Terms and Conditions


This Daml Hub BETA Terms of Service (the “Agreement”), is made and entered into by and between DA and the entity or person agreeing to these terms ("Customer"). “DA” means Digital Asset Holdings, LLC, a Delaware Limited Liability Company with offices at 4 World Trade Center, 150 Greenwich St., 47th Floor, New York, NY 10007.

This Agreement is effective as of the date Customer clicks to accept the Agreement (the "Effective Date"). If you are accepting on behalf of Customer, you represent and warrant that: (i) you have full legal authority to bind Customer to this Agreement; (ii) you have read and understand this Agreement; and (iii) you agree, on behalf of Customer, to this Agreement. If you do not have the legal authority to bind Customer, please do not click to accept. This Agreement governs Customer's access to and use of the Service. If you sign a separate agreement with DA with respect to the Services, such separate agreement shall govern your use of the Services.

1. Provision of the Services.

1.1 Services Use. Subject to this Agreement, during the Term, Customer may: (a) use the Services and (b) integrate the Services into any Application that has material value independent of the Services. Customer may not sublicense or transfer these rights except as permitted under the Assignment section of the Agreement.

1.2 Modifications.

a. To the Services. DA may make commercially reasonable updates to the Services from time to time.

b. To the Agreement. DA may make changes to this Agreement, including pricing (and any linked documents) from time to time. Unless otherwise noted by DA, material changes to the Agreement will become effective 30 days after they are posted, except if the changes apply to new functionality in which case they will be effective immediately.

c. To the Data Processing Annex. DA may only change the Data Processing Annex where such change is required to comply with applicable law, applicable regulation, court order, or guidance issued by a governmental regulator or agency, where such change is expressly permitted by the Data Processing Annex, or where such change:

(i) is commercially reasonable;

(ii) does not result in a degradation of the overall security of the Services;

(iii) does not expand the scope of or remove any restrictions on DA's processing of Customer Personal Data, as described in Section 4 (Scope of Processing) of the Data Processing Annex; and

(iv) does not otherwise have a material adverse impact on Customer's rights under the Data Processing Annex.

If DA makes a material change to the Data Processing Annex in accordance with this Section, DA will post the modification to the URL containing those terms.

1.3 Data Processing Annex. The Data Processing Annex is incorporated by this reference into the Agreement.

1.4 Eligibility. The Services are not targeted towards, nor intended for use by, anyone under the age of 16. By using the Services, Customer represents and warrants that they are 16 years of age or older. If Customer is under the age of 16, Customer may not, under any circumstances or for any reason, use the Services. DA may, in its sole discretion, refuse to offer the Services to any person or entity and change its eligibility criteria at any time. Customer is solely responsible for ensuring that this Terms of Service is in compliance with all laws, rules and regulations applicable to Customer and the right to access the Services is revoked where this Terms of Service or use of the Services is prohibited or to the extent offering, sale or provision of the Services conflicts with any applicable law, rule or regulation.

2. Payment Terms.

2.1 Online Billing. If Customer is using the free tier of the Services, Customer will can create up to 3 free ledgers (the "Free Allocation"). If Customer has signed up to become a "Daml Hub Pro" member, at the end of each calendar month following the date on which Customer becomes a "Daml Hub Pro" member, DA will automatically charge the credit card or debit card provided by Customer a price of $99 per month plus $0.01 per Ledger Minute and $0.025 per Ledger Event in excess of the Free Allocation. If Customer has entered into a separate agreement with DA for a "Daml Hub Enterprise" subscription, the pricing for such subscription shall be set forth in such separate agreement.

