StriveCloud Licensing Terms

STRIVECLOUD LICENSING TERMS 

These licensing terms (“Terms”), including the documents incorporated by reference herein (a.o. the  Quotation), govern your use of the StriveCloud Software (as defined below) and form a legal contract between StriveCloud BV is a Belgian private limited liability company with registered seat located at Coupure Rechts 620/10, 9000 Ghent, registered with the Crossroads Bank for Enterprises under company number  0647.559.033 (“StriveCloud”) and you or the entity that you represent (the “Licensee”). Hereinafter  StriveCloud and the Licensee are also jointly referred to as the “Parties” and each individually as a  “Party”. These Terms are filed and accessible via StriveCloud’s website. 

StriveCloud has developed customizable gamification software. The Licensee on the other hand wishes  to use the StriveCloud Software and other Services provided by StriveCloud. The Parties now wish to  enter into these Terms to stipulate the rights and obligations relating to the Licensee’s use of the  Services. 

These terms are only applicable to and can only be validly entered into by businesses. If you are agreeing to these terms for use of the Services by the legal entity which you are acting for (e.g. in the  capacity as employee or independent contractor), you agree on behalf of that legal entity which will be  bound by these terms. In such case, you warrant and represent that you have the authority to validly  bind that legal entity to these terms, and that “Licensee” will be interpreted as being your employer or  said legal entity who will be bound to these terms. 

If you are consumer (meaning a natural person who acts for purposes outside his trade, business, craft  or profession) or if you are a distributor, partner, or reseller of StriveCloud, you cannot validly enter  into these Terms and thus not make validly use of the Product. In such case, please contact the  StriveCloud legal department via legal@strivecloud.io.  

‍

Article 1. Definitions 

Capitalized terms used in these Terms shall have the following meaning, or shall have the meaning as  defined elsewhere in these Terms. 

“Confidential  Information”  means the content of these Terms, and all information communicated, disclosed  or otherwise exchanged between the Parties in the context of these Terms, either  directly or indirectly, such as but not limited to (technical) data, personal data,  reports, materials, documents, correspondence, Software, designs and business  information. Will not be considered as Confidential Information, information  which (i) was or becomes generally available to the public or industry without  breach of these Terms; (ii) was in the possession of the receiving Party at the  time of disclosure to it without obligation of confidentiality; (iii) was obtained  legitimately and lawfully by the receiving Party, e.g. from a third party who had  a lawful right to disclose such information to it without any obligation to restrict its further use or disclosure; or (iv) was independently developed by the  receiving Party without reference to or use of the Confidential Information of  the other Party. 

“Data Processing  Agreement”  means the data processing agreement attached here to as Annex 2. 

“Data Protection  Legislation”  means all applicable legislation regulating the processing of personal data,  including the EU General Data Protection Regulation no. 2016/679 of April  27th 2016 on the protection of natural persons with regard to the processing of  personal data and on the free movement of such data (“GDPR”) and the Belgian law of July 30th 2018 on the protection of natural persons with regard  to the processing of personal data, as well as future modifications.  

“Effective Date” means the date of the entry into force of these terms, as specified in the  Quotation. 

“Feature Page” means StriveCloud’s webpages specifying the details of the StriveCloud  Software and pricing information, such as https://strivecloud.io/conditions/.  

“Intellectual Property Rights” means any design rights, trademarks, domain names and trade or business  names (whether registered or unregistered), patents, copyright and related  rights, database rights, trade secrets, other intellectual property rights and  similar or equivalent rights anywhere in the world which currently exist or are  recognised in the future; and applications, extensions and renewals in relation  to any such rights.  

“Quotation” means any commercial document agreed between the Parties in writing,  specifying the provided Services, the license fees and the Effective Date (i.e. a  form of quotation, purchase order or other similar document).  

“Services” means the relevant StriveCloud Software, made available in the form of  software-as-a-service, and other services provided by StriveCloud as identified  in the Quotation and as described in further detail in the StriveCloud’s Feature  Pages. 

“Software” means shall mean, computer programs and related data that provide instructions  to the computer systems, whether in an executable form (object code) or a  human-readable form (source code), including documentation and preparatory  design material. 

“StriveCloud  Software” means the Software developed by StriveCloud and used by the Licensee under  these Terms, including enhancements, improvements and modifications.  

‍

Article 2. Scope and structure of these Terms 

2.1 These Terms govern the rights and obligations relating to the Licensee’s use of the StriveCloud  Software and related Services. 

2.2 These Terms consist of the main body of these Terms and the relevant Quotations. 

2.3 In case of conflicts between the provisions of the main body of these Terms and the Quotation,  the Quotation shall prevail (unless explicitly indicated otherwise). In case of conflicts between  the Quotation and the Feature Page, the Quotation will prevail.  

2.4 These Terms are deemed accepted by the Licensee, even when they are conflicting with the  Licensee’s general or special purchasing terms and conditions. The fact that StriveCloud did not  explicitly reject the terms and conditions of the Licensee referred to in any contract or Quotation  (as defined hereafter) cannot be interpreted by the Licensee as an acceptance by StriveCloud of  such terms and conditions. 

‍

Article 3. Rights and obligations of StriveCloud 

3.1 StriveCloud shall: 

a) perform the Services as described in the Quotation; 

b) provide support and maintenance in accordance with Annex 1. 

3.2 StriveCloud has the right to audit and inspect the Licensee’s use of the StriveCloud Software  and its obligations in this respect during normal business hours on giving reasonable notice  (except if such notice would defeat the purpose of the inspection), for the purpose of verifying  the Licensee’s compliance with the Agreement. Each Party shall bear its own costs related to  such inspection, provided that, in the event such audit determines that the Licensee has acted in  breach of the Agreement, in addition to any other rights and remedies available to StriveCloud in respect of such a breach, the Licensee shall bear the full cost of such inspection. 

