Bullish (BULL) F-4/A Registration of securities (foreign) (amended)

Exhibit 10.33

CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THIS EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) WOULD BE COMPETITIVELY HARMFUL IF PUBLICLY DISCLOSED. THE REDACTED TERMS HAVE BEEN MARKED WITH THREE ASTERISKS [***].

	Sales Order Form
	Sales Order Number	QUO-10000855
	Sales Order Date	30/06/2020
	Sales Order Expiry Date	30/06/2020

Quote Prepared For:
Account Name:	Block.one	Name:	Andrew Walton
Bill To:	B1 (Gibraltar) Limited	Phone:
	Suite 23, Portland House, Glacis Road,
	Gibraltar
	, GX11 1AA
	[***]
Quote Prepared By:
Name:	Kevin Yang	Email:	kevin.yang@jumio.com
Summary Quote Info:
Payment Terms:	See Payment Terms set forth in the Terms and Conditions	Total Price:	USD [***]

Subscription Services Details:

Product	Service Term (Months)	Service Start/End Dates	Transactions Included	Net Unit Price	Total Price
[***]	[***]	[***]	[***]	[***]	[***]
[***]	[***]	[***]	[***]	[***]	[***]
[***]	[***]	[***]	[***]	[***]	[***]
[***]	[***]	[***]	[***]	[***]	[***]
[***]	[***]	[***]	[***]	[***]	[***]
[***]	[***]	[***]	[***]	[***]	[***]
[***]	[***]	[***]		[***]	[***]
[***]	[***]	[***]		[***]	[***]
[***]		[***]		[***]	[***]

Terms & Conditions

This Order Form (“Order”) is entered by and between Jumio UK Ltd. Registered address: 21 Worship Street, 3rd Floor, London, United Kingdom, EC2A 2DW Registration number: 10561447and the Customer listed above (“Customer”). This Order constitutes a non-cancelable, non-refundable commitment to purchase the Services set forth above incorporating and subject to the terms in this Order and the terms and conditions of the Attached Agreement(s) (altogether the “Agreement”), and is effective as of the date this Order Form is signed by the Customer (“Effective Date”). All payment terms and commencement of services, as set forth in this Order Form, are measured from the Effective Date.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jumio HQ & Sales:	EMEA Sales:
395 Page Mill Road, Suite 150 • Palo Alto, CA 94306 • United States	21 Worship Street • London, EC2A 2DW • United Kingdom

	Sales Order Form
	Sales Order Number	QUO-10000855
	Sales Order Date	30/06/2020
	Sales Order Expiry Date	30/06/2020

Customer will pay Jumio in equal installments of the Fees to be payable on the following schedule:

[***]

[***]

[***]

[***]

[***]

- If (a) Customer fails to pay any invoice by the due date, and (b) payment has not been received by Jumio within five (5) business days after providing the Customer written notice thereof, all outstanding payments shall be immediately due and payable.

IN WITNESS WHEREOF, the Parties have caused this Agreement to be executed and delivered by their respective authorized representatives whose signatures appear below.

Customer:		Jumio:
Signature		Signature
Print Name	[***]	Print Name	[***]
Title	[***]	Title	[***]
Date Signed	02 July 2020	Dated Signed	01 July 2020

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jumio HQ & Sales:	EMEA Sales:
395 Page Mill Road, Suite 150 • Palo Alto, CA 94306 • United States	21 Worship Street • London, EC2A 2DW • United Kingdom

JUMIO TERMS AND CONDITIONS

REF: BLOCK.ONE FINANCIAL SERVICES

These terms and conditions (“Terms and Conditions”), effective 30 June 2020 are made by:

(1) Jumio UK Ltd.

Registered address: 21 Worship Street, 3rd Floor, London, United Kingdom, EC2A 2DW Registration number: 10561447

(“Jumio”);

and

(2) B1 (Gibraltar) Limited

Registered Address: Suite 23, Portland House, Glacis Road, Gibraltar

Company number: 119714

(“Customer”).

In consideration of the mutual covenants and promises contained in these Terms and Conditions, Jumio and Customer agree as follows:

1. DEFINITIONS.

1.1 “Additional Term” means an extension of the Initial Term, whether expressly agreed between the Parties, by an automatic extension pursuant to Section 2.3, or otherwise.

1.2 “Address Extraction” means the Optional Service described as such in Exhibit A.

1.3 “Affiliate” means any entity that the Customer (i) owns or controls, directly or indirectly, at least 50% of the stock, partnership shares or membership interests in an entity having the right to vote for or appoint directors thereto, and/or (ii) has the right to determine management direction whether through having a majority representation on a board of directors of a corporation or by holding, directly or indirectly through one or more subsidiaries, at least 50% of the general partnership interests of a partnership.

1.4 “Agreement” means these Terms and Conditions and any Sales Order that incorporates these Terms and Conditions and any applicable exhibits, schedules or other attachments, unless the context requires otherwise.

1.5 “Applicable Laws” means all applicable laws, regulations, statutes, codes of practice, governmental orders or guidance or orders of any other competent regulatory authority in any jurisdiction, which are applicable to any activities under this Agreement or any Sales Order.

1.6 “Asian Character Extraction” means the Optional Service described as such in Exhibit A.

1.7 “Authentication” means the Product described as such in Exhibit A.

1.8 “Authorised User” has the meaning set forth in Section 22.8.

1.9 “BAM Checkout” means the Product described as such in Exhibit A.

1.10 “Business Day” means Monday to Friday (excluding public holidays in New York City).

1.11 “Confidential Information” means any and all trade secrets, proprietary or confidential information, in whatever form, that are owned by a Party and/or reasonably considered by it to be confidential, that a Party has disclosed to the other Party prior to the Effective Date, or that a Party may disclose to the other Party on or after the Effective Date. Confidential Information includes, without limitation, the object code and source code to the Products, as defined below, and any information related to the business and affairs of the disclosing Party. Notwithstanding the foregoing, the following will not constitute Confidential Information for purposes of this Agreement: (a) information which was already in the receiving Party’s possession as a matter of record prior to the Effective Date and not disclosed to the receiving Party by the other Party to this Agreement; (b) information that is independently developed by the receiving Party as a matter of record; (c) information that is obtained from a third Party who, insofar as is known to the receiving Party, is not prohibited from transmitting the information to the receiving Party by a contractual, legal or fiduciary obligation to the disclosing Party; and (d) information which is or which becomes generally available to the public other than as a result of disclosure by the receiving Party.

1

1.12 “Customer” means the customer listed in the applicable Sales Order referring to these Terms and Conditions.

1.13 “Customer Group” means the Customer together with each of its Affiliates.

1.14 “Customer Portal” means the secure portal hosted by Jumio and made available to Customer for (a) accessing the Documentation, (b) configuring the Products including the activation of Optional Services (as applicable), and (c) viewing any stored Transactions during the storage period referred to in Section 9.

1.15 “Data Retention Policy” means Jumio’s policy for the retention of User Information which is available here: https://www.jumio.com/legal-information/privacy-policy/jumio-corp-privacy-policy-for-online-services/.

1.16 “Dispute” has the meaning set forth in Section 20.1.

1.17 “Document Verification” means the Product described as such in Exhibit A.

1.18 “Documentation” means the standard documentation, specifications, written instructions or explanatory material related to the installation, operation, use or maintenance of the Products and any subsequent versions thereof, available through the Customer Portal or on www.jumio.com.

1.19 “Effective Date” means the date on which Customer signs the applicable Sales Order.

1.20 “Fastfill” means the Product described as such in Exhibit A.

1.21 “Fees” means the aggregate of all license and other fees specified in the Sales Order.

1.22 “Force Majeure Event” has the meaning set forth in Section 22.17.

1.23 “Good Industry Practice” means the generally accepted industry standards applicable to Jumio, which include practices that would reasonably and ordinarily be expected from a supplier of services substantially similar to the Services that are the subject of this Agreement.

1.24 “Government Request” means a duly authorized investigation or request for information or other enquiry or request from any regulator, court or other governmental or quasi-governmental authority of competent jurisdiction specifically relating to the provision or receipt of the Services under this Agreement or any Sales Order.

1.25 “ID Verification” means the Product described as such in Exhibit A.

1.26 “Identity Verification” means the Product described as such in Exhibit A.

1.27 “Initial Term” means the period specified in the Sales Order, excluding any Additional Term(s).

1.28 “Intellectual Property Rights” means all intellectual property rights protected by law throughout the world, including all copyrights, copyright registrations and applications, trademark rights (including trade dress), trademark registrations and applications, patent rights (including the right to apply therefor), patent applications (including the right to claim priority under applicable international conventions) and all patents issuing thereon, industrial property rights, inventions (whether or not patentable), together with all utility and design, know-how, specifications, trade names, mask-work rights, trade secrets, moral rights, author’s rights, algorithms, rights in packaging, goodwill, and other intellectual and industrial property rights, as may exist now and hereafter come into existence, and all renewals and extensions thereof, regardless of whether any of such rights arise under the laws of the United States or of any other state, country or jurisdiction.

1.29 “Jumio” means Jumio UK Ltd., a United Kingdom entity, located at 21 Worship Street, 3rd Floor, London, United Kingdom, EC2A 2DW.

1.30 “Jumio Insights” means insights gained by Jumio during the course of performing the Services, but excludes all Jumio Results.

2

1.31 “Jumio Results” means all data and information provided by Jumio to Customer as part of, in response to, or as the output of a Transaction.

1.32 “Licensed Work” means the Products, Optional Services and the Documentation.

1.33 “Included Transactions” means the number of Transactions specified in a Sales Order representing the maximum number of Transactions that Customer is permitted to undertake pursuant to that Sales Order before Overages begin to accrue.

1.34 “Losses” means, losses, deficiencies, obligations, penalties, judgments, settlements, claims, payments, fines, interest costs and expenses of whatever nature (and “Loss” shall be construed accordingly).

1.35 “Maintenance and Support Charge” has the meaning set forth in Exhibit B.

1.36 “Multi-Doc Capture” means the Optional Service described as such in Exhibit A.

1.37 “Optional Services” means the optional services (in addition to the Products) made available for purchase as specified in Exhibit A.

1.38 “Overage” means a Transaction processed pursuant to a Sales Order in excess of the Included Transactions specified in that Sales Order.

1.39 “Parties” means Jumio and the Customer, and “Party” means one either of them.

1.40 “PCI DSS” means the Payment Card Industry Data Security Standard issued and maintained by the PCI Security Standards Council.

1.41 “Performance Reports” has the meaning set forth in Exhibit C.

1.42 “Performance Standards” has the meaning set forth in Exhibit C.

1.43 “Products” means Authentication, BAM Checkout, Document Verification, Identity Verification, Fastfill, ID Verification and Screening, and such other products marketed or sold by Jumio as are specified in the applicable Sales Order(s) referencing these Terms and Conditions; and “Product” means any one of them.

1.44 “Renewal Date” means the date on which any Additional Term commences.

1.45 “Sales Order” means, irrespective of its title, a document that (a) specifically refers to this Agreement; and (b) is signed by both Parties. In the event of a conflict between the provisions of this Agreement and the provisions of a Sales Order, the provisions of the applicable Sales Order will control.

1.46 “Screening” means the Product described as such in Exhibit A.

1.47 “Service Credit” has the meaning set forth in Exhibit C.

1.48 “Service Start Date” means the date specified in the Sales Order as the Service Start Date or if none, the Effective Date. For the avoidance of doubt, the Service Start Date will predate the Effective Date where necessary to ensure continuity of Service.

1.49 “Services” means the provision of the Products, the Optional Services and the Support Services.

1.50 “Support Services” means the services set forth in Exhibit B.

1.51 “Support Services Term” has the meaning set forth in Exhibit B.

1.52 “Term” means the Initial Term and any Additional Term(s).

1.53 “Terms and Conditions” has the meaning set forth in the preamble hereto.

1.54 “Transaction” means (a) a submitted ID Verification, Identity Verification or Document Verification scan which returns one of Jumio’s standard acknowledgement responses; (b) a submitted FastFill or BAM Checkout scan that returns one or more structured data fields for the purposes of conducting business with the User; and “Transactions” means any combination or multiple of them.

3

1.55 “TUPE” means the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) in the United Kingdom.

1.56 “Unused Transactions” has the meaning set forth in Section 4.4 herein.

1.57 “User” means an end-user initiating a Transaction.

1.58 “User Information” means information supplied by a User or the Customer in connection with a Transaction, including any personally identifiable information, images and metadata.