2.3 Taxes.

Customer is responsible for any duties, customs fees, taxes, and related penalties, fines, audits, interest and back-payments relating to Customer’s purchase of the Services, including but not limited to national, state or local sales taxes, use taxes, value-added taxes (VAT) and goods and services taxes (GST) (collectively, "Taxes"). DA's standard pricing policies do not include and are not discounted or enhanced for any such Taxes. If DA becomes obligated to collect or pay Taxes in connection with Customer's purchase of the Services, those Taxes will be invoiced to that Customer as part of a billing process or collected at the time of purchase. In certain states, countries and territories, DA may determine if Customer's purchase of Services is subject to certain Taxes, and if so, may collect such Taxes and remit them to the appropriate taxing authority. If Customer believes that a given tax does not apply or that some amount must be withheld from payments to DA, Customer must promptly provide DA with a tax certificate, withholding receipt, tax identifier (e.g., VAT ID) or other adequate proof, provided such information is valid and sufficiently authorized by all appropriate taxing authorities. Customer must also provide DA with any tax identification information that is necessary for DA to comply with DA's tax obligations, as determined by DA from time to time. Customer will be solely responsible for any misrepresentations made or non-compliance caused by Customer regarding Taxes, whether with respect to DA or other parties, including any penalties, fines, audits, interest, back-payments or further taxes associated with such misrepresentations or non-compliance.

2.4 Invoice Disputes & Refunds. Any invoice disputes must be submitted prior to the payment due date. If the parties determine that certain billing inaccuracies are attributable to DA, DA will not issue a corrected invoice, but will instead issue a credit memo specifying the incorrect amount in the affected invoice. If the disputed invoice has not yet been paid, DA will apply the credit memo amount to the disputed invoice and Customer will be responsible for paying the resulting net balance due on that invoice. To the fullest extent permitted by law, Customer waives all claims relating to Fees unless claimed within sixty days after charged (this does not affect any Customer rights with its credit card issuer). Refunds (if any) are at the discretion of DA and will only be in the form of credit for the Services. Nothing in this Agreement obligates DA to extend credit to any party.

2.5 Suspension. If Customer is late on payment for the Services, DA may Suspend the Services or terminate the Agreement for breach pursuant to Section 8.2.

3. Customer Obligations.

3.1 Compliance. Customer is solely responsible for its Applications and Customer Data and for making sure its Applications and Customer Data comply with the AUP. DA reserves the right to review the Application and Customer Data for compliance with the AUP. Customer is responsible for ensuring all Customer End Users comply with Customer's obligations under the AUP, the Service Specific Terms, and the restrictions in Sections 3.3 and 3.5 below.

3.2 Privacy. Customer will obtain and maintain any required consents necessary to permit the processing of Customer Data under this Agreement.

3.3 Restrictions. Customer will not, and will not allow third parties under its control to: (a) copy, modify, create a derivative work of, reverse engineer, decompile, translate, disassemble, or otherwise attempt to extract any or all of the source code of the Services (subject to Section 3.4 below and except to the extent such restriction is expressly prohibited by applicable law); (b) use the Services for High Risk Activities; (c) sublicense, resell, or distribute any or all of the Services separate from any integrated Application; (d) create multiple Applications or Accounts to simulate or act as a single Application or Account, (respectively) or otherwise access the Services in a manner intended to avoid incurring Fees or exceed usage limits or quotas; (e) use the Services to operate or enable any telecommunications service or in connection with any Application that allows Customer End Users to place calls or to receive calls from any public switched telephone network; or (f) process or store any Customer Data that is subject to the International Traffic in Arms Regulations maintained by the Department of State. DA does not intend use of the Services to create obligations under HIPAA, and makes no representations that the Services satisfy HIPAA requirements. If Customer is (or becomes) a Covered Entity or Business Associate, as defined in HIPAA, Customer will not use the Services for any purpose or in any manner involving Protected Health Information (as defined in HIPAA) unless Customer has received prior written consent to such use from DA.

3.4 Third Party Components. Third party components (which may include open source software) of the Services may be subject to separate license agreements. To the limited extent a third party license expressly supersedes this Agreement, that third party license governs Customer's use of that third party component.