‍

Article 4. Rights and obligations of the Licensee 

4.1 The Licensee shall: 

a) warrant that the StriveCloud Software shall only be used for professional purposes, in  accordance with the bonus pater familias standard and in accordance with these Terms; b) at all times ensure the confidentiality and security of accounts, user names and  passwords that have been created for or on behalf of the Licensee, its employees, agents,  contractors or other representatives; 

c) be responsible for all use of the StriveCloud Software via accounts or access rights that  have been created for or on behalf of the Licensee, including possible use by third parties  or unauthorized persons; and  

d) appoint a contact person for StriveCloud, who will provide StriveCloud with any  required information without undue delay.  

‍

Article 5. Pricing and Invoicing. 

5.1 The prices described in the Quotation will apply. StriveCloud reserves the right to modify the  price list included in its Feature Pages at any time and shall duly inform the Licensee before  such modifications take effect, which shall be at the start of the next Renewal Term (unless a  later date is communicated by StriveCloud). These modifications will enter into force from the  date of notification of these price modifications to the Licensee. The Licensee can object to  these changes within ten (10) calendar days from the notification date by sending an e-mail to  legal@strivecloud.io and can terminate these Terms with immediate effect by written notice if  no mutual agreement is found. In the event the Licensee has not notified StriveCloud of such  termination within the aforementioned ten (10) calendar days period, Licensee irrevocably and  unconditionally accepts such changes and will no longer be entitled to terminate these Terms  pursuant to this article 5.1. 

5.2 StriveCloud shall invoice one-time Services, such as the installation and set-up, after such  occurrence has been completed, unless otherwise agreed in the Quotation. StriveCloud shall  invoice the license fees in respect of the StriveCloud Software and any other Services on a  yearly basis, as agreed in the Quotation. Any fees payable under these Terms shall be considered  nonrefundable.  

5.3 The Licensee shall pay each invoice within thirty (30) calendar days after the date of invoice,  unless otherwise agreed in the Quotation. Payments shall be done by wire transfer to the account  indicated on the invoice. 

5.4 In the Quotation a maximum usage is mentioned (in the form of a maximum number of active  users or any other usage metric referred to in the Quotation). StriveCloud will monitor the  Licensee’s usage on a monthly basis and both Parties acknowledge and agree that the findings  of StriveCloud in this respect are conclusive and have probative value. In the event the  Licensee’s usage exceeds the maximum usage included in the Quotation, StriveCloud will take  note of the difference of that month and send an invoice containing the price of that difference,  using the applicable prices for usage set forth in the Quotation. In deviation from article 5.3,  invoices for usage excess will be payable within fifteen (15) calendar days after the date of  invoice. 

5.5 All amounts not paid by the Licensee on the relevant due date shall bear an interest for late  payment in accordance with the law of 8 August 2002 on combating late payments in  commercial transactions, without prior notice of default. All costs arising from collecting any outstanding claims, including but not limited to legal fees or administrative costs, and with as  minimum a fixed amount equal to the highest of fifteen percent (15%) of the unpaid amount or  two hundred and fify euros (EUR 250.00), are for the account of the Licensee and may be  recovered by StriveCloud. In addition, in case of non-payment of the license fees for the use of  the StriveCloud Software, StriveCloud has the right to suspend access to the StriveCloud  Software until all invoices in relation to such license fees are correctly paid. 

5.6 In case of future versions, enhancements, modifications or updates to the StriveCloud Software,  StriveCloud reserves the right to only make these new versions, enhancements, modifications  or updates available to the Licensee upon additional payment or increased prices, as the case  may be. 

‍

Article 6. Term and Termination 

6.1 These Terms enter into force on the Effective Date for the initial period agreed upon in the  Quotation (“Initial Term”). After the Initial Term, these Terms shall be automatically and  tacitly renewed for successive periods of one (1) year (“Renewal Term”), unless either Party  gives prior notice by registered letter at the latest one (1) month before expiration of the then  running Initial Term or Renewal Term. 

6.2 Either Party has the right to terminate these Terms with immediate effect and without prior  judicial intervention, in the following cases: 

i. in case of a material breach by the other Party, which in case it is capable of being  remedied is not remedied within fifteen (15) calendar days after receiving notice thereto  by the other Party; whereby, without being exhaustive, a breach of article 8 of these  Terms or of the Data Protection Legislation shall in any event be considered as  constituting a material breach; 

ii. notwithstanding article 5.5. of these Terms, in case of material or regular non- or  late-payments by the Licensee; or 

iii. in case when the other Party enters into liquidation, receivership, bankruptcy or other  insolvency-related proceedings, whether compulsorily or voluntarily, or the Party is  unable to pay its debts within the meaning of the applicable laws of the jurisdiction other  than for the purposes of reconstruction or amalgamation. 

Article 7. Confidentiality 

7.1 Each Party acknowledges and agrees to maintain the confidentiality of Confidential Information  provided by the other Party under or relating to these Terms, including after termination or expiry of these Terms. The Parties may not disclose the other Party’s

Confidential Information without the prior written permission of the other Party and shall only  use the Confidential Information for the purposes for which it was obtained. 

7.2 The Parties shall not disclose or disseminate the other Party’s Confidential Information to any  person other than those employees, agents, contractors or subcontractors in so far as strictly  required for the performance of these Terms. 

7.3 Notwithstanding the foregoing, each Party may disclose the other Party's Confidential  Information to its advisors (such as lawyers, accountants and auditors) or if required to do so by law. In such circumstances, each Party shall inform the other Party thereof in advance (in so far  as allowed by law) and shall limit the disclosure of Confidential Information to what is  necessary. 

7.4 Both Parties shall ensure that the confidentiality obligations under these Terms are also observed  by their respective agents, employees, advisors, representatives, contractors, subcontractors or  other persons for whom they are responsible and who are directly or indirectly involved in the  implementation of these Terms. 