2. ORDERING SERVICES

2.1 Placing an Order. Except for Optional Services, an order for Services must be placed [***].

2.2 Optional Services. Customer may also purchase Optional Services during the Term by: [***].

2.3 Reporting on Consumption. Jumio will use commercially reasonable efforts to advise the Customer once 75% of Included Transactions have been consumed.

2.4 Renewal. A Sales Order will expire upon the expiration of the Term, and unless otherwise stated in the Sales Order, the terms of that Sales Order will automatically renew, [***].

2.5 Volume Forecasts. The Customer shall provide, in accordance with the mechanism set forth in each Sales Order (or where no such mechanism is described in a Sales Order, at the end of each calendar month), without obligation, an indicative and non-binding volume forecast of the number of Transactions it expects to be made in connection with the Services. Jumio shall remain obligated to meet the Performance Standards in accordance with the Customer’s volume forecasts from time to time, so long as such volume forecasts do not exceed the number of Transactions set forth in the applicable Sales Order. To the extent that Customer’s volume forecast exceeds the applicable Sales Order, Jumio will promptly inform Customer of the preparatory steps to be taken by Jumio in order to be able to meet such demand assuming a suitable Sales Order will be entered into. The parties agree that some Sales Orders may set out additional terms with respect to significant projected volume increases.

3. DESCRIPTION OF SERVICES

3.1 Provision of the Services. Subject to Customer’s compliance with the provisions of this Agreement, commencing on the Service Start Date and continuing throughout the remainder of the Term, Jumio will provide the Services in accordance with and subject to the terms of this Agreement, including where applicable, the Performance Standards.

3.2 Services License. Subject to Customer’s compliance with the provisions of this Agreement, Jumio grants to Customer and its Affiliates a worldwide, non-exclusive and non-transferable right and license to: (i) access and use the Licensed Work; and (ii) install and use the Products, in each case, solely in connection with the Services and, unless otherwise agreed between the Parties, solely for its internal business purposes to provide services directly to Users. Jumio reserves all rights in the Licensed Work and Services not expressly granted in this Section 3.2.

3.3 User Information License; Improvement of Services. Customer hereby grants to Jumio a license to use, reproduce, modify, create derivative works from, distribute, perform, transmit, anonymize and display the User Information (including any rights specifically pertaining to biometric information) necessary to provide the Services, including the right for Jumio to grant equivalent rights to its service providers that perform services that form part of or are otherwise used to perform the Services. Customer further grants Jumio all necessary rights to irrevocably use, reproduce, modify, create derivative works from, distribute, perform, transmit and display User Information in an anonymized or aggregated form that does not identify (and cannot be used to identify) individual persons or organizations (such as, by way of example and not by way of limitation, numbers of verifications) perpetually, in order to compile statistics regarding use of the Services and/or to develop and improve the Services.

4

3.4 Restrictions. Customer has no right to and shall not attempt to interfere with or disrupt the Services or the Licensed Work or attempt to gain access to any systems or networks that connect thereto (except as required to access and use the Services). Customer has no right to and must not:

(a) decompile, disassemble, or otherwise reverse engineer or attempt to reconstruct or discover, in any way, any source code, programming, algorithms, design structure, interoperability interfaces, concepts, construction methods underlying ideas, or file formats of the Licensed Work, for any purpose;

(b) remove any identification markings, including but not limited to copyright notices and trademarks, from the Licensed Work;

(c) make any modification or enhancement to the Licensed Work, or any portion thereof;

(d) copy, sell, resell, OEM, lease, assign, distribute or transfer in any manner or form, in whole or in part, the Licensed Work or Services;

(e) use the Licensed Work to develop or distribute any software product that competes in the marketplace with the Products or Services; or

(f) transfer any of its rights hereunder.

3.5 Acceptable Use. Customer acknowledges and agrees that Jumio does not monitor or police data transmitted through the Services and that Jumio shall not be responsible for the content of any such communications or transmissions.

3.6 Unauthorized Use. Customer further agrees to take [***] reasonable steps to ensure that unauthorized persons will not have access to any of the Licensed Work and that all authorized persons having access will refrain from any disclosure, duplication or reproduction of the Licensed Work except to the extent permitted under this Agreement.

4. FEES

4.1 Fees. The Customer must pay Jumio the Fees in the manner and amounts set forth in this Agreement. All payments will be nonrefundable, non-cancellable and irrevocable except as otherwise provided in this Agreement. Unless set forth in a Sales Order or as otherwise provided below with respect to Optional Services, the Fees are due and payable in United States dollars, in full, on the Effective Date or Renewal Date (as appropriate). Invoices to Customer must be sent to the email address indicated on the Sales Order. Unless otherwise specified in a Sales Order, payment obligations are unconditional and not dependent on a “go live” date or the use of the Products in a “live environment”.

4.2 Overages. Jumio will invoice and Customer must pay for Overages monthly in arrears, net thirty (30) days of Jumio’s invoice date. Fees for Overages will be calculated as the quantity of Overages multiplied by 100% of the individual Transaction rate set forth in the Sales Order, plus a commensurate increase in the Maintenance and Support Charge. Jumio may, at its sole discretion, permit Customer to consume transactions after the Term is expired provided that Transactions consumed after the Term will be invoiced as Overages, and notwithstanding any expiration of the Agreement, such Transactions will be subject to the terms and conditions of this Agreement.

4.3 Optional Services. Jumio will invoice and Customer must pay for Optional Services quarterly in arrears, net thirty (30) days of Jumio’s invoice date. Fees for Optional Services will be specified by Jumio at the time of activation of the Optional Services.

4.4 Unused Transactions. Customer acknowledges and agrees that any unused or unprocessed Transactions (or related services) under the Included Transactions limitation set forth in a Sales Order (“Unused Transactions”) will automatically expire at the end of the Initial Term or the then-applicable Additional Term and Customer shall not be entitled to a refund or credit for any Unused Transactions nor will Customer be entitled to rollover any Unused Transactions into an Additional Term or another or future agreement or arrangement.

4.5 Taxes. The amounts due to Jumio under this Agreement do not include bank fees, transfer fees, taxes, duties or similar fees. If Jumio does not receive full payment of the Fees or is required to pay (a) sales, use, property, value-added, withholding or other taxes, (b) any customs or other duties, or (c) any import, warehouse or other fees, associated with the importation or delivery based on the licenses granted or services performed under this Agreement or on Customer’s use of the Licensed Work or the Services, then such taxes, duties or fees will be billed to and paid by Customer. If Customer is permitted to declare any such taxes, Customer must declare and pay such taxes and Jumio will not be required to invoice Customer. This Section 4.5 does not apply to and Customer shall not be required to pay taxes based on Jumio’s gross receipts, income or payroll. Notwithstanding anything to the contrary herein,

5

Customer shall be entitled to deduct and withhold from the Fees under this Agreement such amounts as Customer is required to deduct and withhold with respect to the making of such payment under applicable tax laws. To the extent that amounts are so withheld and paid over to the appropriate tax authority by Customer, Customer shall immediately provide Jumio with proof of such withholding tax payment, and, accordingly, such withheld amounts shall be treated for all purposes of this Agreement as having been paid to Jumio.

4.6 Unless expressly agreed otherwise in a Sales Order:

(a) the Fees under such Sales Order are fixed and may not be increased by Jumio at any time during the Term of that Sales Order (including on account of inflation or to enable Jumio to manage increased volumes forecast by the Customer pursuant to Section 1); and

(b) the Fees under such Sales Order shall be fully-inclusive and shall compensate Jumio for all costs and expenses of whatever nature that Jumio may have incurred in connection with the performance of its obligations under this Agreement or such Sales Order.

4.7 Jumio may not deduct or set-off amounts payable to it from any other amounts owed to it by the Customer or any of its Affiliates, whether under this Agreement, any Sales Order or under any other agreement. The Customer may by notice in writing to Jumio, set-off any amounts owed by Jumio to the Customer against any amounts owed by the Customer to Jumio under any Sales Order.

5. CONSEQUENCES OF LATE PAYMENT

5.1 Account Suspension. If the payment of Customer’s Fees is overdue by more than twenty (20) days, Jumio shall notify the Customer. Jumio and the Customer shall work together in good faith to find a solution. In the event that a solution cannot be found within fifty (50) days of such notice, Jumio may immediately suspend or delay the provision of Services to Customer and remove net 30 payment terms (or any other credit terms or installment terms previously extended), and all amounts due will become due immediately. Suspension or delay of Services does not in any way negate or lessen Customer’s obligation to pay any Fees or expenses due under this Agreement.

5.2 Default Interest and Collection Costs. All undisputed payments which remain overdue for 30 days, will accrue interest at the lesser of (a) two and a half percent (2.5%) per month, or (b) the maximum rate permitted by applicable law; in each case, from the date due until fully paid.

5.3 Account Reactivation. If Jumio suspends Customer’s account for non-payment, Customer will be entitled to reopen or reinstate its account by: (i) paying all outstanding invoices; (ii) paying all late fees or charges associated with past due invoices; (iii) paying any fees Jumio may be charged for unsuccessful direct debit or credit card charge(s); and (iv) executing a direct debit authorization form or credit card charge authorization form expressly authorizing Jumio to debit its bank account or charge its credit card according to the payment terms set out in a Sales Order.

6. WARRANTIES

6.1 Service Warranties. Jumio warrants and undertakes to Customer that the Services:

(a) will be performed in a professional manner, in accordance with Good Industry Practice,

(b) in accordance with the terms of this Agreement and those set forth in the relevant Sales Order; and

(c) will substantially conform with the Documentation.

6.2 Mutual Warranties. In addition, each Party represents and warrants that (a) it has all right and authority necessary to enter into this Agreement, and (b) it has all necessary licenses, permits, authorisations, necessary approvals and registrations required to perform its obligations hereunder.

6.3 Disclaimer. Customer assumes sole responsibility and liability for results obtained from the use of the Products] and for conclusions drawn from such use, provided Jumio has complied with its warranties and undertakings in Clause 6.1 above. Jumio shall have no liability for any claims, losses, or damage to the extent caused by errors or omissions in any information provided to Jumio by Customer or Users in connection with the Products or Services.

6.4 THE FOREGOING WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, GOOD TITLE, OR SATISFACTORY QUALITY REGARDLESS OF WHETHER IMPOSED BY CONTRACT, STATUTE, COURSE OF DEALING, CUSTOM OR USAGE OR OTHERWISE.

6

6.5 SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES IN CERTAIN CIRCUMSTANCES. ACCORDINGLY, SOME OF THE LIMITATIONS SET FORTH ABOVE MAY NOT APPLY.

7. OBLIGATIONS

7.1 [***].

7.2 Customer’s Obligation to Keep Current. Customer shall use reasonable endeavours to ensure that all solutions, corrections, or improvements provided to it by Jumio are implemented by Customer within six months of being provided by Jumio. Customer further recognizes that its failure to so implement such solutions, corrections, and improvements may render the Products unusable or defective.

8. CONFIDENTIALITY OF INFORMATION.

8.1 Definitions. For the purposes of this Section 8, that party disclosing the Confidential Information shall be referred to as the “Disclosing Party” and the party receiving such Confidential Information shall be referred to as the “Receiving Party”.

8.2 Confidentiality Obligations. As between the Parties, the Confidential Information of each Party will remain its sole property. Each Party must protect Confidential Information from disclosure using the same care it uses to protect its own confidential information of like importance, but not less than reasonable care. The Party employing or engaging persons having access to the Confidential Information of the other Party is responsible and liable for their compliance with such confidentiality obligations. The Receiving Party shall (i) not use any of the Confidential Information otherwise than for the purpose of performing its obligations and exercising its rights under this Agreement or any Sales Order; (ii) at all times during and after the Term maintain the confidentiality of the Confidential Information; (iii) only make available the Confidential Information to such of its employees, contractors, agents and professional advisers who are under a duty of confidentiality and as have been informed by the Receiving Party of the confidential nature of the Confidential Information and of their obligations in respect thereof; and (iv) immediately on request of the Disclosing Party and in accordance with such request either: (a) return to the Disclosing Party all of the Confidential Information in its possession; or (b) destroy all of the Confidential Information in its possession, except to the extent the Receiving Party is required to retain copies of such Confidential Information for the purposes of compliance with Applicable Laws.

8.3 Notwithstanding the foregoing, if Receiving Party becomes, under lawful process, subject to a demand for discovery or disclosure of such information, it must give the Disclosing Party notice of the demand prior to furnishing the requested information and must, upon the request of and at the expense of the Disclosing Party, cooperate with the Receiving Party in seeking reasonable arrangements to protect the confidential nature of such information.

