NEWS Awesome Raised 1.2M

Learn more

NEWS Awesome Raised 1.2M

Learn more

General Terms & Conditions

Legal and Compliance.

Done.

1. Parties, Scope and Structure

1.1 These general terms and conditions (the Terms) govern each order form, statement of work, or similar document executed between Awesome Compliance Technology B.V., Lente 4, 8251 NT, Dronten, the Netherlands (Provider) registered with the Dutch Chamber of Commerce (KvK) under number 94986231, and with VAT identification number NL866960764B01 (the “Provider”), and the customer identified in the relevant Order Form (the “Customer”) (each a “Party”, together the “Parties”).



1.2 The Parties agree that the following documents form the Agreement, in the order of precedence listed below (highest first):

 (a) the Order Form (including any Statement of Work, if applicable);

 (b) the Data Processing Agreement (Addendum 1), if applicable;

 (c) the AI Terms (Addendum 2), if applicable;

 (d) the Beta Testing Terms (Addendum 3), if applicable; and

 (e) these General Terms and Conditions.
Customer’s general purchasing terms or conditions are expressly excluded.

2. Definitions

2.1 Capitalised terms have the meanings set out here or elsewhere in the Agreement.
Affiliate: any entity directly or indirectly controlling, controlled by, or under common control with a Party.
Authorised User: an individual authorised by Customer to access the SaaS.
Customer Data: data, documents, and materials uploaded to or generated in the SaaS by or for Customer.
Documentation: Provider’s user and admin documentation for the SaaS.
Order Form: a document executed by both Parties describing scope, term and fees.
SaaS: Provider’s hosted software services identified in the Order Form.
Services: implementation, configuration, training or support described in an Order Form/SOW.
Subscription Term: the initial term plus any renewal term for the SaaS.
Updates: error fixes, improvements and modifications to the SaaS.

3. Access, Use and Restrictions

3.1 Grant. During the Subscription Term, Provider grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right for its Authorised Users to access and use the SaaS for Customer’s internal business purposes, in accordance with the Agreement and Documentation.
3.2 Accounts. Customer shall maintain an admin account, keep registration data accurate, and ensure each login is used by a single natural person. Shared credentials are prohibited.
3.3 Security. Customer is responsible for (i) safeguarding credentials, (ii) configuring role-based access, and (iii) promptly notifying Provider of suspected unauthorised access. Provider may rely on actions taken via valid credentials.
3.4 Fair use & technical limits. Customer shall not circumvent technical controls, exceed agreed usage parameters or rate limits, perform penetration testing without prior written consent, or introduce malicious code.
3.5 Prohibited conduct. Customer shall not (i) copy, modify, or create derivative works of the SaaS; (ii) reverse engineer except to the extent permitted by applicable law; (iii) rent, lease, resell, or provide the SaaS to third parties; (iv) use the SaaS in violation of law, third-party IP or privacy rights, or to transmit spam or illicit content.
3.6 User quantity changes. Increases take effect when accepted by Provider (pro-rated fees may apply). Decreases take effect at the next renewal, unless agreed otherwise in the Order Form.

4. Provider Responsibilities; Availability & Support (non-SLA)

4.1 Provider will provide the SaaS and perform Services with reasonable skill and care by appropriately qualified personnel.
4.2 Provider targets commercially reasonable availability and will apply Updates at its discretion. If maintenance materially affects availability, Provider will use reasonable efforts to give prior notice.
4.3 Support is provided during business hours (CET/CEST) via the channels stated in the Order Form or Documentation.

5. Customer Responsibilities

5.1 Customer shall: (a) provide timely cooperation and accurate information; (b) maintain network connections to the SaaS; (c) implement reasonable anti-malware safeguards; and (d) maintain appropriate backup copies of Customer Data (unless otherwise agreed in writing).
5.2 Customer is liable for Authorised Users’ compliance and will indemnify and hold harmless Provider against third-party claims arising from Customer Data, unlawful use, or breach of this Agreement by Customer or its users.

6. Customer Data; Analytics Data

6.1 Ownership. As between the Parties, Customer owns Customer Data.
6.2 Licence. Customer grants Provider and its subprocessors a non-exclusive, worldwide, royalty-free licence to host, process, transmit, and display Customer Data solely to provide and improve the SaaS/Services and to ensure security, support and compliance.
6.3 Aggregated/De-identified Data. Provider may generate and use aggregated and de-identified data for analytics, benchmarking and product improvement, provided such data does not identify Customer or any data subject or Confidential Information.

7. Intellectual Property

7.1 Provider (and its licensors) retain all rights, title and interest in the SaaS, Documentation and related IP, including Updates and improvements. No rights are granted except as expressly stated.
7.2 Feedback. Customer grants Provider a perpetual, irrevocable, royalty-free licence to use suggestions or feedback, excluding Customer Data, for any lawful purpose.

8. Third-Party Services; Sub-processors

8.1 The SaaS may interoperate with third-party services. Provider is not responsible for third-party terms or performance unless expressly stated in the Order Form.
8.2 Provider may engage sub-processors to deliver the SaaS. The current list and locations are set out in Annex A (Sub-processors). Provider will give at least 15 days’ prior notice of changes; Customer may reasonably object on data protection grounds. If unresolved, Customer may terminate the affected services (pro-rated refund).

