MASTER SERVICES
AGREEMENT

This MASTER SERVICES AGREEMENT (“Agreement”) is made as of the later of the Parties’ signatures below (“Effective Date”) by and between Kaptio Ltd., a company registered in England and Wales with registered office at 10 John Street, London, WC1N 2EB, UK (“Kaptio”) and [Customer] United Kingdom (“Customer”) (Kaptio and Customer each a “Party” and together the “Parties” hereto).

All capitalized terms not immediately defined herein are defined as set forth in Section 29 hereof.

The Services to which Customer shall subscribe and Customer’s payment obligations for the same shall be set forth in one or more Order Forms that shall be subject to the terms and conditions of this Agreement. As part of the Services, Kaptio may provide Customers with Kaptio’s on-demand services (including a browser interface and data encryption, transmission, access and storage) as shall be more particularly set forth in an Order Form. Upon Customer’s registration for or use of on-demand services, all such Customer activity shall be subject to this Agreement.

WHEREAS:

1. Kaptio develops certain software applications and platforms that it makes available to subscribers.

2. Customer offers and operates FIT rail tours worldwide.

3. Customer wishes to subscribe to certain Services from Kaptio for use in Customer’s business operations.

4. Kaptio is willing to provide the Services subject to the terms and conditions of this Agreement.

5. This Agreement incorporates by reference certain terms of the agreement between Kaptio and salesforce.com (“SFDC”), all as set forth in Section 12 and Schedule 2 hereof, and which shall also apply to Customer’s use of all Kaptio travel platform subscription services that are integrated with and/or built upon salesforce.com and/or force.com.

NOW THEREFORE, THE PARTIES AGREE AS FOLLOWS:

1. License Grant & Restrictions;

   1. Subject to Customer’s compliance with all of the terms and conditions set forth in this Agreement (including the payment obligations in Section 7), Kaptio grants to Customer a non-exclusive, non-transferable, revocable worldwide right and license to use the Services solely for Customer’s own internal business purposes as set forth herein.

   2. Customer may grant sublicenses to companies in which Customer, or any shareholder of the Customer, owns the majority of equity shares and/or voting rights (“Customer Affiliates”) without the prior written consent of Kaptio. Upon request by Kaptio, Customer will provide Kaptio with a list of all Customer Affiliates to which a sublicense has been granted, as well as the number of respective Users of such Customer Affiliates. Notwithstanding the foregoing, under no circumstances may Customer grant a sublicense or any other use or access rights to any direct or indirect competitor of Kaptio (as determined by Kaptio in good faith). Customer will be deemed to have contravened this Agreement if any Customer Affiliate takes any act (or omits to do any act) which, if taken or omitted by Customer, would have been a contravention of this Agreement by Customer.

   3. Customer and Customer Affiliates may no longer access the Services if the respective entity becomes a direct competitor of Kaptio (as determined by Kaptio in good faith), except with Kaptio’s written consent. In addition, Customer and Customer Affiliates may not access the Services for any benchmarking or competitive purposes.

   4. Except as may be allowed by any applicable law that is incapable of exclusion by agreement between the Parties, and except to the extent expressly permitted under this Agreement, Customer and Customer Affiliates shall not:

      1. license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Services or the Content thereof in any way;

      2. attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services or Content in any form or media or by any means;

      3. attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; or

      4. reverse engineer or access the Services in order to:

         1. build a competitive product or services,

         2. build a product using similar ideas, features, functions or graphics of the

      Services, or

      3. copy any ideas, features, functions or graphics of the Services.

   5. User licenses cannot be shared or used by more than one individual User, but may be reassigned from time to time to new Users who are replacing former Users who have terminated employment or otherwise changed job status or function and no longer use the Services.

   6. Customer and Customer Affiliates shall not:

      1. send spam or otherwise duplicative or unsolicited messages in violation of applicable laws;

      2. send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or material that violates any third party privacy rights;

      3. send or store material containing software viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs;

      4. interfere with or disrupt the integrity or performance of the Services or the data contained therein; or

      5. attempt to gain unauthorized access to the Services or its related systems or networks.

   7. All rights not expressly granted to Customer in this Section 1 are reserved by Kaptio and its licensors.

   8. As may be requested by Customer from time to time, Kaptio shall provide Professional Services (including Deliverables) in accordance with Schedule 1 attached hereto.

2. Intellectual Property Ownership

   1. Kaptio (and its licensors where applicable) owns and shall continue to own all right, title and interest, including all related Intellectual Property Rights, in and to the Kaptio Travel Solutions Technology, the Content, the Services (including any Deliverables provided in conjunction with Professional Services), and any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or Customer Affiliates or any other party relating to the Services.

   2. Nothing in this Agreement shall convey to Customer or Customer Affiliates any rights of ownership in or related to the Kaptio Travel Solutions Technology or the related Intellectual Property Rights. The Kaptio name, logo, and product names associated with the Services are all trademarks of Kaptio or its third-party affiliates, and no right or license is granted to use them. Notwithstanding the foregoing, upon Kaptio’s written consent (revocable at any time in Kaptio’s sole discretion), Customer is authorized to use Kaptio´s name and logo for marketing purposes.

3. Kaptio’s Responsibilities

   1. Subject to Customer complying with this Agreement (including performing its obligations and responsibilities set forth in Section 4), Kaptio shall use reasonable endeavours to provide the Services in accordance with this Agreement in all material respects.

   2. Kaptio shall use reasonable endeavours to comply with any additional responsibilities as may be set forth in an Order Form.

   3. Kaptio shall comply with reasonable instructions from, and otherwise reasonably cooperate with, Customer.

   4. Kaptio shall take industry-standard steps to ensure the Services are virus-free and do not introduce any viruses or malware into Customer’s environment.

   5. Kaptio shall not introduce any unlawful, obscene or discriminatory material into the Customer´s environment.

   6. Kaptio shall maintain all necessary licences and consents for the provision of the Services.

4. Customer’s Responsibilities

   1. Customer shall cooperate with Kaptio in all matters relating to the Services and appoint a Customer manager in relation to the Services, who shall have the authority to bind Customer on matters relating to the Services.

   2. Customer is responsible for all activity occurring under Customer’s and Customer Affiliates’ User accounts, and Customer shall ensure that Customer, Customer Affiliates, and their respective Users abide by all applicable local, state, national and foreign laws, treaties and regulations in connection with their use of the Services, including those related to data privacy (including all applicable Data Protection Laws), international communications, and the transmission of technical or personal data.

   3. Customer shall require that all Customer Affiliates comply with the conditions and restrictions of this Agreement pertaining to the Services.

   4. Customer shall (a) notify Kaptio immediately of any known or suspected unauthorized use of any password or account or any other breach of security; (b) report to Kaptio immediately and use reasonable efforts to immediately stop any known or suspected unauthorised copying or distribution of Content by Customer and Customer Affiliates and their Users; and (c) not impersonate another Kaptio user or provide false identity information to gain access to or use the Services.

   5. Customers shall ensure that all of Customer’s and Customer Affiliates’ outgoing email campaigns are compliant with anti-spam laws of their respective countries, including any applicable Data Protection Law.

   6. From and after the Effective Date of this Agreement and for a period of twelve (12) months thereafter, Customer shall not, without the prior written consent of Kaptio, solicit or entice away from Kaptio or employ or attempt to employ any person who is, or has been, engaged as an employee, consultant or subcontractor of Kaptio in the provision of the Services. As a compromise of liquidated damages and not as a penalty, unless otherwise agreed by the Parties, if Customer breaches this Section 4.6, Customer will be liable to pay Kaptio a sum equivalent to the greater of (a) 40% of the then current annual remuneration paid by Kaptio to that employee, consultant or subcontractor, or (b) 40% of the annual remuneration to be paid by Customer to that employee, consultant or subcontractor.

   7. From and after the Effective Date of this Agreement and for a period of twelve (12) months after the termination of this Agreement, Kaptio shall not, without the prior written consent of Customer, solicit or entice away from Customer or employ or attempt to employ any person who is, or has been, engaged as an employee, consultant or subcontractor of Customer. As a compromise of liquidated damages and not as a penalty, unless otherwise agreed by the Parties, if Kaptio breaches this Section 4.7, Kaptio will be liable to pay Customer a sum equivalent to the greater of (a) 40% of the then current annual remuneration paid by Customer to that employee, consultant or subcontractor, or (b) 40% of the annual remuneration to be paid by Kaptio to that employee, consultant or subcontractor.

   8. If Kaptio’s performance of its obligations under this Agreement is prevented or delayed by any act or omission of Customer, its agents, subcontractors, consultants or employees, Kaptio shall not be liable for any costs, charges or losses sustained or incurred by Customer that arise directly or indirectly from such prevention or delay.