7.5 If any Confidential Information is disclosed other than as permitted under these Terms, the  relevant Party shall, as soon as they become aware of it, notify the other Party thereof and shall take all steps necessary to limit the consequences of such non-permitted disclosure and to  prevent further unauthorised disclosure. 

7.6 Upon termination or expiration of these Terms, each Party shall return and/or destroy, at the  other Party’s request, all Confidential Information received by the other Party. 

‍

Article 8. Processing of Personal Data and Security 

8.1 Each Party shall comply with their respective obligations under Data Protection Legislation in  accordance with the Data Processing Agreement. Amongst others, both Parties shall implement  appropriate technical and organizational measures to ensure a level of security appropriate to  the risk, taking into account the state of the art, the costs of implementation and the nature, scope, 

context and purposes of processing as well as the risks for data subjects. The security measures  adopted by StriveCloud are described in Annex 5 to these Terms. 

‍

Article 9. Sub-processors and other subcontractors 

9.1. StriveCloud is allowed to appoint sub-processors or other subcontractors for the performance of  these Terms. 

‍

Article 10. Intellectual Property Rights 

10.1. Nothing in these Terms shall be construed to constitute a transfer of Intellectual Property Rights,  unless explicitly indicated otherwise. 

10.2. StriveCloud hereby grants the Licensee, who accepts, and the Licensee’s authorized end users,  a non-exclusive, worldwide, non-transferable and non-assignable right to use, execute, store,  copy, distribute, and support the StriveCloud Software strictly in accordance with these Terms,  for the duration of these Terms. It is expressly understood that without StriveCloud’s explicit  written consent, the Licensee may not distribute the StriveCloud Software as such, but only as  an integral part of its own Software products. The fees for this license are as set out in the  Quotation and/or StriveCloud’s Feature Pages. 

10.3. StriveCloud may perform Software integrations, modifications, developments or enhancements specifically for or at the request of the Licensee, or based on any ideas,

suggestions or recommendations made by the Licensee (“Licensee Specific Developments”).  Such Licensee Specific Developments will be compensated as described in StriveCloud’s  Feature Pages. Any Intellectual Property Rights in such Licensee Specific Developments shall  vest exclusively in StriveCloud and shall become part of the StriveCloud Software licensed to  the Licensee in accordance with article 10.2 above. To the extent StriveCloud integrates third  party software for or at the request of the Licensee, the Licensee shall be fully responsible for  the use of this third-party software and warrants to StriveCloud that it has obtained all required  rights in this respect. 

10.4. StriveCloud may use the Licensee’s name and trademarks on its website, in client reference lists  and in other marketing materials. 

10.5. The Licensee must immediately notify StriveCloud in writing if any third party gains  unauthorized access to or use of StriveCloud Software, other proprietary materials or  Confidential Information. The Licensee shall take all reasonable steps to stop and further  prevent such unauthorized access or use. 

10.6. The Licensee shall ensure and warrants to have all necessary Software, tools, products or  materials required to allow StriveCloud to perform the Services and warrants to have obtained  all required rights in this respect, including third party license rights. All third-party Software  are subject to the terms and conditions of the third parties. 

10.7. StriveCloud shall defend and indemnify the Licensee against any founded and well substantiated claims brought by third parties to the extent such claim is based on an infringement  of any Intellectual Property Right of such third party by the StriveCloud Software, excluding  any claims resulting from (i) any unauthorized use of the StriveCloud Software, (ii)  modification to the StriveCloud Software made by the Licensee, its employees or any third  party, (ii) failure of the Licensee to use updated or modified StriveCloud Software provided by  StriveCloud to avoid a claim of infringement or misappropriation, (iii) combination of the  StriveCloud Software with othersystems, products, processes or materials to the extent that such  claim would have been avoided without such combination use of the StriveCloud Software. 

Such indemnity obligation shall be conditional upon the following: 

(i) StriveCloud is given prompt written notice of any such claim; (ii) StriveCloud is granted sole  control of the defense and settlement of such a claim; (iii) upon StriveCloud’s request, the  Licensee fully cooperates with StriveCloud in the defense and settlement of such a claim, at  StriveCloud’s expense, and (iv) the Licensee makes no admission as to StriveCloud’s liability  in respect of such a claim, nor does the Licensee agree to any settlement in respect of such a  claim without StriveCloud’s prior written consent. 

10.8. In the event the StriveCloud Software or any part thereof, in StriveCloud’s reasonable opinion,  is likely to become the subject of a third party infringement claim, StriveCloud shall have the  right, at its sole option and expense, to: (i) modify the ((allegedly) infringing part of the  StriveCloud Software so that it becomes non-infringing while preserving equivalent  functionality; (ii) obtain for the Licensee a license to continue using the StriveCloud Software  in accordance with these Terms; or (iii) terminate these Terms and pay to the Licensee an  amount equal to a pro rata portion of the license fees for the remaining part of the then current  Initial Term or Renewal Term. 

10.9. The Licensee shall defend and indemnify StriveCloud against any founded and  well-substantiated claims brought by third parties to the extent such claim is based on any breach  or violation by the Licensee or its personnel of any provisions of these Terms, applicable laws  or regulations, and/or fraud, intentional misconduct, or gross negligence committed by the  Licensee or its personnel. Such indemnity obligation shall be conditional upon the following:  (i) the Licensee is given prompt written notice of any such claim; (ii) the Licensee is granted sole control of the defense and settlement of such a claim; (iii) upon

Licensee’s request, StriveCloud fully cooperates with the Licensee in the defense and settlement  of such a claim, at Licensee’s expense, and (iv) StriveCloud makes no admission as to the  Licensee’s liability in respect of such a claim, nor does StriveCloud agree to any settlement in  respect of such a claim without the Licensee’s prior written consent. 