8.4 Enforcement. Both Parties acknowledge that, in the event of a breach of its obligations under this Section 8, the non-breaching Party may bring an appropriate legal action to enjoin any such breach of this Agreement without the need to obtain a bond or other security.

9. OWNERSHIP, STORAGE AND ACCESS TO DATA

9.1 Ownership of Data. As between Jumio and the Customer: (i) the Customer owns all User Information and Jumio Results, and (ii) Jumio owns all Jumio Insights.

7

9.2 User Information. With respect to all User Information, Jumio shall:

(a) [***]; and

(b) [***].

9.3 Storage of Data. Jumio will store User Information scanned for the retention period specified by the Customer in the Customer Portal, after which Jumio shall securely and permanently delete such User Information. [***].

9.4 Access to Stored Data. [***].

9.5 Deletion. [***]. Jumio shall delete any stored items in storage following expiration or termination of this Agreement once access to such data has been revoked in accordance with Section 9.4. Jumio’s responsibility for storing and deleting items is exclusively stated in this Section 9.

9.6 Customer Portal. Access to the Customer Portal is provided as part of the Services. Upon termination of this Agreement for any reason, access to the Customer Portal and any data therein will be revoked in accordance with Section 9.4. Jumio logs access to the Customer Portal, which contains the contact information of authorized users. Customer hereby authorizes Jumio to retain access logs for the Term.

10. INFORMATION SECURITY

10.1 Jumio warrants that:

(a) subject to Customer implementing reasonable information security practices (including timely deletion), Jumio shall be responsible for the security of User Information stored, processed or transmitted by Jumio pursuant to this Agreement; and

(b) it will maintain compliance with PCI DSS or other globally recognized security standard for the Term and will provide customer with a copy of its certificate of compliance upon request.

10.2 Jumio shall comply with the Jumio Security Policy, a copy of which is available via the Customer Portal, as may be updated from time to time. Jumio shall promptly notify Customer upon any update of the Jumio Security Policy.

10.3 Jumio shall comply with Exhibit D and promptly notify Customer upon any instance of non-compliance.

11. INTELLECTUAL PROPERTY

11.1 Ownership. As between Customer and Jumio, Jumio owns the Services and Licensed Work (and all copies of the Licensed Work), all improvements, modifications and derivative works thereof, and all Intellectual Property Rights therein or relating thereto are and shall remain the exclusive property of Jumio or its licensors. Except as set forth in this Agreement, Jumio does not grant any rights to the Services or Licensed Work to Customer or its Affiliates. Customer further acknowledges that Jumio retains all right, title and interest in the Licensed Work including all rights to patent, copyright, trade secret and, attributable to Jumio efforts, whether such efforts are independent or in conjunction with Customer.

11.2 Notices and Enforcement. Customer agrees that all trademark and intellectual property notices for the Licensed Work must be preserved unmodified. Customer hereby acknowledges and agrees that the Licensed Work constitute and contain valuable proprietary products and trade secrets of Jumio, embodying substantial creative efforts and confidential information, ideas, and expressions.

11.3 Customer Restrictions. Customer agrees not to challenge, directly or indirectly, any right or interest of Jumio in the Services or Licensed Work nor the validity or enforceability of Jumio’s rights under applicable law. Customer agrees not to directly or indirectly register, apply for registration or attempt to acquire any legal protection for, or any proprietary rights in, the Services or Licensed Work or to take any other action which may adversely affect Jumio’s rights or interest in the Services or Licensed Work in any jurisdiction.

8

11.4 Trademarks. Customer acknowledges Jumio’s ostensible ownership of the trademarks “Jumio,” “BAM Checkout,” “Document Verification”, “Netswipe”, “FastFill,” “Netverify”, “Trusted Identity as a Service” and any other the Product names, and all related trademarks and service marks. Customer further acknowledges that it will acquire no interest in such trademarks and service marks by virtue of this Agreement or the performance by Customer of its duties and obligations under this Agreement. Customer agrees not to use the name “Jumio” or any of the Product names or marks (or any confusingly similar name or symbol), in whole or in part, as part of Customer’s business or trade name nor shall it register or use internet domain names or social media websites with the use of the “Jumio” name.

12. INDEMNIFICATION

12.1 Customer Indemnification. Customer shall defend (or settle), indemnify and hold harmless Jumio, its officers, directors and employees, from and against any liabilities, losses, damages and expenses, including court costs and reasonable attorneys’ fees, arising out of or in connection with any third-party claim that a third party has suffered injury, damage or loss resulting from any Authorised User’s use of the Services for illegal purposes or in a manner that violates Sections 3.2, 3.3 or 3.4. Customer’s obligations under this Section 12.1 are contingent upon: (a) Jumio providing Customer with prompt written notice of such claim; (b) Jumio providing reasonable cooperation to Customer, at Customer’s expense, in the defense and settlement of such claim; and (c) Customer having sole authority to defend or settle such claim (except where Jumio is subject to a class action affecting more than one customer, in which case Jumio will use commercially reasonable efforts to consult with Customer as to the defense and settlement).

12.2 Jumio Indemnification. Jumio shall defend (or settle), indemnify and hold harmless the Customer Group and its officers, directors and employees against any liabilities, losses, damages and expenses, including court costs and reasonable attorney’s fees, arising out of or in connection with (i) any suit or action brought against Customer to the extent that it is based upon a claim that the Services infringe or misappropriate the Intellectual Property Rights of any third party, and (ii) to the extent permitted by Applicable Law, Jumio’s material breach of this Agreement being the primary cause of a regulatory fine being issued against the Customer or an Authorised User. Jumio’s obligations under this Section 12.2 (i) are contingent upon: (a) Customer providing Jumio with prompt written notice of such claim; (b) Customer providing reasonable cooperation to Jumio, at Jumio’s expense, in the defense and settlement of such claim; and (c) Jumio having sole authority to defend or settle such claim. In the event that Jumio’s right to provide the Services is enjoined or in Jumio’s reasonable opinion is likely to be enjoined, Jumio may obtain the right to continue providing the Services, replace or modify the Services so that they become non-infringing, or, if such remedies are not reasonably available, terminate this Agreement without liability to Customer. Jumio shall have no liability under this Section 12.1 to the extent that any third-party claims described herein are based on use of the Services in a manner that violates this Agreement or the instructions given to Customer by Jumio.

12.3 Exclusions. Notwithstanding the foregoing, Jumio will have no liability for any claim of infringement based upon any infringement claim for Customer’s: (a) use of a superseded or altered release of the Licensed Work if the infringement would have been avoided by the use of a current unaltered release of the Licensed Work that Jumio provided or made available to Customer; or (b) use of the Licensed Work which has been modified pursuant to either Customer’s specific request or Customer’s individual modifications or enhancements to the Products and where in either case the infringement was caused by such modification or enhancement; (c) use of the Licensed Work: (i) other than in accordance with this Agreement, (ii) other than under normal use as set forth in the Documentation, or (iii) in combination with other software or equipment not provided by Jumio if such infringement would not have occurred without such use or combination; or (d) continuing the allegedly infringing activity after notice.

12.4 TUPE Indemnification. If any Jumio employee claims that his or her employment has transferred to the Customer, any Authorised User, or to any of its or their subcontractors, as a consequence of, or in connection with, a termination of this Agreement or any Service or any Sales Order under TUPE (or similar Applicable Law in any other relevant jurisdiction), Jumio shall indemnify such the Customer or Authorised User (as the case may be) (on behalf of itself and such subcontractor) against any Losses arising from the employment or termination of employment of such a person.

13. RESPONSIBILITY FOR REGULATORY COMPLIANCE

13.1 Compliance. Jumio shall comply with all applicable laws and regulations which relate to the provision of the Services. Customer shall comply with laws and regulations which relate to the purchase of the Services or the provision of the Services to actual or potential Users. Without prejudice to its obligations under this Agreement and each Sales Order, each Party shall notify the other Party in writing as soon as possible after it becomes aware of any event or development (including, but not limited to, in relation to changes in Applicable Laws) that may have a material impact on its ability to perform its obligations under this Agreement or any Sales Order effectively or in accordance with Applicable Laws. Any changes to this Agreement or any Sales Order pursuant to such notification shall be made by written agreement between the parties.

9

13.2 Cooperation with Government Requests. Each Party shall deal directly with a regulator, court or other governmental or quasi-governmental authority in response to any Government Request it receives and relating to the provision of the Services under this Agreement in an open and co-operative way, including by:

(a) making informed representatives and any other personnel specified by the relevant body available for meetings with its representatives or appointees during normal business hours;

(b) giving representatives or appointees of the relevant body reasonable access to any premises and records; and

(c) answering truthfully, fully and promptly all questions which are put to it by the relevant body’s representatives or appointees,

and shall cause its personnel and use commercially reasonable efforts to cause each of its subcontractors shall do so. In no event shall a Party purport to represent or otherwise act on behalf of (in any capacity) the other Party during any engagement with such regulator, court, or other governmental or quasi-governmental authority.

13.3 In the event of any regulatory or other similar investigation or enquiry into the business or operations of the Customer or any Authorised User, and where that investigation or enquiry in any way concerns the provision of the Services, Jumio shall reasonably assist Customer in responding to that investigation or enquiry, including but not limited to by providing access to Jumio’s records relating to the Services and by providing such regulator access to such Jumio personnel as such regulator may request; in all cases provided that (a) Customer’s requests for Jumio’s assistance shall be reasonable in scope and timing based on the regulatory investigation or enquiry and (b) Customer shall reimburse any costs and expenses reasonably incurred by Jumio in connection with its assistance outside Jumio’s normal costs associated with providing the Services.

13.4 Audit.

(a) Jumio will use commercially reasonable efforts to cooperate with any audit initiated by a regulatory or similar government department or agency with authority over the Customer, to the extent necessary to allow the Customer to discharge any obligation under applicable law. Customer shall be responsible for all reasonable costs incurred by Jumio with respect to such audit.

(b) Jumio may engage a reputable, independent third party to audit Customer’s compliance with Section 7.1 at Jumio’s cost and expense, provided that in the event that the third party determines that Customer is not compliant with Section 7.1, Customer must: (i) implement all reasonable recommendations of the third party, and (ii) reimburse all third party expenses in connection with the audit conducted pursuant to this Section.

(c) [***].

(d) In addition to the above, the Customer may, acting reasonably, at any time require an audit to be carried out (i) in response to a Government Request; or (ii) if they reasonably believe that there has been a material breach of this Agreement or any Sales Order or Applicable Laws. Where practicable, the Customer shall provide Jumio with at least ten (10) Business Days’ advance notice of such audit, and provide written explanation for why the audit is required.

(e) As part of an audit conducted under Sections 13.4(c) or 13.4(d) Jumio shall permit the Customer to enter its premises (during normal working hours) and shall promptly provide reasonable access, cooperation and assistance (including relevant copies or reports and materials (except to the extent not permitted by Applicable Law)) as reasonably requested by the Customer.

10

14. GOVERNANCE

14.1 Governance. Each Party shall appoint a named contract manager to be the primary point of contact in relation to this Agreement, each Sales Order and the Services in this Section 14 (the “Contract Manager”). Each Party shall notify the name and contact details of the Contract Manager to the other Party prior to the commencement of the Services under any Sales Order. Either Party may change the identity of the Contract Manager at any time by providing reasonable written notice to the other Party.

15. REFERENCES FOR JUMIO’S SERVICES

15.1 Jumio may only reference and/or include Customer as part of Jumio’s marketing and advertising efforts with the Customer’s prior written consent. The Customer may reference Jumio as its verification service provider to regulators, users, and potential users and other governmental or self-regulatory agencies, as well as in its marketing materials as reasonably required by the Customer in connection with its business, and otherwise only with the written consent of Jumio.

16. TERM AND TERMINATION

16.1 Term. Unless otherwise set forth in a Sales Order, this Agreement shall remain in full force and effect unless terminated in accordance with the provisions of this Section 16.

16.2 Termination for Convenience. Customer may terminate this Agreement at any time by notice in writing provided that all Fees (whether or not earned, invoiced or due) have been paid in full.

16.3 Immediate Termination for Cause. Notwithstanding any provision in this Agreement to the contrary, either Party may terminate this Agreement at any time after the occurrence of any of the following events:

(a) the other Party is declared or acknowledges that it is insolvent or otherwise unable to pay its debts as they become due or upon the filing of any proceeding (whether voluntary or involuntary) for bankruptcy, insolvency or relief from its creditors;

(b) it is or will become unlawful under Applicable Laws for it to perform or comply with any one or more of its obligations under this Agreement;

(c) the Gibraltar Financial Services Commission (the “GFSC”) has required it to terminate this Agreement; or

(d) the other Party assigns or transfers this Agreement or any of its rights or obligations under this Agreement, without prior written approval (not to be unreasonably withheld), except as permitted under Section 22.6.