3.5 Documentation. DA may provide Documentation for Customer's use of the Services. The Documentation may specify restrictions on how the Applications may be built or the Services may be used and Customer will comply with any such restrictions specified.

4. Suspension.

4.1 AUP Violations. If DA becomes aware that Customer's or any Customer End User's use of the Services violates the AUP, DA will give Customer notice of the violation by requesting that Customer correct the violation. If Customer fails to correct the violation within 24 hours of DA's request, then DA may Suspend all or part of Customer's use of the Services until the violation is corrected.

4.2 Other Suspension. Notwithstanding Section 4.1 (AUP Violations) DA may immediately Suspend all or part of Customer's use of the Services if: (a) DA believes Customer's or any Customer End User's use of the Services could adversely impact the Services, other customers' or their end users' use of the Services, or the DA network or servers used to provide the Services, which may include use of the Services for cryptocurrency mining without DA's prior written approval; (b) there is suspected unauthorized third-party access to the Services; (c) DA believes it is required to Suspend immediately to comply with applicable law; or (d) Customer is in breach of Section 3.3 (Restrictions). DA will lift any such Suspension when the circumstances giving rise to the Suspension have been resolved. At Customer's request, unless prohibited by applicable law, DA will notify Customer of the basis for the Suspension as soon as is reasonably possible.

5. Intellectual Property Rights; Use of Customer Data; Feedback; Benchmarking.

5.1 Intellectual Property Rights. Except as expressly set forth in this Agreement, this Agreement does not grant either party any rights, implied or otherwise, to the other's content or any of the other's intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data and the Application, and DA owns all Intellectual Property Rights in the Services.

5.2 Use of Customer Data. DA will not access or use Customer Data, except as necessary to provide the Services.

5.3 Customer Feedback. If Customer provides DA Feedback about the Services, then DA may use that information without obligation to Customer, and Customer hereby irrevocably assigns to DA all right, title, and interest in that Feedback.

5.4 Benchmarking. Customer may not publicly disclose directly or through a third party the results of any comparative or compatibility testing, benchmarking, or evaluation (each, a "Test") of the Services.

6. Technical Support Services

6.1 By Customer. Customer is responsible for technical support of its Applications.

6.2 By DA. DA will not provide any technical support for the Services except as set forth in the Services addendum to this Agreement or a separate agreement between Customer and DA.

7. Confidential Information.

7.1 Obligations. The recipient will not disclose the Confidential Information, except to Affiliates, employees, agents or professional advisors who need to know it and who have agreed in writing (or in the case of professional advisors are otherwise bound) to keep it confidential. The recipient will ensure that those people and entities use the received Confidential Information only to exercise rights and fulfill obligations under this Agreement, while using reasonable care to keep it confidential.

7.2 Required Disclosure. Notwithstanding any provision to the contrary in this Agreement, the recipient may also disclose Confidential Information to the extent required by applicable Legal Process; provided that the recipient uses commercially reasonable efforts to: (i) promptly notify the other party of such disclosure before disclosing; and (ii) comply with the other party's reasonable requests regarding its efforts to oppose the disclosure. Notwithstanding the foregoing, subsections (i) and (ii) above will not apply if the recipient determines that complying with (i) and (ii) could: (a) result in a violation of Legal Process; (b) obstruct a governmental investigation; and/or (c) lead to death or serious physical harm to an individual. As between the parties, Customer is responsible for responding to all third party requests concerning its use and Customer End Users' use of the Services.

8. Term and Termination.

8.1 Agreement Term. The "Term" of this Agreement will begin on the Effective Date and continue until the Agreement is terminated as set forth in Section 8 of this Agreement.

8.2 Termination for Breach. Either party may terminate this Agreement for breach if: (i) the other party is in material breach of the Agreement and fails to cure that breach within thirty days after receipt of written notice; (ii) the other party ceases its business operations or becomes subject to insolvency proceedings and the proceedings are not dismissed within ninety days; or (iii) the other party is in material breach of this Agreement more than two times notwithstanding any cure of such breaches. In addition, DA may terminate any, all, or any portion of the Services if Customer meets any of the conditions in Section 8.2(i), (ii), and/or (iii).