‍

Article 11. Liability 

11.1. StriveCloud’s liability under these Terms at any time shall be limited to the fees paid to  StriveCloud under these Terms during the twelve (12) months preceding the event giving rise  to damage, it being understood that during the first twelve (12) months of the Initial Term, the  liability cap shall be calculated by using the average monthly fees multiplied by twelve (12). 

11.2. StriveCloud cannot be held liable for: (i) damages resulting from the inadequate use of the  StriveCloud Software by the Licensee, (ii) damages resulting from inaccurate or incomplete  information and data provided by the Licensee and (iii) indirect, special, consequential, punitive  or incidental damages such as loss of profit, loss of business, reputational damage, financial  losses and loss of data. 

11.3. Except as expressly provided in these Terms and to the extent permitted under applicable law,  StriveCloud expressly disclaims all warranties, express or implied, including but not limited to  any warranties of merchantability, non-infringement, satisfactory quality and fitness of the  StriveCloud Software for a particular purpose. In particular, StriveCloud does not warrant that  the StriveCloud Software is error-free or that the use of the StriveCloud Software shall be secure  or uninterrupted, that StriveCloud will detect any or every defect in the Licensee’s systems or  that any or all problems with respect to the StriveCloud Software can be solved, and hereby disclaims any and all liability on account thereof. The StriveCloud Software will be provided  by StriveCloud under these Terms on an “as-is” and “as available” basis. 

11.4. Each party hereby excludes any extra-contractual liability related to the formation, performance,  and termination of this Agreement (and guarantees that its affiliated persons exclude this) with  respect to any other party and the directors, employees, shareholders, and direct or indirect  auxiliary persons of such other party and its affiliated persons, to the fullest extent permitted by  law (including in cases of gross negligence). 

‍

Article 12. General Provisions 

12.1. These Terms constitutes the entire agreement between the Parties relating to the subject matter  of these Terms. It replaces all previous arrangements, agreements or discussions between the  Parties, whether oral or written, relating to the same subject matter. 

12.2. All deviating or additional conditions to these Terms must be agreed upon in writing and signed  by duly authorized representatives. 

12.3. The Agreement may not be assigned to third parties unless with prior explicit consent of the  other Party, it being understood that StriveCloud may assign the Agreement to (i) a parent  company or subsidiary, (ii) an acquirer of all or substantially all of StriveCloud’s assets involved  in the operations relevant to the Agreement, or (iii) a successor by merger, (partial) split or other  combination. Any purported assignment in violation of this article will be void. This Agreement  may be enforced by and is binding on permitted successors and assigns. 

12.4. The provisions that by their nature are deemed to survive the termination or expiration of these  Terms, survive these Terms. 

12.5. These Terms shall not be construed as constituting a joint venture or partnership between the  Parties, who remain independent contracting parties

12.6. These Terms are divisible and if one or more of its provisions are declared invalid, the validity  of the remaining provisions will not be affected. To replace the invalid provision, the Parties  will negotiate a new provision that matches as closely as possible the original intention of the  Parties.

12.7. Notices under these Terms shall be sent to: 

a. For the Licensee: the contact details included in the Quotation or as otherwise  communicated by the Licensee, or lacking such details, the e-mail address usually used  by the Licensee for communication to StriveCloud;  

b. For StriveCloud: Legal Department, legal@strivecloud.io.  

12.8. These Terms are exclusively governed by Belgian law. The courts of Ghent, Belgium, are  exclusively competent for any disputes arising out of or in connection with these Terms.  

12.9. A Party shall be not be considered in breach of or in default under these Terms on account of,  and shall not be liable to the other Party for, any delay or failure to perform its obligations  hereunder (other than a failure to pay any amounts due under these Terms) by reason of fire,  earthquake, flood, explosion, strike, riot, war, terrorism, or similar event beyond that Party’s  reasonable control (each a “Force Majeure Event”); provided, however, if a Force Majeure  Event occurs, the affected Party shall, as soon as practicable, (a) notify the other Party of the  Force Majeure Event and its impact on performance under these Terms, and (b) use reasonable  efforts to resolve any issues resulting from the Force Majeure Event and perform its obligations  hereunder. In case the duration of the Force Majeure Event exceeds two (2) months, the other  Party shall have the right to terminate these Terms. 

‍

Article 13. Amendments 

13.1. StriveCloud may update or modify these Terms from time to time, including documents  incorporated herein by reference (such as the Quotation) for following reasons (i) applicable  law, including but not limited to, a change of such law advice or order based on applicable law,  (ii) minor changes to the Service, (iii) technical reasons, (iv) operational requirements, or  

(v) changes that are advantageous to Licensee. 

13.2. If a revision meaningfully reduces the Licensee’s rights, StriveCloud will use reasonable efforts  to notify Licensee (by, for example sending an email to the Licensee, posting on StriveCloud’s  website or Feature Pages or in the StriveCloud Software itself). Licensee must notify  StriveCloud within ten (10) calendar days of StriveCloud’s notice of the modifications that  Licensee do not agree with such changes, and StriveCloud (at StriveCloud’s option and as  Licensee’s exclusive remedy) may either: (i) permit Licensee to continue under the prior version  of these Terms until the start of Licensee’s next Renewal Term (after which the modified Terms 

will apply) or (ii) allow Licensee to terminate these Terms and receive a pro-rated refund  based on the unused portion of Licensee’s term under these Terms. 

13.3. In any event, any continued use of the Services after the moment the modifications take effect,  constitutes Licensee’s acceptance of the modifications. 

‍

List of Annexes 

Annex 1: Support & Maintenance  

Annex 2: Data Processing Agreement 

Annex 3: Details with regard to the Processing of Personal Data  

Annex 4: List of current Sub-processors 

Annex 5: Security Measures

‍

ANNEX 1 – SUPPORT AND MAINTENANCE 

StriveCloud provides the following support and maintenance services with respect to the StriveCloud  Software towards the Licensee: 

- Helpdesk: 

StriveCloud provides a helpdesk function which is only available for questions concerning the use  of the StriveCloud Software. StriveCloud’s helpdesk is available on business days between 8 a.m.  and 5 p.m. CET, excluding national holidays. The helpdesk can be contacted via the following  contact details: support@strivecloud.io.  

