Trust Center

These Subscription Terms, together with the Order (or a Statement of Work), govern the supply of software and services from Panaseer to the Customer.  It is essential that the Customer reads and understands the content of these Subscription Terms and the applicable Order or Statement of Work before signing.  By signing the Order or Statement of Work the Customer confirms that it has read these terms and agrees to be bound by them.

The parties may agree Orders for specific Licensed Software and/or Statements of Work for specific Professional Services. The Orders and the Statements of Work shall, together with these Subscription Terms, form the Subscription Contract governing the performance and receipt of such Licensed Software and Professional Services.

1. Definitions and Interpretation
1.1. In the Subscription Contract the following terms have the following meanings:
"Applicable Law" means any law, statute, statutory instrument, bylaw, order of a court of competent jurisdiction and any legal requirement of any regulatory, fiscal or governmental body to which the relevant Party is subject, in all cases to the extent in force from time to time and which applies to the relevant Party in undertaking any relevant activity pursuant to or in connection with the Subscription Contract;
"Confidential Information" means all trade secret, confidential or proprietary information of either Party including information concerning its products, services, customers, suppliers, business accounts, financial or contractual arrangements or other dealings, computer systems, test data, software, source and object code, technical information, business methods and development plans, contained in any format, whether or not communicated orally and whether or not marked “confidential”, including the Customer Materials and the Licensed Materials;
“Customer” means the customer as set out in the applicable Order;
"Customer Dependencies" means the obligations of the Customer in Clause 5.1 and any Order;
"Customer Materials" means all documents, data, instructions and other materials and information (excluding any Feedback, Anonymised Security Data and Software Usage Data) made available to Panaseer pursuant to the relevant Order or Statement of Work by or on behalf of the Customer to enable provision of the Professional Services, including such materials as are described in the relevant Order or Statement of Work;

"Data Protection Legislation" means to the extent applicable (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the Data Protection Act 2018 and EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (and regulations made thereunder) (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
"Decommissioning and Exit Services" means such assistance, which in Panaseer's reasonable opinion, is reasonably necessary to transfer the Customer Materials held by Panaseer to the Customer or (where agreed) a replacement supplier appointed by the Customer;
"Effective Date" means the date on which the last party signs the first Order under this Subscription Contract;
"Feedback" means feedback, suggestions, ideas, enhancement requests, recommendations or other information that the Customer provides to Panaseer and which relates to the Licensed Software;
"Fees" means Panaseer’s charges, royalties, fees and other remuneration and expenses described in the relevant Order or Statement of Work or these Subscription Terms, including the Licence Fees;
"Force Majeure Event" means any cause beyond the reasonable control of the affected Party, including any act of God, act of terrorism, governmental act, war, fire, flood, explosion or civil commotion, industrial action (excluding internal industrial action), failure in telecommunications services, or unauthorised interference with either Party’s systems or services via the internet;
"Initial Licence Period" means the licence period specified in an Order;
"IPR" means all copyright and related rights, database rights, trade marks, service marks, trade, business and domain names, rights in trade dress, getup, goodwill or to sue for passing off, rights in designs, patents or confidential information (including know-how and trade secrets) and any other intellectual property rights, registered or unregistered, in any part of the world;
"Licence Fees" means the licence fees set out in the relevant Order in respect of the Customer’s licence of the Licensed Software;
"Licence Limits" means the limits on the Customer’s licence to use the Licensed Software (whether in terms of device numbers, maximum number of end-users and/or data volumes) as specified in the relevant Order;
"Licence Period" means the period(s) of time during which the Licensed Materials are licensed to the Customer under an Order, each beginning on the relevant Order Effective Date and continuing for the Initial Licence Period, plus any Renewal Period;
"Licensed Materials" means all user guides, training materials, specifications and other documents provided by Panaseer to the Customer in respect of the Licensed Software and/or the Professional Services;
"Licensed Software" means the software modules specified in the relevant Order, which are licensed to the Customer under that Order;  
"Order" means a written order between Panaseer and Customer under these Subscription Terms, detailing the Licensed Software;    
"Order Effective Date" means the date of the last signature by a Party to the relevant Order;
“Panaseer” means Panaseer Limited a company registered in England and Wales with company number 09098199 whose registered office is Ashcombe Court, Woolsack Way, Godalming, Surrey, GU7 1LQ;
"Panaseer's Standard Business Hours" means the support hours stated in the Order;
"Permitted Purpose" means the Customer's internal business purposes (which shall not include allowing the use of the Licensed Software by, or for the benefit of, any person other than an employee of the Customer), subject to the Licence Limits;  
"Professional Services" means the services expressly described in the relevant Statement of Work and/or Specification;
"Rate Card" means the list of Panaseer's standard rates;
"Renewal Period" means the period described in Clause 14.3;
“Security Data” means security data ingested into the Licensed Software or insights derived from that data;
"Anonymised Security Data" means Security Data where all information that identifies a Customer, their assets or users has been anonymised.  This data may include generic qualifiers regarding the Customer's industry and / or size;
"Service Commencement Date" means the date specified as such in the relevant Statement of Work;
"Service Year" means each period of twelve consecutive months commencing on the relevant Service Commencement Date or any anniversary of that date;
“Software Usage Data” means usage information that is automatically collected and reported by the Software about how the Software is used by the Customer;
"Specification" means the document attached to or described as such in the relevant Order or Statement of Work setting out the facilities and functions of the Licensed Software and/or the scope and description of the Professional Services;
"Statement of Work" means an agreement entered into between Panaseer and the Customer for the provision of certain services, made pursuant and subject to these Subscription Terms;
"Statement of Work Effective Date" means the date of the last signature by a Party to the relevant Statement of Work or has the meaning given in the relevant Statement of Work;
"Statement of Work Term" has the meaning given in Paragraph 3 of the relevant Statement of Work;
"Statement of Work Year" means each period of twelve consecutive months commencing on the Statement of Work Effective Date or any anniversary of that date;
"Subscription Contract" means these Subscription Terms and each Order and Statement of Work entered into by the Parties;
"Subscription Contract Effective Date" means the date of the last signature by a Party to the first Order;
"Subscription Contract Period" means the period(s) of time during which the Licensed Materials are licensed to the Customer, beginning on the first Order Effective Date and continuing until termination of the final Order;
"Subscription Contract Year" means each period of twelve consecutive months commencing on the Subscription Contract Effective Date or any anniversary of that date;
"Subscription Terms" means Clauses 1 to 19 as set out herein;
"Territory" means the United Kingdom, or such other geographical area(s) that may be specified in the Order or Statement of Work; and
"Variation" has the meaning given to that term in Clause 19.4.

1.2  In this Subscription Contract:
(a) a reference to a "Clause" is to a Clause of these Subscription Terms;
(b) the headings are for convenience only and do not affect the interpretation of the Subscription Contract;
(c) references to any gender include any other gender and the singular includes the plural and vice versa;
(d) references to a “person” or a “company” include a natural person, corporate or unincorporated body (whether or not having separate legal personality);
(e) a reference to a statute or statutory provision is a reference to it as from time to time amended, consolidated, modified, extended, re-enacted or replaced and includes all statutory instruments, notices or orders made under it; and
(f) “including”, “include” or “includes” shall be deemed to be followed by “without limitation” unless the context requires otherwise.

1.3 In the event of any conflict or inconsistency between these Subscription Terms and an Order or Statement of Work, the Subscription Terms shall take precedence, unless in an Order or Statement of Work a provision of the Subscription Terms is specifically varied or disapplied (in each case, with express reference to the relevant varied or disapplied provision in the Subscription Terms), in which case the provision of the Order or Statement of Work shall take precedence only to the extent of such variation or disapplication.

2. Agreement Of Orders and Statements of Work
2.1. The Customer may from time to time request the supply of Licensed Software. No Licensed Software shall be provided until the Parties have entered into a binding Order.
2.2. The Customer may from time to time request the supply of certain professional or other services. No such services shall be provided until the Parties have entered into a binding Statement of Work. All Statements of Work shall adopt the format and content as agreed between the Parties.
2.3. Where the Customer and Panaseer wish to enter into a Statement of Work pursuant to these Subscription Terms, the Parties shall work together to complete and execute a Statement of Work.
2.4. An Order or a Statement of Work shall not enter into force or become legally binding unless the Order or the Statement of Work has been signed by the authorised representatives of both Parties to it.
2.5. Once an Order or Statement of Work is agreed between the Parties pursuant to Clause 2.4, that Order and Statement of Work shall form part of the Subscription Contract and be governed by these Subscription Terms.
2.6. Except where the context requires otherwise:
(a) each Order is to be interpreted independently of the other Orders; and
(b) each Statement of Work is to be interpreted independently of the other Statements of Work; and
(c) terms defined in a specific Order apply only in relation to the that Order and not in relation to any other Orders; and
(d) terms defined in a specific Statement of Work apply only in relation to that Statement of Work and not in relation to any other Statements of Work.

3. Panaseer Warranty
3.1. Subject to Clause 3.6, Panaseer shall provide the Licensed Software to the Customer as specified in the relevant Order and subject to the terms of these Subscription Terms and the relevant provisions of that Order.
3.2. Panaseer shall perform Professional Services using reasonable care and skill.
3.3. Panaseer shall use reasonable endeavours to:
(a) make the Licensed Software available at all times; and
(b) respond to the Customer's queries within a reasonable time frame, during Panaseer's Standard Business Hours.
3.4. Panaseer warrants that throughout the Licence Period, the Licensed Software will be provided using commercially reasonable skill and care, and will comply in all material respects with the Specification, except during any period during which the Decommissioning and Exit Services are provided, when the Parties agree and acknowledge that the Licensed Software may have reduced functionality.
3.5. Panaseer does not warrant that the Professional Services will be performed or that the Licensed Software will perform error-free or uninterrupted, that it will correct all Professional Services or Licensed Software errors, or that the Professional Services / Licensed Software will meet the Customer's requirements or expectations. Panaseer is not responsible for any issues related to the performance, operation or security of the Professional Services / Licensed Software that arise from the Customer's content or third-party content or services provided by third parties.
3.6. To the extent that the Customer fails to meet any of the Customer Dependencies, the Customer agrees that Panaseer shall:
(a) not be liable for a failure or delay in meeting any agreed delivery targets; and
(b) be entitled to recover any additional costs directly incurred as a result of the Customer's failure to meet the Customer Dependencies.
3.7. To assert a claim for breach of warranty, the Customer must notify Panaseer within 30 days of the breach occurring. Such notice shall be sent by email to legal@panaseer.com and must refer to this Clause 3.7, specifying the breach and requiring its remedy. Upon receipt of such notice, Panaseer shall, at its sole cost, use commercially reasonable efforts to correct the breach to correct the non-conformity within a reasonable period of time, not to exceed 30 days.  If Panaseer is unable to substantially correct the specified breach with such period, Panaseer shall, at the Customer's option either:
(a) allow the Customer to continue to use the Licensed Software and provide an appropriate adjustment, mutually agreed upon by the Parties, to the applicable Fee; or
(b) allow the Customer to terminate use of the Licensed Software, and refund any fees paid for Professional Services during the period of breach and any advance fees paid for Professional Services under this Agreement.
Subject to Clause 11.1, this Clause 3.6 sets out the Customer's exclusive remedy and Panaseer's entire liability for any breach of warranty.
3.8. Provided that the warranties in Clause 6.4 are and remain true, Panaseer warrants that:
(a) it has the right to license Licensed Materials to the Customer in accordance with Clause 4.1 and has obtained the benefit of all necessary licences, consents and permissions that it is aware are necessary to facilitate the relevant Order or Statement of Work; and
(b) use of the Licensed Materials pursuant to and in accordance with the relevant Order or Statement of Work will not infringe the IPR of any third party in the Territory.

4. Ownership Rights: Use of the Licensed Software and Licensed Materials
4.1. All IPR in the Licensed Software, the Licensed Materials and the Professional Services and any derivative works to any of the foregoing (excluding any part that is comprised of Customer Materials in the form received from the Customer) shall at all times remain vested in Panaseer (or its third party licensors) and the Customer shall acquire no rights in them save as expressly provided in these Subscription Terms and the relevant Order or Statement of Work.
4.2. In consideration of the Customer paying the Licence Fees to Panaseer, Panaseer grants the Customer a non-exclusive, non-transferable and non-sublicensable licence to use:
(a) the Licensed Software in the Territory during the Licence Period for the Permitted Purpose; and
(b) the Licensed Materials in the Territory during the Licence Period for the Permitted Purposes.
4.3. The Customer shall not use the Licensed Software and the Licensed Materials, or allow the Licensed Software and the Licensed Materials to be used, other than for the purposes and in the manner expressly permitted in the relevant Order or Statement of Work and these Subscription Terms.
4.4. The Licensed Software and the Licensed Materials may only be used for the sole benefit of the Customer and the Customer shall not sell, transfer, distribute or otherwise make the Licensed Software and the Licensed Materials available to, or use the Licensed Materials on behalf of, any third party.  Customer will not analyse, decompile or reverse engineer the whole or any part of the Licensed Software, or allow or cause a third party to do so.
4.5. The Customer acknowledges and agrees that if the Customer (including any employee of the Customer) exceeds the Licence Limit, Panaseer shall be entitled to charge additional licence fees in accordance with Clause 13 of these Subscription Terms.
4.6. Each Party shall use reasonable endeavours to ensure that it does not import any virus or other malicious code into the other’s computer systems.

5.  Customer Obligations and Restrictions
5.1. The Customer shall:
(a) provide such assistance and co-operation as may be reasonably requested by Panaseer to enable Panaseer to perform the Professional Services in accordance with the Subscription Contract, including by providing Panaseer’s personnel with access to, and use of, the Customer’s relevant data, equipment, documentation, information and advice; and
(b) notify Panaseer immediately upon becoming aware of any use of the Licensed Software or the Licensed Materials which is in breach of the terms of the Subscription Contract.