16.4 Termination for Material Breach. Either Party may, at its option, terminate this Agreement for a material breach by the other Party after giving the other Party written notice, specifically identifying the breach on which termination is based, and fifty (50) days to cure such breach (except for a breach based upon non-payment of any sums due for which the breaching Party will have ten (10) days to cure such breach). If the breach is not cured within the appropriate time period, this Agreement will terminate without further action by either Party (with the exception of Customer obligation to remit payment for any amounts due).

16.5 Survival. Sections 3.3, 4, 5, 8, 9.1, 11, 12, this Section 16.5, 16.6, 16.7, 20.5, 21 and 22, any payment obligations under the Sales Order(s) and all provisions that by their nature are intended to survive termination of this Agreement shall continue in effect after expiry or termination of this Agreement.

16.6 Consequences of Termination. Upon termination of this Agreement for any reason Customer must immediately cease using the Services and Jumio shall be under no further obligation to provide the Services. Jumio shall cooperate (i) with Customer to develop and provide a transition plan for an orderly transition on termination that includes, among other things, a transition timeline and particulars of the resources to be assigned to implement the transition plan; and (ii) with Customer and Customer’s replacement service provider to provide termination assistance services and facilitate an orderly transition of Services following the termination of this Agreement. Where Customer has terminated the Agreement pursuant to Sections 16.3 or 16.4, Jumio will refund any prepaid fees for Services unconsumed calculated pro rata. Where the Agreement has been terminated for any other reason, Customer must immediately pay to Jumio all outstanding fees, charges, payment and expenses due, regardless if delivered, under this Agreement and any and all Sales Order(s). Upon any termination or expiration of this Agreement (a) both parties must return or destroy (at the other Party’s option and request) all of the other Party’s Confidential Information in its possession or control, and certify the same in writing and (b) Jumio shall upon written request from the Customer destroy all User Information in its possession or control, except that Jumio may retain a copy of all data that Jumio is required to retain under its Data Retention Policy. On receipt of a written request from the Customer, Jumio shall provide the Customer with a certificate of compliance with the provisions of this Section 16.6 signed on behalf of it by a duly authorized officer.

11

16.7 Payments on Termination. Other than in a situation of a material breach by Jumio, termination of this Agreement will not relieve Customer from any obligation to pay Jumio any amount due and owing prior to the termination date.

17. DATA PROCESSING AND PROTECTION

17.1 The Parties have entered into a Data Processing Agreement on or around the date of this Agreement, the terms of which are hereby incorporated in and form part of this Agreement as if set out in full herein.

18. INSURANCE, BUSINESS CONTINUITY AND DISASTER RECOVERY

18.1 For the Term Jumio shall maintain in force insurance policies with reputable insurance companies to cover its obligations and potential liabilities under this Agreement and all Sales Orders ([***]) and including public liability, professional indemnity, employer’s liability. All such insurance policies shall be primary without right of contribution from any insurance maintained by the Customer. Upon request from the Customer, Jumio shall provide copies of the insurance certificates for insurance taken out by Jumio in accordance with this Section 18.

18.2 For the Term Jumio shall maintain business continuity and disaster recovery plans in respect of the Services in existence as at the date of this Agreement (“Business Continuity Plans”). Upon Customer’s written request, Jumio shall promptly make available to Customer for review the Business Continuity Plans and shall promptly address any questions on the Business Continuity Plans raised by Customer. Jumio shall ensure that its Business Continuity Plans are comprehensive, adequate and designed to maintain and restore any affected operations with as little impact as practically possible (including in relation to the Services), and that they meet the requirements of Applicable Law and regulatory authorities. Jumio shall test the adequacy of their Business Continuity Plan (at least annually) and, on reasonable written request of the Customer, Jumio shall advise the Customer of the outcome of such test. Jumio shall ensure that its personnel and use its commercially reasonable efforts to ensure that its contractors comply with the Business Continuity Plans, if activated. Jumio shall provide reasonable information, in writing, to the Customer in relation to the Business Continuity Plans to enable the Customer to understand those arrangements.

18.3 Following the occurrence of a disaster or the occurrence of a Force Majeure Event:

(a) Jumio shall implement the Business Continuity Plans if and as applicable and shall continue to provide those Services which are not affected by the disaster or Force Majeure Event in accordance with the provisions of this Agreement and each Sales Order;

(b) in respect of those Services which are affected by the disaster or Force Majeure Event, Jumio shall continue to provide those Services in accordance with this Agreement and each Sales Order to the extent reasonably practicable and otherwise recover those Services in accordance with the applicable Business Continuity Plans; and

(c) each relevant member of the Customer Group shall comply with all reasonable obligations given to it in the event Jumio has provided written notice of any such obligations and those obligations are equally applicable to (and carried out by) Jumio’s Affiliates also affected by the disaster or Force Majeure Event.

19. EXPORT

19.1 Export Obligations. Customer agrees that it must not, directly or indirectly, export or re-export, or knowingly permit the export or re-export of, the Licensed Work, or any technical information about the Licensed Work, to any country for which the United States Export Administration Act, any regulation thereunder, or any similar United States law or regulation, requires an export license or other United States government approval, unless the appropriate export license or approval has been obtained.

20. DISPUTES

20.1 Dispute Procedure. The Parties shall resolve any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or invalidity hereof (each, a “Dispute”), under the provisions of Sections 20.2 and 20.3.

20.2 Escalation. The Parties shall first attempt in good faith to resolve any Dispute by negotiation and consultation between the Contract Managers. In the event that such Dispute is not resolved on an informal basis within 14 days after one Party provides notice to the other Party of such Dispute, either Party may, by written notice to the other Party, refer such dispute to the Chief Executive Officer (or equivalent) of each Party (or their nominee designated in a written notice to the other Party).

12

20.3 Court proceedings. Each of the parties may, in their sole discretion, commence court proceedings in accordance with Section 20.4 at any time (including prior to the relevant dispute being resolved in accordance with the procedure set forth in Sections 20.1 and 20.2).

20.4 Injunctive relief. Notwithstanding Sections 20.1 to 20.3, neither Party shall be restricted from seeking injunctive relief from a court at any time.

20.5 Governing Law and Jurisdiction. Any disputes or proceedings related or arising out of this Agreement will be governed by and construed in accordance with the substantive laws of England, without giving effect to its rules regarding conflicts of law. The sole and official language of this Agreement is English. The Parties agree that the exclusive venue for any action arising under this Agreement will be in the courts located in England.

21. LIMITATION OF LIABILITY

21.1 This Section 21 sets out the entire liability of each Party (including any liability for the acts or omissions of its employees, agents, representatives or contractors) to the other Party in respect of any breach of this Agreement or any Sales Order and any representation, statement or tortious act or omission including negligence arising under or in connection with this Agreement or any Sales Order.

21.2 EXCEPT FOR LIABILITY ARISING FROM CUSTOMER’S PAYMENT OBLIGATIONS HEREUNDER OR A PARTY’S OBLIGATIONS UNDER SECTION 3.4 (RESTRICTIONS), SECTIONS 8 (CONFIDENTIALITY OF INFORMATION), 9 (OWNERSHIP, ACCESS TO AND STORAGE OF DATA), 12 (INDEMNIFICATION) AND 13.1 (COMPLIANCE): (A) IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF INCOME, DATA, PROFITS, REVENUE OR BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE SERVICES, OR OTHER ECONOMIC LOSS, WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND WHETHER ANY CLAIM FOR RECOVERY IS BASED ON THEORIES OF CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY) OR OTHERWISE; AND (B) SUBJECT TO SECTION 21.4, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY AND ANY THIRD PARTY IN CONNECTION WITH THIS AGREEMENT EXCEED [***].

21.3 Exclusions. Subject to Section 21.4, the limits and exclusions set forth in this Section 21 do not apply to either party’s liability to the extent such liability cannot be excluded under Applicable Law. Notwithstanding any provision in this Agreement to the contrary, Jumio will not be responsible for and will bear no liability for any damages arising from any use of the Licensed Work, or any stoppages, slowdowns, performance problems or other problems that are the result of the circumstances outside of Jumio’s control including, but not limited to, a User’s inappropriate use of the Licensed Work, deficiencies or limitations in an end-user’s hardware or systems or software or processes, deficiencies or limitations in the Internet or broadband connection.

21.4 Special Indemnification Limit for Regulatory Fines. Jumio’s total liability to the Customer pursuant to the indemnity in Section 12.2(ii) (regulatory fines) shall be limited to [***].

21.5 Basis of Bargain. THE LIMITATIONS OF LIABILITY AND EXCLUSIONS OF DAMAGES SET FORTH IN THIS SECTION 21 ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN JUMIO AND CUSTOMER AND WILL APPLY TO THE MAXIMUM EXTENT ALLOWED UNDER APPLICABLE LAW.

22. GENERAL PROVISIONS

22.1 No Partnership. This Agreement does not create any relationship of association, partnership, joint venture or agency between the Parties. Neither Party will have any right or authority to assume, create or incur any liability or obligation of any kind against or in the name of the other Party.

22.2 Entire Agreement. This Agreement sets out the entire agreement and understanding between the Parties with respect to the subject matter in this Agreement. This Agreement supersedes all previous discussions and negotiations between the Parties and supersedes and replaces any and every other agreement, which may have existed between Jumio and Customer with respect to the contents of this Agreement. Any purchase order issued by Customer will not change or add to the terms and conditions of this Agreement.

13

22.3 Relationship Between the Parties. Work will be done at either Party’s respective premises, unless otherwise agreed. If work is done at Customer’s premises, Customer agrees to provide Jumio personnel with a safe workplace consistent with that provided to its own employees. Customer also agrees to provide reasonable access to key Customer personnel necessary for Jumio to perform the Services. Jumio personnel will observe all safety and access practices and other applicable rules in effect at such workplace, provided that reasonable notice of the rules has been given to Jumio.

22.4 Amendments. Except to the extent and in the manner specified in this Agreement, any modification or amendment of any provision of this Agreement must be in writing and bear the signature of the duly authorized representative of each Party.

22.5 No Waiver. The failure of either Party to exercise any right granted under this Agreement, or to require the performance by the other Party of any provision of this Agreement, or the waiver by either Party of any breach of this Agreement, will not prevent a subsequent exercise or enforcement of such provisions or be deemed a waiver of any subsequent breach of the same or any other provision of this Agreement.

22.6 Assignment and Subcontracting. Neither Customer nor Jumio may sell, assign or transfer any of its rights, duties or obligations under this Agreement without the prior written consent of the other Party, which shall not be unreasonably withheld. This Agreement is binding upon the successors and assigns of Customer and Jumio. As at the date of this Agreement, Jumio subcontracts infrastructure services to Amazon Web Services, Inc. and processing services to Jumio India Pvt Limited and Jumio SAS, and Customer hereby consents to Jumio’s use of such subcontractors. Jumio shall not change or replace any of the foregoing subcontractors or appoint any new subcontractors, without prior written approval of Customer (which shall not to be unreasonably withheld). Jumio shall remain liable for the performance of its obligations regardless of any sub-contracting and shall be liable for the acts and omissions of its sub-contractors as if those were Jumio’s own acts or omissions. The Customer may assign or transfer this Agreement and all Sales Orders to (i) any other member of the Customer Group or (ii) an entity publicly listed on a stock exchange of which Customer is a subsidiary, by notice in writing to Jumio and Jumio shall at the Customer’s request execute such documents as may be reasonably required to effect that assignment or transfer.

22.7 Third Party Beneficiaries. The Parties agree that no person or entity that is not a Party to this Agreement will be deemed to be a third-Party beneficiary or entitled to any rights under this Agreement.

22.8 Authorised Users. Jumio acknowledges that, while this Agreement is entered into by the Customer, both the Customer and other members of the Customer Group will rely on and use the benefit of the Services. Jumio accordingly agrees that the Customer is entitled to: (a) allow other members of the Customer Group (in this Section 22 collectively, “Authorised Users”) to use the Services and / or (b) to pass the benefit of the Services on to Authorised Users, provided that: (i) the Customer requires all Authorised Users to abide by the terms of this Agreement and each relevant Sales Order (subject to Section 22.13) and (ii) the Customer shall remain liable to Jumio for any breach of the terms of this Agreement by any Authorised Users.