- Availability: 

StriveCloud maintains the availability of the StriveCloud Software to the best of its ability. The  Licensee accepts that the maintenance of the StriveCloud Software can give rise to a temporary  unavailability of the StriveCloud Software, which cannot last more than four (4) hours between 9  a.m. CET and 8 p.m. CET, unless the Parties derogate by indicating a longer period. 

No urgent interventions shall take place from Monday to Friday outside the timeslot indicated  above. If this seems to be impossible for StriveCloud, it shall notify the Licensee at least  twenty-four (24) hours in advance and, if possible, of the estimated duration of the intervention.  

- Incident Management: 

StriveCloud will manage incidents within its field of responsibility according to the following table.  The level of incident will be determined by StriveCloud. Response times and resolution times start  running as of the moment StriveCloud receives notice of an incident from the Licensee. StriveCloud  has the right to refuse its incident management if: (i) the incident is due to the wrongful use of the 

StriveCloud Software; (ii) the incident is due to a non-authorized modification of the StriveCloud Software; (iii) the Licensee prevents StriveCloud from performing maintenance and/or updates; (iv)  the incident is caused by an application that is not supported. 

Level of incident Response time Resolution time 

Critical (the functionality concerned is not  available and hinders the use of the  StriveCloud Software) 

4 hours 8 hours

High (the functionality concerned is limited  available and hinders the proper use of  StriveCloud Software)

4 hours 

2 working days

‍

Low (the functionality concerned is  available but certain problems arise)

4 hours 

3 weeks

‍

ANNEX 2 – DATA PROCESSING AGREEMENT 

This Data Processing Agreement describes specific terms in respect of the processing of Personal Data  by Strivecloud in connection with the provision of Services under the Agreement as may be provided to  the Licensee by Strivecloud in connection with the Agreement, the terms of which are incorporated  herein by reference. In the event of a conflict between the Agreement and any provision of this Annex,  the latter shall govern. Capitalized terms not otherwise defined herein, shall have the meaning specified  in the Agreement. 

1. DEFINITIONS AND INTERPRETATION 

1.1 For the purpose of this Data Processing Agreement, the following terms shall have the following  meaning. In case of any doubt or differences with the terms defined in the Data Protection  Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail. 

“Contact Person” means the individual(s) assigned by a Party and communicated to the other  Party as point of contact and representing the Party for (a part of) the  

Services. 

“Data Controller” means the natural or legal person, public authority, agency or any other body  which alone or jointly with others determines the purposes and means of the  

Processing of Personal Data. 

“Data Processor” means a natural or legal person, public authority, agency or any other body  which processes Personal Data on behalf of the Data Controller. 

“Data Protection  Legislation” 

means the EU Regulation 2016/679 on the protection of natural persons with  regard to the processing of personal data and on the free movement of such  data (General Data Protection Regulation), together with the codes of  practice, codes of conduct, regulatory guidance and standard clauses and  other related legislation resulting from such Directive or Regulation, as  updated from time to time.  

“Data Subject” means an identified or identifiable natural person to whom the Personal Data  relates. An identifiable person is one who can be identified, directly or  indirectly, in particular by reference to an identifier such as a name, an  identification number, location data, online identifier or to one or more  factors specific to the physical, physiological, genetic, mental, economic,  cultural or social identity of that person. The relevant categories of Data  Subjects are identified in Annex 3.  

“Personal Data” means any information relating to a Data Subject. The relevant categories of  Personal Data that are provided to Strivecloud by, or on behalf of the  Licensee are identified in Annex 3.  

“Personal Data  Breach” 

“Processing”,  

“Process(es)” or  “Processed” 

means a breach of security leading to the accidental or unlawful destruction,  loss, alteration, unauthorized disclosure of, or access to, Personal Data  transmitted, stored or otherwise processed in connection with the  provisioning of the Services.  

means any operation or set of operations which is performed upon Personal  Data or on sets of Personal Data, whether or not by automatic means, such  as collection, recording, organization, structuring, storage, adaptation or  alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,  restriction, erasure or destruction. 

“Services” means all services, functions, responsibilities and outputs of Strivecloud as  described in the Agreement. 

“Standard  Contractual  Clauses” means the standard contractual clauses of which the European Commission  on the basis of Article 26 (4) of Directive 95/46/EC decided that these offer  sufficient safeguards for the transfers of personal data to a third country, or  the data protection clauses adopted by the European Commission or by a  supervisory authority and approved by the European Commission in  accordance with the examination procedure referred to in Article 93(2) of  EU Regulation 2016/679. In the event of any such data protection clauses  adopted in accordance with EU Regulation 2016/679, including the  European Commission’s update on the 4^th of June 2021, such clauses shall  prevail over any standard contractual clauses adopted on the basis of  Directive 95/46/EC to the extent that they intend to cover the same kind of  data transfer relationship. 

“Sub-processor” means any subcontractor engaged by Strivecloud to perform a part of the  Services and who agrees to receive Personal Data intended for Processing  

on behalf of the Licensee in accordance with the Licensee’s instructions and  

the provisions of the Agreement. 

1.2 This Agreement forms an integral part of the Agreement. The provisions of the Agreement  therefore apply to this Data Processing Agreement. All capitalized terms not defined in this Data  Processing Agreement will have the meaning set forth in the Agreement. 

1.3 In case of conflict between any provision in this Data Processing Agreement and any provision  of another part of the Agreement, this Data Processing Agreement shall prevail. 

‍

2. SCOPE AND PURPOSE 

2.1 In connection with and for the purpose of the performance of the Services under the Agreement,  the Licensee commissions Strivecloud to process Personal Data in accordance with the  provisions of this Data Processing Agreement. 