9. Indemnities

9.1 IP Indemnity by Provider. Provider will defend and indemnify Customer against third-party claims that Customer’s authorised use of the unmodified SaaS infringes EU or Dutch IP rights, subject to Customer: (a) promptly notifying Provider; (b) giving exclusive control of defence/settlement; and (c) providing reasonable cooperation. Provider may (at its option): (i) procure the right to continue use; (ii) replace or modify the SaaS to be non-infringing with substantially equivalent functionality; or (iii) terminate the affected services and refund prepaid fees for the remaining term. Provider has no liability for claims arising from Customer’s misuse, modifications not made by Provider, or combinations with non-Provider items.
9.2 Indemnity by Customer. Customer will defend and indemnify Provider against claims arising from Customer Data, unlawful content, or use of the SaaS in breach of the Agreement or law.

10. Warranties and Disclaimers

10.1 Provider warrants it will perform the Services professionally with reasonable skill and care.
10.2 No legal advice. Customer acknowledges the SaaS may include AI-assisted functionality and is not legal advice. Customer remains responsible for review and decision-making.
10.3 As-is elements. Except as expressly stated, the SaaS is provided “as is” and Provider disclaims implied warranties to the extent permitted by law.

11. Liability

11.1 Cap. Provider’s aggregate liability arising out of or related to the Agreement shall not exceed the fees paid (or payable) by Customer for the SaaS giving rise to the claim in the 12 months preceding the first incident.
11.2 Exclusions. Provider is not liable for indirect or consequential loss (including loss of profits, revenue, data, or business interruption).
11.3 Mandatory carve-outs. Nothing limits liability for death or personal injury, wilful misconduct or gross negligence (opzet of grove schuld) of a Party or its management, or for any liability which may not be excluded or limited under mandatory law.
11.4 The foregoing applies to all indemnities and remedies under the Agreement.

12. Fees, Invoicing and Payment

12.1 Fees are set out in the Order Form, exclusive of VAT and applicable taxes, payable in EUR.
12.2 Invoices are due 30 days net. Late amounts accrue statutory commercial interest (wettelijke handelsrente) and reasonable collection costs.
12.3 Provider may suspend the SaaS for undisputed overdue amounts after prior notice.
12.4 Indexation & increases. Provider may apply an annual CPI-style indexation at renewal and may adjust fees at renewal by written notice 30 days in advance. Customer may terminate the renewal if it objects to an increase before it takes effect.

13. Confidentiality

13.1 Each Party shall protect the other’s Confidential Information with at least reasonable care, use it solely for the Agreement, and disclose it only to personnel/contractors under confidentiality obligations.
13.2 Disclosures compelled by law are permitted with prior notice where lawful.
13.3 This clause survives 5 years after termination (trade secrets survive as long as protected by law).

14. Data Protection and Data Act Compliance

14.1 Personal Data (GDPR).
Where Provider processes Personal Data on behalf of Customer, the Parties shall comply with the Data Processing Agreement (Addendum 1) as required by Article 28 GDPR.
14.2 Non-Personal Data and the EU Data Act.
The Parties acknowledge that certain data processed in the SaaS may qualify as non-personal data under Regulation (EU) 2023/2854 (the Data Act). Each Party shall comply with the Data Act as applicable to its role (Data Holder, Data Recipient, or User).
14.3 Fair B2B Contract Terms.
If Customer qualifies as a small or medium-sized enterprise (SME) under the Data Act, Provider will not impose or rely on unfair terms within the meaning of Articles 13–19 Data Act. Any unfair term is void; the remainder of the Agreement stays effective and the Parties will replace the term with a fair equivalent.
14.4 Data Access and Use.
Provider remains Data Holder of data generated by the SaaS that is necessary for operation, security, or improvement, or cannot be disaggregated without revealing trade secrets. Where Customer is entitled to access data generated through the SaaS, Provider shall grant access on fair, reasonable and non-discriminatory (FRAND) terms, subject to confidentiality and security safeguards.

14.5 Trade Secrets and Security.
Nothing in this Agreement requires disclosure of trade secrets or confidential know-how without adequate protection. Provider may apply proportionate measures (e.g. redaction, secure viewers, NDAs) where data access could endanger security or reveal proprietary information.
14.6 Data Portability and Cloud Switching.
(a) Customer may request export of all exportable Customer Data and configuration data in a commonly used, machine-readable format (e.g. JSON/CSV).
(b) Provider will complete the export within 30 days of request (extendable if technically necessary).
(c) Until 12 January 2027, Provider may charge cost-based export fees; from that date onward, exports are free except for optional premium migration services.
(d) Provider shall not create obstacles that unreasonably hinder switching to another data-processing service.
(e) After export or 30 days post-termination (whichever first), Provider may delete remaining Customer Data, subject to statutory retention duties.
14.7 Interoperability.
Provider will progressively align its interfaces and export formats with applicable EU interoperability specifications adopted under the Data Act.
14.8 Public-Sector Requests.
If Provider receives a lawful request from a public-sector body or EU institution under the Data Act (exceptional-need basis), Provider shall (i) notify Customer unless prohibited, (ii) disclose only what is strictly required, and (iii) record the legal basis. Reasonable costs may be recovered if permitted.
14.9 Relationship with GDPR.
For mixed datasets, GDPR rules prevail for Personal Data; the Data Act applies to non-personal portions after anonymisation or separation.