5. Confidential Information and Privacy

   1. Without prejudice to any other confidentiality arrangements that may be agreed by the Parties from time to time, each Party receiving Confidential Information (“Receiving Party”) shall not at any time disclose to any person any Confidential Information of the other Party (“Disclosing Party”), except as permitted by Section 5.2.

   2. Each Receiving Party may disclose the Disclosing Party’s Confidential Information:

      1. to Receiving Party’s employees, officers, representatives or advisers who need to know such information for the purposes of exercising Receiving Party’s rights or carrying out its obligations in connection with this Agreement (with Receiving Party obliged to ensure that its employees, officers, representatives or advisers to whom it discloses Disclosing Party’s Confidential Information comply with this Section 5);

      2. as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority; or

      3. with the Disclosing Party’s prior written consent.

   3. Receiving Party shall not use Confidential Information for any purpose other than to exercise its rights and perform its obligations in connection with this Agreement.

   4. Termination or expiry of this Agreement shall not affect this Section 5, which shall survive indefinitely.

   5. The Parties will comply with any confidentiality obligations imposed upon them by any applicable Data Protection Law, and acknowledge that this Section 5 is in addition to, and does not relieve, remove or replace, either Party’s obligations or rights under any applicable Data Protection Law. Customer shall be the data controller of any personal data and shall ensure that it has all appropriate lawful basis for processing same, as well as notices in place to enable the lawful transfer of personal data to Kaptio for the duration and purposes of this Agreement.

   6. The Customer grants to Kaptio a right to use Customer’s trade name and trademarks and refer to Customer in reference to Company’s customer listings, case studies and other marketing documentation and activities relating to the Services.

6. Third Party Interactions

   1. During use of the Services, Customer and Customer Affiliates may voluntarily correspond with, purchase goods and/or services from, or participate in promotions by advertisers or sponsors showing their goods and/or services through the Services. Any such voluntary activity, and any terms, conditions, warranties or representations associated with such voluntary activity, is solely between Customer and the applicable third party, and Kaptio and its licensors shall have no liability, obligation or responsibility therefor.

   2. Kaptio does not endorse any sites on the Internet that are linked through the Services. Kaptio provides these links only as a matter of convenience, and in no event shall Kaptio or its licensors be responsible for any content, products, or other materials on or available from such sites.

7. Charges and Payment of Fees

   1. In consideration of the provision of the Services by Kaptio, Customer shall pay all fees and charges to Kaptio’s account in accordance with this Section 7 and any relevant Order Form.

   2. Except as set forth in Section 19 hereof, the annual subscription fees for the Services are non-cancellable and non-refundable. The aggregate number of User subscriptions, allowed passenger or online volume, and any other monthly proposals specified in an Order Form, cannot be decreased regardless of any termination, non-payment, non-use or other conduct or inaction.

   3. Kaptio will invoice Customer for all Services for the Initial Term and any renewal subscription terms as set forth in Section 8 hereof. Unless otherwise set forth in an Order Form, payment by Customer shall be made in advance, either annually or in accordance with any different billing frequency set forth in this Agreement, any relevant Order Form, and/or in the Schedules to this Agreement. Customer shall pay invoiced charges for the Services within fifteen (15) days of receipt of an invoice. Customer shall maintain complete and accurate billing and contact information in the Services.

   4. Added User licenses will be subject to the following:

      1. added licenses will be coterminous with the pre-existing License Term (either Initial Term or renewal term);

      2. the license fee for the added licenses will be the then current, generally applicable license fee; and

      3. licenses added in the middle of a billing month will be charged in full for that billing month.

   5. The prices specified in this agreement shall be subject to a 3% increase on the first anniversary of the date on which Go Live occurs (as agreed by the Parties) and applies to Kaptio Travel and Kaptio Pay.

   6. Kaptio reserves the right to review and increase its fees and charges to the extent specific third parties that provide services relevant to the Services increase fees and charges payable to them by Kaptio provided that (a) such increases are reasonable and proportionate to Customer’s share of the increased costs, and (b) Kaptio provides Customer with sufficient evidence of the increased third party costs. For the avoidance of doubt, this Section 7.6 shall not apply toward the three percent (3%) threshold in Section 7.5.

   7. All pricing terms are Confidential Information subject to Section 5 hereof.

8. Subscription Term, Billing and Renewal

   1. Kaptio shall provide the Services from the date agreed by the Parties in any particular Order Form, and if no such date has been agreed, then the date on which Kaptio first provides Services to Customer shall be deemed the Services start date for the purpose of this Agreement.

   2. Following the Initial Term, this Agreement and any existing Order Form will automatically renew for additional one (1) year periods (each a “Renewal Term”) unless terminated by either Party by providing written notice of non-renewal 60 days prior to the end of the then current subscription term.

   3. Kaptio charges and collects in advance for use of the Services. The renewal charge will be equal to the amount set forth on the then-current Order Form, plus the fee modifications according to Section 7.5, which shall be effective upon renewal and thereafter. Fees for other usage of the Services will be charged on an as-quoted basis. Kaptio’s fees are exclusive of all taxes, levies, or duties imposed by taxing authorities, and Customer shall be responsible for payment of all such taxes payable in connection with the provision of the Services to Customer.

   4. Customer shall provide Kaptio complete and accurate billing and contact information, including Customer’s legal company name, street address, e-mail address, and name and telephone number of an authorized billing contact and license administrator. Customer shall update this information immediately following any change to it.

   5. Customer will be billed in the currency stated on the relevant Order Form.

   6. In the case of free trials, notifications provided through the Services indicating the remaining number of days in the free trial shall constitute notice of termination.

9. Non-Payment and Suspension

   1. In addition to any other rights granted to Kaptio herein and under applicable law, Kaptio may suspend or terminate this Agreement and/or access to the Services as set forth in Section 9.2 below if Customer’s account falls into arrears, subject to Kaptio informing Customer of the impending suspension in writing (e-mail sufficient) with a final deadline for payment of thirty (30) calendar days from the date that the Customer’s account is overdue.

   2. Without prejudice to any other right or remedy that Kaptio may have, if Customer fails to pay Kaptio on the due date in accordance with Section 9.1:

      1. Customer shall pay interest on the overdue amount at the lesser of (i) the annual rate of 8% above the then current base rate of the Bank of England compounded monthly on any outstanding balance, or (ii) the maximum permitted by law, plus all expenses of collection (including attorney fees). Such interest shall accrue on a daily basis from the due date until payment of the overdue amount, whether before or after judgment. Customer will continue to be charged for User licenses during any period of suspension.

      2. Kaptio may suspend the Services until payment has been made in full.

      3. Kaptio may terminate this Agreement or any Order Form, subject to Section 9.3.

   3. All sums payable to Kaptio under this Agreement shall become due immediately upon its termination, despite any other provision herein to the contrary. Customer shall pay the balance due on Customer’s account computed in accordance with Section 7. The rights set forth in this Section 9.3 are without prejudice to any right to claim interest under the law, or any other such right under this Agreement.

   4. All amounts due under this Agreement shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).

10. Account Information and Customer Data

    1. At all times Customer and Customer Affiliates shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, propriety and ownership or right to use all Customer Data. Kaptio shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any Customer Data caused by Customer or Customer Affiliates.

    2. Except as set forth in any applicable Data Protection Law, Kaptio has no obligation to retain Customer Data, and Customer Data will be irretrievably deleted if Customer’s account is terminated in accordance with Sections 20.1 or 20.2 hereof.

    3. Except in respect of termination by Kaptio under Sections 20.1 or 20.2 (to which the provisions of this Section 10.3 shall not apply), if this Agreement is terminated for any reason or expires, Kaptio will make available to Customer a file of Customer’s Data within 30 days of such termination or expiration in a form reasonably acceptable to Customer and at no cost to Customer.

    4. Upon Customer’s request and at Customer’s sole expense (at Kaptio’s applicable rates quoted to Customer at the time of the request), Kaptio may provide termination support for such period as agreed by the Parties up to a maximum of six (6) months following termination, as follows:

       1. subject to Section 10.3, Kaptio shall submit an offer for consulting services with regard to migrating Customer Data to another service on a time and material basis;

       2. the Parties shall agree on a reduction of payable User Licenses to a minimum number of administrator licenses required for migration; and

       3. the Term hereof shall be renewed for short term usage in order to support migration and parallel usage with the new system.

    5. Both Parties will comply with all applicable requirements of applicable Data Protection Law and the data protection obligations contained in the Data Processing Addendum. The provisions of Schedule 3 are in addition to, and do not relieve, remove or replace a Party’s obligations or rights under any applicable Data Protection Law. For purposes of applicable Data Protection Law, Customer is the Controller and Kaptio is the Processor. Either Party may, at any time upon not less than 30 days’ notice, revise Schedule 3 by replacing it with any applicable or updated controller-to-processor standard clauses or similar terms adopted under applicable Data Protection Law or forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

11. [Reserved.]

