed. In the event that any documentation provided by the Supplier to the Customer pursuant to this Clause [18.3] is not in the English language, the Supplier shall provide an English language version to the Customer which has been translated by a certified translator.

19. TERMINATION

19.1. Any Party may terminate this Agreement for convenience at any time, in whole or in part, on giving not less than one month prior written notice to the Supplier in accordance with Clause [32] ;

19.2. Any Party may terminate this Agreement immediately if:

19.2.1. the other Party is in Default of this Agreement and such Default is not remedied in accordance with the SLA or Service Improvement Plan; or

19.2.2. the other Party is in Default of this Agreement, which is irremediable; or

19.2.3. the Parties fail to agree the Service Improvement Plan in accordance with the Service Improvement Plan Process; or

19.2.4. the Parties fail to implement or successfully complete the Service Improvement Plan in accordance with the Service Improvement Plan Process; or

19.2.5. an Insolvency Event affecting the either Party occurs.

19.3. Either Party may rely on a single Default or on a number of Defaults or repeated Defaults to terminate this Agreement;

19.4. In the event of termination under either Clause [19.1] or [19.2], the Party shall inform the other Party in the Termination Notice of the duration of the Termination Period during which the Supplier will continue to provide, or procure the provision of, some or all of the Services.

19.5. The Customer may, during the continuance of any Force Majeure Event, terminate this Agreement by written notice to the Supplier if a Force Majeure Event occurs that affects all or a substantial part of the Services and which continues for more than 10 Business Days.

20. CONSEQUENCES OF TERMINATION

20.1. Following the service of a Termination Notice for any reason, the Supplier shall continue to provide or procure the provision of the Services, and shall ensure that there is no degradation in the standards of the Services until the expiry of the Termination Period.

Data Classification: Confidential Page 19

20.2. On the Termination Date, the Supplier shall:

20.2.1. repay to the Customer any amount which it may have been paid in advance in respect of Services not provided or procured by the Supplier as at the Termination Date; and

20.2.2. provide access, during normal working hours, to the Customer for up to 12 months after the expiry or termination of this Agreement to:

20.2.2.1. such information relating to the Services as remains in the possession or control of the Supplier; and

20.2.2.2. such members of the Supplier’s Personnel as have been involved in the design, development and provision of the Services and who are still employed by the Supplier, provided that the Customer and/or the Replacement Supplier shall pay the reasonable costs of the Supplier actually incurred in responding to requests for access under this Clause [20.2.2]

20.3. The Supplier hereby covenants and agrees that it shall waive any and all liens or other equivalent rights which it may have over any documents it may produce as a result of providing the Services and it shall provide such documentation (including any work in progress) to the Customer upon request and in any event immediately upon termination, provided that there are no overdue amounts unpaid by the Customer at the date of termination.

21. DISPUTE RESOLUTION PROCEDURE

21.1. The Parties shall attempt, in good faith, to resolve any Dispute promptly by negotiation which shall be conducted as follows:

21.1.1. if a Dispute arises in the opinion of either Party, the Party in question may give written notice to the other Party’s Representative that the dispute has arisen (“Dispute Notice”);

21.1.2. If the Customer’s Representative and the Supplier’s Representative are unable, or fail, to resolve the Dispute within 14 days following referral of the Dispute to them, the Parties may attempt to resolve the Dispute by mediation in accordance with Clause [21.2].