15. Term, Renewal and Termination

15.1 The Agreement starts on the Effective Date in the Order Form and runs for the Subscription Term, renewing for successive 1-year terms unless either Party gives 60 days’ notice before the end of the then-current term.
15.2 Either Party may terminate for material breach not cured within 30 days of notice, or upon bankruptcy/insolvency events as permitted by law.
15.3 On termination: (a) access ceases; (b) Customer pays due fees; and (c) upon request within 30 days, Provider will make available a standard export of Customer Data, after which it may delete remaining Customer Data from active systems, subject to legal retention.

16. Changes to Terms

16.1 Provider may revise non-material Terms to reflect product, legal or operational updates with prior email or in-product notice. For material adverse changes, Provider will notify at least 15 days in advance; Customer may terminate the affected services before the effective date (pro-rated refund of prepaid fees).

17. Publicity

17.1 Provider may use Customer’s name and logo in client lists and case references. Customer may opt out by notice.

18. Assignment

18.1 Neither Party may assign the Agreement without the other’s consent, except that either Party may assign to an Affiliate or in connection with a merger, sale of all or substantially all assets or share sale, with notice.

19. Miscellaneous

19.1 Force majeure. Neither Party is liable for delays caused by events beyond reasonable control.
19.2 Severability; no waiver. If a provision is invalid, the remainder survives. Failure to enforce is not a waiver.

19.3 Notices. Legal notices must be in writing to the addresses in the Order Form; email is sufficient if receipt is verifiable.
19.4 Governing law and venue. Dutch law governs; the courts of Amsterdam, the Netherlands have exclusive jurisdiction.

Addendum 1
Data Processing Agreement

Section I
Clause 1
Purpose and scope

(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
(b) Awesome Compliance Technology BV (Lente 4, 8251 NT, Dronten) and the Customer as named in the Order Form have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
(c) These Clauses apply to the processing of personal data as specified in Annex I.
(d) Annexes I is an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.

Addendum 1
Data Processing Agreement

Section I
Clause 1
Purpose and scope

(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
(b) Awesome Compliance Technology BV (Lente 4, 8251 NT, Dronten) and the Customer as named in the Order Form have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
(c) These Clauses apply to the processing of personal data as specified in Annex I.
(d) Annexes I is an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.

Clause 2
Invariability of the Clauses

(a) The Parties undertake not to modify the Clauses, except for adding information to the Annex or updating information in them.
(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 2
Invariability of the Clauses

(a) The Parties undertake not to modify the Clauses, except for adding information to the Annex or updating information in them.
(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3
Interpretation

(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 3
Interpretation

(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4
Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 4
Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5
Docking clause

(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing an Order Form.
(b) Once the Order Form (as mentioned in a) is completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in the Order Form.
(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

Clause 5
Docking clause

(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing an Order Form.
(b) Once the Order Form (as mentioned in a) is completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in the Order Form.
(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

Section II - OBLIGATIONS OF THE PARTIES

Section II - OBLIGATIONS OF THE PARTIES

Clause 6
Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.

Clause 6
Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.

Clause 7
Obligations of the Parties

7.1. Instructions
(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.

7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex I.

7.4. Security of processing
(a) The processor shall at least implement the technical and organisational measures specified in Annex I to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.

(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors
(a) GENERAL WRITTEN AUTHORISATION: The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers
(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 7
Obligations of the Parties

7.1. Instructions
(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.

7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex I.

7.4. Security of processing
(a) The processor shall at least implement the technical and organisational measures specified in Annex I to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.

(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors
(a) GENERAL WRITTEN AUTHORISATION: The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers
(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8
Assistance to the controller

(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions
(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
(3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
(4) the obligations in Article 32 Regulation (EU) 2016/679/.
(d) The Parties shall set out in Annex I the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 8
Assistance to the controller

(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions
(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
(3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
(4) the obligations in Article 32 Regulation (EU) 2016/679/.
(d) The Parties shall set out in Annex I the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9
Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.

9.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(2) the likely consequences of the personal data breach;
(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to Article 34 Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex I all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

Clause 9
Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.

9.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(2) the likely consequences of the personal data breach;
(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to Article 34 Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex I all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

Section III - FINAL PROVISIONS

Section III - FINAL PROVISIONS

Clause 10
Non-compliance with the Clauses and termination

(a) Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
(2) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679;
(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679.
(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

Clause 10
Non-compliance with the Clauses and termination

(a) Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
(2) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679;
(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679.
(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I
Details of processing of personal data

ANNEX I
Details of processing of personal data

3. Sub-Processors

3. Sub-Processors

Sub-processor

Purpose

Location (primary processing)

  1. Scaleway

Cloud hosting, storage, compute

Netherlands

  1. Pinecone

Vector database

Belgium

  1. Postmark (ActiveCampaign, LLC)

Transactional email

United States

  1. Auth0 (Okta)

Identity & access management

Germany

  1. AWS

Cloud services (hosting/storage/compute)

Netherlands

6 Calendly

Scheduling (legal counsel bookings)

United States

7 OpenAI

Embeddings/inference for agentic layer

United States

8 Anthropic

Inference for agentic layer

United States

9 Google (Cloud/Gemini)

Cloud infra, auth, inference

United States

10 Mistral

Embeddings/inference

France

11 Cohere

Embeddings/inference

United States

12 Hugging Face

Model hosting/inference

United States

13 Langfuse

Configuration & observability (LLM ops)

United States

14 Logfire

Observability

United States

15 Sentry

Application monitoring

United States

4. Technical and Organizational Measures

The Processor shall implement and maintain the technical and organizational measures to protect
Personal Data as outlined in the Technical and Organisational Security measures-document. This
document details the Processor’s systematic approach to managing sensitive information, with the aim to secure the data against unauthorized access, alteration, disclosure and destruction.