6. Customer Materials
6.1. All IPR in the Customer Materials (in the form received from the Customer) shall at all times remain vested in the Customer (or its third party licensors) and Panaseer shall acquire no rights in it save as expressly provided in the relevant Order or Statement of Work.
6.2. The Customer grants Panaseer a non-exclusive, non-transferable licence to:
(a) use and copy the Customer Materials for the performance of the Professional Services and/or to incorporate the same into the Licensed Materials only; and
(b) use the Customer's name and logo to market the Customer as a customer.
6.3. Where Panaseer requests any feedback from the Customer regarding the Licensed Software, the Customer agrees that Panaseer may freely use, exploit and make available any and all Feedback without obligation to the Customer, and the Customer irrevocably assigns all rights, title, and interest in that Feedback to Panaseer.
6.4. The Customer warrants that:
(a) it has the right to license the Customer Materials to Panaseer in accordance with Clause 6.1; and
(b) use of the Customer Materials pursuant to and in accordance with the relevant Order or Statement of Work will not infringe the IPR of any third party.
6.5. Where any Customer Materials are to be published, distributed or displayed by Panaseer in the course of the Professional Services and/or in the Licensed Materials the Customer warrants that such Customer Materials will not:
(a) result in any breach of Applicable Law in any way; 
(b) contain any material which is pornographic, obscene, offensive, racist, abusive, harassing, bigoted, violent, criminal, discriminatory, libellous, defamatory, unlawful or illegal; and
(c) infringe the IPR of any third party,
and the Customer acknowledges that Panaseer is not responsible for determining whether or not any Customer Materials might result in a breach of this Clause 6.5 but may refuse to publish, distribute or display any Customer Materials where it reasonably suspects that such a breach might otherwise occur.

7. Confidentiality
7.1. Subject to Clause 7.2, each Party shall in respect of the other’s Confidential Information:
(a) keep it in strictest confidence and not make it available to any third party except as expressly authorised herein using the same standard of care that it uses with its own Confidential Information of a similar nature but with no less than reasonable care;
(b) only use it for the purposes of the Order or the Statement of Work and ensure that only those of its employees, contractors, advisors or agents who need to know have access to it; and
(c) ensure that any such employees and representatives are aware of and agree in writing to its confidential nature before they are allowed access to it.
7.2. Clause 7.1 does not apply to Confidential Information to the extent that:
(a) it is in the public domain otherwise than by breach of the Order or Statement of Work;
(b) it was lawfully in the receiving party’s possession or known to it by being in its use or being recorded in its files or computers or other recording media before receipt from the disclosing party, or has been lawfully developed by or for the receiving party independently of any Confidential Information disclosed to it by the disclosing party;
(c) it is disclosed to the receiving party by a third party on a non-confidential basis and is not, subject to any restriction as to its use or disclosure imposed by or on that third party at the time of disclosure;
(d) the receiving party is obliged to disclose it by Applicable Law, by any court of competent jurisdiction or any regulatory body, provided that (to the extent permitted by Applicable Law) it gives the disclosing party reasonable notice of such disclosure and the reasons for it;
(e) supply of the Professional Services requires Panaseer to disclose the Confidential Information to its subcontractors or infrastructure providers who are subject to similar obligations of confidentiality; or
(f) disclosure of the Confidential Information is permitted under the terms of the Order or Statement of Work or has been authorised in writing by the disclosing party.

8. Software Usage and Security Data
8.1. Panaseer may collect and use Software Usage Data for the following purposes:
(a) product improvement (in particular, product features and functionality, workflows and user interfaces) and development of new Panaseer products and services (including machine learning technologies);
(b) improving resource allocation and support;
(c) internal demand planning;
(d) improving product performance; and
(e) any other legitimate interest purpose which Panaseer may reasonably deem necessary.
8.2. Panaseer may collect and use Anonymised Security Data to offer enhanced insights for the Customer in the following ways:
(a) product improvement (in particular, product features and functionality, workflows and user interfaces) and development of new Panaseer products and services (including training machine learning technologies);
(b) identification of anonymised industry trends and developments, creation of indices and anonymous benchmarking;
(c) any other legitimate interest purpose which Panaseer may reasonably deem necessary.  
8.3. Anonymised industry trends, indices and anonymous benchmarks created from aggregated Anonymised Security Data shall not be shared with third parties in a manner attributable to the Customer or any individual.

9. Personal Data
9.1. Compliance with Data Protection Legislation: Each Party shall comply with its obligations under the Data Protection Legislation in relation to any personal data processed in connection with any Order or Statement of Work.  In this respect, both Parties will take appropriate technical and
organisational security measures, considering both the state-of-the-art technologies and the costs of implementation, against unauthorised or unlawful processing or further processing of personal data, and against accidental loss or destruction of, and damage to each Parties’ personal data.
9.2. Additional definitions: Where used in this Clause 9, the expressions process, personal data, controller, processor and data subject will have their respective meanings given in Data Protection Legislation.
9.3. Types of personal data processed: Customer may share personal data with Panaseer strictly for the purpose of enabling Panaseer to provide the Software and Professional Services (if applicable), such as names, addresses and business email addresses.
9.4. Data Processing Agreement: The parties acknowledge and agree that the provision and use of the Software and the provision of Professional Services, including, without limitation, any
information transmitted to, or stored by Panaseer, is governed by the Data Processing Agreement found at [insert link] (the "DPA"), incorporated as part of the Agreement.

10. Compliance with Laws
Panaseer and the Customer shall at all times comply with all Applicable Laws in respect of the subject matter of these Subscription Terms and any Order or Statement of Work.

11. Liability
11.1. Notwithstanding any other term of the Subscription Contract, neither Party limits or excludes its liability for:
(a) fraud or fraudulent misrepresentation;
(b) death or personal injury arising from its negligence; or
(c) any other liability which may not be limited or excluded under Applicable Law. 
11.2. Without prejudice to Clause 3.1, Panaseer gives no warranties and makes no representations as to the accuracy, completeness or availability of the Licensed Software, the Licensed Materials or the Professional Services and does not warrant or represent that the Licensed Software, the Licensed Materials or the Professional Services will be entirely error free.
11.3. Panaseer gives no warranties and makes no representations as to the suitability of the Licensed Software, the Licensed Materials or the Professional Services for any particular purpose (including the Customer’s own compliance with Applicable Law). The Customer is responsible for satisfying itself that the Licensed Software, the Licensed Materials and the Professional Services are suitable for any use to which it wishes to put them.
11.4. Panaseer may be asked or required to provide advice or assistance to the Customer which does not form part of the Professional Services. Panaseer does not hold itself out as an expert provider of such advice or assistance and shall have no liability if the Customer chooses to rely on it. Panaseer shall only be required to provide advice or assistance to the Customer pursuant to the terms of a Statement of Work, which has been signed by authorised representatives of both Parties, and Panaseer shall have no liability to the Customer for any advice or assistance provided beyond the scope of a Statement of Work.
11.5. Neither Party shall be liable for any special, indirect or consequential loss arising out of or in connection with the Subscription Contract or its subject matter, even if it had notice of the possibility of such loss.
11.6. Subject to Clause 11.1, Panaseer shall not be liable for:
(a) any loss of business, loss of profits, loss of anticipated savings, loss of reputation, loss of goodwill, business interruption, increase in bad debt or any loss incurred by any third party arising out of or in connection with the Subscription Contract or its subject matter even if it had notice of the possibility of such loss; or
(b) any defects in the Licensed Software, the Licensed Materials or the Professional Services which are attributable to defects in any Customer Materials.
11.7. Subject to Clauses 11.1 and 11.8, each Party's entire aggregate liability to the other Party for any Claim arising out of or in connection with:
(a) an Order shall not exceed an amount equal to 100% of the annualised Fees paid and payable by the Customer to Panaseer under such Order; and
(b) a Statement of Work shall not exceed an amount equal to 100% of the Fees paid and payable by the Customer to Panaseer under such Statement of Work.
11.8  Clause 11.7 shall not limit either Party's liability in respect of any Claim arising out of or in connection with Clause 7 (Confidentiality), Clause 9 (Personal Data) and Clause 12 (IPR Indemnity). Subject to Clauses 11.1, 11.5 and 11.6, Panaseer's maximum aggregate liability for all Claims arising out of or in connection with Clause 7 (Confidentiality), Clause 9 (Personal Data) and Clause 12 (IPR Indemnity) collectively shall not exceed:
(a) in respect of an Order, an amount equal to 200% of the annualised Fees paid and payable by the Customer to Panaseer under such Order; and
(b) in respect of a Statement of Work, an amount equal to 200% of the Fees paid and payable by the Customer to Panaseer under such Statement of Work.
11.9. Any amounts recovered by the Customer under or in connection with:
(a) Clause 11.8 shall reduce (and shall not be in addition to) the liability cap in Clause 11.7; and
(b) Clause 11.7 will not erode the separate liability cap in Clause 11.8.
11.10. Nothing in this Agreement shall entitle either Party to recover more than once for the same loss. If a Claim or series of Claims were to give rise to liability under the cap in Clause 11.7 and the cap in Clause 11.8, the Customer must elect which of the caps it is bringing the Claim or series of Claims under.
11.11. Subject to Clause 11.1, and except as expressly provided in the Subscription Contract, all conditions and warranties or terms of equivalent effect whether express or implied (by statute or otherwise) are excluded to the fullest extent permitted by Applicable Law.

12. IPR Indemnity
12.1. Subject to Clauses 12.3 to 12.5, Panaseer shall indemnify the Customer against all liabilities, costs, expenses, damages and losses (including reasonable professional costs and expenses) finally awarded by a court of competent jurisdiction or agreed in final settlement as a result of or in connection with any third party claim brought against the Customer for actual or alleged infringement of a third party's IPR arising out of, or in connection with, Panaseer's breach of the warranty under Clause 3.4 of the Subscription Terms.
12.2. Subject to Clause 12.3, the Customer shall indemnify Panaseer against all liabilities, costs, expenses, damages and losses (including reasonable professional costs and expenses) suffered or incurred by Panaseer as a result of or in connection with any claim brought against Panaseer for actual or alleged infringement of a third party's IPR arising out of, or in connection with, Panaseer's use of the Customer Materials in the provision of the Professional Services to the Customer. 
12.3. The indemnities in Clauses 12.1 and 12.2 are conditional upon the indemnified Party:
(a) notifying the indemnifying Party in writing within 12 months of becoming aware of any claim in respect of which it intends to seek indemnification from Panaseer ("Indemnified Claim");
(b) not making any admission of liability, agreement or compromise in relation to the Indemnified Claim without the prior written consent of the indemnifying Party;
(c) allowing the indemnifying Party sole conduct of the defence of the Indemnified Claim and all related settlement negotiations;
(d) providing the indemnifying Party with such assistance and information as the indemnifying Party may reasonably require to assist the indemnifying Party to defend or settle the Indemnified Claim; and
(e) using reasonable endeavours to mitigate the amount of the Indemnified Claim.
12.4. In the event of an Indemnified Claim, Panaseer reserves the right to:
(a) procure for the Customer the right to use the infringing Licensed Software free from any such infringement; or
(b) replace the infringing Licensed Software with non-infringing substitute materials which comply in all materials respects with the applicable terms of this Subscription Contract.
12.5. If the steps set out in Clause 12.4 are, in Panaseer's opinion, not reasonably commercially achievable within a reasonable period of time, Panaseer may terminate this Subscription Contract (in whole or in part) whereupon it shall refund in full any Fees paid by the Customer in respect of any period after the date of termination in respect of the whole or part of the Subscription Contract which is terminated by Panaseer.

13. Payment and Fees
13.1. The Customer shall pay the Fees to Panaseer, annually up front on 30 day payment terms, unless stated otherwise in the relevant Order. The Customer shall also reimburse Panaseer for those reasonable expenses incurred during performance of the Professional Services by Panaseer’s employees and consultants, provided such expenses shall be agreed in writing in advance by the Customer.
13.2. If the Customer wishes to license additional channels or modules in respect of the Licensed Software, Panaseer shall be entitled to charge the Customer an additional licence fee in respect of additional channels or modules in accordance with Panaseer’s then prevailing rates, subject to the Parties entering into a Variation of the relevant Order or Statement of Work in accordance with Clause 19.4(a) in respect of such additional channels or modules and the corresponding additional licence fee. 
13.3. Panaseer may increase the Fees:
(a) on each anniversary of the Order Effective Date in a proportion not exceeding the proportionate increase in the Retail Prices (all items) Index over the corresponding period or the last increase (if any) in the Fees, whichever is the later; and
(b) at the start of each Renewal Period in a proportion not exceeding 5% above the proportionate increase in the Retail Prices (all items) Index over the corresponding period or the last increase (if any) in the Fees, whichever is the later.
If the Retail Prices (all items) Index ceases to be published then Panaseer may select a comparable replacement index.
13.4. If the Customer exceeds the Licence Limits set out in the Order, Panaseer shall be entitled to:
(a) invoice for such overage on a pro-rata basis from day 31 after the date that the Licence Limits were exceeded until the end of the current contract year for any over-use up to 20% more than the License Limits; and
(b) re-assess the Fees for the remainder of the Licence Period based on such over-usage. For the avoidance of doubt, if Panaseer increases the Fees in accordance with this Clause 13.4(b), such increase will form the new minimum annual Fee amount and Panaseer shall not be obliged to reduce the Fees below this increased amount at any time during the Licence Period (irrespective of the Customer's usage throughout the remainder of the Licence Period); and
(c) oblige Customer to enter into good faith discussions relating to the Fees if the License Limits are exceeded by more than 20% at any time, and may limit usage up to the License Limits in the event such discussions are not concluded within a reasonable time frame.
13.5. Any applicable value added, sales or other tax, custom or excise ("Applicable Tax") is to be paid by the Customer at the prevailing rate on all sums due under the relevant Order or Statement of Work. All sums quoted in the relevant Order or Statement of Work are exclusive of any Applicable Taxes.
13.6. All sums due must be paid:
(a) within 30 days of the date of Panaseer’s invoice (or such other period as may be specified in the relevant Order or Statement of Work) (the "Due Date"); and
(b) in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of Applicable Tax which is required by law).
13.7. Without prejudice to any other right or remedy that Panaseer may have, where the Customer fails to pay Panaseer any sum due under this agreement on the Due Date, the Customer shall pay interest on the overdue sum from the Due Date until payment of the overdue sum, whether before or after judgment. Interest under this Clause will accrue each day at 4% a year above HSBC's base rate from time to time, but at 4% a year for any period when that base rate is below 0%.
13.8. Without prejudice to any other right or remedy that Panaseer may have, where the Customer fails to pay any amount due under the Subscription Contract on the Due Date and such amount remains unpaid for:
(a) 5 days or more following the Due Date, Panaseer may suspend the Professional Services or access to part or all of the Licensed Software until payment has been made in full; and
(b) 20 days or more following the Due Date, Panaseer may terminate the Subscription Contract with immediate effect by giving written notice to the Customer.
13.9. If, as a result of the Customer’s breach of the Subscription Contract, Panaseer is unable to invoice the Customer for any Fees on the date upon which Panaseer would have been permitted to invoice the Customer but for such breach, Panaseer shall be entitled to invoice the Customer for those Fees on the date it would have been entitled to invoice the Customer had the Customer complied with the Subscription Contract.