‍

3. SPECIFICATION OF THE DATA PROCESSING 

3.1 Any Processing of Personal Data under the Agreement shall be performed in accordance with  the applicable Data Protection Legislation. 

3.2 For the performance of the Services, Strivecloud is a Data Processor acting on behalf of the  Licensee. As a Data Processor, Strivecloud will only act upon the Licensee’s instructions. The  Agreement, including this Data Processing Agreement, is the Licensee’s complete instruction  to Strivecloud with regard to the Processing of Personal Data. Any additional or alternate  instructions must be jointly agreed by the Parties in writing. The following is deemed an  instruction by Strivecloud to Process Personal Data: (1) Processing in accordance with the  Agreement and (2) Processing initiated by the Licensee users in their use of the Services. 

3.3 A more detailed description of the subject matter of the Processing of Personal Data in terms of  the concerned categories of Personal Data and of Data Subjects (envisaged Processing of  Personal Data) is contained in Annex 3.

‍

4. DATA SUBJECTS’ RIGHTS 

4.1 With regard to the protection of Data Subjects’ rights pursuant to the applicable Data Protection  Legislation, the Licensee shall facilitate the exercise of Data Subject rights and shall ensure that  adequate information is provided to Data Subjects about the Processing hereunder in a concise,  transparent, intelligible and easily accessible form, using clear and plain language. 

4.2 Should a Data Subject directly contact Strivecloud wanting to exercise his individual rights such  as requesting a copy, correction or deletion of his data or wanting to restrict or object to the  Processing activities, Strivecloud shall inform the Licensee of such request within five (5)  business days and provide the Licensee with full details thereof, together with a copy of the  Personal Data held by it in relation to the Data Subject where relevant. Strivecloud shall  promptly direct such Data Subject to the Licensee. In support of the above, Strivecloud may  provide the Licensee’s basic contact information to the requestor. the Licensee agrees to answer to and comply with any such request of a Data Subject in line with the provisions of the  applicable Data Protection Legislation. 

4.3 Insofar as this is possible, Strivecloud shall cooperate with and assist the Licensee by  appropriate technical and organizational measures for the fulfilment of the Licensee’s obligation  to respond to requests from Data Subjects exercising their rights. 

‍

5. CONSULTATION AND CORRECTION OF PERSONAL DATA 

5.1 Strivecloud will provide the Licensee, in its role of Data Controller with access to Personal Data  Processed under the Agreement, in order to allow the Licensee to consult and correct such  Personal Data. 

‍

6. DISCLOSURE 

6.1 Strivecloud will not disclose Personal Data to any third party, except (1) as the Licensee directs, (2) as stipulated in the Agreement, (3) as required for Processing by approved Sub processors in accordance with Article 9 or (4) as required by law, in which case Strivecloud  shall inform the Licensee of that legal requirement before Processing that Personal Data, unless  that law prohibits such information being provided on important grounds of public interest. 

6.2 Strivecloud represents and warrants that persons acting on behalf of Strivecloud and who are  authorized to Process Personal Data or to support and manage the systems that Process Personal  Data (i) have committed themselves to maintain the security and confidentiality of Personal  Data in accordance with the provisions of this Data Processing Agreement, (ii) are subject to  user authentication and log on processes when accessing the Personal Data and (iii) have  undertaken appropriate training in relation to Data Protection Legislation. Strivecloud shall  inform the persons acting on its behalf about the applicable requirements and ensure their  compliance with such requirements through contractual or statutory confidentiality obligations. 

‍

7. DELETION AND RETURN OF PERSONAL DATA 

7.1 At the latest within thirty (30) calendar days upon termination of the Agreement, Strivecloud  shall sanitize or destroy any Personal Data that it stores in a secure way that ensures that all  Personal Data is deleted and unrecoverable. Data used to verify proper data processing in  compliance with the assignment and data that needs to be kept to comply with relevant legal and  regulatory retention requirements may be kept by Strivecloud beyond termination or expiry of  the Agreement only as long as required by such laws or regulations.

‍

7.2 Upon written request submitted by the Licensee no later than five (5) calendar days prior to  termination of the Agreement, Strivecloud will provide the Licensee with a readable and usable  copy of the Personal Data and/or the systems containing Personal Data prior to sanitization or  destruction. 

‍

8. LOCATION OF PROCESSING 

8.1 Strivecloud will store Personal Data at rest within the territory of the European Union. 

8.2 Any Processing of Personal Data by Strivecloud personnel or subcontractors not located within  the European Union may be undertaken only following prior written approval of the Licensee  and the execution of one of the then legally recognized data transfer mechanisms, such as an  additional data processing agreement governed by the Standard Contractual Clauses. 

‍

9. USE OF SUB-PROCESSORS 

9.1 The Licensee acknowledges and expressly agrees that Strivecloud may use third party Sub processors for the provision of the Services as described in the Agreement. 

9.2 Any such Sub-processors that provide services for Strivecloud and thereto Process Personal  Data will be permitted to Process Personal Data only to deliver the services Strivecloud has  entrusted them with and will be prohibited from Processing such Personal Data for any other  purpose. Strivecloud remains fully responsible for any such Sub-processor’s compliance with  Strivecloud’s obligations under the Agreement, including this Data Processing Agreement. 

9.3 Strivecloud will enter into written agreements with any such Sub-processor which contain  obligations no less protective than those contained in this Data Processing Agreement, including  the obligations imposed by the Standard Contractual Clauses, as applicable. 

9.4 Strivecloud shall make available to the Licensee the current list of Sub-processors for the  Services identified in Annex 4. Such Sub-processors list shall include the identities of those  Sub-processors and their country of location. Strivecloud shall provide the Licensee with a  notification of a new Sub-processor before authorizing any new Sub-processor(s) to Process  Personal Data in connection with the provision of the Services under this Data Processing  Agreement. 