4. Technical and Organizational Measures

The Processor shall implement and maintain the technical and organizational measures to protect
Personal Data as outlined in the Technical and Organisational Security measures-document. This
document details the Processor’s systematic approach to managing sensitive information, with the aim to secure the data against unauthorized access, alteration, disclosure and destruction.

Addendum 2
AI Terms

The following terms (“AI Terms”) are hereby added to, and become an integral part of, the Agreement. Capitalised terms not defined in these AI Terms have the meanings given in the Agreement. The Agreement applies to the AI Features with the following modifications.

(1) Use of AI Features.
Customer may submit Customer Data (including in the form of prompts or queries) to the AI Features (“Inputs”) and receive outputs from the AI Features (“Outputs”).
“AI Features” means large language models (LLMs) or other machine learning or artificial intelligence features of the Software.

(2) Training:
Awesome Compliance Technology may NOT use Inputs and Outputs to train the AI Features.


(3) Intellectual Property:
A. Inputs
Except for our express rights in the Agreement, as between Parties, Customer retains all intellectual property and other rights in Customer’s Inputs.
B. Outputs
Subject to the Agreement (including the restrictions it contains), Awesome Compliance Technology hereby grants to Customer a non-exclusive, worldwide, perpetual right and licence to reproduce, distribute, publicly display, publicly perform, and prepare derivative works of Output.

(4) Similar Output.
Customer acknowledges that Outputs provided to Customer may be similar or identical to Outputs independently provided by Awesome Compliance Technology to others.

(5) Infringement by Output.
Due to the nature of the AI Features, Awesome Compliance Technology does not represent or warrant that (a) Output does not incorporate or reflect third-party content or materials or (b) Output will not infringe third-party intellectual property rights. Awesome Compliance Technology is not liable for claims of intellectual property infringement or misappropriation by Output.

(6) DISCLAIMER.
OUTPUTS ARE GENERATED THROUGH MACHINE LEARNING PROCESSES AND ARE NOT TESTED, VERIFIED, ENDORSED OR GUARANTEED TO BE ACCURATE, COMPLETE OR CURRENT. CUSTOMER SHOULD INDEPENDENTLY REVIEW AND VERIFY ALL OUTPUTS AS TO APPROPRIATENESS FOR ANY OR ALL OF YOUR USE CASES OR APPLICATIONS. THE WARRANTY DISCLAIMERS AND LIMITATIONS OF LIABILITY IN THE AGREEMENT APPLY TO THE AI FEATURES.

(7) Third-Party Providers.
7.1 Awesome Compliance Technology has specified in Exhibit A any third parties that provide the AI Features.
7.2. Customer agrees to abide by any third-party terms and conditions relating to the AI Features specified in Exhibit A (“Third-Party Terms”).

(8) Special Restrictions on Use of AI Features.
8.1. Customer will comply with the special restrictions on use of the AI Features specified in Exhibit A.
8.2. Without limiting any restrictions on use of the Software in the Agreement, Customer will not and will not permit anyone else to:
a) use the AI Features or any Output to infringe any third-party rights,
b) use the AI Features or any Output to develop, train or improve any AI or ML models (separate from authorised use of the Cloud Service under this Agreement),
c) represent any Output as being approved or vetted by us unless we have reviewed and confirmed the Output in writing,
d) represent any Output as being an original work or a wholly human-generated work,
e) use the AI Features for automated decision-making that has legal or similarly significant effects on individuals, unless it does so with adequate human review and in compliance with laws, or
f) use the AI Features for purposes or with effects that are discriminatory, harassing, harmful or unethical.

Exhibit A
Third-Party Providers:
Open AI, Anthropic (Claude), Gemini (Google)

Third-Party Terms:
Open AI Terms: https://openai.com/policies
Anthropic (Claude): https://console.anthropic.com/legal/terms
Gemini: https://ai.google.dev/terms

Addendum 2
AI Terms

The following terms (“AI Terms”) are hereby added to, and become an integral part of, the Agreement. Capitalised terms not defined in these AI Terms have the meanings given in the Agreement. The Agreement applies to the AI Features with the following modifications.

(1) Use of AI Features.
Customer may submit Customer Data (including in the form of prompts or queries) to the AI Features (“Inputs”) and receive outputs from the AI Features (“Outputs”).
“AI Features” means large language models (LLMs) or other machine learning or artificial intelligence features of the Software.

(2) Training:
Awesome Compliance Technology may NOT use Inputs and Outputs to train the AI Features.


(3) Intellectual Property:
A. Inputs
Except for our express rights in the Agreement, as between Parties, Customer retains all intellectual property and other rights in Customer’s Inputs.
B. Outputs
Subject to the Agreement (including the restrictions it contains), Awesome Compliance Technology hereby grants to Customer a non-exclusive, worldwide, perpetual right and licence to reproduce, distribute, publicly display, publicly perform, and prepare derivative works of Output.