21.2. If, within 14 days of the Dispute Notice, the Parties have failed to agree on a resolution, either Party may refer any Dispute for mediation pursuant to this Clause [21.2], but neither shall be a condition precedent to the commencement of any court proceedings, and either Party may issue and commence court proceedings prior to or contemporaneously with the commencement of mediation. The following provisions shall apply to any such reference to mediation:

21.2.1. the reference shall be a reference under the Model Mediation Procedure (MMP) of the Centre of Dispute Resolution (CEDR) for the time being in force;

21.2.2. both Parties shall, immediately on such referral, co-operate fully, promptly and in good faith with CEDR and the mediator and shall do all such acts and sign all such documents as CEDR or the mediator may reasonably require to give effect to such mediation, including an agreement in, or substantially in, the form of CEDR’s Model Mediation Agreement for the time being in force; and

21.2.3. to the extent not provided for by such agreement of the MMP:

21.2.3.1. the mediation shall commence by either Party serving on the other written notice setting out, in summary form, the issues in dispute and calling on that other Party to agree the appointment of a mediator; and

Data Classification: Confidential Page 20

21.2.3.2. the mediation shall be conducted by a sole mediator (which shall not exclude the presence of a pupil mediator) agreed between the Parties or, in default of agreement, appointed by CEDR.

21.3. Notwithstanding Clause [21.2], if and to the extent that the Parties do not resolve any Dispute or any issue in the course of any mediation, either Party may commence or continue court proceedings in respect of such unresolved Dispute or issue.

21.4. Nothing in this Clause [21] shall prevent either Party from instigating legal proceedings where an order for an injunction, disclosure or legal precedent is required.

21.5. Without prejudice to the Customer’s right to seek redress in court, the Supplier shall continue to provide the Services and to perform its obligations under this Agreement notwithstanding any Dispute or the implementation of the procedures set out in this Clause [21].

22. CONFLICT

22.1. If there is an inconsistency between the clauses and the Schedules, the provisions in the Schedules shall prevail.

23. FORCE MAJEURE

23.1. Subject to the remaining provisions of this Clause [23] neither Party to this Agreement shall in any circumstances be liable to the other for any delay or non-performance of its obligations under this Agreement to the extent that such delay or non-performance is due to a Force Majeure Event.

23.2. In the event that either Party is delayed or prevented from or hindered in performing its obligations under this Agreement by a Force Majeure Event, such Party shall:

23.2.1. give notice in writing of such delay or prevention to the other Party as soon as reasonably possible, stating the commencement date and extent of such delay or prevention, the cause of the delay or prevention and its estimated duration;

23.2.2. use all reasonable endeavours to mitigate the effects of such delay or prevention on the performance of its obligations under this Agreement; and

23.2.3. resume performance of its obligations as soon as reasonably possible after the removal of the cause of the delay or prevention.

23.3. A Party cannot claim relief if the Force Majeure Event is attributable to that Party’s wilful act, neglect or failure to take reasonable precautions against the relevant Force Majeure Event.

23.4. The Supplier cannot claim relief if the Force Majeure Event is one where a reasonable service provider should have foreseen and provided for the cause in question.

23.5. As soon as practicable following the affected Party’s notification, the Parties shall consult with each other in good faith and use all reasonable endeavours to agree appropriate terms to mitigate the effects of the Force Majeure Event and to facilitate the continued performance of this Agreement. Where the Supplier is the affected Party, it shall take or procure the taking of all steps to overcome or minimise the consequences of the Force Majeure Event.

23.6. The affected Party shall notify the other Party as soon as practicable after the Force Majeure Event ceases or no longer causes the affected Party to be unable to comply with its obligations under this Agreement. Following such notification, this Agreement shall continue to be performed on the terms existing immediately prior to the occurrence of the Force Majeure Event unless agreed otherwise by the Parties.

23.7. The Customer may, during the continuance of any Force Majeure Event, terminate this Agreement in accordance with Clause [19] in the circumstances set out in that clause.

Data Classification: Confidential Page 21

24. ASSIGNMENT AND OTHER DEALINGS

24.1. Both Parties shall not assign, novate, transfer, mortgage, charge, subcontract, declare a trust over or deal in any other manner with any of its rights and obligations under this Agreement without the prior written consent of the Customer (such consent to be in the absolute discretion of the Customer).

25. VARIATION

25.1. No variation of this Agreement shall be effective unless it is in writing and signed by the Parties (or their authorised representatives).