8.3 Termination for Convenience. Customer may stop using the Services at any time. Customer may terminate this Agreement for its convenience at any time on prior written notice and upon termination, must cease use of the applicable Services. DA may terminate this Agreement for its convenience at any time without liability to Customer to the extent permitted by law.

8.4 Effect of Termination. If the Agreement is terminated, then: (i) the rights granted by one party to the other will immediately cease; (ii) all Fees owed by Customer to DA are immediately due upon receipt of the final electronic bill; (iii) Customer will delete any Application and any Customer Data; and (iv) upon request, each party will use commercially reasonable efforts to return or destroy all Confidential Information of the other party.

9. Publicity. Customer is permitted to state publicly that it is a customer of the Services, consistent with the Trademark Policy. DA may include Customer's name and logo in a list of DA customers, online or in promotional materials. DA may also verbally reference Customer as a customer of the Services. Neither party needs approval if it is repeating a public statement that is substantially similar to a previously-approved public statement.

10. Representations and Warranties. Each party represents and warrants that: (a) it has full power and authority to enter into the Agreement; and (b) it will comply with all laws and regulations applicable to its provision, or use, of the Services, as applicable.


12. Limitation of Liability.



12.3 Exceptions to Limitations. These limitations of liability do not apply to violations of a party's Intellectual Property Rights by the other party, indemnification obligations, or Customer's payment obligations.

13. Indemnification.

13.1 By Customer. Unless prohibited by applicable law, Customer will defend and indemnify DA and its Affiliates against Indemnified Liabilities in any Third-Party Legal Proceeding to the extent arising from: (i) any Application or Customer Data; or (ii) Customer's, or Customer End Users', use of the Services in violation of the AUP.

13.2 By DA. DA will defend and indemnify Customer and its Affiliates against Indemnified Liabilities in any Third-Party Legal Proceeding to the extent arising solely from an Allegation that use of DA's technology used to provide the Services infringes or misappropriates the third party's patent, copyright, trade secret, or trademark.

13.3 Exclusions. This Section 13 will not apply to the extent the underlying Allegation arises from:

a. the indemnified party's breach of this Agreement;

b. modifications to the indemnifying party's technology by anyone other than the indemnifying party;

c. combination of the indemnifying party's technology with materials not provided by the indemnifying party; or

d. use of non-current or unsupported versions of the Services;

13.4 Conditions. Sections 13.1 and 13.2 will apply only to the extent:

a. The indemnified party has promptly notified the indemnifying party in writing of any Allegation(s) that preceded the Third-Party Legal Proceeding and cooperates reasonably with the indemnifying party to resolve the Allegation(s) and Third-Party Legal Proceeding. If breach of this Section 13.4(a) prejudices the defense of the Third-Party Legal Proceeding, the indemnifying party's obligations under Section 13.1 or 13.2 (as applicable) will be reduced in proportion to the prejudice.

b. The indemnified party tenders sole control of the indemnified portion of the Third-Party Legal Proceeding to the indemnifying party, subject to the following: (i) the indemnified party may appoint its own non-controlling counsel, at its own expense; and (ii) any settlement requiring the indemnified party to admit liability, pay money, or take (or refrain from taking) any action, will require the indemnified party's prior written consent, not to be unreasonably withheld, conditioned, or delayed.

13.5 Remedies.

a. If DA reasonably believes the Services might infringe a third party's Intellectual Property Rights, then DA may, at its sole option and expense: (a) procure the right for Customer to continue using the Services; (b) modify the Services to make them non-infringing without materially reducing their functionality; or (c) replace the Services with a non-infringing, functionally equivalent alternative.

b. If DA does not believe the remedies in Section 13.5(a) are commercially reasonable, then DA may Suspend or terminate Customer's use of the impacted Services.