(4) Similar Output.
Customer acknowledges that Outputs provided to Customer may be similar or identical to Outputs independently provided by Awesome Compliance Technology to others.

(5) Infringement by Output.
Due to the nature of the AI Features, Awesome Compliance Technology does not represent or warrant that (a) Output does not incorporate or reflect third-party content or materials or (b) Output will not infringe third-party intellectual property rights. Awesome Compliance Technology is not liable for claims of intellectual property infringement or misappropriation by Output.

(6) DISCLAIMER.
OUTPUTS ARE GENERATED THROUGH MACHINE LEARNING PROCESSES AND ARE NOT TESTED, VERIFIED, ENDORSED OR GUARANTEED TO BE ACCURATE, COMPLETE OR CURRENT. CUSTOMER SHOULD INDEPENDENTLY REVIEW AND VERIFY ALL OUTPUTS AS TO APPROPRIATENESS FOR ANY OR ALL OF YOUR USE CASES OR APPLICATIONS. THE WARRANTY DISCLAIMERS AND LIMITATIONS OF LIABILITY IN THE AGREEMENT APPLY TO THE AI FEATURES.

(7) Third-Party Providers.
7.1 Awesome Compliance Technology has specified in Exhibit A any third parties that provide the AI Features.
7.2. Customer agrees to abide by any third-party terms and conditions relating to the AI Features specified in Exhibit A (“Third-Party Terms”).

(8) Special Restrictions on Use of AI Features.
8.1. Customer will comply with the special restrictions on use of the AI Features specified in Exhibit A.
8.2. Without limiting any restrictions on use of the Software in the Agreement, Customer will not and will not permit anyone else to:
a) use the AI Features or any Output to infringe any third-party rights,
b) use the AI Features or any Output to develop, train or improve any AI or ML models (separate from authorised use of the Cloud Service under this Agreement),
c) represent any Output as being approved or vetted by us unless we have reviewed and confirmed the Output in writing,
d) represent any Output as being an original work or a wholly human-generated work,
e) use the AI Features for automated decision-making that has legal or similarly significant effects on individuals, unless it does so with adequate human review and in compliance with laws, or
f) use the AI Features for purposes or with effects that are discriminatory, harassing, harmful or unethical.

Exhibit A
Third-Party Providers:
Open AI, Anthropic (Claude), Gemini (Google)

Third-Party Terms:
Open AI Terms: https://openai.com/policies
Anthropic (Claude): https://console.anthropic.com/legal/terms
Gemini: https://ai.google.dev/terms

Addendum 3
Legal Services

1. Parties and Scope
1.1 These General Terms and Conditions for Legal Services (the “Terms”) govern all offers, proposals, engagements, and agreements (collectively, the “Agreement”) under which Awesome Compliance Technology B.V., registered at  Lente 4, 8251 NT, Dronten, the Netherlands (“ACT”) registered with the Dutch Chamber of Commerce (KvK) under number 94986231, and with VAT identification number NL866960764B01 (“ACT”)  provides legal, compliance, and privacy-related advisory services (“Services”) to a business customer (“Client”).
1.2 These Terms apply to all relationships between ACT and Client, unless otherwise agreed in writing. Any general terms and conditions of the Client are expressly excluded.
1.3 The Services may include, among others, GDPR and privacy compliance support, AI Act readiness assessments, policy and governance documentation, data protection impact assessments, contract reviews, risk assessments, compliance training, outsourced DPO or AI Officer support, implementation work and advice and related consultancy.
1.4 These Terms do not govern the use of ACT’s software platform, digital tools, or AI modules, which are subject to the above-mentioned SaaS terms and conditions.

2. Formation of Agreement
2.1 An Agreement is formed once the Client accepts an offer or proposal from ACT, or when ACT confirms an assignment in writing (including by email).
2.2 Oral commitments and arrangements are binding only after written confirmation by ACT.
2.3 Each engagement is a separate Agreement, even if it follows previous or future assignments.

3. Nature and Scope of Services
3.1 ACT performs the Services with due professional care, diligence, and in accordance with applicable laws and generally accepted professional standards.
3.2 Unless explicitly stated otherwise in writing, ACT does not act as a law firm, attorney-at-law, or regulated legal practice, and does not provide legal representation in court, regulatory, or enforcement proceedings.
3.3 Any deadlines for deliverables are indicative unless expressly agreed in writing as binding.

4. Client Obligations
4.1 The Client shall provide ACT with all necessary information, documents, and access to personnel or systems reasonably required to perform the Services.
4.2 The Client warrants that all information provided is accurate, complete, and lawful.
4.3 If the Client fails to provide timely cooperation, ACT may suspend performance and charge additional fees or extend agreed timelines accordingly.

5. Fees and Payment
5.1 Fees are as stated in the applicable proposal, offer, or Statement of Work (“SOW”). Unless otherwise agreed, Services are billed on a time-spent basis at ACT’s prevailing hourly or daily rates or flat fees per document/advice.
5.2 All fees are exclusive of VAT and other applicable taxes or levies.
5.3 Invoices are payable within 14 days of the invoice date, without deduction or set-off.
5.4 If the Client fails to pay on time, ACT may suspend work, charge statutory commercial interest (Art. 6:119a BW), and recover collection costs.
5.5 If an estimate or budget is provided, it is indicative only and not a fixed or capped fee unless expressly agreed in writing or when flat fees have been offered by ACT and agreed upon between Parties.