26. WAIVER

26.1. A failure or delay by a Party to exercise any right or remedy provided under this Agreement or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under this Agreement or by law shall prevent or restrict the further exercise of that or any other right or remedy.

27. NO PARTNERSHIP OR AGENCY

27.1. Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the Parties, constitute any Party the agent of another Party, or authorise any Party to make or enter into any commitments for or on behalf of any other Party.

27.2. Each Party confirms it is acting on its own behalf and not for the benefit of any other person.

28. ANNOUNCEMENTS

28.1. No Party shall make, or permit any person to make, any public announcement concerning this Agreement without the prior written consent of the other Parties (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.

29. SEVERANCE

29.1. If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement.

29.2. If any provision or part-provision of this Agreement is invalid, illegal or unenforceable, the Parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.

30. FURTHER ASSURANCE

30.1. Each Party shall, and shall use all reasonable endeavours to procure that any necessary third party held in a contractual capacity to the agreement, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.

Data Classification: Confidential Page 22

31. ENTIRE AGREEMENT

31.1. This Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

31.2. Each Party agrees that it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement. Each Party agrees that it shall have no claim for innocent or negligent misrepresentation [or negligent misstatement] based on any statement in this Agreement.

32. NOTICES

32.1. A notice given to a Party under or in connection with this Agreement shall be in writing and sent to the Party at the address or email address or DX number given in this Agreement or as otherwise notified in writing to the other Party

32.2. The following table sets out methods by which a notice may be sent and its corresponding deemed delivery date and time:

Delivery method	Deemed delivery date and time
Delivery by hand.	On signature of a delivery receipt.
Pre-paid first class post or other next working day delivery service [providing proof of delivery]].	at the time recorded by the delivery service.
Pre-paid airmail [providing proof of delivery]].	or at the time recorded by the delivery service.]
[Fax.]	[At the time of transmission.]
[Email.]	[At the time of transmission.]

32.3. For the purpose of calculating deemed receipt, all references to time are to local time in the place of deemed receipt.

32.4. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

33. COUNTERPARTS

33.1. This Agreement may be executed in any number of counterparts, each of which when executed [and delivered] shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement

33.2. Transmission of an executed counterpart of this Agreement (but for the avoidance of doubt not just a signature page) by email (in PDF, JPEG or other agreed format) or electronic signature shall take effect as delivery of an executed counterpart of this Agreement. If this method of delivery is adopted, without prejudice to the validity of the agreement thus made, each Party shall provide the others with the original of such counterpart as soon as reasonably possible thereafter.

33.3. No counterpart shall be effective until each Party has executed at least one counterpart.

Data Classification: Confidential Page 23

34. GOVERNING LAW

34.1. This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of Ireland.

35. JURISDICTION

35.1. Each Party irrevocably agrees that the courts of Ireland and shall have non-exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.

IN WITNESS whereof this Agreement has been entered into by the Parties on the date and year first herein written.

SIGNED for and on behalf of		SIGNED for and on behalf of
IMMEDIS LIMITED		Galaxy Payroll Services Limited
By		by
Signature:	/s/ Mark Graham	Signature:	/s/ Frank Lao
Name:	Mark Graham	Name:	Frank Lao
Title:	Chief Commercial Officer	Title:	Managing Director
Date:	7/2/2019	Date:	7/2/2019

Data Classification: Confidential Page 24

Annex 1

Description of the Processing of Personal Data

1. Subject Matter

Supplier will undertake the role of Sub Processor for payroll services on behalf of Client.

2. Nature

The Processing entails collection, storage, retrieval, use, combination, calculation, transformation, summarisation and reporting, disclosure by transmission, dissemination or otherwise making available, erasure, destruction and all other Processing which need to be performed to provide the Services, which may include but is not limited to

● calculation of gross-to-nett pay for Employees of Client on a Payroll and reporting this to Client

● filing of required statutory/regulatory returns in the relevant jurisdiction and, where included in the Services,

● arranging for payments to Employees and third parties (such as taxation authorities) to be made and

● if so required, making such payments.