22.9 Losses. For the purposes of this Agreement and each Sales Order, any Loss suffered by an Authorised User shall be deemed to be a Loss suffered by the Customer. The Customer shall (subject to Section 21 ) be responsible to make the claim for such Loss as if the Loss was suffered by the Customer itself. Jumio agrees to waive any objection that Jumio may have with respect to the Customer claiming for such Loss, including any claim that the Loss was not suffered by the Customer or that such Loss is too remote on account of the fact that it was suffered by an Authorised User.

22.10 Rights and Licenses. Where any rights or licences have been granted to the Customer pursuant to this Agreement, the Customer is hereby authorised (without incurring any additional cost or charge) to allow Authorised Users to utilise those rights and licences for the purposes of receiving the Services for its internal business purposes to provide services directly to Users as set forth in this Agreement and each relevant Sales Order.

22.11 No Direct Contract. Save as set forth in Section 22.10 and subject to Section 22.11, there shall be no direct contractual relationship between Jumio on the one hand, and an Authorised User on the other hand. Instead, the Customer shall be responsible for procuring that each Authorised User complies with the provisions of this Agreement and each relevant Sales Order to the extent that those provisions would have applied to that Authorised User’s use or benefit of the Services, had that Authorised User entered into this Agreement or the relevant Sales Order in its own name. For the purposes of this Agreement and each Sales Order, any Loss suffered by Jumio as a result of a breach of this Agreement by an Authorised User shall be deemed to be a Loss caused by the Customer. The Customer agrees to waive any objection that the Customer may have with respect to Jumio claiming such Loss from the Customer, including any claim that the Loss was not caused by the Customer or that such Loss is too remote on account of the fact that it was caused by an Authorised User.

22.12 Customer Responsibility. Notwithstanding Section 22.10, only the Customer shall:

(a) be responsible and liable to pay the Fees and no Authorised User shall be required to make any payment to Jumio, unless the parties have agreed otherwise in writing; and

14

(b) be authorised to make and agree any changes to this Agreement and each Sales Order and Jumio may not agree to any changes requested by any Authorised User unless approved in writing by the Customer; and

(c) raise and resolve any disputes arising in relation to this Agreement and each Sales Order and no Authorised User shall be involved in the resolution of any such disputes unless permitted by the Customer.

22.13 Issuing Invoices to Authorised Users. Where instructed by the Customer in writing, Jumio shall issue (or re-issue) any invoice which would otherwise be issued to the Customer under Section 4 to such Authorised User as the Customer may nominate. Jumio shall issue such invoice, and otherwise accept payment of the Fees in respect of which the invoice relates, directly from such Authorised User in accordance with the terms of Section 4 as if such Authorised User was the Customer.

22.14 Notices. All notices, requests, reports, submissions and other communications permitted or required to be given under this Agreement will be deemed to have been duly given if such notice or communication is in writing and sent by personal delivery or by airmail, cable, telegram, telex, facsimile transmission, email or other commercial means of rapid delivery, postage or costs of transmission and delivery prepaid, to Jumio at the address specified below and to Customer at the address specified in the Sales Order until such time as either Party gives the other Party not less than ten (10) days’ prior written notice of a change of address in accordance with the provisions of this Agreement; provided that any termination requests must be sent to [***].

Jumio UK Ltd.

Attention: General Counsel

21 Worship Street, 3rd Floor

London

United Kingdom, EC2A 2D

22.15 Force Majeure. Neither Party shall be liable hereunder by reason of any failure or delay in the performance of its obligations hereunder (except for the payment of money) on account of events beyond the reasonable control of such Party, which may include without limitation, strikes, riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, governmental action, earthquakes (each a “Force Majeure Event”). Upon the occurrence of a Force Majeure Event, the non-performing Party will be excused from any further performance of its obligations affected by the Force Majeure Event for so long as the event continues and such Party continues to use commercially reasonable efforts to resume performance.

22.16 Enforceability. If any provision of this Agreement is determined by a court of competent jurisdiction to be in violation of any applicable law or otherwise invalid or unenforceable, such provision will to such extent as it is determined to be illegal, invalid or unenforceable under such law be deemed null and void, but this Agreement will otherwise remain in full force and effect. Furthermore, it is the intention of the Parties that in lieu of such illegal, invalid, or unenforceable provision, there automatically be added as a part of this Agreement a provision as similar in terms to such illegal, invalid, or unenforceable provision as may be possible and be legal, valid, and enforceable.

22.17 Relief. In the event a dispute arises under this Agreement, the prevailing Party will be entitled to all reasonable costs and expenses incurred by it in connection with such dispute (including, without limitation, all reasonable attorney’s fees and costs incurred before and at any trial, arbitration or other proceeding), as well as all other relief granted in any suit or other proceeding.

22.18 Publicity. Neither Party may publicize or disclose to any third Party any of the terms or provisions of this Agreement, or the discussions relating to any of the contents of this Agreement, without the prior written consent of a duly authorized officer of the other Party, except as required by law or to a Party’s actual or prospective investors, lenders and acquirers and their respective attorneys and advisors, in each case that are subject to obligations to keep such disclosure confidential.

22.19 Counterparts. This Agreement may be executed in two (2) or more counterparts, each of which will be considered an original, but all of which together will constitute one and the same instrument. Counterparts may be delivered via facsimile, electronic mail (including PDF or any electronic signature complying with the U.S. federal ESIGN Act of 2000, e.g., www.docusign.com) or other transmission method, and any counterpart so delivered will be deemed to have been duly and validly delivered and be valid and effective for all purposes.

22.20 Headings. The headings in this Agreement are for the convenience of reference only and have no legal effect.

15

IN WITNESS WHEREOF, the Parties have executed these Terms and Conditions as of the date stated above.

The Customer
B1 (Gibraltar) Limited
Signature
Name	[***]
Title	[***]
Date Signed	02 July 2020
Jumio
Jumio UK Limited
Signature
Name	[***]
Title	[***]
Date Signed	01 July 2020

16

EXHIBIT A – PRODUCTS AND OPTIONAL SERVICES

AUTHENTICATION

Jumio’s authentication product which can be used to authenticate a previously enrolled User by comparing biometric face identities captured using a proprietary process. A User can be authenticated for an unlimited number of times during the applicable Term.

BAM CHECKOUT

Jumio’s proprietary software application that leverages Jumio’s credit card and document scanning technology to assist in mobile transaction completion or checkouts. The BAM Checkout Service is divided geographically as follows:

• BAM Checkout US/Canada

BAM Checkout, for Users with US government-issued driver’s licenses or identification cards or Users with Canadian government-issued driver’s licenses, includes the ability to scan the bar code on a government-issued driver’s license or identification cards to populate checkout forms or any other applicable forms, using embossed credit or debit cards, or government-issued driver’s license information.

• BAM Checkout Rest of World

For Users who have a non-US or non-Canadian government-issued driver’s license or identification card, BAM Checkout only allows for the scan of the User’s credit card.

DOCUMENT VERIFICATION

Jumio’s process for using commercially reasonable efforts to extract certain data fields from specific document types including utility bills and bank statements.

FASTFILL

Jumio’s data extraction capabilities wrapped into a standalone product that populates forms or individual data fields by extracting the necessary information from personal identification documents (without verification of said document) for the purpose of reducing User keystrokes.

ID VERIFICATION

Jumio’s proprietary personal identification document capture and verification software application, comprising computer vision and analytics, and/or manual verification by ID experts using a proprietary software application. ID Verification enables real-time ID scanning and verification on websites and mobile applications helping to reduce risk and minimize fraud for online transactions.

Where specified in the Sales Order, ID Verification may include:

• Identity Verification - a feature of ID Verification that determines whether the person on an identification document is the person presenting that document in a transaction.

• Screening - data provided via Jumio’s ID Verification process is used to determine whether an individual may or may not be listed on an Enhanced Sanctions, Politically Exposed Persons or Adverse Media database. Jumio will advise if there is a potential match based on name and date of birth. In the event there is a potential match, a data set containing the potential match(es) will be provided to the Customer for further review and analysis.

17

OPTIONAL SERVICES

Where so requested by the Customer, ID Verification may include:

• Address Extraction - a feature of ID Verification that delivers additional address data points extracted from an identification document. Address Extraction is only applicable for identification documents from certain countries.

• Asian Character Extraction – the extraction by optical character recognition of the specified Asian character sets, provided that no charge will be levied for Transactions which fail to return any structured data.

• Multi-Doc Capture - Jumio’s ability to capture and securely store complimentary documents that are needed for KYC or consumer on-boarding purposes. The documents can be stored in conjunction with an ID or independently.

• Such other services as are made available by Jumio as Optional Services.

18

EXHIBIT B –SUPPORT SERVICES

1. DEFINITIONS. FORTHE PURPOSESOFTHIS EXHIBIT:

1.1 “Critical Error” means an Error that causes the Licensed Work to be unavailable to a majority of customers.

1.2 “Error” shall mean an error, defect or omission that prevents the Licensed Work’s successful operation in accordance with the applicable specifications.

1.3 “Significant Error” means an Error that causes material features of the Licensed Work to be unavailable to a majority of customers.

2. MAINTENANCE AND SUPPORT SERVICES

2.1 Customers must purchase maintenance and support services as specified in this Section 2 below (the “Maintenance and Support Charge” or MS”). The services will include for the duration specified in the Sales Order:

(a) Maintaining the Products so that they operate in conformity with all applicable Documentation;

(b) Appointment of a solutions engineer;

(c) Using commercially reasonable efforts to correct all Errors discovered or otherwise made known to Jumio;

(d) Promptly providing Customer with all modifications, refinements, corrections, and enhancements that Jumio incorporates into and makes a part of Products and does not separately price or market;

(e) Providing customer support by telephone accessible via the telephone numbers listed in the Customer Portal, and through [***];

(f) Notify Customer within thirty (30) minutes of becoming aware of a Critical Error or a Significant Error;

(g) Notify Customer within ninety (90) minutes of becoming aware of an Error;

(h) Using commercially reasonable efforts to provide a program fix or work-around for reported Product related problems within the following timeframes:

(1) Critical Errors: Jumio shall respond with a temporary solution within two (2) hours and a permanent solution within five (5) Business Days.

(2) Significant Errors: Jumio shall respond with a temporary solution within four (4) hours and a permanent solution within ten (10) Business Days.

(3) Errors: Jumio shall respond with a temporary solution within eight (8) hours and a permanent solution within fifteen (15) Business Days.

(i) Enabling self-service reporting through the Customer Portal;

(j) Emailing advance communication of planned outages;

(k) Performing a quarterly business review;

(l) Providing automatic monthly reporting;

(m) Providing product performance feedback and optimization advice;

(n) Providing early notification of product releases;

(o) Advocating for enhancement requests designed by Customer; and

19

(p) Providing an error or defect reporting service by which Customer can communicate any Errors, defects, or omissions requiring further investigation,

together, the “Support Services”.

2.2 Upon becoming aware of any Error, Jumio will investigate or perform required assistance in the investigation of the Error and provide Customer with detailed information about the Error. Jumio will take all commercially reasonable steps to mitigate the effects of the Error and upon the request of Customer, cooperate with Customer in seeking reasonable solutions to remedy the Error. Upon request by Customer, Jumio shall promptly provide any information in connection with an Error.

3. INTEGRATION SERVICES

3.1 Customer may agree to purchase professional services to support the integration of the product (“Integration Services”) as specified in this Section 3. Implementation Services will be performed using professional skill, care and experience at the Customer’s direction and control and to the value set forth in the Sales Order.

3.2 Customer Responsibility. Notwithstanding the assistance provided by Jumio pursuant to this Section 3, Customer acknowledges that the integration of the Product is Customer’s responsibility.

4. CUSTOMER RESPONSIBILITIES

4.1 To receive Support Services, Customer must at all times fulfill the following responsibilities:

(a) Training. Customer must ensure that Customer personnel are trained on use of the Products and the application programs, operating systems and hardware on or with which the Products are used;

(b) Systems. Customer must provide and maintain in good operating condition any systems (including computers, operating systems and other facilities) specified by Jumio as being required for operation of the Products;

(c) Instructions. Customer must follow Jumio’s documented processes and procedures for use and administration of the Products; and

(d) Cooperation. Customer must allow Jumio reasonable access (at no charge) to Customer’s systems to perform diagnostics and maintenance, including remote access.

5. EXCLUSIONSTO SUPPORT SERVICES.

5.1 Jumio will have no obligation of any kind to provide Support Services of any kind for problems in the operation or performance of the Products to the extent caused by any of the following (each, a “Customer-Generated Error”):

(a) non-Jumio software or hardware products (including without limitation, the operating systems, networks and facilities on which the Products operate) or use of the Products in conjunction therewith;

(b) modifications to the Products made by any Party without Jumio’s express written authorization;

(c) Customer’s use of the Products other than as authorized in this Agreement or as provided in the Documentation; or

(d) Customer’s use of Products other than the currently supported release(s) of the Products or any Error corrections or updates thereto provided by Jumio.