5.6 ACT may adjust its rates or tariffs annually, or at any time in case of inflation, cost increases, or changes in the scope or nature of the Services. Adjusted rates will apply thirty (30) days after written notice to the Client. For ongoing engagements, the Client may terminate the Agreement within this notice period if it does not agree to the revised rates.

6. Confidentiality
6.1 Both Parties shall keep all confidential information obtained in the context of the Agreement strictly confidential and shall not disclose it to third parties without prior written consent, except as required by law.
6.2 This obligation continues after termination of the Agreement.
6.3 ACT may share confidential Client information with its employees, contractors, and advisors involved in the assignment on a need-to-know basis, provided they are bound by confidentiality obligations.

7. Data Protection
7.1 The Data processor agreement Addendum 1 applies to the provision of services when Personal Data is processed.

8. Intellectual Property
8.1 All intellectual property rights in documents, methods, tools, templates, reports, analyses, or deliverables developed or provided by ACT remain the exclusive property of ACT or its licensors.
8.2 The Client obtains a non-exclusive, non-transferable license to use deliverables solely for its internal business purposes.
8.3 The Client shall not reproduce, disclose, or commercially exploit any ACT materials without prior written consent.
8.4 Any pre-existing intellectual property or materials provided by the Client remain the Client’s property.

9. Use of Third Parties
9.1 ACT may engage subcontractors or independent professionals to assist in providing the Services.
9.2 ACT remains responsible for the performance of its obligations under the Agreement.

10. Liability and Indemnification
10.1 ACT performs the Services with due skill, care, and diligence expected from a competent and experienced provider of legal, privacy, and compliance advisory services. ACT is not a law firm and does not provide regulated legal representation, but the Client may expect ACT to apply a high professional standard consistent with senior legal and compliance practitioners.
10.2 ACT is liable only for damages that are the direct result of a proven professional error by ACT in the performance of the Services. A professional error means a materially negligent act or omission that a reasonably competent advisory professional would not have made under similar circumstances.
10.3 ACT maintains appropriate professional liability insurance for advisory services. ACT’s liability is limited to the amount paid out under its professional liability insurance policy for the relevant event.
10.4 If, for any reason, the insurer does not pay out, ACT’s total liability, whether contractual or otherwise, is limited to the amount of fees paid by the Client for the Services in the twelve (12) months preceding the event giving rise to the claim.
10.5 ACT is not liable for indirect or consequential damages, including lost profits, loss of goodwill, reputational harm, loss of data, or business interruption.
10.6 ACT is not liable for damages resulting from incomplete, inaccurate, or late information provided by the Client, nor for decisions or actions taken by the Client based on ACT’s deliverables without appropriate internal review.
10.7 Claims must be reported to ACT in writing as soon as reasonably possible, and in any case within sixty (60) days after the Client discovers or should reasonably have discovered a potential error. Claims expire twelve (12) months after the act or omission giving rise to the claim.
10.8 These limitations do not apply in cases of intent or deliberate recklessness by ACT’s management.

11. Force Majeure
11.1 ACT shall not be liable for any failure or delay in performing its obligations due to circumstances beyond its reasonable control, including but not limited to power failures, internet disruptions, strikes, illness, or government measures.
11.2 If the force majeure situation continues for more than sixty (60) days, either Party may terminate the Agreement in writing without liability for compensation.

12. Term and Termination
12.1 The Agreement remains in effect for the duration specified in the proposal or until completion of the Services.
12.2 Either Party may terminate the Agreement by written notice with a 30-day notice period, unless otherwise agreed.
12.3 Either Party may terminate immediately in case of a material breach that remains uncured after written notice, or if the other Party becomes insolvent or enters bankruptcy.
12.4 Upon termination, the Client shall pay for all Services performed up to the termination date.
12.5 Provisions that by their nature are intended to survive termination (e.g., confidentiality, IP, liability) shall remain in force.

13. Applicable Law and Jurisdiction
13.1 The Agreement and these Terms are governed by Dutch law.
13.2 Any dispute arising out of or relating to the Agreement shall be submitted exclusively to the competent court in Amsterdam, the Netherlands.
13.3 The applicability of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is excluded.

14. Miscellaneous
14.1 If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be replaced by a valid one reflecting the original intent as closely as possible.
14.2 ACT may amend these Terms from time to time. The amended Terms shall apply to new or ongoing engagements upon notice to the Client.
14.3 Communications may be made by email unless otherwise required by law or contract.
14.4 These Terms, together with any proposal or SOW, constitute the entire agreement between the Parties and supersede all prior understandings.