13.6 Sole Rights and Obligations. Without affecting either party's termination rights, this Section 13 states the parties' only rights and obligations under this Agreement for any third party's Intellectual Property Rights Allegations and Third-Party Legal Proceedings.

14. U.S. Federal Agency Users. The Services were developed solely at private expense and are commercial computer software and related documentation within the meaning of the applicable Federal Acquisition Regulations and their agency supplements.

15. Miscellaneous.

15.1 Notices. All notices must be in writing and addressed to the other party's legal department and primary point of contact. The email address for notices being sent to DA's Legal Department is legal@digitalasset.com. Notice will be treated as given on receipt as verified by written or automated receipt or by electronic log (as applicable).

15.2 Assignment. Neither party may assign any part of this Agreement without the written consent of the other, except to an Affiliate where: (a) the assignee has agreed in writing to be bound by the terms of this Agreement; (b) the assigning party remains liable for obligations under the Agreement if the assignee defaults on them; and (c) the assigning party has notified the other party of the assignment. Any other attempt to assign is void.

15.3 Force Majeure. Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

15.4 No Agency. This Agreement does not create any agency, partnership or joint venture between the parties.

15.5 No Waiver. Neither party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under this Agreement.

15.6 Severability. If any term (or part of a term) of this Agreement is invalid, illegal, or unenforceable, the rest of the Agreement will remain in effect.

15.7 No Third-Party Beneficiaries. This Agreement does not confer any benefits on any third party unless it expressly states that it does.

15.8 Equitable Relief. Nothing in this Agreement will limit either party's ability to seek equitable relief.


15.10 Amendments. Except as set forth in Section 1.2(b) or (c), any amendment must be in writing, signed by both parties, and expressly state that it is amending this Agreement.

15.11 Survival. The following Sections will survive expiration or termination of this Agreement: 5, 7, 8.4, 12, 13, and 15.

15.12 Entire Agreement. This Agreement sets out all terms agreed between the parties and supersedes all other agreements between the parties relating to its subject matter. In entering into this Agreement, neither party has relied on, and neither party will have any right or remedy based on, any statement, representation or warranty (whether made negligently or innocently), except those expressly set out in this Agreement. The terms located at a URL referenced in this Agreement and the Documentation are incorporated by reference into the Agreement. After the Effective Date, DA may provide an updated URL in place of any URL in this Agreement.

15.13 Conflicting Terms. If there is a conflict between the documents that make up this Agreement, the documents will control in the following order: the Agreement, and the terms at any URL. If DA provides this Agreement in more than one language for the country of your billing address, and there is a discrepancy between the English text and the translated text, the English text will govern.