14. Term
14.1. These Subscription Terms shall commence on the first Order Effective Date and shall continue for the Subscription Contract Period unless terminated by either Party in accordance with Clauses 13.8, 15 or 19.2(c) of the Subscription Terms.
14.2. Each Order shall commence on the Order Effective Date and shall continue for the Licence Period, unless terminated earlier by either Party in accordance with the terms of the relevant Order, or Clauses 13.8, 15 or 19.2(c) of the Subscription Terms.
14.3. Following the Initial Licence Period, each Order shall automatically renew for successive 1 year renewal terms unless either Party provides written notice to the other Party of its intent not to renew at least 3 months prior to the end of the then-current Initial Licence Period or Renewal Period.
14.4. Each Statement of Work shall commence on its Statement of Work Effective Date and shall continue for the Statement of Work Term, unless terminated earlier by either Party in accordance with the terms of the relevant Statement of Work, or Clauses 13.8, 15 or 19.2(c) of the Subscription Terms.

15. Termination, Expiry and Suspension  
15.1. Either Party may terminate an Order or a Statement of Work (including all licences granted under it) immediately on written notice if the other commits any material breach of these Subscription Terms or that Order or that Statement of Work and such breach is incapable of remedy or is not remedied to the non-defaulting Party’s reasonable satisfaction within 30 days of written notice sent to legal@panaseer.com specifying the breach and requiring its remedy. For the avoidance of doubt, a breach by a Party of these Subscription Terms shall not entitle a Party to terminate an Order or Statement of Work, and vice versa, and a breach by a Party of an Order or Statement of Work shall not entitle a Party to terminate any other Order or Statement of Work, unless expressly permitted in these Subscription Terms.
15.2. Either Party may terminate any Order or Statement of Work immediately on written notice if:
(a) in respect of the other a resolution is passed or an order is made for winding up (save for the purpose of a bona fide reconstruction or amalgamation);
(b) in respect of the other an administration order is made, or a receiver or administrative receiver is appointed over any of its property or assets; or
(c) the other Party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts, or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986 as if the words "it is proved to the satisfaction of the court" did not appear in sections 123(1)(e) or 123(2) of the Insolvency Act, or (being a partnership), has any partner to whom any of the foregoing apply,
provided that, in the case of Panaseer, it is permitted to do so under Applicable Law (e.g., s233B Insolvency Act 1986 as amended). Either Party may immediately on written notice to the other Party, terminate these Subscription Terms following the termination or expiry of all Orders and Statements of Work agreed between the Parties. 
15.3. Where any part of the Fees is payable in advance of the Licensed Software and/or the Professional Services to which they relate, Panaseer may suspend the delivery of the Licensed Software and/or the performance of those Professional Services until payment has been received.

16. Consequences of Termination or Expiry
16.1. Subject to Clause 16.4 and Clause 17, upon termination or expiry of an Order or Statement of Work, all licences granted under that Order or Statement of Work shall terminate automatically.
16.2. Subject to Clause 16.4 and Clause 17, on termination or expiry of an Order or Statement of Work or any licences under it the Customer shall, at the Customer's cost:
(a) promptly destroy, delete, or return to Panaseer the relevant Licensed Software (where possible, it being acknowledged that this may not apply in a software as a service context) and Licensed Materials (and all copies thereof) which remain in the possession or control of the Customer in respect of that Order or Statement of Work; and
(b) if requested, provide Panaseer with written confirmation, signed by a duly authorised person, that this Clause 16.2 has been complied with.
16.3. Subject to Clause 16.4 and Clause 17, on termination or expiry of an Order or Statement of Work Panaseer shall:
(a) promptly upon request destroy or delete any Customer Materials (and all copies thereof) which remain in the possession or control of Panaseer in respect of that Order or Statement of Work; and
(b) if requested, provide the Customer with written confirmation, signed by a duly authorised person, that Clause 16.3(a) has been complied with.
16.4. Each Party acknowledges that the other may have a standard data archiving policy which includes the creation and retention of backup copies of data and other information ("Retained Data") held on archive computer systems for legal, regulatory, compliance, IT restoration and disaster recovery purposes ("Retention Purposes"). Clauses 16.2 and 16.3 shall not apply to Retained Data held on such archive computer systems but such Retained Data may only be used for the Retention Purposes and provided each Party (as applicable) complies with Clause 7 and Applicable Laws in respect of the Retained Data.
16.5. Termination or expiry of the Subscription Contract (in whole or in part) does not affect any accrued rights or remedies of either Party.
16.6. Any terms of the Subscription Contract which are expressly or impliedly intended to have effect at or after termination will continue to apply notwithstanding termination or expiry.

17. Decommissioning and Exit Services
17.1. Promptly following the Customer's written notification to Panaseer that the Customer desires an Order to expire at the end of the Initial Licence Period, or at the end of any Renewal Period, the Parties shall promptly, and acting reasonably, seek to agree the scope and duration of the Decommissioning and Exit Services, together with an exit plan setting out the roles, responsibilities, and activities of each Party in connection with the Decommissioning and Exit Services. Each Party shall perform its allocated activities under the agreed exit plan.
17.2. In addition to payment of Licence Fees and any other applicable Fees, Panaseer shall charge the Customer on a time and materials basis for the Decommissioning and Exit Services at the prevailing rates set out in the Rate Card.
17.3. If the relevant Order was terminated by Panaseer under Clause 13.8(b) or Clause 15.1, then it shall not be required to commence the provision of Decommissioning and Exit Services until:
(a) all outstanding sums have been paid; and
(b) it has received monies on account in full for the anticipated Decommissioning and Exit Services and Licence Fees.
17.4. An Order may only expire or be terminated once the Decommissioning and Exit Services have been fully completed. Where the Decommissioning and Exit Services have not been fully completed by the end of:
(a) the Initial Licence Period, then, unless the reason for such non-completion is wholly or mainly due to a Panaseer delay or default, a Renewal Period will commence; or
(b) a Renewal Period, then, unless the reason for such non-completion is wholly or mainly due to a Panaseer delay or default, a further Renewal Period will commence.

18.Insurance
Panaseer shall have in place commercial insurance appropriate and commensurate with the risks generated by its operations from the Effective Date and shall maintain such appropriate insurance until the Subscription Terms are terminated by either Party pursuant to Clause 15 of these Subscription Terms.

19. Miscellaneous 
19.1. Assignment And Subcontracting
(a) Panaseer may assign any or all of its rights under these Subscription Terms and/or any Order or Statement of Work without the prior written consent of the Customer.
(b) The Customer shall not assign, transfer, charge or deal in any other manner with any or all of its rights or obligations under these Subscription Terms and/or any Order or Statement of Work without the prior written consent of Panaseer (such consent not to be unreasonably withheld or delayed).
(c) Subject to the Data Processing Agreement, Panaseer is entitled to subcontract the performance of any of its obligations under these Subscription Terms and/or any Order or Statement of Work but shall remain liable for its obligations under these Subscription Terms and/or any Order or Statement of Work to the same extent as if it had carried out the obligations itself.
19.2. Force Majeure
(a) Neither Party shall be liable to the other for any delay or non-performance of its obligations under these Subscription Terms and/or any Order or Statement of Work (except for its obligation to make payment) arising from any Force Majeure Event.
(b) The Party affected by the Force Majeure Event shall use reasonable endeavours to mitigate the effect of the Force Majeure Event and to recommence performance of its obligations under these Subscription Terms and/or the relevant Order or Statement of Work as soon as is reasonably practicable.
(c) If the affected Party is unable to perform its obligations under the relevant Order or Statement of Work by reason of the Force Majeure Event for more than four weeks, the unaffected Party may terminate the relevant Order or Statement of Work immediately by serving notice on the other and neither Party shall be liable to the other by reason of such termination.
19.3. Counterparts and Electronic Signature
(a) Each Order or Statement of Work may be executed in any number of counterparts, and all counterparts when taken together will constitute one and the same agreement, and either Party may enter into an Order or Statement of Work by executing a counterpart.  
(b) Each Order or Statement of Work (and, where applicable, each counterpart) may be executed by electronic signature by any of the Parties to any other Party and the receiving Party may rely on the receipt of such document so executed by electronic means as if the original had been received.
19.4 Variation and Waiver
(a) Any amendment, modification, variation or supplement to these Subscription Terms and/or any Order or Statement of Work ("Variation") shall only be binding on the Parties if it is:

• effected by way of a new Order duly executed pursuant to Clause 2.4;
• or otherwise made in writing and signed by an authorised signatory of each Party.

(b) References to the execution of these Subscription Terms and/or any Order or Statement of Work in Clauses 19.3(a) and 19.3(b) shall also apply to the execution of any Variation to it.
(c) Failure or delay by either Party to exercise or enforce any available rights or remedies under these Subscription Terms and/or any Order or Statement of Work or at law, or any single or partial exercise of any such rights or remedies, is not a waiver or exhaustion of those rights or remedies and shall not prevent or restrict their further exercise.
19.5. Third Party Rights
(a) The Parties do not intend to confer any rights on any third parties by virtue of these Subscription Terms and/or any Order or Statement of Work and any person which is not a Party to these Subscription Terms and/or any Order or Statement of Work shall have no right to enforce any of its terms.
19.6. Severance
(a)  If any provision or part provision of these Subscription Terms and/or any Order or Statement of Work is illegal or unenforceable such provision or part provisions shall be modified to the minimum extent necessary to give effect to the commercial intention of the Parties in order to make such provision or part provision valid, lawful or enforceable (as applicable), but without affecting the validity or enforceability of the remaining provisions or part provisions.
19.7. No Partnership, No Agency
(a) Nothing in these Subscription Terms and/or any Order or Statement of Work constitutes a partnership between the Parties. Neither Party is deemed to be the agent of the other for any purpose, and neither has the power or authority to bind the other or to contract in the name of the other, except as expressly set out in these Subscription Terms and/or any Order or Statement of Work.
19.8. Entire Agreement
(a) These Subscription Terms and/or any Order or Statement of Work sets out the entire agreement between the Parties in relation to its subject matter and supersedes all previous written or oral agreements, representations, undertakings, warranties or arrangements between the Parties in relation to that subject matter.
(b) Each Party acknowledges and agrees that in entering into these Subscription Terms and/or any Order or Statement of Work it has not relied on any statement, representation, assurance or warranty (whether made negligently or innocently) other than as expressly set out in these Subscription Terms and/or any Order or Statement of Work.
(c) Nothing in Clauses 19.8(a) or 19.8(b) shall exclude or limit any liability arising as a result of any fraud or fraudulent misrepresentation.
19.9. Notices
(a) All notices, requests, consents and authorisations made pursuant to these Subscription Terms and/or any Order or Statement of Work must be by post/hand or email.  Those by  post/hand must be sent to the recipient’s registered office, chief trading address, or any other premises specified in the Order or Statement of Work for this purpose or otherwise notified to the other Party. Notices shall be delivered by hand or sent by pre-paid first class post or other next working day delivery service. Correctly addressed notices delivered by hand are deemed to have been received at the time the notice is left at the proper address. Correctly addressed notices sent by pre-paid first class post or other next working day delivery service are deemed to have been received on the recipient’s second business day after posting.  Where notices are delivered to Panaseer by post or hand, an email should be sent concurrently to legal@panaseer.com, informing Panaseer that the notice has been sent.  Those notices solely by email to Panaseer must be sent to legal@panaseer.com with “Formal Contract Notice” in the header and those by email to Customer must be sent to the email address as set out in the Order or Statement of Work.   
19.10. Disputes
(a) In the event of any dispute arising out of in connection with these Subscription Terms and/or any Order or Statement of Work between the Parties ("Dispute"), the Parties shall endeavour to resolve the Dispute in accordance with this Clause 19.10(a), as follows:
(i) the Party raising the Dispute shall notify the other Party in writing setting out the nature and substance of the Dispute ("Dispute Notice");
(ii) the Customer Representative and Panaseer Representative (being those representatives named in the relevant Order or Statement of Work, shall meet to discuss the Dispute Notice within 10 Business Days of the other Party receiving Dispute Notice;
(iii) the Customer Representative and Panaseer Representative shall attempt to work together to resolve the Dispute and if no resolution is found and/or agreed between the Parties within 5 Business Days, then the Customer Representative and Panaseer Representative shall escalate the Dispute for resolution to their respective senior managers; and
(iv) if the Dispute remains unresolved for a further 10 Business Days following escalation of the Dispute to the Customer Representative's and Panaseer Representative's respective senior managers, then the Parties shall refer the Dispute for mediation under the Centre for Effective Dispute Resolution ("CEDR") rules then in force.
(b) Nothing in Clause 19.10(a) shall prevent a Party from taking action or making a claim against the other Party pursuant to Clause 19.11(b).
19.11. Governing Law and Jurisdiction
(a) The formation, existence, construction, performance, validity and all other aspects of these Subscription Terms and/or any Order or Statement of Work, any term of these Subscription Terms and/or any Order or Statement of Work and any non-contractual obligation undertaken or incurred in connection with these Subscription Terms and/or any Order or Statement of Work (including those arising out of pre-contractual dealings) will be governed by the laws of England.
(b) The Parties irrevocably agree that the courts of England shall have exclusive jurisdiction to hear and decide any suit, action or proceedings, and to settle any disputes, which may arise out of or in any way relate to these Subscription Terms and/or any Order or Statement of Work or its formation, existence, construction, performance or validity or of any non-contractual obligation undertaken or incurred in connection with these Subscription Terms and/or any Order or Statement of Work (including those arising out of pre-contractual dealings).
(c) The rights and remedies provided in these Subscription Terms and/or any Order or Statement of Work are cumulative and (except as otherwise stated) are not exclusive of any rights or remedies provided by Applicable Law.