12. Restrictions on Customer when using SFDC Services

    1. Licenses sold by Kaptio are restricted for access to the Services only. This Agreement incorporates by reference certain terms of the agreement between Kaptio and SFDC, as set forth in Schedule 2 hereto (“SFDC Service Agreement”), which terms also apply to Customer’s use of all Kaptio travel platform subscription services that are integrated with and/or built upon salesforce.com and/or force.com (salesforce.com and force.com collectively, “SFDC Services”). Customer’s ongoing use of the Services shall constitute Customer’s acceptance of any updated version of the SFDC Service Agreement that may be issued by SFDC from time to time.

    2. As required by the SFDC Service Agreement, prior to granting access to the Kaptio Travel Solutions Technology, Customer shall impose the terms and conditions of the SFDC Service Agreement on Customer Affiliates such that Kaptio and SFDC are third party beneficiaries.

13. Compliance with Laws and Policies

In performing their respective obligations under this Agreement, each Party shall comply with all applicable laws, statutes and regulations, including the UK Bribery Act 2010 and the US Foreign Corrupt Practices Act (to the extent that such legislation applies to the Party).

14. Warranties

Each Party warrants that it has the legal power to enter into this Agreement. Additionally Kaptio warrants that it owns or otherwise has sufficient rights in the Services to grant Customer the rights contained in this Agreement. EXCEPT AS EXPRESSLY PRO

VIDED HEREIN, KAPTIO MAKES NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW

15. Escrow

The Parties shall enter into a separate agreement for the provision of “Escrow Services” with such services to be provided to Customer based on an agreement between Kaptio and it’s “Escrow Agent”, the third party provider of such service. The order form for the services shall state the annual fees for such services and any establishment fees for the services on a time and material basis. The Services shall protect Customer by giving Customer the right to the access and use of the Source Code and certain other technical information and/or documentation related to the Kaptio Software and Customer Platform and all the tools, materials, computer programs, data and items which will enable the Customer or a third party to support and maintain the Customer Platform in the circumstances contemplated in the separate agreement (“Escrow Agreement”). The Customer explicitly acknowledges and agrees that any material (including Source Code) released to Customer by the Escrow Agent shall be solely for Customer’s own internal operational purposes, and not for resale to any third party or for running a back-end data processing operation for any third party

16. Indemnification

    1. Each Party (“Indemnitor”) shall defend and hold harmless the other Party (“Indemnitee”), its officers, directors and employees against any claim by a third party that the Indemnitee’s use of any information, design, specification, instruction, software, data or material furnished by the Indemnitor infringes any patent, copyright, trademark, database right or confidentiality right, and shall indemnify the Indemnitee for any amounts awarded in judgment or settlement of such claims, provided that (a) the Indemnitor is given prompt notice of any such claim; (b) the Indemnitee provides reasonable cooperation to the Indemnitor in the defense and settlement of such claim, at the Indemnitor´s expense; and (c) the Indemnitor has sole authority to defend or settle the claim.

    2. In the defense or settlement of any claim, Kaptio may (a) procure the right for the Customer to continue using the Services; (b) replace or modify the Services so that they become non-infringing; or (c) if such remedies are not reasonably available, terminate this agreement upon five (5) days’ notice to Customer and refund any prepaid fees for that portion of the Services not delivered. Any liability or damages in relation to an event under this clause shall be capped to a level of 12 months of subscription fees.

    3. In no event shall Kaptio or its employees, agents and sub-contractors (“Kaptio Parties”) be liable to Customer to the extent that any alleged infringement is based on (a) a modification of the Services or Content by anyone other than any Kaptio Party; (b) Customer’s use of the Services or Content in a manner contrary to the instructions given by any Kaptio Party; or (c) Customer’s use of the Services or Content after Customer has been notified of the alleged or actual infringement by Kaptio or any appropriate authority.

    4. The foregoing sets forth Kaptio’s (including any other Kaptio Party’s) sole liability and Customer’s sole and exclusive remedy for infringement of any patent, copyright, trademark, database right or confidentiality right.

17. Limitation of Liability

    1. Except as specifically provided elsewhere in this Agreement:

       1. Customer assumes sole responsibility for results obtained from its use of the Services and the Content, and for conclusions drawn from such use. Kaptio shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided by Customer in connection with the Services, or any actions taken by Kaptio at Customer’s direction;

       2. all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement; and

       3. the Services and the Content are provided to Customer on an “as is” basis.

    2. Nothing in this Agreement excludes the liability of either Party for (a) death or personal injury caused by negligence; or (b) fraud or fraudulent misrepresentation.

    3. Subject to Section 17.1 and Section 17.2:

       1. no Party shall be liable to the other, whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise, for any loss of profits, loss of business, depletion of goodwill and/or similar losses, deletion or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and

       2. each Party’s aggregate liability in contract (including in respect of the indemnity at Section 16 above), tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance of this Agreement shall be limited to the total subscription fees paid for the Services during the 12 months immediately preceding the date the claim arose.

18. Third Party Rights

Except as otherwise specifically set forth herein, this Agreement is for the sole benefit of the Parties and their successors and permitted assigns. There are no third party beneficiaries to this Agreement, except that SFDC shall be a third party beneficiary solely as it relates to the SFDC Service Agreement.

19. Force Majeure

    1. “Force Majeure Event” means any circumstance not within a Party’s reasonable control, including (without limitation) acts of God; flood, drought, earthquake or other natural disaster; epidemic or pandemic; terrorist attack, civil war, civil commotion or riot; war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or break in diplomatic relations; nuclear, chemical or biological contamination; any law or any action taken by a government or public authority, including imposing an export or import restriction, quota or prohibition; collapse of buildings, fire, explosion or accident; any labor or trade dispute, strikes, industrial action or lockouts (other than in each case by the Party seeking to rely on this Section 19, or companies in the same group as that Party); or interruption or failure of utility services (e.g., the SFDC platform or other critical function provided by either SFDC, or Google GCP services).

    2. Provided it has complied with Section 19.3 below, a Party prevented, hindered or delayed by a Force Majeure Event from fully performing any of its obligations hereunder (“Affected Party”) shall not be in breach of this Agreement or otherwise liable for any such failure or delay in the performance of such obligations. The time for performance of such obligations shall be extended for the duration of the Force Majeure Event, and the corresponding obligations of the other Party will be suspended, and time for performance of such obligations extended, to the same extent as those of the Affected Party.

    3. The Affected Party shall (a) as soon as reasonably practicable after the start of the Force Majeure Event but no later than five (5) days from its start, notify the other Party of the Force Majeure Event, the date on which it started, its likely or potential duration, and the effect of the Force Majeure Event on its ability to perform any of its obligations under this Agreement; and (b) use all reasonable endeavors to mitigate the effect of the Force Majeure Event on the performance of its obligations.

    4. If the Force Majeure Event prevents, hinders or delays the Affected Party’s performance of its obligations for a continuous period of more than ninety (90) days, the other Party may terminate this Agreement by giving five (5) days’ written notice to the Affected Party.

    5. Collaboration: Both Parties commit to working together during a Force Majeure Event, demonstrating a cooperative approach.

    6. Reasonable Efforts: The Parties are expected to make a genuine, but not excessive, attempt to address the challenges posed by any Force Majeure Event.

    7. Third-Party Involvement: The clause explicitly encourages collaboration with third-party suppliers to mitigate potential costs and disruptions.

    8. Both parties agree to remain open and flexible in exploring options for reducing user levels or scaling services, as necessary, to ensure the sustainability of their respective teams during a Force Majeure Event (including where the Force Majeure Event prevents or hinders the ability of Customer to receive the full benefit of this Agreement (including the Services)).

    9. Without limiting any other provision in this Section 19, in the event of a Force Majeure Event, the Parties will assess the number of affected passengers included in the monthly software license. For example, if 3,000 booked passengers are unable to travel due to a Force Majeure Event, the Parties will collaborate to adjust the financial terms accordingly. This may include reallocating costs to future seasons or extending the term of the license agreement to reflect the impact of that Force Majeure Event.

    10. Upon the cessation of the Force Majeure Event, both Parties will resume their obligations as outlined in the original terms of this Agreement.