Addendum 3
Legal Services

1. Parties and Scope
1.1 These General Terms and Conditions for Legal Services (the “Terms”) govern all offers, proposals, engagements, and agreements (collectively, the “Agreement”) under which Awesome Compliance Technology B.V., registered at  Lente 4, 8251 NT, Dronten, the Netherlands (“ACT”) registered with the Dutch Chamber of Commerce (KvK) under number 94986231, and with VAT identification number NL866960764B01 (“ACT”)  provides legal, compliance, and privacy-related advisory services (“Services”) to a business customer (“Client”).
1.2 These Terms apply to all relationships between ACT and Client, unless otherwise agreed in writing. Any general terms and conditions of the Client are expressly excluded.
1.3 The Services may include, among others, GDPR and privacy compliance support, AI Act readiness assessments, policy and governance documentation, data protection impact assessments, contract reviews, risk assessments, compliance training, outsourced DPO or AI Officer support, implementation work and advice and related consultancy.
1.4 These Terms do not govern the use of ACT’s software platform, digital tools, or AI modules, which are subject to the above-mentioned SaaS terms and conditions.

2. Formation of Agreement
2.1 An Agreement is formed once the Client accepts an offer or proposal from ACT, or when ACT confirms an assignment in writing (including by email).
2.2 Oral commitments and arrangements are binding only after written confirmation by ACT.
2.3 Each engagement is a separate Agreement, even if it follows previous or future assignments.

3. Nature and Scope of Services
3.1 ACT performs the Services with due professional care, diligence, and in accordance with applicable laws and generally accepted professional standards.
3.2 Unless explicitly stated otherwise in writing, ACT does not act as a law firm, attorney-at-law, or regulated legal practice, and does not provide legal representation in court, regulatory, or enforcement proceedings.
3.3 Any deadlines for deliverables are indicative unless expressly agreed in writing as binding.

4. Client Obligations
4.1 The Client shall provide ACT with all necessary information, documents, and access to personnel or systems reasonably required to perform the Services.
4.2 The Client warrants that all information provided is accurate, complete, and lawful.
4.3 If the Client fails to provide timely cooperation, ACT may suspend performance and charge additional fees or extend agreed timelines accordingly.

5. Fees and Payment
5.1 Fees are as stated in the applicable proposal, offer, or Statement of Work (“SOW”). Unless otherwise agreed, Services are billed on a time-spent basis at ACT’s prevailing hourly or daily rates or flat fees per document/advice.
5.2 All fees are exclusive of VAT and other applicable taxes or levies.
5.3 Invoices are payable within 14 days of the invoice date, without deduction or set-off.
5.4 If the Client fails to pay on time, ACT may suspend work, charge statutory commercial interest (Art. 6:119a BW), and recover collection costs.
5.5 If an estimate or budget is provided, it is indicative only and not a fixed or capped fee unless expressly agreed in writing or when flat fees have been offered by ACT and agreed upon between Parties.

5.6 ACT may adjust its rates or tariffs annually, or at any time in case of inflation, cost increases, or changes in the scope or nature of the Services. Adjusted rates will apply thirty (30) days after written notice to the Client. For ongoing engagements, the Client may terminate the Agreement within this notice period if it does not agree to the revised rates.

6. Confidentiality
6.1 Both Parties shall keep all confidential information obtained in the context of the Agreement strictly confidential and shall not disclose it to third parties without prior written consent, except as required by law.
6.2 This obligation continues after termination of the Agreement.
6.3 ACT may share confidential Client information with its employees, contractors, and advisors involved in the assignment on a need-to-know basis, provided they are bound by confidentiality obligations.

7. Data Protection
7.1 The Data processor agreement Addendum 1 applies to the provision of services when Personal Data is processed.

8. Intellectual Property
8.1 All intellectual property rights in documents, methods, tools, templates, reports, analyses, or deliverables developed or provided by ACT remain the exclusive property of ACT or its licensors.
8.2 The Client obtains a non-exclusive, non-transferable license to use deliverables solely for its internal business purposes.
8.3 The Client shall not reproduce, disclose, or commercially exploit any ACT materials without prior written consent.
8.4 Any pre-existing intellectual property or materials provided by the Client remain the Client’s property.

9. Use of Third Parties
9.1 ACT may engage subcontractors or independent professionals to assist in providing the Services.
9.2 ACT remains responsible for the performance of its obligations under the Agreement.

10. Liability and Indemnification
10.1 ACT performs the Services with due skill, care, and diligence expected from a competent and experienced provider of legal, privacy, and compliance advisory services. ACT is not a law firm and does not provide regulated legal representation, but the Client may expect ACT to apply a high professional standard consistent with senior legal and compliance practitioners.
10.2 ACT is liable only for damages that are the direct result of a proven professional error by ACT in the performance of the Services. A professional error means a materially negligent act or omission that a reasonably competent advisory professional would not have made under similar circumstances.
10.3 ACT maintains appropriate professional liability insurance for advisory services. ACT’s liability is limited to the amount paid out under its professional liability insurance policy for the relevant event.
10.4 If, for any reason, the insurer does not pay out, ACT’s total liability, whether contractual or otherwise, is limited to the amount of fees paid by the Client for the Services in the twelve (12) months preceding the event giving rise to the claim.
10.5 ACT is not liable for indirect or consequential damages, including lost profits, loss of goodwill, reputational harm, loss of data, or business interruption.
10.6 ACT is not liable for damages resulting from incomplete, inaccurate, or late information provided by the Client, nor for decisions or actions taken by the Client based on ACT’s deliverables without appropriate internal review.
10.7 Claims must be reported to ACT in writing as soon as reasonably possible, and in any case within sixty (60) days after the Client discovers or should reasonably have discovered a potential error. Claims expire twelve (12) months after the act or omission giving rise to the claim.
10.8 These limitations do not apply in cases of intent or deliberate recklessness by ACT’s management.