1. LICENSE FOR TRIAL USE AND EVALUATION
(a) Panaseer hereby grants Customer a worldwide, royalty free, non-exclusive and non-transferable license to use internally the Software for evaluation purposes from the Start Date to the End Date as set out above (“the Initial Evaluation Period").
(b) "Use" within the terms of this Agreement shall be limited to the use of the Software code following a computer installation, (i.e. the reading in and storing of the Software, in whole or in part, on the Panaseer AWS Cloud Platform or such other platform as Panaseer may determine from time to time) in order to perform tasks and use the data and the reports therefrom solely for evaluation purposes.
(c) Customer shall have no obligation to license the Software following the Evaluation.  Any future license of the Software will be subject to a separate subscription agreement under Panaseer Subscription and Service Agreement.
(d) According to this Agreement, intellectual property rights of the Software, including but not limited to copyrights, patents, processes, and trademarks shall not be transferred to Customer. Customer acknowledges the intellectual property rights of Panaseer and shall not challenge the legal validity and scope of these rights for any reason.  Panaseer warrants that it owns such rights and has the right to allow customer to use the Software during the Evaluation.
(e) Any modifications, additions or new works created by Panaseer or derived from the Software will (together with all applicable intellectual property rights) be owned by Panaseer, and will be included as part of the Software at the sole discretion of Panaseer.
(f) Customer shall not (and shall not attempt to) reverse engineer, decompile, modify or make derivative works of the Software.
(g) Customer is responsible for maintaining the security of its login credentials used to access the Software and will not share those credentials with any third party or permit a third-party to use them.

2. TERM AND TERMINATION
(a) This Agreement shall commence on the date of last signature and shall continue in force until the end of the Initial Evaluation Period when it will automatically terminate.
(b) Should the Customer extend the Agreement beyond the Initial Evaluation Period, then the Customer may request an extension by notifying Panaseer by email specifying the desired duration of the extension in calendar weeks (“Extended Evaluation Period”).  Panaseer and you will use reasonable endeavors to agree a suitable extension period.  If agreed, Panaseer will agree such extension and the Agreement shall continue in force until the end of the Extended Evaluation Period.
(c) This Agreement may be terminated by the Customer upon immediate written notice to the Panaseer.   Panaseer also have the right to terminate the Evaluation at any time in its complete discretion and without liability.
(d) Upon expiration or termination of this Agreement, the license granted hereunder shall immediately terminate.  Under no circumstances shall Customer be permitted to use the Software following the expiration or termination of this Agreement without further written agreement.
(e) However, where the Software Evaluation proves successful; and while the Parties are in discussions with the intent to enter into a later Subscription and Service Agreement, then the Customer environment may be maintained at the complete discretion of Panaseer pending the outcome of such discussions.
(f) Termination of this Agreement does not affect any provision of this Agreement which are expressly or by implication intended to survive after that termination.

3. LIABILITY
THE SOFTWARE IS OFFERED “AS-IS” AND “AS-AVAILABLE” DURING THE EVALUTAION AND NO REPRESENTATIONS, CONDITIONS, WARRANTIES, OR OTHER TERMS OF ANY KIND ARE GIVEN IN RESPECT OF THE PLATFORM. PANASEER DOES NOT WARRANT THAT THE SOFTWARE WILL MEET YOUR EXPECTATIONS OR BE SECURE, ACCURATE, ERROR-FREE OR OPERATE ON AN UNINTERRUPTED BASIS OR IN COMBINATION WITH ANY OTHER SOFTWARE OR SYSTEM. THE PLATFORM AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE TRIAL MAY INCLUDE INACCURACIES OR ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION THEREIN. PANASEER MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PLATFORM AT ANY TIME. PANASEER MAKES NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS, AND ACCURACY OF THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES CONTAINED ON THE PLATFORM FOR ANY PURPOSE. PANASEER HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
YOU WARRANT AND HOLD US HARMLESS AGAINST ANY DAMAGE OF ANY NATURE AND ANY CLAIM OR LEGAL ACTION BY A THIRD-PARTY RELATING TO THE USE OF THE PLATFORM, INCLUDING BY YOUR OWN EMPLOYEES AND POTENTIAL CUSTOMERS. YOU WILL INDEMNIFY US FOR JUDGMENTS OF ANY KIND, AS WELL AS FOR PENALTIES, DAMAGES AND REASONABLE LAWYER FEES AND COURT COSTS.
OUR TOTAL LIABILITY ARISING OUT OF OR IN CONNECTION WITH THIS TRIAL OR THE TERMS OF USE, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE SHALL IN NO EVENT EXCEED ONE HUNDRED DOLLARS ($100) SAVE THAT NOTHING HEREIN IS INTENDED TO LIMIT LIABILITY WHICH CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW.

4. INTELLECTUAL PROPERTY
(a) You acknowledge that all right, title and interest in and to the Software and all underlying software, technology and other intellectual property belongs exclusively to Panaseer.  You shall at no time: (i) copy any feature or design; (ii) attempt to circumvent any security device or access or derive the source code or architecture of the software; (iii) use or access the Software in order to build a competitive solution or assist someone else to build a competitive solution; (iv) load or penetration test the Software or otherwise use the Software in any way that is, or could reasonably be expected to be, detrimental to Panaseer’s ability to provide services to any other customer; (v) use the Software in a manner that violates any applicable law or that is unlawful or fraudulent; or (vi) permit any third-party to do any of the foregoing.
(b) You will retain all rights in your own branding and any content that you upload to the Software. You agree that Panaseer will have a non-exclusive royalty free licence to use your branding and content for the purposes of providing the Evaluation (and, in the case of your branding, in publicity material).
(c) Where Panaseer requests any feedback from you regarding the Software, you agree that Panaseer may freely use, exploit and make available any and all feedback, suggestions, ideas, enhancement requests, recommendations or other information you provide to Panaseer relating to the Software (the “Feedback”) without obligation to you, and you irrevocably assign all rights, title, and interest in that Feedback to Panaseer.

5. CONFIDENTIALITY / DATA
(a) Each Party agrees that all information supplied by one Party and its affiliates and agents (collectively, the “Disclosing Party”) to the other (“Receiving Party”), including, without limitation:  (i) source and object code, prices, trade secrets, databases, hardware, software, designs and techniques, programs, engine protocols, models, displays and manuals, and the selection, coordination, and arrangement of the contents of such materials; and (ii) any unpublished information, will be deemed confidential and proprietary to the Disclosing Party, regardless of whether such information was disclosed intentionally or unintentionally or marked as “confidential” or “proprietary” (“Confidential Information”). 
(b) For the term of this Agreement and following its termination, both parties undertake to treat any Confidential Information received from the other party in the context of (or pursuant to) this Agreement in a confidential manner, and neither convey nor disclose such data or information to third parties nor use it for purposes other than for the performance of this Agreement. 
(c) Each Party recognizes the importance of the other’s Confidential Information.  In particular, each Party recognizes and agrees that the Confidential Information of the other is critical to their respective businesses and that neither Party would enter into this Agreement without assurance that such information and the value thereof will be protected.  Accordingly, each Party agrees as follows: (i) the Receiving Party will hold any and all Confidential Information it obtains in strictest confidence and will use and permit use of Confidential Information solely for the purposes of this Agreement.  Without limiting the foregoing, the Receiving Party shall use at least the same degree of care, but no less than reasonable care, to avoid disclosure or use of this Confidential Information as the Receiving Party employs with respect to its own Confidential Information of a like importance; and (ii) the Receiving Party may disclose or provide access to its responsible employees and agents who have a need to know and may make copies of Confidential Information only to the extent reasonably necessary to carry out its obligations hereunder.
(d) Unless you purchase a subscription to the Software before the end of the Evaluation, or unless Panaseer agrees otherwise in writing, all of your data in the platform (excluding any Feedback, Software Usage Data and Security Metrics Data) will be permanently deleted upon termination or expiry of this Agreement and Panaseer will not recover it.
(e) Each party agrees that, in the performance of its respective obligations hereunder, it shall comply with the provisions of any law applicable to the protection of personal data in effect from time to time, in each case to the extent it applies to each of them.
(f) Panaseer may collect and use Software Usage Data for the following purposes:

• product improvement (in particular, product features and functionality, workflows and user interfaces) and development of new Panaseer products and services (including machine learning technologies);
• improving resource allocation and support;
• internal demand planning;
• improving product performance; and
• any other legitimate interest purpose which Panaseer may reasonably deem necessary.

(g) Panaseer may collect and use Anonymized Security Data to offer enhanced insights for the Customer in the following ways:

•  product improvement (in particular, product features and functionality, workflows and user interfaces) and development of new Panaseer products and services (including machine learning technologies);
• identification of anonymized industry trends and developments, creation of indices and anonymous benchmarking; and
• any other legitimate interest purpose which Panaseer may reasonably deem necessary.

(h) Anonymized industry trends, indices and anonymous benchmarks created from aggregated Anonymized Security Data shall not be shared with third parties in a manner attributable to Customer or any individual.
(i) For the purposes of this clause 5:

• “Software Usage Data” means non-personally identifiable usage information that is automatically collected and reported by the Software about how the Software is used by Customer; and
• "Anonymized Security Data" means security data where all information that identifies a Customer, their assets or users has been anonymized.  This data may include generic qualifiers regarding Customer's industry and/or size.

6. FINAL PROVISIONS
(a) This Agreement shall enter into effect after being validly signed by both the parties.
(b) This Agreement contains all the agreements between the parties in connection with the provision of the services herein described.  No other representations whether verbal or written shall apply.  
(c) This Agreement and the rights and duties arising out of or in connection with it are not assignable or delegable to any third-party without expressed written permission.
(d) This Agreement, and any dispute, controversy or proceeding arising out of or relating to this Agreement or the subject matter hereof or the relationship between the parties hereto in connection with any case whether in contract, tort, common or statutory law, equity or otherwise, shall be governed by the substantive laws of the State of New York (without regard to conflict of law principles thereof or of any other jurisdiction that would cause the application of laws of any jurisdiction other than those of the State of New York) and subject to the jurisdiction of New York and/or the courts within New York City.

1. LICENSE FOR TRIAL USE AND EVALUATION
(a)  Panaseer hereby grants Customer a worldwide, royalty free, non-exclusive and non-transferable license to use internally the Software for evaluation purposes from the Start Date to the End Date as set out above (“the Initial Evaluation Period").
(b) "Use" within the terms of this Agreement shall be limited to the use of the Software code following a computer installation, (i.e. the reading in and storing of the Software, in whole or in part, on the Panaseer AWS Cloud Platform or such other platform as Panaseer may determine from time to time) in order to perform tasks and use the data and the reports therefrom solely for evaluation purposes.
(c) Customer shall have no obligation to license the Software following the Evaluation.  Any future license of the Software will be subject to a separate subscription agreement under Panaseer Subscription and Service Agreement.
(d) According to this Agreement, intellectual property rights of the Software, including but not limited to copyrights, patents, processes, and trademarks shall not be transferred to Customer. Customer acknowledges the intellectual property rights of Panaseer and shall not challenge the legal validity and scope of these rights for any reason.  Panaseer warrants that it owns such rights and has the right to allow customer to use the Software during the Evaluation.
(e) Any modifications, additions or new works created by Panaseer or derived from the Software will (together with all applicable intellectual property rights) be owned by Panaseer, and will be included as part of the Software at the sole discretion of Panaseer.
(f) Customer shall not (and shall not attempt to) reverse engineer, decompile, modify or make derivative works of the Software.
(g) Customer is responsible for maintaining the security of its login credentials used to access the Software and will not share those credentials with any third party or permit a third-party to use them.

2. TERM AND TERMINATION
(a) This Agreement shall commence on the date of last signature and shall continue in force until the end of the Initial Evaluation Period when it will automatically terminate.
(b) Should the Customer extend the Agreement beyond the Initial Evaluation Period, then the Customer may request an extension by notifying Panaseer by email specifying the desired duration of the extension in calendar weeks (“Extended Evaluation Period”).  Panaseer and you will use reasonable endeavors to agree a suitable extension period.  If agreed, Panaseer will agree such extension and the Agreement shall continue in force until the end of the Extended Evaluation Period.
(c) This Agreement may be terminated by the Customer upon immediate written notice to the Panaseer.   Panaseer also have the right to terminate the Evaluation at any time in its complete discretion and without liability.
(d) Upon expiration or termination of this Agreement, the license granted hereunder shall immediately terminate.  Under no circumstances shall Customer be permitted to use the Software following the expiration or termination of this Agreement without further written agreement.
(e) However, where the Software Evaluation proves successful; and while the Parties are in discussions with the intent to enter into a later Subscription and Service Agreement, then the Customer environment may be maintained at the complete discretion of Panaseer pending the outcome of such discussions.
(f) Termination of this Agreement does not affect any provision of this Agreement which are expressly or by implication intended to survive after that termination.

3. LIABILITY
(a) Subject to clause 3(d), the Software is offered “as-is” and “as-available” during the Evaluation and no representations, conditions, warranties, or other terms of any kind are given in respect of the Platform. Panaseer does not warrant that the Software will meet your expectations or be secure, accurate, error-free or operate on an uninterrupted basis or in combination with any other software or system. the platform and services included in or available through the Evaluation may include inaccuracies or errors. Changes are periodically added to the information therein. Panaseer may make improvements and/or changes in the platform at any time. Panaseer makes no representations about the suitability, reliability, availability, timeliness, and accuracy of the information, software, products, and services contained on the platform for any purpose. Panaseer hereby disclaims all warranties and conditions with regard to the information, software, products, and services, including all implied warranties or conditions of merchantability, fitness for a particular purpose and non-infringement.
(b) You warrant and hold us harmless against any damage of any nature and any claim or legal action by a third-party relating to the use of the Platform, including by your own employees and potential customers. You will indemnify us for judgments of any kind, as well as for penalties, damages and reasonable lawyer fees and court costs.
(c) Subject to clause 3(d), our total liability arising out of or in connection with this Evaluation, the Software or the terms of use, whether in contract, tort (including negligence) or otherwise shall in no event exceed one hundred pounds (£100). 
(d) Nothing in this Agreement limits any liability which cannot legally be limited or excluded, including liability for (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; or (iii) breach of the terms implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession).

