<p>IMPORTANT-READ CAREFULLY: This end-user agreement is a legal agreement accepted by the client licensing the original purchase of software or software services, either an individual or a single entity, herein referred to as the client. This end-user agreement is a legal agreement between the client and CD LAB AG and any certified resellers and certified distributors of the WinCan software, which includes computer software, cloud software services, associated media, hardware, printed materials, and online or electronic documentation (SOFTWARE PRODUCT). By installing, copying, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, do not install or use the SOFTWARE PRODUCT and return it to your place of purchase.</p>

<p>SOFTWARE PRODUCT LICENSE: Copyright laws and international copyright treaties, as well as other intellectual property laws and treaties, protect the SOFTWARE PRODUCT. The SOFTWARE PRODUCT is licensed, not sold. SUPPORT SERVICES: You are provided with support services related to the SOFTWARE PRODUCT. The individual company the SOFTWARE PRODUCT is purchased from governs use of support service. COPYRIGHT CD LAB AG Systems or CD LAB AG (either one for each item recognized) own all title and copyrights in and to the SOFTWARE PRODUCT, the accompanying printed materials, and any copies of the SOFTWARE PRODUCT. LIMITED WARRANTY CD LAB AG warrants that (a) the SOFTWARE PRODUCT will perform substantially in accordance with the accompanying written materials for a period of ninety (90) days from the date of receipt, and (b) any Support Services provided by CD LAB AG and certified resellers, and certified distributors shall be commercially reasonable efforts to solve any problem issues. Some states and jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you. CUSTOMER REMEDIES CD LAB AG, certified resellers, and certified distributors’ entire liability and your exclusive remedy shall be, at CD LAB AG’s option, either (1) return of the price paid, if any, or (b) repair or replacement of the SOFTWARE PRODUCT that does not meet the Warranty.</p>

<p>NO OTHER WARRANTIES APPLY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CD LAB AG AND ITS CERTIFIED RESELLERS AND CERTIFIED DISTRIBUTORS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGMENT, WITH REGARD TO THE SOFTWARE PRODUCT, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL CD LAB AG AND ITS CERTIFIED RESELLERS AND CERTIFIED DISTRIBUTORS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOSS OF DATA (FOR THE AVOIDANCE OF DOUBT DATA BACK UP FOR LOCAL INSTALLATIONS & CLOUD HOSTING IS THE CLIENTS RESPONSINILITY ENTIRERLY) , DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT OR THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF CD LAB AG AND ITS CERTIFIED</p>


<h3><strong>GDPR</strong></h3>

<h3><strong>DEFINITIONS</strong></h3>

<p>
    <strong>Data Protection Legislation: </strong>
    the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the General Data Protection Regulation ((EU) 2016/679) and any other directly applicable European Union regulation relating to privacy.
</p>

<p>
    <strong>UK Data Protection Legislation: </strong>
    any data protection legislation from time to time in force in the UK including the Data Protection Act 1998 or 2018 or any successor legislation.
</p>