5.2 If Jumio determines that it is necessary to perform Support Services for a problem in the operation or performance of the Products that is caused by a Customer-Generated Error, then Jumio will notify Customer thereof as soon as Jumio is aware of such Customer-Generated Error and, provided Jumio has obtained Customer’s prior approval, Jumio will have the right to invoice Customer at Jumio’s then-current published time and materials rates for all Support Services performed by Jumio to resolve such Customer-Generated Error.

20

6. AMENDMENTS

6.1 Jumio shall have the right to modify the Support Services as set forth in this Exhibit B, which changes shall be effective as between Jumio and Customer once Jumio has obtained Customer’s written acceptance or failing that, at the beginning as of the next Support Services Term (defined below). Jumio shall have the right to charge additional fees for Support Services with respect to any version of the Products other than the currently supported release(s) of the Products, which additional fees must be recorded in the relevant Sales Order.

7. TERMAND TERMINATIONOF SUPPORT SERVICES

7.1 Term. The term of this Exhibit B, or of any specific Support Services set out herein will commence on the date specified for those Support Services in the Sales Order and, unless terminated earlier in accordance with the terms of this Agreement, will remain in effect for the applicable period specified in that Sales Order (“Support Services Term”).

7.2 Termination of Support Services. Customer may terminate any Support Services, at any time, upon ninety (90) days’ notice to Jumio. Termination of any Support Services by Customer does not terminate this Agreement. Upon any termination of this Agreement, all Support Services Terms will automatically terminate. Under no circumstances will Customer be entitled to a refund of any pre-paid Maintenance and Support Charges.

21

EXHIBIT C - PERFORMANCE STANDARDS

1. PERFORMANCE STANDARDS

1.1 With respect to the relevant Product under a Sales Order, unless the Product only operates on a User’s device, Jumio will meet the following performance standards during each month (the “Performance Standards” and, each, a “Performance Standard”):

Product	Performance Standard
[***]	[***]
	[***]
	[***]
[***]	[***]
	[***]
	[***]
[***]	[***]
	[***]
	[***]
	[***]
[***]	[***]
[***]	[***]
	[***]
	[***]
[***]	[***]

1.2 In the case of each Performance Standard (except the Availability Performance Standard): (i) the measurement time of that Performance Standard shall commence when Jumio receives a readable image and conclude when Jumio sends a response to Customer; (ii) the calculation shall exclude throttled Transactions pursuant to Section 3 below. Performance Standards are assessed on a “per Product” basis; and (iii) for the avoidance of doubt, the Performance Standards do not apply when the Product operates exclusively on a User’s mobile device.

22

1.3 In the case of the Availability Performance Standard, unavailability caused by Customer-Generated Errors, scheduled downtime or Force Majeure events is excluded from the calculation of Availability. Jumio will use commercially reasonable efforts to schedule downtime for routine maintenance of Products and Services outside of business hours Pacific Standard Time.

1.4 Customer and Jumio shall work in good faith and cooperatively to establish benchmarks on High Severity Errors based on Jumio Results. “High Severity Error” shall mean a completed scan by Jumio which does not comply with other elements of Customer’s KYC program.

2. PERFORMANCE STANDARDS

2.1 Jumio shall ensure that the Services meet or exceed the Performance Standards at all times during the Term and Customer may request a review and modification to the Performance Standards 30 days prior to each Renewal Term.

2.2 Jumio shall implement monitoring and reporting tools and procedures to monitor its performance against the Performance Standards and shall report its performance against the Performance Standards to the Customer on a monthly basis in the Performance Reports. If Jumio fails to do so in respect of any Performance Standards, it shall be deemed not to have met the affected Performance Standards.

2.3 Jumio shall give the Customer reasonable access to all metrics and underlying data used by Jumio to assess its performance and compliance against the Performance Standards, at the Customer’s reasonable request.

2.4 If a Performance Standard has not been achieved, without prejudice to its other obligations under this Agreement, Customer may request an explanation of why it was not achieved and the remedial steps to be taken or already taken by Jumio to ensure the relevant Performance Standard(s) are met moving forward.

2.5 Where Performance Standards are not met in any month, Service Credits shall arise. Service Credits shall be calculated in accordance with the provisions of this Exhibit C and / or the relevant Sales Order. Where Service Credits arise, Jumio shall promptly and clearly report to the Customer the volume of such Service Credits and how they were calculated.

3. REPORTING.

3.1 Jumio shall provide a written report [***] following the end of each calendar month to the Customer which provides the information set forth in Sections 3.2 and 3.3 in respect of that calendar month (the “Performance Report”) in each case in sufficient detail to allow the Customer to monitor Jumio’s performance of its obligations under this Agreement and each Sales Order to its reasonable satisfaction.

3.2 The Performance Report shall include, at a minimum, information relating to:

(a) the number of Transactions initiated by Users;

(b) the number of Transactions completed by Jumio;

(c) the number of Unused Transactions; and

(d) which Products have been provided by Jumio in each Transaction.

3.3 Notwithstanding Section 3.2 the Customer may from time to time request reasonable additions to the Performance Report but Jumio shall not be obligated to provide reports that are not part of its standard service offering.

3.4 The Performance Report shall take such written form as agreed between the parties from time to time. Jumio shall ensure that no Performance Report contains User Information.

3.5 Each Party is permitted to:

(a) retain all Performance Reports and other information obtained in accordance with this Section 3 as long as they require, including following the termination or expiry of this Agreement or any Sales Order; and

23

(b) use all Performance Reports and other information obtained in accordance with this Section 3 for any purpose it requires (subject to compliance with Sections 8 and 9 of the Terms and Conditions) including in order to allow the Party to comply with Applicable Laws.

4. SERVICE CREDIT

4.1 In the event Jumio fails to meet either of the Performance Standards for a Product under a Sales Order during two (2) or more consecutive months, Jumio will grant Customer a discount as follows:

(a) [***];

(b) [***]; and

(c) [***].

each a “Service Credit”.

Any such Service Credits will be applied to future invoices.

5. FORECASTING DEPENDENCY

5.1 Customer acknowledges that Jumio’s ability to meet the Performance Standards for ID Verification and Document Verification is dependent on accurate volume forecasting. Where:

(a) Customer’s daily usage increases by 5,000 when compared with the prior week’s daily average; and

(b) Jumio has not received at least five (5) days prior warning of such increase;

then Jumio may throttle Customer’s usage to a level which minimizes the impact on Jumio’s other customers.

6. REMEDY

6.1 Unless otherwise agreed in a Sales order, Service Credits are not a sole remedy and shall be without prejudice to any other rights or remedies that the Customer may have pursuant to this Agreement. This means that, where Jumio fails to meet the applicable Performance Standards, Jumio may be liable for Service Credits and the Customer shall also be entitled to exercise other remedies it may have (including under any applicable service warranties and/or exercising its right to terminate for material breach, if and as applicable). Where the same Performance Standard failure gives rise to both Service Credits and other remedies suffered by the Customer or any Authorised User, the Customer shall not be compensated more than once for the same failure.

6.2 In the event Customer pays Jumio for a license of more than one month, and upon Jumio’s failure to meet the Performance Standards, Customer will be entitled to a credit in the amount equal to the monthly discounts set forth in Section 2 above. Customer must promptly notify Jumio if the Products are not meeting the Performance Standards and claim a credit within ten (10) Business Days of the end of the month in question.

24

EXHIBIT D – INFORMATION SECURITY

1. DEFINITIONS

1.1 For the purposes of this Exhibit and unless the context provides otherwise, capitalized terms used shall have the meanings given below:

“Access” means with respect to Jumio Personnel, actual access to any Customer premises, systems, Customer Data or other information, property or assets of Customer or its Affiliates, whether by physical presence or by any electronic means;

“Customer Confidential Information” means the Confidential Information belonging to Customer or its Affiliates;

“Customer Data” means all Customer Confidential Information, User Information and all other data, records, files, content or information, in any form or format accessed, collected, received, stored or maintained by Jumio or any of its Affiliates from or on behalf of Customer or any of its Affiliates, or otherwise in connection with the Agreement and the provision of the Services or the parties’ performance of or exercise of rights under or in connection with the Agreement and derived from the foregoing, even if anonymized;

“Jumio Personnel” means all officers, employees, staff, other workers, agents, contractors and consultants of Jumio, its Affiliate or any Permitted Sub-Contractor who are engaged in the provision of the Services from time to time.

[***];

“Permitted Sub-Contractor” means any subcontractor (including an Affiliate of Jumio) to whom Jumio is permitted to subcontract any part of the Services in accordance with the Agreement;

“Security Incident” shall mean any actual, suspected or threatened incident of accidental, unauthorized or unlawful access to, acquisition, processing, use or disclosure of or any theft, loss of or damage to or alteration or destruction of Customer Data or other information belonging to any other person in connection with the Agreement;

2. PERMITTED PURPOSE & GENERAL SECURITY OBLIGATIONS

2.1 Jumio has implemented and shall maintain a written information security program that includes policies and procedures that contain administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of Customer Data and shall otherwise comply in all respects with the Customer’s information security requirements set forth in this Exhibit. Such safeguards shall be reasonably designed to (i) ensure the security and confidentiality of Customer Data; (ii) protect against any anticipated threats or hazards to the security or integrity of Customer Data; and (iii) protect against unauthorized access to or use of Customer Data that could result in substantial harm or inconvenience to any person. Except as expressly authorized under the Agreement, Jumio shall only Access, collect, use, store, and transmit the Customer Data as permitted under Applicable Law for the purpose of providing the Services (“Permitted Purpose”).

2.2 At all times, Jumio shall, and shall cause Jumio Personnel to, perform the Services and operate and maintain the Jumio Service delivery facilities and systems with the highest level of care, skill and diligence in accordance with: (i) best industry practice; (ii) all Applicable Laws; (iii) the terms of the Agreement including the security requirements set out or referred to in this Exhibit; and (iv) the security standards set forth in ISO 27001 (Information Security Requirements Specifications) and, if applicable, the controls set forth in Jumio’s Statement on Standards for Attestation Engagements (SSAE) No. 18 audit reports for Reporting on Controls at a Service Organization, Service Organization Controls (SOC) Type 1, 2, or 3 audit reports (together the “Security Standards”).

3. SECURITY REVIEW PROCESS

Upon the Customer’s request, to confirm Jumio’s compliance with the Agreement and Security Standards, Jumio shall promptly and accurately complete a written information security questionnaire provided by the Customer, or a third party on the Customer’s behalf, regarding Jumio’s business practices and information technology environment in relation to the Services being provided by Jumio pursuant to the Agreement and Jumio shall fully cooperate with such inquiries. Jumio shall, provide evidence of an industry standard review process satisfactory to the Customer (such as the SFG Shared Assessment SIG, Cloud Security Alliance CAIQ, SSAE 18 SOC).

4. SYSTEM, INFRASTRUCTURE & PHYSICAL SECURITY

4.1 Jumio shall provide and shall procure that any Permitted Sub-Contractors shall provide a secure environment implementing security measures meeting or exceeding the Security Standards.

25

4.2 Jumio and any Permitted Sub-Contractor must ensure and demonstrate separation between customers to the Customer’s satisfaction and must encrypt stored and transmitted Customer Data. The key must be specific to the Customer and must not be known to or shared with other customers or tenants or any other third parties.

5. ACCESS CONTROLS; AUTHENTICATION & ENCRYPTION

5.1 Jumio shall restrict Access to only Jumio Personnel with a “need-to-know” for a Permitted Purpose and shall not, and shall ensure that the Jumio Personnel do not, Access, use, modify, copy, delete, distribute, publish, communicate, restore or store Customer Data in Jumio’s possession or control (or in possession of any Affiliate of Jumio or any Jumio Personnel), or attempt to do or allow any entity or individual to do any of the foregoing, except as expressly authorized in this Agreement or in writing by Customer. Jumio will regularly review (at least once every 60 days) the list of Jumio Personnel with Access and remove accounts for which Access is no longer necessary. Customer reserves the right to refuse any of the Jumio Personnel Access, which shall only be given to the extent necessary for such individual to perform his or her role as part of the Services.

5.2 Jumio shall ensure that Customer Data, cannot be read, copied, modified, or removed without Customer’s prior written authorization both during storage and during transmission or transport.

5.3 Jumio shall prohibit and prevent any person who does not have the specific authorization by Customer from carrying out any of the acts specified in paragraph 5.1.