4. INTELLECTUAL PROPERTY
(a) You acknowledge that all right, title and interest in and to the Software and all underlying software, technology and other intellectual property belongs exclusively to Panaseer.  You shall at no time: (i) copy any feature or design; (ii) attempt to circumvent any security device or access or derive the source code or architecture of the software; (iii) use or access the Software in order to build a competitive solution or assist someone else to build a competitive solution; (iv) load or penetration test the Software or otherwise use the Software in any way that is, or could reasonably be expected to be, detrimental to Panaseer’s ability to provide services to any other customer; (v) use the Software in a manner that violates any applicable law or that is unlawful or fraudulent; or (vi) permit any third-party to do any of the foregoing.
(b) You will retain all rights in your own branding and any content that you upload to the Software. You agree that Panaseer will have a non-exclusive royalty free licence to use your branding and content for the purposes of providing the Evaluation (and, in the case of your branding, in publicity material).
(c) Where Panaseer requests any feedback from you regarding the Software, you agree that Panaseer may freely use, exploit and make available any and all feedback, suggestions, ideas, enhancement requests, recommendations or other information you provide to Panaseer relating to the Software (the “Feedback”) without obligation to you, and you irrevocably assign all rights, title, and interest in that Feedback to Panaseer.

5. CONFIDENTIALITY / DATA
(a) Each Party agrees that all information supplied by one Party and its affiliates and agents (collectively, the “Disclosing Party”) to the other (“Receiving Party”), including, without limitation:  (i) source and object code, prices, trade secrets, databases, hardware, software, designs and techniques, programs, engine protocols, models, displays and manuals, and the selection, coordination, and arrangement of the contents of such materials; and (ii) any unpublished information, will be deemed confidential and proprietary to the Disclosing Party, regardless of whether such information was disclosed intentionally or unintentionally or marked as “confidential” or “proprietary” (“Confidential Information”). 
(b) For the term of this Agreement and following its termination, both parties undertake to treat any Confidential Information received from the other party in the context of (or pursuant to) this Agreement in a confidential manner, and neither convey nor disclose such data or information to third parties nor use it for purposes other than for the performance of this Agreement. 
(c) Each Party recognises the importance of the other’s Confidential Information.  In particular, each Party recognises and agrees that the Confidential Information of the other is critical to their respective businesses and that neither Party would enter into this Agreement without assurance that such information and the value thereof will be protected.  Accordingly, each Party agrees as follows: (i) the Receiving Party will hold any and all Confidential Information it obtains in strictest confidence and will use and permit use of Confidential Information solely for the purposes of this Agreement.  Without limiting the foregoing, the Receiving Party shall use at least the same degree of care, but no less than reasonable care, to avoid disclosure or use of this Confidential Information as the Receiving Party employs with respect to its own Confidential Information of a like importance; and (ii) the Receiving Party may disclose or provide access to its responsible employees and agents who have a need to know and may make copies of Confidential Information only to the extent reasonably necessary to carry out its obligations hereunder.
(d) Unless you purchase a subscription to the Software before the end of the Evaluation, or unless Panaseer agrees otherwise in writing, all of your data in the platform (excluding any Feedback, Software Usage Data and Security Metrics Data) will be permanently deleted upon termination or expiry of this Agreement and Panaseer will not recover it.
(e) Each party shall comply with the provisions of any law applicable to the protection of personal data in effect from time to time, including the UK General Data Protection Regulation and the Data Protection Act 2018, to the extent it applies to each of us.
(f) Panaseer may collect and use Software Usage Data for the following purposes:

• product improvement (in particular, product features and functionality, workflows and user interfaces) and development of new Panaseer products and services (including machine learning technologies);
• improving resource allocation and support;
• internal demand planning;
• improving product performance; and
•  any other legitimate interest purpose which Panaseer may reasonably deem necessary.

(g) Panaseer may collect and use Anonymised Security Data to offer enhanced insights for the Customer in the following ways:

• product improvement (in particular, product features and functionality, workflows and user interfaces) and development of new Panaseer products and services (including machine learning technologies);
• identification of anonymised industry trends and developments, creation of indices and anonymous benchmarking; and
• any other legitimate interest purpose which Panaseer may reasonably deem necessary.

(h) Anonymised industry trends, indices and anonymous benchmarks created from aggregated Anonymised Security Data shall not be shared with third parties in a manner attributable to Customer or any individual.
(i) For the purposes of this clause 5:

• “Software Usage Data” means non-personally identifiable usage information that is automatically collected and reported by the Software about how the Software is used by Customer; and
• "Anonymised Security Data" means security data where all information that identifies a Customer, their assets or users has been anonymised.  This data may include generic qualifiers regarding Customer's industry and/or size.

6. FINAL PROVISIONS
(a) This Agreement shall enter into effect after being validly signed by both the parties.
(b) This Agreement contains all the agreements between the parties in connection with the provision of the services herein described.  No other representations whether verbal or written shall apply.  
(c) This Agreement and the rights and duties arising out of or in connection with it are not assignable or delegable to any third-party without expressed written permission.
(d) This Agreement, and any dispute, controversy or proceeding arising out of or relating to this Agreement whether in contract, tort, common or statutory law, equity or otherwise, shall be governed by the laws of England and Wales and subject to the jurisdiction of the English Courts.

This Data Processing Agreement (the “DPA”) is entered into by and between Panaseer Limited, a company registered in England and Wales with company number 09098199 whose registered office is Ashcombe Court, Woolsack Way, Godalming, Surrey, GU7 1LQ (or its U.S. subsidiary Panaseer Inc), (both “Panaseer”), and the entity described as “Customer” in the Order or a Statement of Work, as applicable (the “Customer”).

Panaseer and Customer are hereinafter individually referred to as a “Party” and jointly, the “Parties”.

1. Background and Definitions
1.1 This DPA has been made in connection with and is a part of the Subscription Terms (“Agreement”) entered into between Panaseer and the Customer concerning Panaseer’s Software and Professional Services as described in the Agreement and the applicable Order or Statement of Work.
1.2 This DPA shall enter into effect as of the Effective Date of the Agreement.
1.3 The Agreement governs ordinary matters relating to the Software and Professional Services (if any) provided by Panaseer to the Customer and this DPA governs associated transfers of personal data. To the extent relating to the scope of this DPA on data protection, this DPA prevails in case of any discrepancies between this DPA and all other agreements, including the Agreement and its other appendices, made between the Parties.
1.4 Any term beginning with a capital letter and not defined herein shall have the meaning determined under the Agreement.
1.5 Any reference to this DPA is also a reference to its appendices.
1.6 The Agreement remains confidential between the Parties to the effect that any sub-processors may be informed of the contents of this DPA only to the extent necessary.

1.7 Definitions
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Data Protection Laws means all applicable laws, regulations, and standards regarding data protection, privacy, and the processing of personal data as applicable and binding on the Parties and/or the Services including but not limited to: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the Data Protection Act 2018 and EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (and regulations made thereunder) (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act 2020; and (iv) any and all applicable national data protection laws made under, pursuant to, or that apply in conjunction with, any of the above; in each case as may be amended or superseded from time to time;
CCPA means the California Consumer Privacy Act of 2018, together with all regulations implementing or supplementing the same, to the extent applicable to Panaseer in its performance of the Services. Only to the extent Panaseer processes personal information of Californian residents that Customer provides or makes available to Panaseer in connection with the Services, the CCPA Addendum (Appendix C) will apply.
EU SCCs means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, adopted by the European Commission decision (EU) 2021/914 of 4 June 2021;
Protected Data means personal data received from or on behalf of the Customer to the extent that it is processed by Panaseer on Customer’s behalf in connection with the performance of Panaseer’s obligations under the Agreement;
Services means the Software and Professional Services (if any) to be provided under the Agreement.
UK SCCs means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022.

2. Personal Data and data processing activities
2.1 This DPA defines and governs the personal data, the data subjects, the purposes and the data processing activities that will be carried out by the Parties while performing the Agreement and other matters and obligations relating to the processing, as defined and stated in Annex 2 hereto. The Annexes and Appendices to this DPA form part of both Parties’ documentation obligations under Data Protection Laws and must always reflect the actual circumstances.
2.2 The Customer warrants and undertakes that the personal data has been collected, processed and transferred in accordance with applicable Data Protection Laws, including but not limited to the legal grounds for processing and the requirement to provide data subjects with certain information.

3. Roles and instructions
3.1 Customer and Panaseer acknowledge that for the purpose of Data Protection Laws, where the Customer uses the Services and makes decisions about the personal data being processed via the Services, Customer is controller and Panaseer is processor. The Customer decides for which purposes and how Panaseer may process the personal data.
3.2 Panaseer may and shall process the personal data only pursuant to documented instructions from the Customer as set out in Annexes 1 and 2 and Appendices A, B and C, or other written instructions unless required to do so by Data Protection Laws to which Panaseer is subject. In such a case, Panaseer must inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.3 Customer retains control of the personal data and shall, at all times, comply with applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Panaseer. Customer shall ensure all instructions given by it to Panaseer in respect of Protected Data (shall at all times be in accordance with all Data Protection Laws. Nothing in the Agreement or this DPA relieves Customer of any responsibilities or liabilities under any Data Protection Laws.
3.4 Panaseer must delete and/or dispose of personal data in all systems and files only upon instructions of the Customer.

4. Confidentiality
4.1 The personal data provided to Panaseer by the Customer or otherwise obtained by Panaseer in the course of carrying out the Services is confidential.
4.2 Panaseer must ensure that only employees and other individuals who, at any given time, are required to process the personal data as part of their job have been authorised to do so.
4.3 Panaseer must further ensure that the individuals authorised to process the Customer’s personal data have undertaken a duty of confidentiality for all personal data to which they have access or that they are subject to an appropriate statutory duty of confidentiality.

5. Supporting the Rights of the Data Subjects
Considering the nature of processing and the information available to Panaseer, Panaseer shall implement appropriate technical and organisational measures to assist the Customer in the fulfilment of the Customer’s legal obligations under Chapter III (Rights of Data Subjects) of the EU GDPR.

6. Security
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of the rights and freedom of natural persons, Panaseer shall implement appropriate technical and organisational measures to ensure a level of security appropriate for the risk, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the personal data transmitted, stored or otherwise processed.

7. International Transfers of Personal Data
7.1 The Customer agrees that Panaseer may transfer Protected Data to countries outside the EEA, the United Kingdom or to any international organisation(s) (an International Recipient), provided all transfers by Panaseer of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Agreement shall constitute the Customer’s instructions with respect to transfers in accordance with Section 3.
7.2 If Customer transfers personal data to Panaseer from the European Economic Area (EEA), Switzerland, or the United Kingdom (UK), the Parties will apply one of the following to the extent an Appropriate Safeguard is legally required in descending order of preference, such that the item highest on the list that is applicable and available will automatically apply during the term of this DPA: (i) a valid finding Adequacy Decision; (ii) any mechanism, derogation, exemption, or exception that the Parties are able to invoke, such as the consent of the relevant data subjects or a derogation under Article 49 of the EU GDPR; or (iii) the applicable EU SCCs and/or UK SCCs pursuant to Appendices A and B. Nothing in the interpretations of this DPA is intended to conflict with either Party’s rights or responsibilities under the EU SCCs or UK SCCs and, in the event of any such conflict, the EU SCCs or UK SCCs shall prevail, as applicable. To the extent a transfer mechanism other than the foregoing becomes reasonably available to the Parties after the effective date of this DPA, the Parties will consult with each other in good faith on whether to rely on such transfer mechanism in lieu of the applicable EU SCCs or UK SCCs.
7.3 Without prejudice to the generality of the foregoing, Customer agrees to the transfer of personal data to sub-processors outside of the UK or EEA pursuant to Section 8 or as otherwise notified to Customer by Panaseer pursuant to Section 8 below.

8. Sub-processors

8.1 Subject this section 8, Panaseer has the Customer’s general authorisation for the engagement of sub-processors a list of which (the “Sub-processor List”) is kept in the trust centre section on the Panaseer’s website at https://panaseer.com/sub-processors/ (“Website”). Panaseer shall ensure that the Sub-processor List is kept current and that any changes to the Sub-processor List are reflected on the Website.
8.2 Panaseer shall inform the Customer about any intended changes to the Sub-processor List reasonably in advance and by giving the Customer sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). If the Customer (acting reasonably) does not approve of a new sub-processor, the Customer may, within 7 (seven) days from the notification to the Customer, request that Panaseer move the Protected Data to another sub-processor by email to DPO@Panaseer.com. If a request is received from Customer within the time frame, Panaseer shall, within a reasonable period of time following receipt of such request, use all reasonable endeavours to ensure that the relevant sub-processor does not process any further Protected Data, and help identify an alternative. If such a request is not received within this time frame, the new sub-processor shall be deemed to have been approved.
8.3 Further, it is a condition for the use of the sub-processor(s) that Panaseer enters into a written agreement with the sub-processor stating the sub-processor’s duty to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of applicable Data Protection Laws.

9. Assistance to the Customer
9.1 Taking into account the nature of processing and the information available to Panaseer, at Customer’s cost and expense, Panaseer will assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the EU GDPR, i.e. with regard to security measures, notification of supervisory authorities, notification of individuals, preparation of data protection impact assessments and prior consultation with supervisory authorities.