3. Purpose

Personal data is processed by the Processor on behalf of Client in accordance with Immedis’ instructions, in order to pay the Data Subjects their salary and make the necessary statutory and voluntary deductions.

4. Categories of Personal Data

The following personal data may be involved in the Processing if and only if required.

a) name, date of birth, address, email address, phone numbers

b) statutory and employer-related personal identifiers

c) salary information including:

i) all aspects of compensation, including external earnings information

ii) participation in employer schemes such as pensions, life assurance and health insurance

iii) statutory payments including sick pay, parental leave pay, etc.

d) non-salary payments such as business expenses paid via payroll and value and taxation of benefits in kind

e) tax status and social security information, including contributions and deductions

f) employment contracts or elements thereof including commencement and termination dates and changes to pay and other relevant conditions of work such as entitlements

g) details of hours worked, overtime and related measures such as holiday accruals

h) only if payments are to be made, banking information such as bank account details and history of payments

i) previous pay records

j) User ID, IP address and audit trail for iConnect users

k) AML ID&V data and copies of documentation (such as passport or proof of address) for Employees and others authorising banking arrangements

Data Classification: Confidential Page 25

5. Sensitive Personal Data

Data such as long term illness or data on race, ethnic origin or religion may be included in or inferred from data being processed if (and only if) payroll calculations, statutory or regulatory filings or third-party services such as employer schemes are dependent on this class of data (including both direct requirements to supply data and obligations on Client to retain supporting data for tax calculations and statutory filings).

6. Categories of Data Subjects

6.1 Data subjects are Employees of Client or Client Affilliates or other persons identified by Client or acting as agents of Client.

7. Recipients of the Personal Data

In the course of delivering the Services, data will be received by:

● statutory authorities (including tax authorities)

● providers of employment-related services (such as pension providers)

● if payments are required, providers of payment services.

8. Data Transfers

No cross-border data transfers will be made by the Provider.

9. Retention

7 years according to the local privacy and data protection laws.

10. Supplier DPO

Ms. Becky Lo / +852 3106 2622 / becky.lo@galaxy-hk.com

Data Classification: Confidential Page 26

Annex 2

Template Breach Notification Form

Data Security Breach notifications must [be made [electronically and] shall contain at least the following minimum details regarding the Data Security Breach:

1. Nature of the Breach

[Supplier to insert a description of the breach, including the categories and approximate number of affected Data Subjects.]

2. Likely Consequences

[Supplier to insert a description of the likely consequences of the breach, e.g., risk of identity theft, media coverage, etc.]

3. Mitigating Measures

[Supplier to insert description of the measures taken/to be taken to address the breach and mitigate its effects.]

Data Classification: Confidential Page 27

Annex 3

Standard Contractual Clauses

Name of the data exporting organisation: Immedis Limited registered in Ireland with company registration number 586847 whose registered office is at IDA Business and Technology Park, Ring Road, Kilkenny, Ireland;

(the data exporter)

And

Name of the data importing organisation: Galaxy Payroll Services Limited whose registered office is 21/F., Central 88, 88-98 Des Voeux Road Central, Central, Hong Kong ;

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1 to this Annex 3.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC.

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

Data Classification: Confidential Page 28

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Data Classification: Confidential Page 29

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC.