15.14 Definitions.

  • "Account" means Customer's Daml Hub account.
  • "Affiliate" means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party.
  • "Allegation" means an unaffiliated third party's allegation.
  • "Application(s)" means any application Customer creates using the Services, including any source code written by Customer to be used with the Services.
  • "AUP" means the Acceptable Use Policy attached to this Agreement.
  • "Confidential Information" means information that one party (or an Affiliate) discloses to the other party under this Agreement, and which is marked as confidential or would normally under the circumstances be considered confidential information. It does not include information that is independently developed by the recipient, is rightfully given to the recipient by a third party without confidentiality obligations, or becomes public through no fault of the recipient. Subject to the preceding sentence, Customer Data is considered Customer's Confidential Information.
  • "Control" means control of greater than fifty percent of the voting rights or equity interests of a party.
  • "Customer Data" means content provided to DA by Customer (or at its direction) via the Services under the Account.
  • "Customer End Users" means the individuals Customer permits to use the Application.
  • "Data Processing Annex" means the Data Processing Annex attached to this Agreement.
  • "Documentation" means the documentation (as may be updated from time to time) in the form generally made available by DA to its customers for use with the Services https://hub.daml.com/docs.
  • "Feedback" means feedback or suggestions about the Services provided to DA by Customer.
  • "Fees" means the applicable fees for each Service and any applicable Taxes. The Fees are set forth here: https://hub.daml.com/pricing/
  • "High Risk Activities" means activities where the use or failure of the Services could lead to death, personal injury, or environmental damage (such as operation of nuclear facilities, air traffic control, life support systems, or weaponry).
  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996 as it may be amended from time to time, and any regulations issued under it.
  • "Indemnified Liabilities" means any (i) settlement amounts approved by the indemnifying party; and (ii) damages and costs finally awarded against the indemnified party and its Affiliates by a court of competent jurisdiction.
  • "Intellectual Property Rights" means current and future worldwide rights under patent, copyright, trade secret, trademark, and moral rights laws, and other similar rights.
  • "Legal Process" means a data disclosure request made under law, governmental regulation, court order, subpoena, warrant, governmental regulatory or agency request, or other valid legal authority, legal procedure, or similar process.
  • "Services" means the Daml Hub service.
  • "SLA" means the service levels set forth in the Service Level Annex attached to this
  • "Suspend" or "Suspension" means disabling or limiting access to or use of the Services or components of the Services.
  • "Taxes" means any duties, customs fees, or taxes (other than DA's income tax) associated with the purchase of the Services, including any related penalties or interest.
  • "Term" has the meaning set forth in Section 9 of this Agreement.
  • "Third-Party Legal Proceeding" means any formal legal proceeding filed by an unaffiliated third party before a court or government tribunal (including any appellate proceeding).

Acceptable Use Policy

Your use of the Service is subject to this Acceptable Use Policy. Capitalized terms have the meaning given to them in the Agreement between You and DA.

You agree not to, and to not allow third parties to use, the Service:

  • to violate, or encourage the violation of, the legal rights of others (including, without limitation, storage or transmittal of any material that violates the Intellectual Property Rights of any entity or person);
  • to engage in, promote or encourage illegal activity;
  • to engage in the purchase, sale, or other transaction of any asset or other item that would violate or cause DA to violate any applicable law, including without limitation, the Securities Exchange Act of 1934;
  • for any unlawful, invasive, infringing, offensive, defamatory or fraudulent purpose;
  • to store or transmit infringing, offensive, libelous, or otherwise unlawful or tortious material, (including any materials which illegal, obscene, indecent, defamatory, incites racial or ethnic hatred, violates the rights of any entity or person, harms or threatens the safety of any entity or person or may otherwise constitute a breach of any applicable law);
  • to intentionally store or distribute Malicious Code or any items of a destructive or deceptive nature;
  • to interfere with the use of the Service, or the equipment used to provide the Service, by DA's other clients;
  • to disable, interfere with or circumvent any aspect of the Service;
  • to generate, distribute, publish or facilitate unsolicited emails, promotions, advertisements or other solicitations; or
  • to use the Service, or any interfaces provided with the Service, to access any other products or services of DA or its subcontractors in a manner that violates the terms of service of such other product or service.

Service Levels

General Service Commitment

If Customer is using the free tier of the Services, Customer is not entitled to any support or service level commitments for its use of the Services.

If Customer is a "Daml Hub Pro" subscriber, DA will use commercially reasonable efforts to make the Services available with a Monthly Uptime Percentage of at least 99.9% during any monthly billing cycle.

Data Processing Terms Annex

The European General Data Protection Regulation (GDPR) may impose specific obligations on Customer with regard to its vendor relationships. The GDPR requires companies to conduct appropriate due diligence on processors and to have contracts containing specific provisions relating to data protection.

The Agreement contains provisions requiring each party to comply with all applicable laws. This Data Processing Annex (this "Annex") documents the data protection requirements imposed upon the parties by the GDPR. To the extent applicable, this Annex is hereby incorporated by reference into the Agreement in order to demonstrate the parties' compliance with the GDPR. For the purposes of this Annex, "Processor" means DA.