20. Termination

    1. Without affecting any other right or remedy available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party if:

       1. the other Party commits a material breach of any term of this Agreement (which, for the avoidance of doubt, includes any material breach of any obligations in Schedule 4, any Order Form or any SOW) or the SFDC Service Agreement that is irremediable or, if such breach is remediable, fails to remedy it within 30 days after being notified in writing to do so;

       2. the other Party is deemed unable to pay its debts within the meaning of Section 123 of the United Kingdom Insolvency Act 1986 or Section 101 of the United States Bankruptcy Code (as each may be applicable);

       3. (i) the other Party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with any of its creditors; or (ii) a petition is filed, a notice is given, a resolution is passed, or an order is made, in connection with the winding up of that other Party; except in either case for the sole purpose of a scheme for a solvent amalgamation of that other Party with one or more other companies or the solvent reconstruction of that other Party;

       4. an application is made to court by the other Party, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other Party;

       5. the holder of a qualifying floating charge over the assets of that other Party has become entitled to appoint or has appointed an administrative receiver;

       6. a person becomes entitled to appoint a receiver, or a receiver is appointed, over all or any of the assets of the other Party;

       7. a creditor or encumbrancer of the other Party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other Party’s assets and such attachment or process is not discharged within 14 days;

       8. any event occurs or proceeding is taken with respect to the other Party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events set forth in sub-Section 20.1(c) to Section 20.1(g); or

       9. the other Party threatens to or actually suspends or ceases carrying on all or a substantial part of its business.

    2. Any (a) breach of Customer’s payment obligations or (b) unauthorized use of the Kaptio Travel Solutions Technology or the Services, shall constitute a material breach of this Agreement following which Kaptio may (without prejudice to any other right or remedy) (i) immediately terminate User passwords, accounts or otherwise suspend use of the Services, or (ii) terminate this Agreement with immediate effect by giving written notice to Customer. Kaptio may terminate a free account at any time in its sole discretion.

    3. Without affecting any other right or remedy available to it, the Customer may terminate any Order Form and/or the Agreement by giving not less than six (6) months’ written notice to Kaptio if there is a change of control (within the meaning of section 1124 of the Corporation Tax Act 2010) of Kaptio which results in Kaptio being controlled by a Trade Buyer.

    4. Should any actual or proposed change in control (within the meaning of section 1124 of the Corporation Tax Act 2010) or business purpose of Customer result or potentially result, in Kaptio´s reasonable opinion, in Customer becoming a direct competitor of Kaptio, then Kaptio shall be entitled to terminate the Agreement for cause immediately upon written notice.

    5. On termination or expiry of this Agreement, the following Sections shall continue in force: Section 2 (Intellectual Property Ownership), Section 5 (Confidential Information and Privacy), Section 17 (Limitation of Liability), Section 23 (Conflict), Section 28 (Governing Law and Jurisdiction), together with any other provisions that expressly or by implication are intended to survive the termination or expiry of this Agreement.

21. Notices

    1. Notices shall be delivered to the other Party’s project manager or to the first address listed in the applicable Order Form (if to Customer) or to Kaptio’s address on the Order Form (if to Kaptio) (“Notice Address”).

    2. Any notice or other communication given to a Party in connection with this Agreement shall be in writing and shall be delivered by courier with tracking number service at the Notice Address. Any notice or communication shall be effective upon receipt as indicated by the courier tracking number and/or recipient signature.

    3. Notwithstanding the foregoing, the service of any formal legal proceedings or any documents in any legal action (including, when applicable, any arbitration or other method of dispute resolution) commenced in the courts of the Governing Jurisdiction (as defined in Section 28) shall be served on the Parties as follows:

       1. In the case of Kaptio, Oury Clark Solicitors of 10 John Street, London, WC1N 2EB are appointed as its agent for the receipt of service; and

       2. In the case of Customer, to its registered address.

22. Waiver

    1. A waiver of any right or remedy under this Agreement or by law is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default.

    2. A failure or delay by a Party to exercise any right or remedy provided under this Agreement or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under this Agreement or by law shall prevent or restrict the further exercise of that or any other right or remedy.

23. Conflict

This Agreement shall apply to the exclusion of any other terms that Customer seeks to impose or incorporate, or which are implied by trade, custom, practice or course of dealing. To the extent of any conflict or inconsistency between the provisions in the body of this Agreement and any schedule hereto and any Order Form, the terms of the body of this Agreement shall prevail, followed by the Order Form, followed by the schedule.

24. Required Modification to Terms

Kaptio reserves the right to modify this Agreement or its policies relating to the Services at any time that SFDC modifies its terms and conditions for the SFDC Platform and/or the SFDC Services either generally in the market or specifically towards Kaptio, and such modification by SFDC requires Kaptio to modify the Services and/or the respective terms and conditions vis-à-vis Customer.

25. Severability

    1. If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, such shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this Section 25 shall not affect the validity and enforceability of the rest of this Agreement.

    2. If any provision or part-provision of this Agreement is invalid, illegal or unenforceable, the Parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable and, to the greatest extent possible, achieves the intended commercial result of the original provision.

26. Assignment and Other Dealings

    1. This Agreement is personal to each Party. Subject to clause 26.2, a Party shall not assign, transfer, mortgage, charge, subcontract, declare a trust over or deal in any other manner with any of its rights and obligations under this Agreement without the written approval of the other Party.

    2. Notwithstanding clause 26.1, the Parties acknowledge and agree that this Agreement may be assigned by Kaptio to a parent or subsidiary of Kaptio without Customer’s consent.

    3. Any purported assignment in violation of this Section 26 shall be void.

27. Dispute Resolution Procedure

    1. The Parties shall attempt to resolve any dispute relating to this Agreement through negotiations between senior executives who have authority to settle the issue.

    2. If the matter is not resolved by negotiation within 14 days of receipt of a written ‘invitation to negotiate, the Parties shall enter into mediation to settle such a dispute and will do so in accordance with Centre for Effective Dispute Resolution (CEDR) Model Mediation Procedure. Unless otherwise agreed between the Parties within 14 days of notice of the dispute, the mediator will be nominated by CEDR. To initiate the mediation a Party must give notice in writing (“ADR notice”) to the other Party referring the dispute to mediation. A copy of the referral should be sent to CEDR.

    3. The mediation will start not later than 30 days after the date of the ADR Notice. The commencement of a mediation will not prevent the Parties commencing court proceedings where a delay in such commencement would materially prejudice a Party’s position.

    4. If the matter is not resolved by mediation, the Parties shall be free to pursue a resolution by any other means.

28. Governing Law and Jurisdiction

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales (“Governing Jurisdiction”). Each Party irrevocably agrees that the courts of the Governing Jurisdiction shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising in connection with this Agreement or its subject matter or formation.

29. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement, Order Forms, and any schedule to this Agreement now or hereafter associated herewith:

“Affiliate”, in relation to a person, means a parent company or subsidiary of that person.

“Confidential Information” means all confidential or proprietary information disclosed orally or in writing by one Party to the other that is identified as confidential or whose confidential nature is reasonably apparent. Confidential Information shall not include information that (a) is or becomes a part of the public domain through no fault of the receiving Party; (b) was in the receiving Party’s lawful possession prior to the disclosure; (c) is lawfully disclosed to the receiving Party without restriction on disclosure or any breach of confidence; (d) is independently developed by the receiving Party; or (e) is required to be disclosed by law.

“Content” means the audio and visual information, documents, software, products and services contained or made available by Kaptio to Customer or Customer Affiliates in the course of using the Services.

“Customer Data” means any data, information or material provided or submitted by Customer and Customer Affiliates to the Services in the course of using the Services.

“Data Processing Addendum” means the document appended as Schedule 3 to this Agreement that sets out the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined therein) associated with the Services.

“Data Protection Law” means all laws, regulations, legislative and regulatory requirements, and codes of practice applicable to the processing of personal data in connection with this Agreement.

“Deliverable” means the work product, reports, data, milestones, and customizations, deliverables or other items developed, generated, created or otherwise delivered by Kaptio in connection with any Professional Services.

“Initial Term” means the initial period as set forth in the first Order Form;

“Intellectual Property Rights” means unpatented inventions, patent applications, patents, design rights, copyrights, trademarks, service marks, trade names, domain name rights, mask work rights, know-how and other trade secret rights, and all other intellectual property rights, derivatives thereof, and forms of protection of a similar nature anywhere in the world;

“Kaptio Travel Solutions Technology” means all of Kaptio’s proprietary technology (including software, hardware, products, processes, algorithms, user interfaces, know-how, techniques, designs and other tangible or intangible technical material or information) made available to Customer by Kaptio in providing the Services;

“License Term” means the period between order start date and end date as set forth in the relevant Order Form.

“Order Form” means a written order completed by Customer for Kaptio’s provision of Services setting out, amongst other things, the specific scope of Services; the number of Users; the Services Start Date and any other terms specifically associated with the Services to be provided by Kaptio in conjunction with, and subject to, this Agreement.

“Professional Services” means consulting, development, implementation, integration, training, and/or other professional services to be provided by Kaptio as identified in any applicable Order Form, SOW, or other agreement between the Parties.

“Services” means the Software (see description at https://docs.kaptioapis.com/platform-overview/-/Overview) and any Professional Services ordered by the Customer via an Order Form or a SOW.