9.5 If the Licensee objects to the use of a new Sub-processor that will be processing the Licensee’s  Personal Data, then the Licensee shall notify Strivecloud in writing within ten (10) calendar  days after receipt of Strivecloud’s written request to that effect. In such a case, Strivecloud will use reasonable efforts to change the affected Services or to recommend a commercially  reasonable change to the Licensee’s use of the affected Services to avoid the Processing of  Personal Data by the Sub-processor concerned. If Strivecloud is unable to make available or  propose such change within sixty (60) calendar days, the Licensee may terminate the relevant  part of the Agreement regarding those Services which cannot be provided by the Strivecloud  without the use of the Sub-processor concerned. To that end, the Licensee shall provide written  notice of termination that includes the reasonable motivation for non-approval. The Licensee  will bear the costs incurred in relation to this article 9.5. 

‍

10. TECHNICAL AND ORGANIZATIONAL MEASURES 

10.1 Strivecloud has implemented and will maintain appropriate technical and organizational  measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction in  accordance with Annex 5. 

‍

11. PERSONAL DATA BREACHES 

11.1 In the event of a (likely or known) Personal Data Breach and irrespective of its cause, the  Strivecloud shall notify the Licensee without undue delay and at the latest within forty-eight (48) hours after having become aware of (the likelihood or occurrence of) such Personal Data  Breach, providing the Licensee with sufficient information and in a timescale, which allows the  Licensee to meet any obligations to report a Personal Data Breach under the Data Protection  Legislation. Such notification shall as a minimum specify: 

- the nature of the Personal Data Breach; 

- the nature or type of Personal Data implicated in the Personal Data Breach, as well as  the categories and numbers of Data Subjects concerned; 

- the likely consequences of the Personal Data Breach; 

- as the case may be, the remedial actions taken or proposed to be taken to mitigate the  effects and minimize any damage resulting from the Personal Data Breach. 

11.2 Strivecloud shall without undue delay further investigate the Personal Data Breach and shall  keep the Licensee informed of the progress of the investigation and take reasonable steps to  further minimize the impact. Both Parties agree to fully cooperate with such investigation and  to assist each other in complying with any notification requirements and procedures. 

11.3 A Party’s obligation to report or respond to a Personal Data Breach is not and will not be  construed as an acknowledgement by that Party of any fault or liability with respect to the  Personal Data Breach. 

12. CUSTOMER RESPONSABILITIES 

12.1 The Licensee shall comply with all applicable laws and regulations, including the Data  Protection Legislation. 

12.2 The Licensee remains responsible for the lawfulness of the Processing of Personal Data  including, where required, obtaining the consent of Data Subjects to the Processing of his or her  Personal Data. 

12.3 The Licensee shall take reasonable steps to keep Personal Data up to date to ensure the data  are not inaccurate or incomplete with regard to the purposes for which they are collected. 

12.4 With regard to components that Licensee provides or controls, including but not limited to  workstations connecting to Services, data transfer mechanisms used, and credentials issued to  the Licensee’s personnel, the Licensee shall implement and maintain the required technical and  organizational measures for protection of Personal Data. 

12.5 The Licensee shall limit its initiatives to conduct an audit or inspection to no more than once a  year, except in the event that (i) it is legally required to do so, (ii) Strivecloud has experienced a  Personal Data Breach in the preceding twelve (12) months that has affected the Licensee's  Personal Data or (iii) in the event of a mutual agreement, and shall notify Strivecloud of such  request at least thirty (30) business days prior to the audit. The Licensee shall bear all costs for  conducting an audit or inspection.

13. NOTIFICATIONS 

13.1 Unless legally prohibited from doing so, Strivecloud shall notify the Licensee as soon as  reasonably possible, and at the latest within five (5) business days of becoming aware of the  relevant circumstances, if it or any of its Sub-processors: 

(i) receives an inquiry, a subpoena or a request for inspection or audit from a competent  public authority relating to the Processing; 

(ii) intends to disclose Personal Data to any competent public authority outside the scope  of the Services of the Agreement; 

(iii) receives an instruction that infringes the Data Protection Legislation or the obligations  of this Data Processing Agreement. 

13.2 In this respect, Strivecloud shall co-operate as requested by the Licensee to enable the Licensee  to comply with any assessment, enquiry, notice or investigation under the Data Protection  Legislation, which shall include the provision of: 

(i) all data requested by the Licensee (which is not otherwise available to the Licensee)  within the reasonable timescale specified by the Licensee in each case, including full  details and copies of the complaint, communication or request and any Personal Data it  holds in relation to the relevant Data Subject(s); and 

(ii) where applicable, providing such assistance as is reasonably requested by the Licensee  to enable the Licensee to comply with the relevant request within the Data Protection  Legislation statutory timescales. 

13.3 Any notification under this Data Processing Agreement, including a Personal Data Breach  notification, will be delivered to one or more of the Licensee’s Contact Persons via email  possibly supplemented by any other means Strivecloud selects. Upon request of the Licensee,  Strivecloud shall provide the Licensee with an overview of the contact information of the  registered Licensee’s Contact Persons. It is Licensee’s sole responsibility to timely report any  changes in contact information and to ensure the Licensee’s Contact Persons maintain accurate  contact information. 

‍

14. TERM AND TERMINATION 

14.1 This Agreement enters into force on the date of its signing by all Parties and remains in force  until Processing of Personal Data by Strivecloud is no longer required in the framework of or  pursuant to the Agreement.

‍

ANNEX 3: DETAILS WITH REGARD TO THE PROCESSING OF PERSONAL DATA 

This Annex determines the subject matter, duration, nature and purpose of the processing, the types of  personal data and categories of data subjects and the retention period of the personal data. 

Types of personal data: 

- First and last name; 

- Birthdate; 

- Gender; 

- Address details; 

- E-mail address; 

- Data relating to data subject’s activity on StriveCloud’s digital services; 

- IP-addresses; 

- Web browser and device type; 

- Gamertag. 