5.4 Jumio shall use Multi-Factor Authentication, or such other type of authentication satisfactory to Customer, to protect against unauthorized access to any of its systems on which Customer Data is located or stored.

5.5 Jumio shall implement controls, including encryption, or such other type of controls satisfactory to Customer, to protect Customer Data held or transmitted by Jumio both in transit over external networks and at rest.

6. JUMIO PERSONNEL; SECURITY AWARENESS TRAINING

6.1 Jumio Personnel shall be qualified to perform their duties and to oversee Jumio’s compliance with the Security Standards and other obligations set forth in this Exhibit.

6.2 Jumio shall have designated a qualified individual responsible for overseeing and implementing its information security program and enforcing its policies and procedures thereunder.

6.3 Jumio shall ensure that all Jumio Personnel receive up to date security awareness training appropriate to their job function and that annual security awareness training is performed requiring Jumio Personnel to acknowledge that they have read and understood Jumio’s security standards and procedures.

7. REQUIRED BACKGROUND CHECKS

Jumio shall ensure that all Jumio Personnel have passed background verification checks (including cyber security, criminal and financial reviews) and, in respect of Permitted Sub-Contractor personnel, Jumio shall either obtain certification from the Permitted Sub-Contractor that a background verification check (including a cyber security, criminal and financial background review) for an individual who will have Access, has been satisfactorily completed by a reputable search firm or that Jumio will require that such checks be conducted for any such individual prior to Access being provided.

8. EXCHANGE OF INFORMATION

8.1 Jumio shall have policies, procedures and controls in place to protect Customer Data and information exchanged through any communication channel to ensure compliance with the Security Standards.

8.2 [***].

8.3 Without prejudice to paragraph 8.2, Jumio shall ensure that all electronic messaging systems enforce adequate safeguards to protect emails in transit and storage. Cryptographic solutions must be in place to guarantee the confidentiality and integrity of data sent by email.

26

9. RISK ASSESSMENT; TESTING

9.1 [***].

9.2 Jumio shall regularly test its security systems and processes to ensure they meet the requirements of the Security Standards and will provide summary evidence of such testing to Customer upon request.

9.3 In addition, scanning of Jumio’s service delivery facilities and systems will be performed to verify that no security weaknesses are introduced by any changes to systems or system configurations and any identified vulnerabilities managed.

9.4 Jumio shall design and implement information safeguards to control the risks identified through the risk assessment and shall evaluate and adjust its information security program and the Security Standards in light of the results of testing.

9.5 [***].

9.6 Jumio shall have systems and procedures in place to ensure that the Customer, or a third party on behalf of the Customer, can conduct continuous external monitoring (to the extent reasonably required by Customer) of Jumio’s performance of its obligations under this Exhibit. To the extent that the Customer identifies any breach by Jumio of its obligations under this Exhibit, Jumio shall (without prejudice to the other rights of the Customer under this Exhibit and the Agreement) immediately address such breach to the reasonable satisfaction of the Customer.

10. MEDIA STORAGE & INFORMATION BACK-UP

10.1 Customer Data shall not be stored on portable devices including laptops, Personal Digital Assistants, smartphones, MP3 devices, and USB devices unless the Customer Data on the portable device is encrypted and secured from unauthorized access. Customer Data, if stored in non-electronic formats, must be stored in locked cabinets with appropriate physical security access controls.

10.2 [***].

11. MONITORING

11.1 Jumio shall have procedures in place for monitoring the processing of Customer Data and information at Jumio’s service delivery facilities and systems and shall report all suspicious activity to the Customer promptly including through the use of automated reporting processes, as set forth in the Security Standards.

11.2 Without prejudice to the generality of paragraph 11.1, Jumio shall implement detection, prevention, and recovery controls to protect against malicious software, which is no less than current industry best practice and perform appropriate Jumio Personnel training on the prevention and detection of malicious software.

12. SECURITY INCIDENTS

12.1 Jumio shall have documented procedures in place for the management of a Security Incident. In the event of a Security Incident Jumio shall (without prejudice to the Customer’s other rights and remedies): (A) notify the Customer [***] of all Security Incidents in accordance with paragraph 12.2, and in each case such notice shall include details of the circumstances of the Security Incident, including: (i) the timing and nature of the Security Incident; (ii) the information, the subject of the Security Incident and the extent to which is was compromised; (iii) when the Security Incident was discovered; (B) take all steps necessary to investigate and remedy the circumstances that led to the Security Incident as well as to cure the Security Incident itself, such steps to include consultation with Customer’s internal security team; and (C) fully cooperate with the Customer with respect to the Customer’s (or Customer’s representative’s) investigation of the Security Incident and the Customer’s actions in response to the consequences thereof.

12.2 Jumio’s notice in accordance with clause 12.1 shall be given to the Customer by email at [***] or such other address as may be notified by Customer to Jumio.

27

12.3 Jumio shall remain solely liable to the Customer and the Customer Group for any and all losses, damages, costs, fines, or other monetary sanctions or expenses and other liabilities (including legal fees) incurred by, or awarded against, or agreed to be paid by the Customer or the Customer Group arising out of, or in relation to, a Security Incident.

13. AUDIT

13.1 On at least an annual basis, Jumio shall conduct site audits of the information technology and information security controls for all facilities and systems used in complying with its obligations under the Agreement, including obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices. [***]. Jumio will promptly address any exceptions noted on the SOC reports, or other audit reports, with the development and implementation of a corrective action plan by Jumio’s management.

13.2 [***]

14. RETENTION & DISPOSAL

14.1 Jumio shall retain Customer Data only for the purpose of, and only as long as is necessary for, the Permitted Purpose. Jumio shall promptly (but within no more than 72 hours after the Customer’s request) return to the Customer and permanently and securely delete all Customer Data upon and in accordance with the Customer’s notice requiring return and/or deletion of the Customer Data.

14.3 If Jumio is required by law to retain archival copies of Customer Data for regulatory purposes, this archived Customer Data must be encrypted where the system hosting or storing the encrypted file(s) does not have access to a copy of the key(s) used for encryption.

15. SUBCONTRACTING

Jumio shall ensure that any Permitted Sub-Contractors and their personnel comply with the this Exhibit and the Security Standards, and Jumio agrees that: (a) it is responsible and liable for the acts and omissions of any Permitted Sub-Contractors as if they were acts or omissions of Jumio; and (b) it shall remain solely liable to Customer for the performance of Jumio’s obligations under this Agreement, notwithstanding any use of Permitted Sub-Contractors.

28

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“Agreement”), effective June 30, 2020 (the “Effective Date”) is made by:

Jumio UK Ltd.

Registered address: 21 Worship Street, 3rd Floor, London, United Kingdom, EC2A 2DW

Registration number: 10561447

(“Jumio”);

and

B1 (Gibraltar) Limited

Registered Address: Suite 23, Portland House, Glacis Road, Gibraltar

Company number: 119714

(“Customer”).

Each a “Party” and together the “Parties”.

1. DEFINITIONS AND INTERPRETATION

1.1. This Agreement constitutes a schedule to the service agreement entered into by the Parties (the “Principal Agreement”) for provision of the Services by Jumio. Unless otherwise stated herein, the Principal Agreement shall take precedence over this Agreement.

1.2. The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Processing” or “Processes” used in this Agreement shall have the same meaning as given to them under the EU Regulation 2016/679 (the “GDPR”).

1.3. In this Agreement, the following terms shall have the meanings set out below:

1.3.1 “Customer Personal Data” means any Personal Data Processed by Jumio or its Sub-Processor on behalf of the Customer pursuant to or in connection with the Principal Agreement.

1.3.2 “Data Protection Laws” means the GDPR, national laws of EU Member States supplementing the GDPR and, to the extent applicable, the data protection or privacy laws of any other country.

1.3.3 “Restricted Transfer” means a transfer that would be prohibited by Data Protection Laws in the absence of Standard Contractual Clauses or the implementation or entry into any equivalent appropriate safeguard under the applicable Data Protection Laws which shall be agreed by the Parties.

1.3.4 “Request” means a request from a Data Subject to exercise his/her rights under the Data Protection Laws in respect of Personal Data.

1.3.5. “Services” means the services to be provided by Jumio pursuant to the Principal Agreement.

1.3.6. “Special Categories of Personal Data” shall have the meaning set out in Article 9 GDPR.

1.3.7. “Standard Contractual Clauses” means the contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the transfer of personal data from the European Union to processors established in third countries (and any successor clauses), or any other standard contractual clauses issued by the EU Commission which replace such clauses from time to time.

1.3.8. “Sub-Processor” means any person (including any third party but excluding an employee of Jumio) appointed by or on behalf of Jumio to Process Customer Personal Data on behalf of Jumio.

2. PROCESSING OF PERSONAL DATA UNDER THE INSTRUCTIONS OF COMPANY

2.1 The details of the scope and purpose and duration of the Processing of the Customer Personal Data covered by this Agreement are set out in Annex 1.

2.2 Jumio processes the Customer Personal Data only on behalf of the Customer and in compliance with its instructions and the Principal Agreement and this Agreement, unless required to do so by Data Protection Laws to which Jumio is subject; in such a case, Jumio shall inform the Customer of that legal requirement before processing, unless EU or EU Member State law prohibits such information on important grounds of public interest.

2.3 Instructions shall generally be given in writing, unless the urgency or other specific circumstances require another (e.g. oral, electronic) form. Instructions in another form than in writing or in electronic form shall be documented by the Customer in electronic form and such documentation shall be provided by Customer to Jumio within two weeks of issuing the instruction.

2.4 Jumio shall immediately inform the Customer if, in its opinion as a lay person, an instruction infringes the GDPR or other Data Protection Law. Customer acknowledges that Jumio will not seek legal counsel to determine whether any particular instruction infringes the GDPR or other Data Protection Law. Moreover, Customer acknowledges that Jumio will not provide any legal advice under this Agreement.

3. CONFIDENTIALITY

3.1 Jumio shall ensure that access to Customer Personal Data is restricted to authorized employees of Jumio and/or any Sub-Processors. Jumio ensures that personnel who are authorized to process Customer Personal Data have signed agreements requiring them to keep all Customer Personal Data confidential, and that personnel processing Customer Personal Data receive adequate training on compliance with the data protection provisions under this Agreement and Data Protection Laws.

4. SECURITY

4.1 Jumio shall implement and maintain, at its cost and expense, the technical and organizational measures set out in Annex 2 which the Parties consider adequate to comply with Article 32 GDPR. Subject to an additional remuneration to be agreed between the Parties, Jumio undertakes to implement additional technical and organizational measures as instructed by the Customer. With this undertaking, Jumio is endeavoring to comply with its obligation to assist the Customer in ensuring its compliance with its obligations pursuant to Article 32 GDPR.

4.2 Jumio shall provide the Customer with reasonable co-operation and assistance in complying with its obligations under Article 32 of the GDPR, taking into account the nature of processing and the information available to Jumio. The Customer shall bear all reasonable costs related to the co-operation and assistance provided by Jumio under this Clause 4.2.

5. SUB-PROCESSING

5.1 Without prejudice to clause 22.6 of Jumio Terms and Conditions, Jumio shall give the Customer prior written notice of the appointment of any new Sub-Processor, including full details of the Processing to be undertaken by the Sub-Processor. If, within two weeks of receipt of that notice, the Customer does not object to the appointment on reasonable grounds, the Sub-Processor is authorized by the Customer. If the Customer objects to the proposed appointment on reasonable grounds, Jumio has the right to terminate this Agreement and the Principal Agreement, subject to giving 60 days’ prior notice.

5.2 Jumio is authorized by the Customer to use the Sub-Processors set out in the Annex 1.

5.3 With respect to each Sub-Processor, Jumio shall ensure that the arrangement between Jumio and the Sub-Processor is governed by a written contract including terms which offer the same level of protection for the Customer Personal Data as those set out in this Agreement.

6. DATA SUBJECT RIGHTS

6.1 Jumio shall provide the Customer with reasonable co-operation and assistance in complying with any Data Subject Request received by the Customer or Jumio relating to Customer Personal Data and in particular shall:

6.1.1 respond to any Data Subject Request concerning any Customer Personal Data by redirecting them to the Customer;

6.1.2 provide access to the Customer to a web-based self-service customer portal (“Customer Portal”) where the Customer can access Customer Personal Data as necessary to comply with a Request; or

6.1.3 where the Customer is not able to comply with a Request using the Customer Portal, the Customer may request Jumio to perform, within 5 work days, the processing necessary to comply with the Request, subject to separate remuneration to be agreed between the Parties.