“SOW” means a written statement of work completed by the Parties for Kaptio’s provision of Professional Services (including any Deliverables), and setting out any terms specifically associated with the Professional Services to be provided.

“Trade Buyer” means any organisation that sells, or that has an Affiliate that sells, one or more Travel Products directly to consumers.

“Travel Products” means group tours and packaged holidays,

“User” means each of Customer’s and Customer Affiliates’ employees, representatives, consultants, contractors or agents who are authorized to use the Services and have been supplied user identifications and passwords by Customer (or by Kaptio at Customer’s request).

30. Entire Agreement

    1. This Agreement (inclusive of any schedules or Order Form entered into by the Parties from time to time and any documents or materials referred to in this Agreement) constitutes the entire agreement between the Parties with respect to the subject matter hereof, and supersedes and extinguishes all prior and contemporaneous agreements, proposals, representations, promises, assurances, warranties and understandings between them (whether written or verbal), concerning its subject matter.

    2. Each Party agrees that it shall have no remedies and no claim in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set forth in this Agreement.

Signed by Steini Helgason _____________________________ ____________

for and on behalf of Kaptio Limited Chief Financial Officer Date

Signed by Kerry Jenkin ___________________________ _____________

for and on behalf of customer Date

CUSTOMER

Professional Services Supplemental Terms

1. Statements of Work. The Professional Services to be performed and Deliverables to be provided by Kaptio for Customer (“Work”) shall be set forth in a Statement of Work (“SOW”) executed by the Parties, which shall be governed by this Agreement. A sample form of SOW is attached as Exhibit A to this Schedule 1. Kaptio shall provide to Customer all Work, including all labour, deliverables, materials, and other resources incidental to the Professional Services, necessary to provide and perform the requirements set forth in a SOW. Each SOW shall contain the following information at minimum: (a) the term of the SOW, (b) detailed description of the Work to be delivered, including any necessary collaboration or cooperation by Customer; and (c) all fees and expenses, including any SOW-specific payment terms.

2. Change Control Process. Changes to the Work shall be subject to the mutual agreement of the Parties. Within thirty (30) days of receiving notice from Customer of a proposed change, Kaptio shall provide Customer with a written statement of the estimated hours required (or fixed price if requested by Customer) to complete the change and any proposed price increase or decrease that would result from the proposed change. Upon execution by both Parties of an amended SOW, Kaptio shall proceed in accordance with the change.

3. [Reserved.]

4. Inspection; Acceptance and Rejection. The SOW shall set forth any agreed testing and inspection requirements, including iterative collaboration between the Parties as related to the development, implementation, and maintenance of the Software or Private App (whether deployed in test or production environments), including new features thereof (“Acceptance Testing”).
a. Acceptance Criteria. Kaptio shall ensure that all Work: (i) conforms to applicable specifications set forth in the SOW; and (ii) satisfies any end-to-end system testing, user acceptance testing, and unit testing, all as may be set forth in the SOW (collectively, the “Acceptance Criteria”).
b. Required Training. Kaptio shall provide Customer with training and assistance as set forth in the SOW.
c. Non-Acceptance. At any time during the ten (10) day period following Customer’s receipt of the Work and any required training (“Acceptance Period”), Customer may notify Kaptio in writing that the Work fails to meet the Acceptance Criteria and specifying Customer’s basis for such notice. Kaptio shall promptly use best efforts to correct the deficiencies (“Corrected Work”) within no more than thirty (30) days from the notification or such other period as the Parties may agree. All Corrected Work shall be subject to Acceptance Testing.
d. Default Acceptance. Customer’s operation or use of the Work, other than for Acceptance Testing, shall be deemed to be Customer’s acceptance.

5. Kaptio Staff.
a. Staff. Kaptio shall have the right to determine which of its employees, agents, representatives or subcontractors (“Staff”) shall be assigned to perform the Work under a SOW; provided, however, that subject to scheduling and staffing considerations, Kaptio shall use commercially reasonable efforts to fulfill Customer’s request for specific individuals.
b. Removal and Replacement of Personnel. Upon written notice from Customer specifying, in Customer’s good faith belief, the reasons that a member of Kaptio’s Staff should be removed from performance of the Work, and except as prohibited by law, Kaptio shall promptly remove and replace such individual with a different individual of comparable qualifications.

6. Access to Facilities. Kaptio shall have access to Customer facilities as necessary for Kaptio to perform the Work, subject to Kaptio’s compliance with Customer’s reasonable security, safety and other rules, regulations and procedures.

7. Effect of Termination. Upon termination or expiration of any SOW, Kaptio shall deliver to Customer all work in process, drafts, and other materials developed and paid for in connection with the Professional Services.

Exhibit A
Form of Statement of Work

This Statement of Work (“**SOW**”) is made as of \_\_\_\_\_\_\_\_\_\_\_\_ (“**SOW Effective Date**”) by and between Kaptio Ltd., a company registered in England and Wales with registered office at 10 John Street, London, WC1N 2EB, UK (“**Kaptio**”) and \[Customer AND ADDRESS (“**Customer**”) (Kaptio and Customer each referred a “**Party**” and collectively the “**Parties**” hereto).  This SOW is governed by the provisions of the Master Services Agreement previously executed by the Parties and dated as of \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ (“**Agreement**”). Capitalized terms used in this SOW not defined herein have the meanings ascribed to them in the Agreement. 

1. SOW Term. The term of this SOW shall commence as of __________ and expire on ___________, unless earlier terminated pursuant to Section 20 (Termination) of the Agreement.
2. Description of Professional Services. [Description of Professional Services, including any training to be performed by Kaptio.]
3. Deliverables. [Detailed description of the Deliverables provided pursuant to this SOW.]
4. [Reserved]
5. Schedule. The Professional Services to be provided shall commence on _________ and shall be completed not later than ___________. [Include milestones, project plans, and delivery dates.]
6. Acceptance Criteria. [Include testing procedures and quality standards or specifications, acceptance criteria, testing plans, etc.]
7. Fees. [Description of Fees.]
8. Training. [Detailed list of required training to be provided to Customer by Kaptio.]
9. [Reserved]
10. Additional Terms and Conditions.

IN WITNESS WHEREOF, the Parties have executed this SOW as of the SOW Effective Date.

KAPTIO LIMITED CUSTOMER

Signature: Signature:

Printed Name: Printed Name:

Title: Title:

Salesforce Service Agreement

Customer agrees to the following provisions of the SFDC Service Agreement which shall take effect between Kaptio Travel Solutions and Customer as well as between Customer and SFDC, which shall be a third party beneficiary. Prior to granting access to the Kaptio Travel Solutions On-Demand Service, Customer shall impose the terms and conditions of the SFDC Service Agreement also on Customer Affiliates in a way that Kaptio Travel Solutions and SFDC are third party beneficiaries. For the purpose of clarification: The termination right pursuant to Section 6 hereunder shall be interpreted as a termination right on the part of SFDC but not as a termination right of Kaptio Travel Solutions. The SFDC Service Agreement only applies to customers who are direct customers of Kaptio Travel Solutions and have purchased all licenses including the Force.com Platform Embedded Edition licenses from Kaptio Travel Solutions. Customers who have purchased Force.com Platform or CRM licenses from Salesforce.com directly come under the Salesforce.com Master Service Agreement which can be found on the Salesforce.com website.

“AppExchange” means the online directory of on- demand applications that work with the Service, located at http://www.appexchange.com or at any successor websites.

“Reseller” means Kaptio Ltd. and its subsidiaries.

“Reseller Application” means the Kaptio Travel Solutions On-Demand Service

“Service” means the online, Web-based platform service provided by SFDC to Reseller in connection with Reseller’s provision of the Reseller Application to Customer.

“SFDC CRM Service” means the online, Web-based application and platform service generally made available to the public via http://www.salesforce.com and/or other designated websites, including associated offline components but excluding AppExchange applications.

“SFDC” means salesforce.com.

“Users” means Customer’s employees, representatives, consultants, contractors or agents who are authorized to use the Service subject to the terms of this SFDC Service Agreement as a result of a subscription to the Reseller Application having been purchased for such User, and have been supplied user identifications and passwords by Customer (or by Salesforce.com or Reseller at Your request).

“You” and “Your” means customer which has contracted to purchase subscriptions to use the Reseller Application subject to the conditions of this SFDC Service Agreement, together with any other terms required by Reseller.

“Your Data” means all electronic data or information submitted by Customer as and to the extent it resides in the Service.