Nature of the processing: 

- Personal data processing in the context of the functioning of the StriveCloud Software and the  proper (technical) operation and security thereof. 

Purpose of the processing by StriveCloud: 

- Functioning of the StriveCloud Software; 

- Providing the functionalities of the StriveCloud Software; 

- Account registration; 

- Communication with accounts; 

Duration of the processing and retention period of personal data: 

- The personal data are processed by StriveCloud during the term of these Terms. - The Licensee requests StriveCloud to store the personal data for a period of twelve months after  termination of these Terms. 

- In any case, personal data of a user will be deleted by StriveCloud after 1 year of inactivity on the  user’s account.

‍

ANNEX 4: LIST OF CURRENT SUB-PROCESSORS 

- Google: Google Cloud Platform 

(Hosting and location is always closest to customer location or on customer request) - Hetzner (Only for staging servers) 

- Pusher 

- Twilio (Sendgrid) 

All the following subprocessors are only active if the customer enables the functionality: 

- Google Analytics 

- Slack 

- Paymentsystems: CCV, Stripe, Mollie, Paypal, Tangerine, Fortumo - Gameservices like Dathost, Riot Games, Discord, Twitch, Playable - Venly

‍

ANNEX 5: SECURITY MEASURES 

This Annex contains an overview of the technical and organizational security measures that  StriveCloud will implement: 

Type of measure Description 

Roles and responsibilities 

All StriveCloud employees have elevated permissions, yet all data access is logged permanently. All StriveCloud employees are aware of the consequences of accessing data and applicable legislation. Security regulations are provided to all StriveCloud employees and included into  their employment contract. 

Pre-employment screening

All StriveCloud employees have gone through a background check  before employment. 

Password settings 

All passwords require at least 8 characters and can use the full range of  ASCII characters. Passwords never leave the Licensee’s systems without  being hashed. All stored passwords will be dynamically salted to prevent  decoding. Passwords are only resettable if the user has access to the email  address configured in the account. For admin accounts, other guidelines  are used. Authentication requires a 100-character personalized password  which is managed in LastPass. If any key would get lost (which has never  happened and is impossible using a key management solution), a new key  would be generated and shared with that single person using LastPass. 

Distribution of account name and password

Passwords are never sent by StriveCloud to a user. Administrators or users  with more access rights will only receive their keys using LastPass.

Password reset 

Password resets are managed by the password reset page, only the sent  email can prove your identity. Password resets for administrators or users  with more access rights have never happened before, if for any reason  they would happen a new secure 100 characters-randomized string will  be saved to the LastPass account of that 

employee/administrator.

Remote user access 

All access is remote, although without 2FA.

Remote site access 

All third parties we provide access to use a traced key of which all logs  can be followed to source IP addresses, so no missed traffic is possible.

Vulnerability scanning and patching 

All services are using containerized environments which use weekly  updates to ensure the latest security updates are being used.

Hardening 

Only proxy servers are able to connect to our cloud network. All other  traffic is blocked from the start. None of the services use default  passwords, instead they use Production environment passwords only  known and accessible by a single person. We do not use a CIS benchmark  yet do have all required firewalls and use ACL’s.

Malware protection 

No anti-virus is installed on our Linux servers. All latest security patches  are being used and monitored to ensure latest updates are being used. 

Logging and monitoring 

All logs are gathered and accessible up to 2 years in the past. Log data is  analyzed frequently. Strange/Unexpected behaviour is directly noted to  the development team as a notification.

Cryptography 

As per request all domains will be protected with a separate PKI certificate  instead of a wildcard certificate. Usually for a platform we deploy this  will exist out of 6 different keys which are stored securely in our cloud.

(Web and Mobile)  

Application Security

All Applications are reviewed before being published.

Identity and Access Management

All authentication is done by user and password. Each user has individual  access to the necessary parts of the application. All access rights are being  checked monthly to ensure no unwanted left behind keys/users.

Asset registration 

All our assets are tracked in the cloud to ensure direct contact to the  owner, access to their physical location and network location.

Change registration 

All deploys are done behind the screens in a test environment before  being published live. Larger and more time-consuming changes are done overnight after being approved.

Media cleaning 

All media is deleted by the Google Cloud (our server host) policy. More  info can be found here: https://cloud.google.com/security/deletion/

Correct date and time 

Our platforms allow different time zones/time settings. All times are  always checked, read and written on our servers.

Network segmentation and security zoning

None of our Cloud networks are interconnected except for certain clusters using a single port and transport communication protocol to  other zones of our infrastructure.

Applications sharing a platform

None of our applications share data except if requested by a client.

Software versions 

Only software versions must be used for the system that are supported by the supplier.

System Data backup 

Backups are made daily and stored for at least one month over a variety  of locations. Restores are tested weekly to ensure functionality.

Business Continuity Management

All processes enforced by StriveCloud are written down and easily transferable to ensure continuity.

Business Continuity Plans

All our environments are fully tested before deploys to ensure  functionality. Any updates which may have an impact on the experience  are performed outside of regular visitor hours and will not be noticed. If  any services are performed during daytime and a downtime is expected a  timely notice will be given.

Traffic data 

All traffic data is stored anonymously, this includes logs, billings, market analysis. It is not possible to link back traffic to a user.

Separating environments

We do use containerized clusters for our hosting, yet all licensees are  entirely separated of each other to ensure separation of data and networking.

Net Neutrality 

We never obstruct or delay services on purpose.

Cookies 

Licensees are being informed after signup about the installed cookies, further explanation is also provided in the policy.

Security Patches 

We will resolve all security vulnerabilities as soon as possible. A security update is performed within 3 days (at the latest) after we have been made aware.

Database protection 

Databases are protected by validating inputs, access is only given to other  servers for production environments and functions with large impact are  only able to be executed after an approval.1

‍