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Data Classification: Confidential Page 30

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

Data Classification: Confidential Page 31

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Data Classification: Confidential Page 32

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely the law of Ireland.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

Data Classification: Confidential Page 33

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely, namely the law of England.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Data Classification: Confidential Page 34

On behalf of the data exporter (Customer):

Name (written out in full): Mark Graham

Position:  Chief Commercial Officer

Address:  IDA Business and Technology Park,
Ring Road, Kilkenny, Ireland;

Signature	/s/ Mark Graham
(stamp of organisation)

On behalf of the data importer (Supplier):

Name (written out in full): Frank Lao

Position:  Managing Director

Address:  25th Floor, ovest
77 wing Lok street sheung wan,
Hong Kong

Signature	/s/ Frank Lao
(stamp of organisation)

Data Classification: Confidential Page 35

Appendix 1 to the Annex 3 Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Customer will undertake the role of Data Controller and will transfer relevant employee information to the Processor.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Supplier will undertake the role of Processor for payroll services on behalf of the Data Controller on the understanding that all required consents are in place.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

The Data Subjects are the employees or contractors of Data Controller’s clients and their affiliates.

Categories of data

The personal data transferred concern the following categories of data (please specify):

The following personal data may be involved in the Processing if and only if required.

a) name, date of birth, address, email address, phone numbers

b) statutory and employer-related personal identifiers

c) salary information including:

i) all aspects of compensation, including external earnings information

ii) participation in employer schemes such as pensions, life assurance and health insurance

iii) statutory payments including sick pay, parental leave pay, etc.

d) non-salary payments such as business expenses paid via payroll and value and taxation of benefits in kind

e) tax status and social security information, including contributions and deductions

f) employment contracts or elements thereof including commencement and termination dates and changes to pay and other relevant conditions of work such as entitlements

g) details of hours worked, overtime and related measures such as holiday accruals

h) only if payments are to be made, banking information such as bank account details and history of payments

i) previous pay records

j) User ID, IP address and audit trail for iConnect users

k) AML ID&V data and copies of documentation (such as passport or proof of address) for Employees and others authorising banking arrangements

Data Classification: Confidential Page 36

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Data such as long term illness or data on race, ethnic origin or religion may be included in or inferred from data being processed if (and only if) payroll calculations, statutory or regulatory filings or third-party services such as employer schemes are dependent on this class of data (including both direct requirements to supply data and obligations on Client to retain supporting data for tax calculations and statutory filings).

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The Processing entails collection, storage, retrieval, use, combination, calculation, transformation, summarisation and reporting, disclosure by transmission, dissemination or otherwise making available, erasure, destruction and all other Processing which need to be performed to provide the Services, which may include but is not limited to

● calculation of gross-to-nett pay for Employees of Client on a Payroll and reporting this to Client

● filing of required statutory/regulatory returns in the relevant jurisdiction and, where included in the Services,

● arranging for payments to Employees and third parties (such as taxation authorities) to be made and

● if so required, making such payments.

DATA EXPORTER
Name:	Mark Graham
Authorised Signature	/s/ Mark Graham

DATA IMPORTER
Name:	Frank Lao
Authorised Signature	/s/ Frank Lao

Data Classification: Confidential Page 37

Appendix 2 to the Annex 3 Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Technical and organisational security controls are implemented in accordance with the ISO27001 information security standard; to which Immedis are certified, by our external accreditation body.

1. Overview

1. This document outlines the methods, procedures and application measures that Immedis have implemented to protect the employee data received from its Clients. The relevant subcontractors who are working with Immedis client data are required to have these or equivalent standards in place and by entering into a Service Agreement with Immedis, the partner confirms reflective measures of such standards. This is a summary document which whilst covering technical subjects, is targeted at any reader that would be a stakeholder in employee data security. This document is for an overview purpose, whilst still subject to GDPR and any and all governing laws and regulations.

2. Communication security

1. Enhanced security and encryption protocols across the entire Immedis estate are in line with industry standards. The methods that have been deployed within this solution provide leading industry communications protection and encryption methods, securing data in transit.

2. TLS/SSL Server certificate issued by a Trusted Root Certification Authority.

3. Web server protocol use is restricted to TLS1.2 only, all other protocols considered to be weak or broken are disabled.

4. Only cipher suites considered secure are enabled.

5. The web server prevents the use of clear text communication with the HTTP Strict Transport Security (HSTS) policy. This also protects against protocol downgrade attacks and cookie hijacking.