7. PERSONAL DATA BREACH

7.1 Jumio shall notify the Customer within 24 hours if it becomes aware of any actual or suspected personal data breach as defined in Article 4 No. 12 GDPR that affects Customer Personal Data (“Personal Data Breach”). This notification shall describe

7.1.1 the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of records of Customer Personal Data concerned;

7.1.2 the likely consequences of the Personal Data Breach; and

7.1.3 the measures taken or proposed to be taken by Jumio to address the Personal Data Breach.

7.2 With the notification above, Jumio is endeavoring to comply with its obligation to assist the Customer in ensuring compliance with its obligations pursuant to Articles 33 and 34 GDPR.

7.3 If requested by the Customer, Jumio shall engage, at Customer’s cost and subject to an additional remuneration to be agreed between the Parties and the terms of the engagement being agreed by the Customer, a PCI Forensic Investigator to investigate and analyze any Personal Data Breach.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

8.1 Jumio shall provide the Customer with reasonable co-operation and assistance in complying with its obligations under Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to Jumio.

8.2 The Customer shall bear all reasonable costs related to the co-operation and assistance provided by Jumio under Clause 8.1.

9. DELETION OR RETURN OF COMPANY PERSONAL DATA

9.1 After the termination of this Agreement, Jumio shall in accordance with the timeframes set out in the Principal Agreement delete and procure the deletion of all Customer Personal Data or (at the Customer’s option) allow the Customer to download or retrieve all Customer Personal Data, unless EU or EU Member State law requires storage of the Customer Personal Data.

10. AUDIT RIGHTS

10.1 Jumio shall make available to the Customer on request in a timely manner such information as is reasonably required by the Customer to demonstrate Jumio’s compliance with its obligations under this Agreement.

10.2 Jumio shall engage an approved third party auditor to audit Jumio’s compliance with PCI DSS and provide Customer an attestation of its compliance upon request.

10.3 If such attestation is not considered sufficient in Customer’s reasonable opinion to demonstrate Jumio’s compliance with its obligations under this Agreement, then Jumio shall permit and contribute to audits conducted by the Customer or an independent auditor mandated by the Customer for the purpose of demonstrating Jumio’s compliance with its obligations under this Agreement. This shall be subject to the Customer (i) bearing the costs of such audit or inspection, including a reasonable remuneration to be paid to Jumio, (ii) giving Jumio reasonable prior notice of such audit and/or inspection, and (iii) ensuring that any auditor is subject to binding obligations of confidentiality and that such audit or inspection is undertaken so as to cause minimal disruption to Jumio’s business.

11. RESTRICTED TRANSFERS

11.1 Jumio shall not make a Restricted Transfer of the Customer Personal Data without the prior written approval of the Customer.

11.2 The Customer and Jumio hereby enter into the Standard Contractual Clauses set out in the Annex 3 below. The Parties acknowledge that Annex 3 forms an integral part of this Agreement. If there is any conflict or inconsistency with regard to the transfer of the Personal Data between the terms of the Standard Contractual Clauses and this Agreement or the Principal Agreement, the terms of the Standard Contractual Clauses will prevail.

11.3 The parties shall take all other steps as reasonably required under the applicable Data Protection Laws in order to ensure that a Restricted Transfer is carried out in compliance with Data Protection Laws.

12. TERM AND TERMINATION

12.1 This Agreement shall be subject to the same term as the Principal Agreement. Any termination of the Principal Agreement shall automatically result in the termination of this Agreement.

13. GOVERNING LAW AND JURISDICTION

13.1 The Parties to this Agreement hereby submit to the choice of jurisdiction and law stipulated in the Principal Agreement with respect to any disputes or claims arising under this Agreement.

14. MISCELLANEOUS

14.1 If any provision of this Agreement should be invalid or unenforceable, the other provisions of this Agreement shall continue in effect. The invalid or unenforceable provision shall be replaced, to the extent permitted by law, by such provision as most closely reflects the economic intent of the invalid provision.

14.2 Except to the extent and in the manner specified in this Agreement, any modification or amendment of any provision of this Agreement must be in writing and bear the signature of the duly authorized representative of each Party.

IN WITNESS WHEREOF, the Parties have executed this Agreement to be effective as of the Effective Date.

B1 (Gibraltar) Limited

Signature

Name [***]

Title [***]

Date Signed	02 July 2020
Jumio UK Ltd.

Signature

Name [***]

Title [***]

Date Signed. 01 July 2020

ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.

1. Brief description of the Customer’s activities relevant to the transfer

Financial services, including operating and administering an online financial services platform.

2. Subject matter and duration of the Processing of Customer Personal Data

Throughout the term of the Agreement, Jumio acting as a Data Processor will process Personal Data provided to it by the Customer in order to provide Jumio’s online identity verification solutions to the Customer as agreed by the Parties in the Principal Agreement.

3. The nature and purpose of the Processing of Customer Personal Data

The provision of online identity verification solutions as set out in the Principal Agreement.

4. The types of Customer Personal Data to be Processed

First and last names, date of birth, personal number, ID image, email address, photograph (selfie), IP addresses, behavioral data and other data that the Customer instructs Jumio to collect from end-users or their devices.

5. The types of Customer Personal Data that qualify as Special Categories of Personal Data

Any Special Categories of Personal Data contained on identity cards / documents provided by the Data Subject.

6. The categories of Data Subjects to whom the Customer Personal Data relates

End-users of the Customer’s services.

7. Processing operations

Jumio receives the Customer Personal Data either from the Customer or from Data Subjects directly and processes the data to the extent necessary to perform the online identity verification services to the Customer. Customer Personal Data is retained for as long as instructed by the Customer.

8. Permitted Sub-Processors and transfers:

Name	Services
(Set out here the name and registered address of Sub-Processors)	(Set out here the permitted services that they will undertake in relation to Customer Personal Data)
Any member of the Jumio Group, including •  Jumio Software Development GmbH, Lunaplatz 5-10, 4030 Linz, Austria (“Jumio AT”); •  Jumio India Pvt. Ltd., 204-206, 2nd floor, Geetanjali Tower, Bombay, Walon Ka Bagh, Civil Lines, Ajmer Road, Jaiput – 302020, Rajasthan, India (“Jumio IN”); and	Management of Customer Portal and manual verification of Personal Data

•  Jumio SAS, Calle 94 No. 51B- 43 Piso 6 Centro Empresarial Buró 51, Barranquilla, Atlantico, Colombia (“Jumio CO”).
Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA	Provision of a hosted data center
For customers using Jumio Screening: IVXS UK Limited trading as ComplyAdvantage 4th Floor, 90 Long Acre, London, WC2E 9RA, UK	Provision of automated watchlist, PEPs screening and monitoring database

ANNEX 2: INFORMATION SECURITY REQUIREMENTS

Customer shall ensure that all information security requirements, where applicable, shall be established and agreed upon by each supplier which may access, process, store, communicate the organization’s information. Jumio shall comply with our defined information security requirements (see below) and those set out in the Principal Agreement.

The information security requirements between Customer and Jumio are the following:

Incident management

Jumio shall maintain, update, document, review and resolve all incidents relating to Customer systems or data and notify Customer of the incident with no undue delay.

In case of an incident defined as, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”, the new breach notification regime under the GDPR will apply.

Without undue delay after becoming aware of it, send a notification to the contact details below (or such other details as Customer may notify to Jumio), along with an outline of the breach including but not limited to the following:

• A description of the nature of the personal data breach, including, where possible,

• the categories and approximate number of data subjects concerned

• the categories and approximate number of data records concerned

Reporting an Incident:

• Email: VulnerabilityReporting@block.one

• Phone: To be advised.

Jumio Information Security Policy

Jumio shall implement and maintain a written Information security policy and shall communicate it to all Jumio personnel and all other third-parties permitted to have access to Customer’s data or Jumio systems.

Asset management

Jumio shall treat all end-user information and Customer data in accordance with the information asset’s classification and shall apply necessary controls to uphold the security of that information asset.

Jumio shall ensure that all Customer’s data held or transported on data storage media (including laptop computers) shall be encrypted and protected against unauthorized access, corruption, loss or disclosure. Jumio shall similarly ensure all backup and archival media containing Customer’s data or other classified information shall be encrypted and protected against unauthorized access, corruption, loss or disclosure. Jumio shall not store Customer’s data on portable disk drives, magnetic tapes, memory sticks or other similar removable storage devices.

Jumio shall prevent unauthorized access to or use any of Customer’s assets containing sensitive information.

Access control

Jumio shall ensure that all its personnel are security authenticated using multi-factor authentication and authorized before being granted access to Customer’s systems, applications or data. User access rights shall be regularly reviewed and the “least privilege” principal must be employed.

Authentication data such as passwords must not be stored in a form that allows the authentication data to be recovered in readable or decipherable form.

System configuration

Jumio shall develop and implement security controls to restrict remote access to Jumio systems, to only authorized individuals. User activity shall be logged and subject to review.

System monitoring

Jumio shall maintain logs of all key events that have the potential to impact the confidentiality, integrity and availability of the Customer’s services.

Jumio shall keep such logs for a period of at least 13 months or such longer period as agreed to by the Parties after creation, or as reasonably requested by Customer.

Jumio shall review logs of all key events (which may indicate issues, incidents or breaches) within Jumio systems and shall, upon identification of any material incidents and/or breaches follow the Customer’s Incident management requirements stated above.

Communication security

Jumio shall manage and control their networks, to protect information in systems and applications and to ensure system resilience against disasters and malicious attacks (e.g. DDOS).

Jumio shall ensure that all external connections to Jumio’s networks and applications shall be individually identified, verified, recorded, risk-assessed and approved by Jumio.

Jumio shall ensure that all traffic networks not owned or managed by Jumio are routed through a firewall, prior to being allowed access to Jumio’s network. Firewalls must ensure secure connections between internal and external systems and shall be configured so as to only allow the intended and authorized traffic to pass through, where applicable.

Information involved in electronic messaging should be appropriately protected.

Cryptography

Jumio shall securely manage cryptographic keys at all times in accordance with documented control requirements and procedures and using hardware security modules and shall protect Customer’s data from unauthorized access or destruction.

Malware protection

Jumio shall establish and maintain up-to-date protection against malicious code including protection against transferring malicious code to Customer’s systems, customers and other third- parties.

System development

Jumio shall perform all system development activities in specialized development environments, e.g. test environment, isolated from the live environment and protected against disruption and disclosure of information. Jumio shall ensure that systems are developed considering relevant laws and regulations as well as mitigating possible security risks. Jumio shall perform quality assurance of key security activities during the development lifecycle and shall conduct penetration testing of all major updates and releases before they are rolled out.

Change management

Jumio shall test, review and apply changes to any part of Jumio systems. Jumio shall implement emergency fixes when available and approved.

Vulnerability and patch management

Jumio shall develop and implement vulnerability and patch management strategy that is supported by management controls, procedures and operational documentation.

Jumio shall implement vulnerability mitigation, information security patches and other relevant security vulnerability updates when available and approved.

Jumio shall not use any components that are no longer supported by their original

Physical security

Jumio shall maintain, update, test and comply with written security standards and policies that address Jumio’s protection of Customer’s assets, data or property. Jumio shall review its physical security environment at least annually. Jumio shall ensure that all Jumio personnel comply with the Physical security requirements and have appropriate training in order to do so Jumio shall maintain, log, test and employ access controls to ensure that only authorized personnel may enter any premises controlled by Jumio from which services are delivered.

The access controls at a minimum shall include a robust, documented and auditable process for issuance and removal of access credentials and designed to limit authorized personnel’s access to Jumio facilities as reasonably appropriate for such personnel’s role.

ANNEX 3: STANDARD CONTRACTUAL CLAUSES

Commission Decision C(2010)593

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: See the definition of the term Customer on page 1 of this Agreement.

Address: See the contact details of the Customer on page 1 of this Agreement.

Other information needed to identify the organisation: See additional information on the Customer on page 1 of this Agreement.

(the data exporter)

And

Name of the data importing organisation:                             Jumio UK Ltd.

Address: Jumio UK Ltd., 21 Worship Street, 3rd Floor, London, United Kingdom, EC2A 2DW

Tel.: 650-424-8545                                                      e-mail:  Privacy@jumio.com

Other information needed to identify the organisation: See additional information on Jumio on page 1 of this Agreement.

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer¹

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

¹  Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses². Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

²  This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The Customer; the relevant activities are set out in Annex 1, Section 1.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Jumio; the relevant activities consist of providing online identity verification solutions.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

See Annex 1, Section 6.

Categories of data

The personal data transferred concern the following categories of data (please specify):

See Annex 1, Section 4.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

See Annex 1, Section 5.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

See Annex 1 Section 7.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties. Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Annex 2.