11. Force Majeure
11.1 ACT shall not be liable for any failure or delay in performing its obligations due to circumstances beyond its reasonable control, including but not limited to power failures, internet disruptions, strikes, illness, or government measures.
11.2 If the force majeure situation continues for more than sixty (60) days, either Party may terminate the Agreement in writing without liability for compensation.

12. Term and Termination
12.1 The Agreement remains in effect for the duration specified in the proposal or until completion of the Services.
12.2 Either Party may terminate the Agreement by written notice with a 30-day notice period, unless otherwise agreed.
12.3 Either Party may terminate immediately in case of a material breach that remains uncured after written notice, or if the other Party becomes insolvent or enters bankruptcy.
12.4 Upon termination, the Client shall pay for all Services performed up to the termination date.
12.5 Provisions that by their nature are intended to survive termination (e.g., confidentiality, IP, liability) shall remain in force.

13. Applicable Law and Jurisdiction
13.1 The Agreement and these Terms are governed by Dutch law.
13.2 Any dispute arising out of or relating to the Agreement shall be submitted exclusively to the competent court in Amsterdam, the Netherlands.
13.3 The applicability of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is excluded.

14. Miscellaneous
14.1 If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be replaced by a valid one reflecting the original intent as closely as possible.
14.2 ACT may amend these Terms from time to time. The amended Terms shall apply to new or ongoing engagements upon notice to the Client.
14.3 Communications may be made by email unless otherwise required by law or contract.
14.4 These Terms, together with any proposal or SOW, constitute the entire agreement between the Parties and supersede all prior understandings.

Addendum 4
Beta Testing Terms (Early Access / Pilot)

1. Scope and Purpose. Provider may grant Customer limited, revocable access to Beta Features (pre-release or experimental functionality) solely for testing and evaluation in non-production environments, unless expressly permitted otherwise in writing.

2. Availability; Support. Beta Features are provided as is without SLA, support or availability commitments. Provider may modify, suspend or withdraw Beta Features at any time.

3. Data & Privacy. Customer will avoid submitting any personal data or confidential production data to the Beta Features. The Beta environment is intended only for evaluation and feedback. This ensures that testing can take place safely and without exposing individuals or operational systems. If, in exceptional cases, the Parties explicitly agree in writing to use personal data, such processing will be governed by the DPA.

4. Confidentiality. All information about the Beta Features (including performance and feedback) is Provider Confidential Information. No public disclosures, benchmarks or comparative tests without Provider’s prior written consent.

5. Feedback. Customer grants Provider a perpetual, royalty-free licence to use feedback, suggestions and test results for any purpose, including improving the SaaS and commercialising Beta Features.

6. IP; Output. The IP and know-how in Beta Features remain with Provider. Any outputs generated are subject to the AI Terms (where applicable) and must be independently reviewed by Customer.

7. Warranty & Liability. Beta Features are provided as is and at Customer’s risk. To the maximum extent permitted by law, Provider disclaims all warranties and will have no liability for or arising from Beta Features, except for wilful misconduct or gross negligence. Mandatory law carve-outs apply.

8. Termination. Either Party may terminate Beta access at any time on written notice. Upon termination, Customer will stop using the Beta Features and delete related materials on request.

9. Conversion. Provider may offer to convert Beta Features to generally available features under an Order Form. Fees may apply. Migration/rollback assistance may be offered at Provider’s standard rates.

Addendum 4
Beta Testing Terms (Early Access / Pilot)

1. Scope and Purpose. Provider may grant Customer limited, revocable access to Beta Features (pre-release or experimental functionality) solely for testing and evaluation in non-production environments, unless expressly permitted otherwise in writing.

2. Availability; Support. Beta Features are provided as is without SLA, support or availability commitments. Provider may modify, suspend or withdraw Beta Features at any time.

3. Data & Privacy. Customer will avoid submitting any personal data or confidential production data to the Beta Features. The Beta environment is intended only for evaluation and feedback. This ensures that testing can take place safely and without exposing individuals or operational systems. If, in exceptional cases, the Parties explicitly agree in writing to use personal data, such processing will be governed by the DPA.

4. Confidentiality. All information about the Beta Features (including performance and feedback) is Provider Confidential Information. No public disclosures, benchmarks or comparative tests without Provider’s prior written consent.

5. Feedback. Customer grants Provider a perpetual, royalty-free licence to use feedback, suggestions and test results for any purpose, including improving the SaaS and commercialising Beta Features.

6. IP; Output. The IP and know-how in Beta Features remain with Provider. Any outputs generated are subject to the AI Terms (where applicable) and must be independently reviewed by Customer.

7. Warranty & Liability. Beta Features are provided as is and at Customer’s risk. To the maximum extent permitted by law, Provider disclaims all warranties and will have no liability for or arising from Beta Features, except for wilful misconduct or gross negligence. Mandatory law carve-outs apply.

8. Termination. Either Party may terminate Beta access at any time on written notice. Upon termination, Customer will stop using the Beta Features and delete related materials on request.

9. Conversion. Provider may offer to convert Beta Features to generally available features under an Order Form. Fees may apply. Migration/rollback assistance may be offered at Provider’s standard rates.