<ol>
    <li>
        <strong>DATA PROTECTION</strong>
        <ol>
            <li>Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. In this clause 1, <strong>Applicable Laws</strong> means (for so long as and to the extent that they apply to the Company) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and <strong>Domestic UK Law</strong> means the UK Data Protection Legislation and any other law that applies in the UK.</li>
            <li>The parties acknowledge that for the purposes of the Data Protection Legislation, the Buyer is the data controller and the Company is the data processor (where <strong>Data Controller</strong> and <strong>Data Processor</strong> have the meanings as defined in the Data Protection Legislation). Schedule 1 sets out the scope, nature and purpose of processing by the Company, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, <strong>Personal Data</strong>) and categories of Data Subject.</li>
            <li>The parties acknowledge that CD LAB AG is the holding company of WinCan Europe Limited and develops and manages all software and cloud solutions. Therefore for the purposes of the Data Protection Legislation CD LAB AG has access to all Personal Data that the Company processes under this agreement. </li>
            <li>Without prejudice to the generality of clause 1.1, the Buyer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Company for the duration and purposes of this agreement.</li>
            <li>
                Without prejudice to the generality of clause 1.1, the Company shall, in relation to any Personal Data processed in connection with the performance by the Company of its obligations under this agreement:
                <ol>
                    <li>process that Personal Data only on the written instructions of the Buyer unless the Company is required by Applicable Laws to otherwise process that Personal Data. Where the Company is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Company shall promptly notify the Buyer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Company from so notifying the Buyer;</li>
                    <li>ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); </li>
                    <li>ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and</li>
                    <li>
                        not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Buyer has been obtained and the following conditions are fulfilled:
                        <ol>
                            <li>the Buyer or the Company has provided appropriate safeguards in relation to the transfer;</li>
                            <li>the data subject has enforceable rights and effective legal remedies;</li>
                            <li>the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and</li>
                            <li>the Company complies with reasonable instructions notified to it in advance by the Buyer with respect to the processing of the Personal Data;</li>
                        </ol>
                    </li>
                    <li>assist the Buyer, at the Buyer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;</li>
                    <li>notify the Buyer without undue delay on becoming aware of a Personal Data breach;</li>
                    <li>at the written direction of the Buyer, delete or return Personal Data and copies thereof to the Buyer on termination of the agreement unless required by Applicable Law to store the Personal Data; and</li>
                    <li>maintain complete and accurate records and information to demonstrate its compliance with this clause 1.</li>
                </ol>
            </li>
            <li>The Buyer consents to the Company appointing Amazon Web Services, Inc (AWS Europe from 1st July 2018) as a third-party processor of Personal Data under this agreement. The Company confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. The Buyer further consents to the Company appointing third-party processors of Personal Data under this agreement for the purposes of software development and technical support. The Company confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this clause 1.6.</li>
            <li>When appointing Amazon Web Services, Inc the Company shall use a hosting location in the same geographical region as the Buyer. In using Amazon Web Services, Inc therefore the Company confirms subject to clauses 1.9 and 1.5(d) and in line with the Data Protection Legislation for Buyers within the UK and EU only that it will not transfer Personal Data outside of the European Economic Area.  </li>
            <li>Either party may, at any time on not less than 30 days’ notice, revise this clause 1 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).</li>
            <li>The Buyer acknowledges that by installing the software or utilising its cloud services it consents to CD LAB AG acting as a third-party processor of Personal Data under this agreement. The Buyer further acknowledges that CD LAB AG is a company registered in Switzerland and therefore Personal Data will be transferred outside the EU in order to perform the Company’s contract with the Buyer. There is an adequacy decision by the European Commission in respect of Switzerland. This means that Switzerland is deemed to provide an adequate level of protection for Personal Data. The Company confirms that it has entered or (as the case may be) will enter into a written agreement incorporating terms which are substantially similar to those set out in this clause 1. As between the Buyer and the Company, the Company shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 1.</li>
        </ol>
    </li>
</ol>


<h3><strong>Schedule 1	Processing, Personal Data and Data Subjects</strong></h3>


<ol>
    <li>
        <strong>Processing by the Company</strong>
        <ol>
            <li>
                <strong>Scope</strong>
                <p>Implementation of the Company’s software which includes the transfer of information and data between the Buyer’s system to the Company’s server and Amazon cloud services and access by the Company and CD LAB AG to that information and data as administrator and for the purposes of software support.</p>
            </li>
            <li>
                <strong>Nature</strong>
                <ol>
                    <li>Recording data</li>
                    <li>Organisation of data</li>
                    <li>Structuring of data</li>
                    <li>Storage of data</li>
                    <li>Alignment or combination of data</li>
                    <li>Adaptation or alteration of data</li>
                    <li>Retrieval of data</li>
                    <li>Consultation relating to data</li>
                    <li>Use of data</li>
                    <li>Erasing data</li>
                    <li>Destroying data</li>
                    <li>Disclosure by transmission or dissemination or otherwise making available data</li>
                    <li>System development</li>
                </ol>
            </li>
            <li>
                <strong>Purpose of processing</strong>
                <p>It is necessary for entering and performing this contract and for the Company to provide its professional and advisory services and IT System management.</p>
            </li>
            <li>
                <strong>Duration of the processing</strong>
                <p>For the duration of the retainer with the Buyer. Three months following the termination or expiration of the retainer with the Buyer the Company shall destroy any data. Within the three months following termination or expiration of the retainer the Buyer can reactivate its account (reactivation is not guaranteed following account expiry) and by doing so the Company shall have access to any data retained. Where a Buyer’s account is dormant for three months an automated removal process will occur deleting all account information and all associated data. Following deletion all data will be unrecoverable.</p>
            </li>
        </ol>
    </li>
    <li>
        <strong>Types of personal data</strong>
        <ol>
            <li>
                Personal details
                <ol>
                    <li>Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.</li>
                </ol>
            </li>
        </ol>
    </li>
    <li>
        <strong>Categories of data subject</strong>
        <p>The Buyer and individuals the Buyer collects data on.</p>
    </li>
</ol>