10. Personal Data Breaches
10.1 In case of a Personal Data Breach relating to the Personal Data, Panaseer shall notify the Customer without undue delay of when Panaseer is made aware of the Personal Data Breach.
10.2 Taking into account the nature of processing as well as the information available to Panaseer, following a personal data breach at Panaseer, Panaseer shall assist the Customer in ensuring compliance with the Customer’s legal obligations in connection with the notification of personal data breaches to supervisory authorities and to data subjects.
10.3 Further, following a personal data breach at Panaseer, taking into account the nature of processing as well as to the extent the information is available to Panaseer, Panaseer must use its best efforts to provide the Customer with the information stated in the EU GDPR Article 33 without undue delay, to enable the Customer to comply with any statutory obligations.
10.4 If and to the extent that it is not possible to immediately provide the information mentioned under clauses 10.1 – 10.3, the information can be provided gradually but no later than 72 hours from when Panaseer was made aware of the personal data breach.

11. Demonstration of compliance and audits

11.1 Panaseer must upon written request make available to the Customer reasonable information necessary to demonstrate its compliance with the obligations stipulated in this DPA and applicable Data Protection Laws.
11.2 Panaseer shall, at Customer’s expense, allow for and contribute to audits, including inspections, conducted by the Customer, auditors mandated by the Customer, or public authorities in competent jurisdictions. The auditor in question must be subject to confidentiality, either contractually or by law.
11.3 The above clauses 11.1 and 11.2 shall not be applicable if Panaseer can present an audit report produced by an external qualified auditor and no older than 12 months without any material remarks regarding compliance with Data Protection Law and the compliance with this DPA.

12. Information
12.1 Panaseer shall immediately inform the Customer if, in its opinion, an instruction infringes any applicable Data Protection Laws.
12.2 To the extent relevant, the Customer must inform Panaseer of any legislation other than the EU or UK GDPR, as for example any special, local requirements for the storage of Personal Data in the country of the Customer. If such special legislation flows down and imposes additional obligations on Panaseer beyond the EU and UK GDPR, the Parties must discuss the additionally required adaption to systems and processes and the payment for any such adaption.

13. Liability
13.1 To the maximum extent allowed by applicable laws, the Parties’ liabilities arising out of or in connection with this DPA, whether in contract, tort or under any other theory of liability, will be subject to any aggregate limitation of liability and any exclusions of damages set forth in the Agreement, and any reference to the liability of the Parties shall mean the aggregate liability under the Agreement and this DPA together.
13.2 Panaseer will not be liable for any claim brought by a data subject arising from any action by Panaseer to the extent that such action resulted directly from the Customer’s instructions. In such case, the Customer shall indemnify, keep indemnified and defend at its own expense Panaseer against all associated costs, claims, damages or expenses incurred by Panaseer.
13.3 When acting as separate controllers (or where the parties are deemed to be joint controllers) of any Protected Data hereunder, each Party shall only be liable for its own breach of the applicable Data Protection Laws or of this DPA and shall not be jointly and/or severally liable with the other Party for the other Party’s breach. Each Party shall on their own be liable for any administrative fines that a supervising authority may impose due to their processing.

14. Severability
14.1 If any of the clauses of this DPA is held invalid, this shall not affect the validity of the remaining DPA.

15. Term and termination
15.1 This DPA shall remain in force for as long as the duration of the Agreement or longer, if terms in the Agreement, this DPA or requirements set out in applicable legislation require so.
15.2 This DPA shall terminate without notice at the time of termination/expiry of the Agreement.
15.3 This DPA applies to all processing of personal data carried out by Panaseer in connection with the provision of the Services and to all personal data held by Panaseer whether held on the date of this DPA or held or received after its expiry or termination. Hence, this DPA, including relevant provisions of the Agreement, will survive for as long as Panaseer processes personal data, also if such processing takes place after termination of this DPA.
15.4 After the end of the provision of the Services and at the termination of this DPA (whichever time is the latest), Panaseer shall, at the discretion of the Customer, delete or return all existing copies of the personal data and delete all existing copies of the personal data processed on behalf of the Customer except for any personal data that Panaseer may be obligated to store according to mandatory laws (as applicable).
15.2 This clause 15 and the relevant references will survive any termination of this DPA.

16. Governing law and venue
16.1 This DPA and all non-contractual or other obligations arising out of or in connection with it are subject to the governing law and jurisdiction provisions of the Agreement, except with respect to (i) the EU SCCs, which shall be governed by the law of Ireland, and (ii) the UK SCCs, which shall be governed by the laws of England and Wales.

17. Appendices
17.1 The following Appendices to this DPA constitute an integral part of the DPA:
Annex 1: Information about the processing operations
Annex 2: Minimum security requirements
Appendix A: EU SCCs
Appendix B: UK SCCs
Appendix C: CCPA Addendum

18. Signatures
18.1 This DPA is effective and deemed agreed on signature of the Agreement.

ANNEX 1
Information about the processing operations

Data subjects
Panaseer processes personal data about the following categories of data subjects for the Customer:
• Customer’s employees, contractors or similar with access to Panaseer’s Software.

Categories of personal data
Panaseer processes the following general categories of personal data about the categories of data subjects below on behalf of the Customer:
• email, first name and last name of data subjects, IP address.

Special categories of personal data
Panaseer processes the following special categories of personal data about the categories of data subjects above on behalf of the Customer:
• None.

Purpose
Panaseer’s processing of personal data for the Customer is carried out for the following purpose:
● For the purposes of undertaking its obligations and exercising its rights in connection with the Customer’s use of the Software, and the provision of the Professional Services:
o For Customer to be able to use the Software which is owned and managed by Panaseer.
o For Panaseer to be able offer support and Professional Services to the Customer.

Data Processing Activities/nature of processing operation
Panaseer’s processing of personal data for the Customer is carried out through the following activities:
• Performance of the Services described in the Agreement, including hosting and data storage, Software updates and maintenance, Customer support and training, analytics and reporting.

Duration
Indefinitely, for as long as the Agreement is in force, and until the Customer either a) asks for the personal data to be deleted, or b) asks for the data to be returned, with any copies being deleted by Panaseer.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing.
Any sub-processors, as Included in the sub-processor List, will be used solely to process the same subject matter and personal data as already processed by Panaseer, and to the same nature and with the same duration as already described in this Annex 1.

ANNEX 2
Technical and Organisational Measures

1. Storage limitation
Panaseer is required to limit the storage of personal data processed for the Customer by:
o Deleting personal data stored concerning users of the service within 12 months after time of collection.
o Upon request from the Customer delete personal data concerning users of services or customer service representatives.

2. Information security policy
Panaseer shall have a documented information security policy, which is defined and approved by the management, published and communicated to its staff and other relevant parties.

3. Information security organisation
Panaseer shall have staff with appointed responsibilities for ensuring an appropriate information security.

4. Staff security
4.1 Panaseer shall in the recruitment process conduct adequate controls for applicants according to applicable legislations and ethic codes, which shall be in proportion to the business operations, the categories of personal data given access to and risk levels.
4.2 Panaseer shall ensure that all personnel with access to personal data processed for the Customer have a confidentiality obligation towards Panaseer and receive continued information security training.
4.3 Panaseer shall have an employee offboarding process which includes removal of access rights and return of IT equipment.

5. Personal data handling
5.1 Panaseer shall handle personal data processed for the Customer as confidential information.

6. Access Control
6.1 Users shall only have access to personal data, personal data processing resources, networks and network services that are needed to perform their duties and for which they have received explicit permission to access.
6.2 Panaseer shall prevent unauthorised access to personal data processed for the Customer by (at least) implementing activity logs which register user activities and can give information about what personal data has been exposed to unauthorised access, modification, erasure or destruction.

7. Physical security
7.1 Physical access to Panaseer’s systems and processing environment shall be restricted to authorised personnel.
7.2 Physical access to personal data processed for the Customer shall be restricted and require identifiable and personal authentication scheme.
7.3 Equipment shall be placed and protected to minimise risks for environment related threats and dangers and unauthorised access.

8. Communication security
8.1 Personal data processing resources containing personal data or which are part of the system of the processing shall be protected.
8.2 Panaseer shall apply up-to-date security measures for electronic messages to actively protect against viruses, malware, ransomware and other harmful software.
8.3 Development, test and production environments shall be separated to minimise the risk for unauthorised access or changes in the production and other environments.
8.4 Data from the Customer cannot be used in test or development environments.

9. Confidentiality and non-disclosure agreements
Panaseer shall ensure that requirements for confidentiality or non-disclosure agreements reflecting Panaseer needs for the protection of information are identified, regularly reviewed and documented.

10. Information security awareness, education and training
Panaseer shall ensure all of its employees and, where relevant, contractors, receive appropriate awareness education and training and regular updates in organisational policies and procedures. as relevant for their position. All employees shall be subject to regular phishing tests.

11. Acceptable use of assets
Panaseer shall implement rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented and implemented.

12. Information Classification
Panaseer shall ensure that all information assets are classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

13. Information systems audit controls
Panaseer shall implement carefully planned and agreed upon audit requirements and activities involving verification of operational systems to minimize disruptions to business processes.

14. Networks controls
Panaseer shall ensure networks are managed and controlled to protect information in systems and applications and ensure groups of information services, users and information systems are appropriately segregated.

15. Secure system engineering principles
Panaseer shall ensure principles for engineering secure systems are established, documented, maintained and applied to any information system implementation efforts.

16. System security and acceptance testing
Panaseer shall ensure testing of security functionality is carried out during development and that acceptance testing programs and related criteria are established for new information systems, upgrades and new versions. Panaseer shall ensure test data is selected carefully, protected and controlled.

17. Electronic messaging
Panaseer shall ensure information involved in electronic messaging shall be appropriately protected.

18. Controls against malware
Panaseer shall implement detection prevention and recovery controls to protect against malware, combined with appropriate user awareness.

19. Management of technical vulnerabilities
Panaseer shall implement technical vulnerabilities mitigation to reduce exposure to such vulnerabilities and ensure appropriate measures are taken to address the associated risk.

20. Planning information security continuity
Panaseer shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or a disaster.

21. Information backup
Panaseer shall implement a backup policy defining the requirements for backup of information, software and systems.

22. Access control policy
Panaseer shall have an access control policy which is documented and reviewed periodically based on business and information security requirements.

23. Policy on the use of cryptographic controls
Panaseer shall have developed and implemented a policy on the use of cryptographic controls for the protection of the information.

24. Secure disposal or re-use of equipment
Panaseer shall ensure all equipment items containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

25. Media Disposal
Panaseer shall ensure all media is disposed of securely when no longer required, using formal procedures.

26. Reporting and responding to information security events
Panaseer shall ensure information security events are reported through appropriate management channels as quickly as possible and shall ensure information security incidents are responded to in accordance with the documented procedures.

Appendix A
EU Standard Contractual Clauses for the transfer of personal data to third countries

Where the transfer involves a transfer of EEA Protected Data outside of the EEA (“Ex-EEA Transfer”) and the mechanisms referenced in Clause 7.2 (i) or (ii) of this DPA do not apply, such transfer shall be governed by the EU SCCs.

1. Controller-Processor

Considering that the processing activities between the Parties constitute a Controller-Processor relationship, Module 2 of the EU SCCs shall apply and shall be completed as follows:
i. All explanatory notes and footnotes deleted.
ii. As the Ex-EEA Transfer is a controller to processor transfer, only the provisions relating to Module 2 apply to such ex-EEA Transfer, and the provisions relating only to Modules 1, 3 and 4 are deleted and shall not apply to such ex-EEA Transfer.
iii. Clause 7 the Optional provision shall not apply.
iv. In respect of Clause 9 (sub-processors), Option 2 general written authorisation applies, and the minimum time period for the data importer to specifically inform the data exporter in writing of any intended changes to that list in accordance with Clause 9 shall be 7 days.
v. The “OPTION” in Clause 11(a) shall not apply and the wording in square brackets in that Clause shall be deleted.
vi. In respect of Clause 13(a) (supervision), the following wording shall apply: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I C, shall act as competent supervisory authority.
vii. In respect of Clause 17 (governing law), Option 1 shall apply, and the Member State governing law shall be the law of Ireland.
viii. In respect of Clause 18 (choice of forum and jurisdiction), the relevant courts shall be the courts of Ireland.

2. Appendix to the EU SCCs

In all cases, the Appendix to the EU SCCs shall be completed as follows:

– Annex I (A) is completed as follows in accordance with the data flows between the Parties:

Data Exporter – where Customer is the exporter, this shall be completed with the Customer details as set out in this DPA; where Panaseer is the exporter, this shall be the Panaseer entity as defined in this DPA.

Data Importer – where Customer is the importer, this shall be completed with the Customer details as set out in this DPA; where Panaseer is the importer, this shall be the Panaseer entity as defined in this DPA.
– Annex I (B) is completed with the information set out in Annex 1 of this DPA.

– Annex I (C) is the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them.

– Annex II is completed with the information set out at Annex 2 of this DPA.

– Annex III is completed with the information set out in the Sub-processor List.

3. Swiss Addendum to the EU SCCs

The Parties agree that for transfers of personal data from Switzerland subject exclusively to the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws”), the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the following provisions shall apply:

i. General and specific references in the EU SCCs to EU GDPR, or EU or Member State Law, shall have the same meaning as the equivalent reference in Swiss Data Protection Laws.

ii. In respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as personal data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.

iii. Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

iv. In respect of disputes, the choice of forum and jurisdiction as set out in the EU SCCs shall apply. For data subjects habitually resident in Switzerland, the law and courts of Switzerland are an alternative place of jurisdiction.

Appendix B

UK STANDARD CONTRACTUAL CLAUSES

The Parties agree that to the extent there are transfers of Personal Data from the United Kingdom, and the mechanisms referenced in Clause 7.2 (i) or (ii) of this DPA do not apply, the UK SCCs shall apply and shall be incorporated hereby by reference.

In addition, where the UK SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

Part 1 – Tables:

• Table 1: For the purposes of Table 1 of the UK SCCs, the names of the parties, their roles and their details shall be set out as per the details stated in this DPA and the Agreement.

• Table 2: For the purposes of Table 2 of the UK SCCs, the boxes shall be completed with the information Appendix A which sets out the version of the EU SCCs which this UK SCCs are appended to, including the selected modules, clauses, optional provisions and Appendix Information. For the avoidance of doubt, England and Wales laws shall apply and English courts shall have jurisdiction.