6. Immedis’ internal infrastructure is hardened to the same standards as the external one. In addition to all the above measures the internal infrastructure communications are further secured with the use of network zoning and host-based firewalls; this means that even in the event of a network breach and passive eavesdropping the same encryption and security protocols apply end to end to ensure no data is transmitted in clear text.

7. All communication channels are secured.

3. Data security

1. File storage encryption is achieved through Amazon Web Services S3 native bucket encryption [using Amazon S3-managed keys]; https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html.

2. Doubly encrypted sensitive data: bank details encrypted at field level within the already encrypted database. This is achieved through the deployment of database encryption algorithms within the mid-tier API layer of iConnect using triple-DES and a 168bit cypher.

Data Classification: Confidential Page 38

3. Data pseudonymisation: no personal identifiers used in public-facing security layer. The Immedis application security architecture has been designed with this concept as a key principle, so for example if a user is registered for the Immedis Portal with their email address as their username, the Portal architecture swaps this for a randomly generated unique key to ensure that the person cannot be identified within the communications traffic (which is heavily encrypted as outlined above anyway).

4. Data retention

1. There is an implementation of strict data retention policy across our estate and all customer data, with the standard data retention period of 90 days being applied and automatically/systematically being enforced across all transient (non-final payroll results) data.

2. For finalised payroll and tax data, this is retained in line with statutory requirements, with the standard of current tax year plus six previous years being applied unless a local legislative requirement supersedes this.

5. Architectural security

1. Data protection by default and by design: no access principles across technology. All customer data are deemed to be highly sensitive and require the highest levels of protection. As a consequence of this, there is no segregation of data for which this security applies.

2. Least access principles are applied to the Immedis services, with no data access being granted by default, these are applied by the Immedis System Administration Team.

3. Segregated three-tier secure architecture with:

1. Highly secure front-end user portal.

2. Separated mid-tier application program interface (API) layer giving further security and access control as well as managing the data interactions between the user and the database.

3. Separately managed and secured relational database system managed within the final third layer of the application.

4. Firewall segregated LAN, WAN and DMZ for the above.

4. Segregated application architecture: The Immedis payroll processing application layer is restricted to be accessible only from within Immedis secured offices, ensuring an additional layer of network security.

6. Physical security

1. Offices applicable are fully secured facilities with physical access measures in place across all payroll processing locations.

2. Each location has a physically manned reception area, which also includes a visitor access procedure.

3. Visitor access procedures apply to all staff not normally present at that location, including members of Immedis staff that are visiting a site that is not their normal office location.

Data Classification: Confidential Page 39

7. Process security

1. Subcontractor management due diligence and service review processes are fully in place.

2. Software automated data retention policies are applied across the Immedis architecture, ensuring that data retention cut-offs are adhered to and data outside of this is purged.

3. ISO27001:2013 accreditation is fully in place across all Immedis global locations (through Certification Europe).

4. Data Protection Officer (DPO) and Information Security (IS) Champions embedded across the Immedis organisation.

5. Data breach notification policy and escalation procedures built into standard operating procedures.

8. Policy measures

1. Under the new General Data Protection Regulations (GDPR) which come into force on 25^th May 2018 across all citizens of the European Union, it is a requirement that the Client provides Immedis with written confirmation regarding employees’ permission to hold data for the purpose of payroll processing. This is a standard clause which is being introduced into all Immedis contracts and for which all individuals must adhere to.

IN WITNESS whereof this Addendum has been entered into by the Parties on the date and year first herein written.

SIGNED for and on behalf of		SIGNED for and on behalf of
IMMEDIS LIMITED		Galaxy Payroll Services Limited
By		by
Signature:	/s/ Mark Graham	Signature:	/s/ Frank Lao
Name:	Mark Graham	Name:	Frank Lao
Title:	Chief Commercial Officer	Title:	Managing Director
Date:	7/2/2019	Date:	7/2/2019

Data Classification: Confidential Page 40