1. Use of Service**.**

   1. Each User subscription to the Reseller Application shall entitle one User to use the Service via the Reseller Application, subject to the terms of this SFDC Service Agreement, together with any other terms required by Reseller. User subscriptions cannot be shared or used by more than one User (but may be reassigned from time to time to new Users who are replacing former Users who have terminated employment with Customer or otherwise changed job status or function and no longer require use of the Service). For clarity, Customer’s license to use the Service hereunder does not include a license to use the SFDC CRM Service. If Customer wishes to use the SFDC CRM Service or any of its functionalities or services it must, visit www.salesforce.com to contract directly with SFDC for such services. In the event Customer access to the Reseller Application provides Customer with access to the SFDC CRM Service generally or access to any SFDC CRM Service functionality within it that is in excess to the functionality described in the Reseller Application’s user guide, and Customer has not separately subscribed under a written contract with SFDC for such access, then Customer agrees to not access and use such functionality, and Customer agrees that its use of such functionality would be a material breach of this Agreement.

      2. Notwithstanding any access Customer may have to the Service via the Reseller Application, Reseller is the sole Indemnitor of the Reseller Application and Customer is entering into a contractual relationship solely with Reseller. In the event that Reseller ceases operations or otherwise ceases or fails to provide the Reseller Application, SFDC has no obligation to provide the Reseller Application or to refund Customer any fees paid by Customer to Reseller. Customer

         (i) is responsible for all activities occurring under Customer User accounts;

         (ii) are responsible for the content of all Your Data; shall use commercially reasonable efforts to prevent unauthorized access to, or use of, the Service,

         (iii) and shall notify Reseller or Salesforce.com promptly of any such unauthorized use it becomes aware of; and

         (iv) shall comply with all applicable local, state, federal and foreign laws and regulations in using the Services.

      (d) Customer shall use the Service solely for its internal business purposes and shall not:

      (i) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Service available to any third party, other than to Users or as otherwise contemplated by this SFDC Service Agreement;

2. send spam or otherwise duplicative or unsolicited messages in violation of applicable laws;

3. send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material that is harmful to children or violates third party privacy rights;

4. send or store viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs;

5. interfere with or disrupt the integrity or performance of the Service or the data contained therein; or

6. attempt to gain unauthorized access to the Service or its related systems or networks.

   (e) Customer shall not (i) modify, copy or create derivative works based on the Service; (ii) frame or mirror any content forming part of the Service, other than on its own intranets or otherwise for its own internal business purposes; (iii) reverse engineer the Service; or (iv) access the Service in order to (A) build a competitive product or service, or (B) copy any ideas, features, functions or graphics of the Service.

2. Third-Party Indemnitors.

Reseller and other third-party Indemnitors, some of which may be listed on pages within SFDC’s website and including Indemnitors of AppExchange applications, offer products and services related to the Service, the SFDC CRM Service, and/or the Reseller Application, including implementation, customization and other consulting services related to customers’ use of the Service and/or the SFDC CRM Service, and applications (both offline and online) that interoperate with the Service, SFDC CRM Service, and/or the Reseller Application, such as by exchanging data with the Service, the SFDC CRM Service, and/or the Reseller Application, or by offering additional functionality within the user interface of the Service, the SFDC CRM Service, and/or the Reseller Application through use of the Service and/or SFDC CRM Service’s application programming interface. SFDC does not warrant any such third-party Indemnitors or any of their products or services, including but not limited to the Reseller Application or any other product or service of Reseller, whether or not such products or services are designated by SFDC as “certified,” “validated” or otherwise. Any exchange of data or other interaction between Customer and a third-party Indemnitor, including but not limited to the Reseller Application, and any purchase by Customer of any product or service offered by such third-party Indemnitor, including but not limited to the Reseller Application, is solely between Customer and such third-party Indemnitor. In addition, from time to time, certain additional functionality (not defined as part of the Service) may be offered by SFDC or Reseller to Customer, for an additional fee, on a pass-through or OEM basis pursuant to terms specified by the licensor and agreed to by Customer in connection with a separate purchase by Customer of such additional functionality. Customer’s use of any such additional functionality shall be governed by such terms, which shall prevail in the event of any inconsistency with the terms of this SFDC Service Agreement.

3. Proprietary Rights.

Subject to the limited rights expressly granted hereunder, SFDC reserves all rights, title and interest in and to the Service, including all related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth in this SFDC Service Agreement. The Service is deemed SFDC Confidential Information, and Customer will not use it or disclose it to any third party except as permitted in this SFDC Service Agreement.

4. Compelled Disclosure.

If either Customer or SFDC is compelled by law to disclose Confidential Information of the other party, it shall provide the other party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the other party’s cost, if the other party wishes to contest the disclosure.

5. Suggestions.

Customer agrees that SFDC shall have a royalty-free, worldwide, transferable, sub-licenseable, irrevocable, perpetual license to use or incorporate into any SFDC products or services any suggestions, enhancement requests, recommendations or other feedback provided by Customer or Customer’s Users relating to the operation of the Service and/or the SFDC CRM Service.

6. Termination.

Customer’s use of the Service may be immediately terminated and/or suspended upon notice due to (a) a breach of the terms of this SFDC Service Agreement by Customer or any User, that is either (i) deemed to be irretrievable by Reseller and/or SFDC, or (ii) where such breach is capable of remedy has not been remedied within 14 days of notice, (b) the termination or expiration of Reseller’s agreement with SFDC pursuant to which Reseller is providing the Service as part of the Reseller Application to You, and/or (c) a breach by Reseller of its obligations to SFDC with respect to the licenses it is providing to You in connection with this SFDC Service Agreement. For the avoidance of doubt this provision shall have no impact on Reseller`s obligations arising out of the Master Service Agreement between Reseller and Customer, except the use of the Service is terminated and/or suspended upon notice due to a breach of the terms of this SFDC Service Agreement by You or any User.

7. Subscriptions Non-Cancellable.

Subscriptions for the Service are non-cancellable during a subscription term, unless otherwise specified in Customer’s agreement with Reseller.

8. Data Storage.

The Service includes a certain cumulative amount of storage per User subscription for no additional charge as indicated by Reseller. Additional storage may be available for purchase from the Reseller.

9. No Warranty.

Salesforce.com makes no warranties of any kind, including but not limited to with respect to the service, the SFDC CRM service, and/or the reseller application, whether express, implied, statutory or otherwise. Salesforce.com makes no representation, warranty, or guarantee as to the reliability, timeliness, quality, suitability, availability, accuracy or completeness of the reseller application. Salesforce.com does not represent or warrant that

(a) the reseller application will be available, secure, timely, uninterrupted or error free or operate in combination with the salesforce.com service or any other application, software, hardware, system or data,

(b) the reseller application or the service will meet your requirements or expectations,

(c) any data stored using the reseller application will be accurate, reliable, or secure,

(d) errors or defects in reseller application or the service will be corrected, or

(e) the reseller application or the systems used by reseller to make reseller application available are free of viruses or other harmful components. The service is provided strictly on an “as is” basis. To the maximum extent permitted by law, salesforce.com disclaims all conditions, representations and warranties, whether express, implied, statutory or otherwise, with respect to reseller application and the service, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, or non-infringement of third party rights.

10. No liability.

In no event shall SFDC have any liability to you or any user for any damages , including but not limited to direct, indirect, special, incidental, punitive, or consequential damages, or damages based on lost profits, however caused and, whether in contract, tort or under any other theory of liability, whether or not you have been advised of the possibility of such damages.

11. Further Contact.

SFDC may contact Customer regarding new SFDC service features and offerings.

12. Google Programs and Services.

Service features that interoperate with the Google programs and services depend on the continuing availability of applicable Google application programming interfaces (“APIs”) and programs for use with the Service. If Google Inc. ceases to make such APIs and/or programs available on reasonable terms for the Service, SFDC may cease providing such Service features without entitling You or Reseller to any refund, credit, or other compensation.

13. Third Party Beneficiary.

SFDC shall be a third party beneficiary to this Agreement between Customer and Reseller solely as it relates to this SFDC Service Agreement.

14. Governance

This SFDC Service Agreement will be governed exclusively by, and construed exclusively in accordance with, the laws of England, without regard to its conflict of law provisions.

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 29(3) and (4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29 (3) and (4) Regulation (EU) 2018/1725.

(c) These Clauses apply to the processing of personal data as specified in Annex II.

(d) Annexes I to IV are an integral part of the Clauses.

(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2

Invariability of the Clauses

(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.

(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3

Interpretation

(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.

(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5

Docking Clause

(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.

(b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.

(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 6

Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7

Obligations of the Parties

7.1. Instructions

(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.

(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.

7.2. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

7.4. Security of processing

(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.

(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.

(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors

(a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.

(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.

(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.

(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers

(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.

(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8

Assistance to the controller

(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorized to do so by the controller.

(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions

(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:

(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;

(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;

(3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;

(4) the obligations in Articles 33, 36 to 38 Regulation (EU) 2018/1725.

(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9

Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.