• Table 3: “Appendix Information” is completed as set out in Annexes 1, 2 and 3 of this DPA.

• Table 4: For the purposes of Table 4, the parties agree that neither the Importer nor the Exporter may end the UK Addendum as set out in Section 19.

Part 2 Mandatory Clauses:

Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18 of those Mandatory Clauses, are incorporated by reference.

Appendix C

CCPA ADDENDUM

This CCPA Addendum complements the DPA between Panaseer and Customer, and shall apply only to the extent Panaseer processes personal information of Californian residents that Customer provides or makes available to Panaseer in connection with the Agreement.

1. Definitions

i. The terms “consumer”, “device”, “personal information”, “processing”, “sell”, “service provider” and “third party” shall have the meaning ascribed to them in the CCPA. For the avoidance of doubt, ‘personal information’ includes, but is not limited to, the types of data described in Annex A to the DPA. Capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.
ii. “Permitted Service Provider” means third party service providers engaged by Panaseer to process Customer Personal Information on Panaseer’s behalf to assist in the performance of the Services that are set out in clause 8 of the DPA.
iii. “Personal Information” means all personal information of California residents that Customer provides or makes available to Panaseer, or that Panaseer otherwise processes on Customer’s behalf, in each case, in connection with Panaseer’s provision of the Services pursuant to the Agreement.

2. Processing of Personal Information

i. This Addendum applies to the collection, retention, use, disclosure, and sale of Personal Information.

ii. Customer is a business and appoints Panaseer as a service provider to process the Personal Information on behalf of Customer.

iii. Panaseer’s collection, retention, use, disclosure, or sale of Personal Information for its own purposes independent of Customer’s use of the Services specified in the Agreement are outside the scope of this Addendum.

iv. Panaseer will comply with the CCPA and treat all Personal Data subject to the CCPA in accordance with the provisions of the CCPA. Panaseer will not:

(a) sell Personal Information;
(b) retain, use or disclose any Personal Information for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing Personal Information for a commercial purpose other than providing the Services; or
(c) retain, use or disclose Personal Information outside of the direct business relationship between Panaseer and Customer.

v. The parties acknowledge and agree that the Processing of Personal Information authorized by Customer’s instructions described in the Agreement and the DPA is integral to and encompassed by Panaseer’s provision of the Services and the direct business relationship between the parties. The parties acknowledge and agree that Panaseer access to Customer’s Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

vi. To the extent that any usage data is considered Personal Information, Panaseer is the business with respect to such data and will Process such data in accordance with its privacy policy found at https://panaseer.com/privacy-policy/
vii. Panaseer and Customer certify that they understand and will comply with the obligations and restrictions set forth in the DPA and the Agreement as required under the CCPA.

Sub-processors

Current sub-processors as of July 2024

Data protection is a matter of trust and your trust is important to us. We respect your privacy and personal space.

The protection and the lawful collection, processing and use of your personal data is therefore an important concern. To ensure that you feel secure when visiting our website or otherwise engaging with our company, we want you to know that we strictly observe the legal obligations set forth in the GDPR and the national data protection laws. We would like to inform you here about our data collection and data use as it pertain to Panaseer’s compliance with GDPR regulations.

For us, data protection is a corporate matter of high priority and we only work with partners who can also demonstrate an appropriate level of data protection. We only process your data if you have given us your consent. This consent may be implicit — based on the existence of a prior contact or a potential or active contract. Otherwise, it will be explicit — based on your expression of desire to have us process data to further a legitimate business interest.

We are pleased to inform you in detail about the handling of your data within our company. Following this introduction, we present to you Panaseer’s data protection policy which covers both the currently applicable national legal framework and the requirements of the General Data Protection Regulation (GDPR) valid throughout Europe from 25 May 2018.
You can print or save this document by using the usual functionality of your browser. The following data protection declaration explains which data is collected, which data we process, and ultimately, how we use, hold, correct, and dispose of data.

I. Name and address of the data controller
The data controller as defined in the General Data Protection Regulation and other national data protection laws, as well as other data protection regulations, is:
Mark Ashworth
Email: DPO@Panaseer.com

II. General information on data processing
1. Scope of processing of personal data
We only collect and use personal data of our customers, employees, contractors, applicants and website users insofar as this is necessary to pursue the mission statement of our organisation to provide high-quality products, services and information to the public. The collection and use of personal data takes place routinely only with individuals’ express or implied consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is otherwise permitted by law.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) shall serve as the legal basis for the processing of personal data.
In the processing of personal data required for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR shall serve as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR shall serve as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR shall serve as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
3. Data erasure and storage time
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by laws or other provisions to which the data controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

III. Provision of the website and creation of log files
1. Description and scope of data processing
Every time you visit our website, our system automatically collects data and information from the computer system of the calling computer.
The following data may be collected:
• Information about the browser type and version used
• The user’s operating system
• The user’s Internet service provider
• The IP address of the user
• Date and time of access
• Websites from which the user’s system reaches our website
• Websites accessed by the user’s system through our website
• Country and language settings of the browser (control page)
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this the IP address of the user must remain stored for the duration of the session.
The data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes also constitute our justified interest in processing personal data as per Art. 6 para. 1 lit. f GDPR.
4. Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the event that data is collected in order to make the website available, this is the case once each session has ended.
If the data is stored in log files, this will happen after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
5. Right to objection and removal
Collecting the data in order to make the website available, and saving this data in log files, is necessary in order to operate the website. Therefore, the user does not have a right to object to this.

IV. Use of cookies
a) Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is called up again. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.
The following data is stored and transmitted in the cookies:
• Language settings
• Country settings
• Session settings (Session ID)
We also use cookies on our website which enable an analysis of the user’s surfing behaviour.
This allows the following data to be transmitted:
• Search terms used
• Frequency of page views
• Use of website functions
• Subpages visited and session length
• How to get to and from our website
User data that is collected in this way is rendered pseudonymous by technical means. Therefore, it is no longer possible to assign the data to the visiting user. The data will not be stored together with other personal data of our users.
b) Targeting
On our websites, data is collected on the basis of cookie technology to optimise our advertising and the entire online offering. These data are not used to identify you personally, but serve only a pseudonymous evaluation of the use of the homepage. Your data will never be combined with the personal data stored by us. With this technology we can present you advertising and/or special offers and services whose content is based on the information obtained in connection with the clickstream analysis. Our aim is to make our online offer as attractive as possible for you and to present you with advertising that corresponds to your areas of interest.
c) Third party cookies
We may make use of some advertising partners who help to make the internet offer and the websites more interesting for you. For this reason, cookies from partner companies may also stored on your hard drive when you visit the websites. These are temporary/permanent cookies that are automatically deleted after a specified time. These temporary or permanent cookies (lifetime 14 days to 10 years) are stored on your hard disk and delete themselves after a specified time. We are dedicated to ensuring that the cookies of our partner companies also only contain pseudonymous mostly even anonymous data. Some of our advertising partners may also collect information about which pages you have previously visited or which products you were interested in, for example, in order to be able to show you the advertising that best suits your interests. These pseudonymous data will never be combined with your personal data. Their sole purpose is to enable our advertising partners to address you with advertising that might actually be of interest to you.
d) How can you prevent the storage of cookies?
Depending on the browser used, you can set that a storage of cookies is only accepted if you agree. If you only want to accept the cookies we use, but not the cookies of our service providers and partners, you can select the setting in your browser “Block third party cookies”. Usually, the help function in the menu bar of your web browser shows you how you can reject new cookies and deactivate cookies already received. We recommend that you always log out completely of shared computers that are set so that cookies and flash cookies are accepted.
e) Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR.
f) Purpose of data processing
The purpose of implementing technically necessary cookies is to make it easier for users to use the websites. Some of the features on our website cannot be offered without the use of cookies. It must be possible to recognise the browser even after the user goes to a new page on the site.
We use cookies for the following applications:
• Adjusting language settings
• Country settings
• Visitor recognition (session handling)
The user data collected by technically necessary cookies are not used to create user profiles.
The analysis cookies are used to improve the quality of our website and its content. The analysis cookies tell us how the website is being used, which allows us to continuously improve our offerings.
These purposes also constitute our justified interest in processing personal data as per Art. 6 Sec. 1 lt. f GDPR.
g) Duration of storage, possibility of objection and elimination
Cookies are stored on the user’s computer and transmitted to our site. Therefore, you as a user also have complete control over the use of cookies. You can adjust your web browser’s settings in order to disable or limit the transmission of cookies. Previously saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, you may not be able to use all of the website’s features to their fullest extent.

V. Newsletter or Other Corporate Outreach
1. Description and scope of data processing
On our website, we may offer users the opportunity to register by providing personal data. The registration can be realised in different ways (e.g. via telephone, email, through personal contact at trade fairs, submission of business cards, personal contact, etc.). If you are registering on our website, the data is entered into an input screen and transmitted to us and saved. In other cases, our employees enter the data into our systems. The data will not be passed on to third parties unless you consent.
The following data may be collected during the registration process:
• Company
• VAT ID
• Industry
• Title
• First name
• Last name
• Street
• House number
• Postcode
• City
• Region
• Country
• Phone number
• Fax number
• E-mail
• Topic of the message
• Message
If the customer has logged utilizing access data, he or she can send a message and check the box for sending the newsletter. The following data is collected:
• Topic of the message
• Message
If the user is not yet registered, he or she will be registered in this process.
In addition, the following data is collected upon registration:
• Date and time of registration
During the registration process, your consent is obtained for the processing of the data and reference is made to this data protection declaration.
If you actively request information on our website or email us with an inquiry, we may subsequently use your contact data to send you a newsletter. In such a case, the newsletter sent will only contain information relative to our company and its offerings. In addition, the newsletter will also contain an “unsubscribe” function. This will denote your right to “opt-out” and revoke your prior consent.
Apart from use for our email marketing tool (i.e., Salesforce), data is not passed on to third parties in connection with data processing for sending newsletters. The data will be used exclusively for sending the newsletter or making other direct contact with you as contemplated by the type of contact you made with the company.
2. Legal basis for data processing
The legal basis for the processing of the data after registration for the newsletter by the user is Art. 6 para. 1 lit. a GDPR.
3. Purpose of data processing
The collection of the user’s e-mail address serves to send the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used.
4. Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The other personal data collected during the registration process will generally be deleted after a period of seven days.
5. Right to objection and removal
The subscription to the newsletter or other contacts may be cancelled by the user concerned at any time. For this purpose there is a corresponding link available in every newsletter or electronic message issued by our company.

VI. Registration
1. Description and scope of data processing
On our website, we offer users the opportunity to register by providing personal data. The data is entered into an input screen and transmitted to us and saved. The data will not be passed on to third parties. The following data is collected during the registration process:
At the time of registration, the following data is also stored:
• Company
• VAT ID
• Industry
• Title
• First name
• Last name
• Street
• House number
• Postcode
• City
• Region
• Country
• Phone number
• Fax number
• E-mail
• Date and time of registration
In the course of the registration process, the user’s consent to the processing of this data is obtained.
2. Legal basis for data processing
The legal basis for processing the data is Art. 6 para. 1 lit. a, b GDPR if the user has given his or her consent.
3. Purpose of data processing
A registration of the user is necessary for the provision of certain contents and services offered by our company.
Similarly, a registration of the user is necessary for the fulfilment of a contract with the user or for the execution of pre-contractual measures.
4. Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
This is the case for those data collected during the registration process to fulfil a contract or to carry out pre-contractual measures when the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data of the contractual partner in order to fulfil contractual or legal obligations.
5. Right to objection and removal
As a user you have the possibility to cancel the registration at any time. You can change the data stored about you at any time.
You can change or adapt the data in the following ways:
• By phone
• By mail
• By email
• Some data on the website may be changed
If the data is required to fulfil a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as there are no contractual or statutory obligations to the contrary.

VII. Contact form and e-mail contact
1. Description and scope of data processing
A contact form is available on our website which can be used for electronic contact. If a user accepts this possibility, the data entered in the input screen will be transmitted to us and stored. This data may include:
• Company
• VAT ID
• Industry
• Title
• First name
• Last name
• Street
• House number
• Postcode
• City
• Region
• Country
• Phone number
• Fax number
• E-mail
• Topic of the message
• Message
• Date and time of contact
If the user has logged in with his or her access data, the following data will be stored:
• Topic of the message
• Message
• Date and time of contact
Your consent is obtained for the processing of the data during the sending process and reference is made to this Privacy Policy.
Alternatively, you can contact us via the e-mail address provided. In that case, the user’s personal data transmitted by e-mail will be stored.
In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.
2. Legal basis for data processing
The legal basis for the processing of data is Art. 6 para. 1 lit. a GDPR with the user’s consent.
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, then additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
3. Purpose of data processing
The processing of the personal data from the input mask only serves the aim of handling the establishment of contact. In the event of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input screen of the contact form and those that were sent by e-mail, this is the case when the respective conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.
The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.
5. Right to objection and removal
The user has the possibility to revoke his or her consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued.
The revocation of the consent and the objection of the storage can take place as follows:
• By phone
• By mail
• By email
All personal data stored in the course of contacting us will be deleted in this case.

VIII. Disclosure of your data to third parties
In order to make our website as user-friendly and convenient as possible, we occasionally use the services of external service providers. Panaseer has vetted our website service provider and believes that they are also compliant with their privacy obligations under the law. Our due diligence includes the confirmation that our critical business partners also comply with their obligations under GDPR.
Data processing is carried out on the legal basis of Art. 6 para.1 lit f (legitimate interest) of the EU General Data Protection Regulation (EU GDPR). Our legitimate interest comprises the optimisation of our online offerings and our website. Because the privacy of our visitors is of paramount importance to us, the IP address is anonymised as early as possible and login or device IDs are converted into a unique key that is not assigned to a person. We are assured that our website service provider does not use it for any other purpose, combine it with other data or pass it on to third parties.
You can object to the aforementioned data processing at any time, as far as it is person-specific. Your objection has no detrimental consequences for you.