1. For purposes of this Annex, "GDPR" means Regulation (EU) 2016/679, the General Data Protection Regulation, together with any additional implementing legislation, rules or regulations that are issued by applicable supervisory authorities. Words and phrases in this Annex shall, to the greatest extent possible, have the meanings given to them in Article 4 of the GDPR. In particular:

a. "Personal Data" has the meaning given to it in Article 4(1) of the GDPR: "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person," but only to the extent such personal data pertains to residents of the European Economic Area (EEA) or are otherwise subject to the GDPR.

b. "Personal Data Breach" has the meaning given to it in Article 4(12) of the GDPR: "[any] breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

c. "Processing" has the meaning given to it in Article 4(2) of the GDPR: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

d. "Subprocessor" means any processor as defined in Article 4(8) of the GDPR: "[any] natural or legal person, public authority, agency or other body which processes personal data" on behalf of the Processor (including any affiliate of the Processor)."

e. "Transfer" means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means.

2. In accordance with GDPR Article 28(1), Processor represents that it has implemented appropriate technical and organisational measures in such a manner that its Processing of Personal Data will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.

3. In accordance with GDPR Article 28(2), the Processor shall not engage any Subprocessor without prior specific or general written authorisation of Customer. Customer hereby consents to the use of Google, Inc. as a Subprocessor. In the case of general written authorisation, the Processor shall inform Customer of any intended changes concerning the addition or replacement of other Subprocessors and give Customer the opportunity to object to such changes. The Processor shall also comply with the requirements for subprocessing as set forth in Article 28(4), namely that the data protection obligations set forth herein (and as may otherwise be agreed by the Processor in the Agreements) such be imposed upon the Subprocessor, so that the Processor's contract with the Subprocessor contains sufficient guarantees that the Processing will meet the requirements of the GDPR.

4. In accordance with GDPR Article 28(3), the following terms are incorporated by reference into the Agreements:

(a) The Processor shall only process the Personal Data (i) as needed to provide the Services, (ii) in accordance with the specific instructions that it has received from Customer, including with regard to any Transfers, and (iii) as needed to comply with law (in which case, the Processor shall provide prior notice to Customer of such legal requirement, unless that law prohibits this disclosure);

(b) Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) Processor shall take all security measures required by GDPR Article 32, namely:

i. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (A) the pseudonymisation and encryption of Personal Data; (B) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (C) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (D) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

ii. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

iii. The Processor shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not process such Personal Data except upon instructions from Customer, unless the Processor is required to do so by EEA Member State law.

(d) Taking into account the nature of the processing, Processor shall reasonably assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights;

(e) Taking into account the nature of processing and the information available to the Processor, Processor shall comply with (and shall reasonably assist Customer to comply with) the obligations regarding Personal Data Breaches (as set forth in GDPR Articles 33 and 34), data protection impact assessments (as set forth in GDPR Article 35), and prior consultation (as set forth in GDPR Article 36);

(f) At Customer's discretion, the Processor shall delete or return all the Personal Data to Customer after the end of the provision of services relating to Processing, and delete existing copies unless applicable EEA member state law requires storage of the Personal Data;

(g) The Processor shall provide Customer with all information necessary to demonstrate compliance with the obligations laid down in the GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer; and

(h) The Processor shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

5. The Processor shall not Transfer any Personal Data (other than to Subprocessors) without the prior consent of Customer. The Processor understands that Customer must approve and document that adequate protection for the Personal Data will exist after the Transfer, using contracts that provide sufficient guarantees (such as standard contractual clauses) unless another legal basis for the Transfer exists.

6. The Processor will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of the Personal Data. Processor will notify Customer without undue delay in the event of any Personal Data Breach.

7. The Processor shall maintain all records required by Article 30(2) of the GDPR, and (to the extent they are applicable to Processor's activities for Customer) Processor shall make them available to Customer upon request.