9.1 Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

(b) in obtaining the following information which, pursuant to Article 34(3) Regulation (EU) 2018/1725, shall be stated in the controller’s notification, and must at least include:

(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(2) the likely consequences of the personal data breach;

(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(c) in complying, pursuant to Article 35 Regulation (EU) 2018/1725, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

(b) the details of a contact point where more information concerning the personal data breach can be obtained;

(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 34 and 35 of Regulation (EU) 2018/1725.

SECTION III – FINAL PROVISIONS

Clause 10

Non-compliance with the Clauses and termination

(a) Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.

(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:

(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;

(2) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;

(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.

(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I LIST OF PARTIES

Controller:

Name

Company Number:

Address:

Contact person’s name:

Position and contact details:

Signature and accession date:

Processor:

Name: Kaptio Limited

Company number: 10399216

Address: 10 John Street, London, WC1N 2EB, United Kingdom

Contact person’s name: Steingrímur Helgason

Position and contact details: CFO, steingrimur@kaptio.com

Signature and accession date:

ANNEX II: DESCRIPTION OF THE PROCESSING

Categories of data subjects whose personal data is processed: Customers

Categories of personal data processed: General personal data e.g. name and address, family circumstances, residence, car, phone number, date of birth,

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No special category data processed.

Nature of the processing

Collection, storing, alteration, adaptation, retrieval, disclosure by transmission, combination, restriction, erasure of personal data.

Purpose(s) for which the personal data is processed on behalf of the controller

Provision by the processor of a customer relationship management system for the controller.

Duration of the processing

From the effective dates of the Master Subscription and Master Services agreements between the Parties until termination of said agreements.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

The nature of the data processing is different between individual sub-processor, this includes collecting, storing, altering, adopting, retrieving, disclose by transmission, combine, restrict, erasure of personal data. The duration of the processing by sub-processors is from the effective dates of the Master Subscription and Master Services agreements between the processor and controller until termination of said agreements.

Sub-processors include: Salesforce.com - Amazon Web Service - Google Cloud Platform – Heroku – Cloudinary – Sengrid – Elastic – Loggly – NewRelic.

ANNEX III TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 **Overview**  

Kaptio is a Salesforce AppExchange partner that offers technology components built on the Salesforce Platform and APIs and infrastructure run on Heroku & Google.

The combined Kaptio and Salesforce solution acts as a Processor. We act upon instructions of the controller but we are also responsible for privacy compliance. For the Salesforce platform, the following measures that Salesforce has taken as a Data Processor can be accessed here: https://compliance.salesforce.com/en/gdpr

Overview of Measures

Area	Measure
Pseudonymisation and encryption of personal data	Salesforce has robust security and privacy programs in place that meet the highest standards in the industry. Personally Identifiable Information (“PII”) comprising title, first and last name, email and phone number is obfuscated within the booking journey at the creation of reservation stage and stored in this state in the logging database. PII is NOT transferred in any form where analytic data is passed to the Kaptio data lake (Elastic). In certain circumstances, for operational purposes only, PII is stored in a Java Script object that is required during the booking process with a 3rd party supplier (aggregators). Kaptio has a task in the development backlog to encrypt the Java Script object when it is stored and decrypt when required.
Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	The Salesforce Services are operated in a multi-tenant architecture that is designed to segregate and restrict access to Customer Data based on business needs. The architecture provides an effective, logical data separation for different customers via customer-specific unique identifiers and allows customers and users role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions. Data is only processed as instructed by the customer throughout the entire chain of processing activities by Salesforce and it’s sub-processors
Ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Salesforce backs up each customer environment and data can be restored from these environments There is no logging database backup in place as this data is not critical for audit purposes but is very valuable for support and issue identification on a case by case basis.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing	Data protection is at the top of mind of Kaptio´s officers and employees and we are constantly refining our technical and organisational measures. We have a privacy policy for our employees that is updated regularly and is part of the employee handbook. Furthermore, when we take on a new client or if the processing is altered we conduct a Data Protection Impact Assessment to negate risks and comply with the GDPR.
User identification and authorisation	Different levels of user access can be assigned to a customer’s users. The Salesforce Service also allows customers to assign permissions based on a user’s role. All Salesforce users require a unique username and password. Two factor authentication is also available and Kaptio recommends it is enabled for all users. The password rotation policy is configurable within the Salesforce environment Any user accessing Salesforce is recorded Kaptio currently utilises token-based authentication to access the logging databases
The protection of data during transmission	Data transmission within the Salesforce environment and communication with the Kaptio multi-tenanted service is via Hypertext Transfer Protocol Secure. Kaptio IP addresses are in many cases whitelisted by the 3rd party suppliers but this is dependent on the 3rd party supplier API requirements / operational constraints.
The protection of data during storage	Protections for Personal Data are described in the customers contract with Salesforce, namely; (i) the Master Subscription Agreement, and (ii) the Data Processing Addendum. For GCP / Heroku hosted services PII is programmatically obfuscated by Kaptio software during the create reservation phase of the booking process and all steps thereafter.
Ensuring physical security of locations at which personal data are processed	Kaptio products and services are all managed by 3rd parties and cloud-hosted, therefore the physical security for these sites is managed by others e.g. Salesforce and Google
Ensuring events logging	Salesforce provides us with the necessary event logging and audit trails from a system of record perspective. Kaptio has also put in place an event logging system for API consumptions where PII data is obfuscated.
Ensuring system configuration, including default configuration	Salesforce provides us with the necessary backup and audit trails for configurational data. This is also where the API configuration is managed.
Internal IT and IT security governance and management	The Salesforce Data Processing Addendum contains a contractual commitment by Salesforce that its personnel may access PII only in accordance with customers’ documented instructions for specific purposes.
Certification/assurance of processes and products	No specific certification has been conducted.
Ensuring data minimisation	Only data essential to the normal commercial operation for customer is logged. Customers can, at their own discretion, create additional data fields and store extended information the type of which can´t be controlled by Kaptio.
Ensuring data quality	As part of our Salesforce solution, we have put in data validation and data integrity checks to ensure that our databases contain normalised and consistent data sets. However, the majority of the data quality and governance is sitting with our customers.
Ensuring limited data retention	Customers choose how long to retain customer data, including PII, in the Salesforce Services. Unless otherwise specified in the SPARC (Security, Privacy and Architecture) documentation, Salesforce does not delete customer data, including PII, during a subscription term, unless instructed to do so by the customer. After a customers contract with Salesforce terminates, Salesforce deletes customer data, including PII, in the manner described in the SPARC documentation. Data retention in the logging databases is based on information pertaining to already departed/completed itineraries. ONLY confirmed booking data is stored for more than 30 days and this is removed either when an itinerary is complete or based on instructions from the customer regarding data retention.
Ensuring accountability	The Kaptio GDPR officer is accountable for the Security Information processes within the organisation and working with clients to ensure as a sub-processor all GDPR and PCI requirements have adhered/maintained to the satisfaction of both Parties.
Allowing data portability and ensuring erasure	Kaptio has the ability to port, extract and erase data within 14 days or a request from a Controller

Service Level Agreement Schedule

Kaptio commits to its customers that it will use commercially reasonable efforts to make services available 24 hours a day, 7 days a week, with an availability target of 99.5%, except for circumstances outlined in the Master Service Agreement (MSA).

Every customer gets access to our Support Team with our Standard Service Level Agreement (SLA) plan.

Inclusions and Support channels

Kaptio will provide the Customer with the following support services:

• Addressing technical problems that cause an interruption to service availability or product malfunction (defined as per Product documentation);
• Addressing technical problems that cause Kaptio products to run sub-optimally;
• Technical assistance through the provision of Support documentation; and
• Developer support, but limited to reporting suspected Kaptio bugs on the Kaptio APIs.

Named Contacts nominated by the Customer are allowed to submit online cases via Kaptio’s online support and ticketing system, the Kaptio Support Portal. Unlimited use of self-serve help articles are also available on the Kaptio Community portal.

Kaptio support may utilize supplemental channels as part of the process of diagnosing and resolving any requests opened through the portal, these supplemental channels may be in the form of Virtual Meetings through Google Meet or other alternative platforms.

In addition to requests in the support portal, our systems are monitored and its status can be viewed anytime via https://status.kaptioapis.com/. Our status page provides status updates on Severity-1 and other system-wide issues.

Salesforce org status is available via the Salesforce Trust https://trust.salesforce.com/

In the event of a severity 1 issue, Named Contacts must first submit a ticket through the designated portal, providing all necessary details. Once the ticket is submitted, a message to inform the Kaptio team can be sent to escalate the issue further.

Support Hours

Kaptio shall provide 24x5 support coverage (00:00 - 23:59 AEST, Monday to Friday) upon Go-live, except for public holidays as defined in Annex A - Public Holidays for UK and Canada for all issues in the English language.