IX. Rights of the data subject
Where your personal data is processed, you are deemed a data subject as defined in the GDPR and you have the following rights vis-a-vis the controller:
1. Right to information
You can request confirmation from the controller about whether your personal data is being processed by us.
If such processing has taken place, you can request the following information from the controller:
• the purposes for which the personal data is being processed;
• the categories of personal data being processed;
• the recipients and/or categories of recipients to whom your personal data has been or will be disclosed;
• the planned storage period for your personal data or, if no concrete information can be provided in this regard, criteria for determining the storage period;
• the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• any available information on the origin of the data if the personal data are not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information about whether your personal data is transmitted to a non-EU country or an international organization. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
2. Right to rectification
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The controller shall make the correction without undue delay.
3. Right to restriction of processing
Under the following conditions, you may request that the processing of your personal data be restricted:
• if you dispute the accuracy of the personal data concerning you for a period of time that enables the data controller to verify the accuracy of the personal data;
• the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
• the controller no longer needs the personal data for the purposes of the processing, but you do need them to assert, exercise or defend legal claims, or
• if you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If the processing of your personal data has been limited, this data – aside from its storage – may only be processed with your consent or in order to assert, exercise or defend legal claims or to protect the rights of another natural or legal person, or for the sake of an important public interest of the Union or a member state.
If the processing restriction has been imposed according to the aforementioned conditions, you will be informed by the data controller before the restriction is lifted.
4. Right to deletion
a) Obligation to delete data
You may request the data controller to delete the personal data relating to you without delay and the controller is obligated to delete this data without delay if one of the following reasons applies:
• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You revoke your consent, on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
• You file an objection against the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 para. 2 GDPR.
• The personal data concerning you have been processed unlawfully.
• Your personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
• Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
b) Information to third parties
If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of the personal data.
c) Exemptions
The right to deletion does not exist insofar as the processing is necessary
• for exercising freedom of expression and information;
• for compliance with a legal obligation which requires processing under a law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to under a) is likely to render impossible or seriously impair the attainment of the objectives of such processing, or
• to assert, exercise or defend legal claims.
5. Right to information
If you have exercised your right to have the data controller correct, delete or limit the processing, he/she is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
The controller is entitled to be informed of such recipients.
6. Right to data transferability
You have the right to receive your personal data that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another controller without hindrance by the controller to whom the personal data was provided, as long as
• the processing is based on a declaration of consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
• processing is carried out using automated methods.
In exercising this right, you also have the right to request that your personal data be transferred directly from one data controller to another, insofar as this is technically feasible. This should not impair other people’s freedoms or rights.
The right to transferability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
The data controller no longer processes the personal data concerning you, unless he or she can prove compelling reasons worthy of protection for the processing, which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If your personal data is being processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling where this is connected to such direct marketing.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the possibility to exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.
8. Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. Revoking your consent will not affect the legality of any processing that took place before the revocation.
9. Automated decision in individual cases including profiling
Although Panaseer does utilize automation to process personal data, you are advised that you have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision
• is necessary for the conclusion or performance of a contract between you and the controller,
• is admissible by law of the Union or of the Member States to which the controller is subject and that law contains appropriate measures to safeguard your rights, freedoms and legitimate interests, or
• with your express consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g applies, and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
In the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state his or her point of view and to challenge the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the country where you reside, work or suspect of infringement, if you believe that the processing of your personal data is contrary to the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

X. Conclusion:
We sincerely hope this helps outline your rights and our obligations vis-a-vis your privacy and that you will trust Panaseer to ensure the proper handling of any personal information you provide to us.

This privacy policy applies between you, the User of this Website and Panaseer Limited, the owner and provider of this Website. Panaseer Limited takes the privacy of your information very seriously. This privacy policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website. Please read this privacy policy carefully.

1. Definitions and interpretation
1.1. In this privacy policy, the following definitions are used:
Data – collectively all information that you submit to Panaseer Limited via the Website or by any other means. This definition incorporates, where applicable, the definitions provided in the UK General Data Protection Regulation and the Data Protection Act 2018;
Cookies – a small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in the clause below (Cookies);
Panaseer Limited, we or us – Panaseer Limited, a company incorporated in England and Wales with registered number 09098199 whose registered office is at Ashcombe Court, Woolsack Way, Godalming, Surrey, GU7 1LQ;
UK and EU Cookie Law – the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011;
User or you – any third party that accesses the Website and is not either (i) employed by Panaseer Limited and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Panaseer Limited and accessing the Website in connection with the provision of such services; and Website – the website that you are currently using, www.panaseer.com, and any sub-domains of this site unless expressly excluded by their own terms and conditions.
1.2. In this privacy policy, unless the context requires a different interpretation:
1.2.1. the singular includes the plural and vice versa;
1.2.2. references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy;
1.2.3. a reference to a person includes firms, companies, government entities, trusts and partnerships;
1.2.4. “including” is understood to mean “including without limitation”;
1.2.5. reference to any statutory provision includes any modification or amendment of it;
1.2.6. the headings and sub-headings do not form part of this privacy policy.

2. Scope of this privacy policy
2.1. This privacy policy applies only to the actions of Panaseer Limited and Users with respect to this Website. It does not extend to any websites that can be accessed from this Website including, but not limited to, any links we may provide to social media websites.

3. Data collected
3.1. We may collect the following Data, which includes personal Data, from you:
3.1.1. Name
3.1.2. Job Title;
3.1.3. Profession;
3.1.4. Contact Information such as email addresses and telephone numbers;
3.1.5. IP address (automatically collected);
3.1.6. Web browser type and version (automatically collected);
3.1.7. Operating system (automatically collected);
3.1.8. A list of URLs starting with a referring site, your activity on this Website, and the site you exit to (automatically collected);
in each case, in accordance with this privacy policy.

4. Our use of Data
4.1. For purposes of the Data Protection Act 1998, Panaseer Limited is the “data controller”.
4.2. We will retain any Data you submit for 12 months.
4.3. Unless we are obliged or permitted by law to do so, and subject to any third party disclosures specifically set out in this policy, your Data will not be disclosed to third parties. This does not include our affiliates and / or other companies within our group.
4.4. All personal Data is stored securely in accordance with the principles of the Data Protection Act 1998. For more details on security see the clause below (Security).
4.5. Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:
4.5.1. internal record keeping;
4.5.2. improvement of our products / services;
4.5.3. transmission by email of promotional materials that may be of interest to you;
4.5.4. contact for market research purposes which may be done using email, telephone, fax or mail. Such information may be used to customise or update the Website;
in each case, in accordance with this privacy policy.

5. Third party websites and services
5.1. Panaseer Limited may, from time to time, employ the services of other parties for dealing with certain processes necessary for the operation of the Website. The providers of such services do not have access to certain personal Data provided by Users of this Website.

6. Links to other websites
6.1. This Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.

7. Changes of business ownership and control
7.1. Panaseer Limited may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of Panaseer Limited. Data provided by Users will, where it is relevant to any part of our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the Data for the purposes for which it was originally supplied to us.
7.2. We may also disclose Data to a prospective purchaser of our business or any part of it.
7.3. In the above instances, we will take steps with the aim of ensuring your privacy is protected.

8. Controlling use of your Data
8.1. Wherever you are required to submit Data, you will be given options to restrict our use of that Data. This may include the following:
8.1.1. use of Data for direct marketing purposes; and
8.1.2. sharing Data with third parties.

9. Functionality of the Website
9.1. To use all features and functions available on the Website, you may be required to submit certain Data.
9.2. You may restrict your internet browser’s use of Cookies. For more information see the clause below (Cookies).

10. Accessing your own Data
10.1. You have the right to ask for a copy of any of your personal Data held by Panaseer Limited (where such Data is held) on payment of a small fee, which will not exceed £10.

11. Security
11.1. Data security is of great importance to Panaseer Limited and to protect your Data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure Data collected via this Website.
11.2. If password access is required for certain parts of the Website, you are responsible for keeping this password confidential.
11.3. We endeavour to do our best to protect your personal Data. However, transmission of information over the internet is not entirely secure and is done at your own risk. We cannot ensure the security of your Data transmitted to the Website.

12. Cookies
12.1. This Website may place and access certain Cookies on your computer. Panaseer Limited uses Cookies to improve your experience of using the Website. Panaseer Limited has carefully chosen these Cookies and has taken steps to ensure that your privacy is protected and respected at all times.
12.2. All Cookies used by this Website are used in accordance with current UK and EU Cookie Law.
12.3. Before the Website places Cookies on your computer, you will be presented with a message bar requesting your consent to set those Cookies. By giving your consent to the placing of Cookies, you are enabling Panaseer Limited to provide a better experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however certain features of the Website may not function fully or as intended.
12.4. This Website may place the following Cookies:
Strictly necessary cookies – These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
Analytical/performance cookies – They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
12.5. You can choose to enable or disable Cookies in your internet browser. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser.
12.6. You can choose to delete Cookies at any time; however you may lose any information that enables you to access the Website more quickly and efficiently including, but not limited to, personalisation settings.
12.7. It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.

13. Transfers outside the European Economic Area
13.1. Data which we collect from you may be stored and processed in and transferred to countries outside of the European Economic Area (EEA). For example, this could occur if our servers are located in a country outside the EEA or one of our service providers is situated in a country outside the EEA. We also share information with our group companies, some of which are located outside the EEA. These countries may not have data protection laws equivalent to those in force in the EEA.
13.2. If we transfer Data outside the EEA in this way, we will take steps with the aim of ensuring that your privacy rights continue to be protected as outlined in this privacy policy. You expressly agree to such transfers of Data.

14. General
14.1. You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.
14.2. If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.
14.3. Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
14.4. This privacy policy is governed by and interpreted according to English law. All disputes arising under this privacy policy are subject to the exclusive jurisdiction of the English courts.

15. Changes to this privacy policy
15.1. Panaseer Limited reserves the right to change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the privacy policy on your first use of the Website following the alterations.

You may contact Panaseer Limited by email at info@panaseer.com.
November 01 2023

FAQs

These FAQs address the issues that matter to our customers and prospects. If you can’t find what you’re looking for, then get in touch.

Has Panaseer achieved ISO27001 certification?

Yes, we have. We were re-certified in November 2023 and a copy of our Statement of Applicability; ISO certificate is displayed in this section of the website and our external audit report summary is available upon request under NDA.

Does Panaseer have a risk management framework?

Yes, we are aligned to ISO31000.

Does Panaseer have formal information security policies that are reviewed at least annually?

Yes, we have policies covering all aspects of information security that form a part of our ISMS (Information Security Management System). At a high level, these policies include; Starters and leavers; Cryptography; BYOD; Anti-virus; Cloud security; Supplier management; Risk management; Vulnerability management; Incident management; Asset management; and more.

Is Panaseer cloud-based and what cloud service provider do you use?

Yes, our solution is SAAS (Software as a Service) and is hosted in AWS (Amazon Web Services). We have regions in the EU (European Union), US, and Canada which provides digital sovereignty for our clients operating out of those regions.

Will my organization’s data be encrypted?

Yes, all data is encrypted at rest (AES 256) and in transit (TLS – Transport Layer Security – 1.2).

Does Panaseer conduct disaster recovery tests at least annually?

Yes, annually. These summarized reports are available upon request under a MNDA.

Does Panaseer have somebody managing its Information Security Management System full-time?

Yes, our ISMS is managed by our full-time Information Security Manager.

Does Panaseer perform regular backups and are they encrypted and tested?

Yes, we perform regular backups, and are fully encrypted and tested.

Does Panaseer have a Secure Development Lifecycle program?

Yes, we follow OWASP10 best practices and our SSDLC (Secure system development lifecycle) is fully embedded in our development workflow and all developers are trained both on the SSDLC and the OWASP10.

Does Panaseer conduct mandatory security training for all staff?

Yes, all staff are trained twice a year, and the training is mandatory. The training covers all the core aspects of information security and privacy.

Does Panaseer have a business continuity plan?

Yes, and it is tested over the course of three years in full. We also conduct yearly tabletop exercises as well as yearly disaster recovery testing.

Does Panaseer conduct vulnerability scans?

Yes, we conduct regular DAST (Dynamic application security testing), SAST (Static application security testing) and dependency scanning across our environments and all findings are subject to our remediation policy. We have a dedicated team that tracks open vulnerabilities.

Does Panaseer conduct regular internal and external audits?

Yes, we have our own technical internal audits, we also hire specialized consultants to audit our ISMS and we have external auditors for our ISO27001 certification.

Is there an incident management process and will Panaseer disclose a serious breach in a timely manner?

Yes, we have a very thorough incident management process which is tested and audited. We would notify a customer in the event of a breach within 24 hours.

Is Panaseer compliant with privacy laws/regulations?

Yes, we are, and we conducted a full GDPR (General Data Protection Regulation) gap analysis in 2022.

Is Panaseer covered by cyber insurance?

Yes, we are. We have adequate multi-layered cyber insurance in place with reputable insurers.

Does Panaseer conduct regular penetration testing?

Yes, annually, or when a major change occurs. These reports are available upon request under NDA, and any findings are subject to our remediation policy.

Does Panaseer monitor its suppliers for security-related risk?

Yes, we have a supplier relationship process whereby we screen all suppliers and monitor them.

Do Panaseer employees undergo background checks?

Yes, all Panaseer employees who handle client data undergo full background checks.

Does Panaseer have a change control policy?

Yes, this is covered in our SSDLC. In short, all changes must have approval.

Are Panaseer’s endpoints protected from malware and other security risks?

Yes, our entire estate is protected from malware, patched regularly, encrypted, and has MFA (Multi-Factor Authentication) and SSO.

Which sub-processors does Panaseer use and how is my data processed with them?

We use AWS as our Cloud Service Provider, Snowflake as our data warehouse, and Pendo as our User Analytics platform. These are essential sub-processors to ensure our Platform is delivered as efficiently as possible. All sub-processors have undergone due diligence and a data protection impact assessment has been conducted. These are available upon request under a mutual non-disclosure agreement.

AWS hosts our Infrastructure (IAAS), Snowflake mirrors this environment and Pendo collects usernames and user behavior, it does not collect any vulnerability data.