24x7 on demand support is available for Severity 1 issues (described in severity level section).

Exclusions

First-level support is excluded from this service agreement as the Customer is deemed responsible for providing first-level (Level 1) technical support for their end users. This is defined as, but is not limited to:

• Password Resets;
• Non-technical inquiries related to the use of the Kaptio Travel Platform related to day-to-day operations;
• Issues related to Computer Networks or Internet Service providers that may prevent business users from using the platform; and
• Salesforce Issues caused by customization performed by a third-party duly authorized by the Customer or an issue on the Salesforce platform itself.

In instances where an issue arises directly from an extension added to the Kaptio Travel Platform or an interoperability conflict between Kaptio’s solutions/Workarounds and Customer’s extensions/configurations, Kaptio commits to providing necessary support. This support is limited to analyzing and addressing issues where Kaptio’s solutions or Workarounds impede the functionality of Customer’s extensions or configuration. However, this does not extend to problems originating solely from third-party customizations not directly interacting with Kaptio’s systems or issues on the Salesforce platform itself.

In addition, any inquiries submitted via non-official support channels are not covered by this agreement until such time that the request is submitted via an official support channel, only at this time shall the objectives outlined in this document shall apply.

Severity levels

Issues will be categorized and handled according to an assigned severity level, as follows:

• Severity 1 – An incident that prevents the use of the Kaptio travel platform that affects a majority of an organization where no Workaround is available. This includes system unavailability and major data integrity issues.
• Severity 2 – Major functionality is impacted or performance degradation is experienced. Issue is persistent and affects several users and/or key functionality. Short term Workarounds might be available, but not scalable.
• Severity 3 – Inquiry regarding a routine technical issue; information requested on application capabilities, navigation, installation or configuration; bug affecting a small number of users. Reasonable Workaround available.
• Severity 4 - Minor enhancements or fixes requested by the Customer where there is no impact to the functionality of the platform. Reasonable Workaround available.

Kaptio reserves the right to adjust the initial severity level assigned to a support ticket following a thorough triage and preliminary diagnosis of the issue, provided that this is done in consultation with the Customer.

Response and Resolution times

The following SLA targets are in effect for Standard SLA plan:

Severity Level	Time to First Response	Update Time	Interim Fix or Workaround	Permanent Fix or Long-term Action Plan Towards Permanent Fix
Severity 1(Sev1)	1 hour*	2 hours	8 hours	10 Days
Severity 2 (Sev2)	4 hours	2 hours	24 hours	15 Days
Severity 3 (Sev3)	8 hours	48 hours	15 days	90 Days
Severity 4 (Sev4)	24 hours	48 hours	N/A	N/A

*For clarity, all hours and days stated on this table refer to business hours and business days (except for Sev-1). For Sev-2 and Sev-3 tickets reported outside business hours, the times set in the table above start from the beginning of the next business day. As an example, if a Sev-3 issue is opened on Friday at 17:30 EST (21:30 GMT), this ticket’s SLA metrics only start at 4:00 EST (9:00 GMT) the following Monday.

Definition of Terms

Named Contacts - Users the customer identifies as primary liaisons between Customer and Kaptio for technical support. The customer shall notify Kaptio whenever Named Support Contact responsibilities are transferred to another individual.

Time to first response - The initial period wherein a support ticket is assigned to a member of the support team and the team member provides the initial acknowledgment on the ticket

Update Time - The period by which Kaptio will provide updates to the Customer via the Ticket. The period specified defines the frequency of updates during business hours

Workaround - A temporary fix implemented by Kaptio aimed to reduce or eliminate any faults in order to restore the functionality of the platform. A Workaround does not constitute a permanent fix unless it is deemed otherwise by both parties. The term “Workaround” means a temporary bypass, procedure, or routine meeting the following three criteria: the temporary bypass, procedure, or routine: (i) when implemented, eliminates the adverse effect of the Error without material loss of performance, function, or feature; (ii) its implementation and utilization does not require unreasonable effort by users; and (iii) is a temporary solution.

Interim Fix or Workaround - The period by which a Workaround is provided to the Customer provided that one is available. Otherwise, a written notice that a Workaround is unavailable must be provided by Kaptio.

Permanent Fix or Long-term Action Plan Towards Permanent Fix - If a permanent fix is available for the issue, it must be deployed within this period of time. If it is not available, a plan of how the issue will be addressed permanently shall be provided in writing to the Customer.

Support Model and Workflow

Kaptio Support shall be responsible for providing level 2 and 3 support for Customer’s Named Contacts for any issues identified within the Kaptio Travel platform. The Customer’s Named Contacts are responsible for providing level 1 or end-user support to the Customer’s business users, in addition to performing initial triage before engaging Kaptio Support.

When a ticket is opened by a Named Contact in the Kaptio Support Portal, all pertinent details must be provided in the ticket including its severity before being submitted. Once a ticket is submitted, Kaptio Support shall acknowledge all incoming tickets based on the severity defined in accordance with the timelines stipulated in the Response and Resolution Times section of this agreement. Should multiple tickets be submitted wherein the severities are equal, Kaptio Support shall acknowledge and action these tickets on a first-come-first-serve basis.

During the lifecycle of a Support Ticket, Kaptio Support may request additional information from the Customer to facilitate troubleshooting, and if required, access to the Customer’s production org may be requested by our Support Team and the Customer shall delegate temporary, time-limited access to Kaptio Support. Updates shall be provided as they become available.

Should a solution require a change to a Customer’s org, it is the Customers responsibility to enact the required changes as recommended by Kaptio Support. Should the Customer wish to have Support perform the required changes, written approval must be provided to Support before changes can be made. This approval shall be obtained on a case-by case basis notwithstanding any prior approval that may have been provided on any previous cases.

A support ticket is considered closed if a satisfactory resolution is provided that fulfills all of the following criteria (i) a response that addressed the nature of the inquiry made by the customer (ii) a reasonable Workaround is provided to the Customer in writing (iii) a permanent fix is made available on a patch or an upgrade that the Customer installs and tests in their pre-production environment prior to deployment.

If a fix or Workaround is unavailable, Kaptio must provide a go-forward plan on how the issue is planned to be resolved. This plan must be provided in-writing and upon the communication of the plan, the SLA response time defined in the Section Response and Resolution times is no longer applicable to the issue report.

Should there be a lack of response from the Customer, Kaptio will send out 2 follow-up messages on the ticket at 48 hour intervals. If there is no response, the ticket will be closed 5 business days after the second follow-up.

Should a similar issue reoccur on a closed ticket, a new one must be submitted and the previous issue be referenced in the new ticket.

Severity-1 issues that are closed will trigger the creation of an incident report document to be sent to the Customer no more than 7 days after incident close.

Reporting on Support Tickets

Named Contacts shall be given access to the Advanced Portal Report, a self-serve reporting app integrated with the Kaptio Support Portal that allows customers to track outstanding and completed support tickets. Within the app, ticket age and proposed next steps as well as any fix versions (where applicable) can be viewed. A user guide shall be provided as part of the onboarding process of the Customer into Kaptio Support.

Any reasonable additional reporting ticket requirements can be requested by the Customer to Kaptio who can then assess the feasibility of the request.

SLA reports are provided to the Customer on a frequency and medium agreed upon by both parties. A sample report is provided in Appendix B - SLA report template for reference.

Minimum Supported Versions and Bug Fixes

The Kaptio package version that is deployed to a Customer’s production environment must be the latest major version generally available (GA) for the Kaptio Travel Platform or the version prior to the latest release (“Minimum Supported Version”). By way of example, if the latest GA release is version 18, the Customer’s org must have at least version 17 installed.

The release of bug fixes is determined by the issue’s severity. Sev-1 and Sev-2 bug fixes are issued in the form of patches for the current version in the customer’s organization where possible in accordance with the supported version clause of this SLA. Sev-3 and Sev-4 bug fixes are only released as part of a Major or Minor release per Kaptio’s release schedule.

Any issue that requires a patch or other release that is older than the minimum supported version is exempt from the SLA targets provided above as patching older versions of the Kaptio Travel Platform is more complex.

Waiver

This SLA plan and its provisions are waived in the event that any of the conditions stipulated on the Master Service Agreement under Force Majeure is triggered. Kaptio shall inform the Customer in writing should the SLA plan be waived and follow-up communication in writing shall be sent when the SLA plan and its provisions are reinstated.

In addition, any tickets that are part of the Exclusions section of this SLA are not covered by the response times defined in the Response and Resolution times in this document.

Appendix A - Canada and UK Common Public Holiday list

Date	Holiday	Country
December 25	Christmas Day	Canada, United Kingdom
December 26	Boxing Day	Canada, United Kingdom
January 1	New Year’s Day	Canada, United Kingdom
	Good Friday	Canada, United Kingdom
	Easter Monday	Canada, United Kingdom