&Open Enterprise Gifting Terms and Conditions

Enterprise Gifting Terms and Conditions

Version 1: 28th of August 2023

A. Unless expressly agreed otherwise, these terms and conditions including any schedules and annexes attached hereto (“Ts&Cs”) shall apply to each order form entered into between the customer entity identified therein (“Client”, “you”, “your”) and &Open Gifts Limited, an Irish Corporation with registered number 599378 with its registered office at 13 St. Clare’s Avenue, Harold’s Cross, Dublin 6W, Ireland (“&Open”, “we”, “us”, “our”) (each an “Order Form”).

B. These Ts&Cs and the Order Form (together, the “Agreement”) come into effect on the Effective Date (as identified in the Order Form) and set out the terms on which we will provide you with: (i) access to the &Open Enterprise gifting platform (the “Platform”); and (ii) the related Enterprise gifting products and services specified herein, (together, the “Services”).

C. This Agreement may be supplemented, amended or replaced from time to time, by mutual written agreement. Unless expressly agreed otherwise in the relevant Order Form, if there is any inconsistency between these Ts&Cs and an Order Form, these Ts&Cs shall prevail.

1. Scope of use and services

1.1 Subject to your continuing compliance with the terms of this Agreement and the payment of the Fees, we hereby grant to you (and your employees and contractors) a non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Services in the Region (as defined in the Order Form) from the Effective Date until the termination or expiry of this Agreement (the “Term”), solely for the purpose of enabling you to provide gifts (as agreed with you and ordered under Clause 2.2 (“Gifts”)) to recipients in the Region.

1.2 You shall ensure that the number of persons using the Platform does not exceed the Authorised Users (as noted in the Order Form). You agree to use the Services solely in accordance with all applicable laws and to not do, or omit to do, anything that would put us in breach of applicable law. Save to the extent that such restrictions are not enforceable under applicable law, you agree not to (and not to attempt to): (a) sell, copy, duplicate, rent, lend, distribute, transfer or assign all or any part of the use of the Services; (b) decompile, reverse engineer, disassemble, modify or otherwise try to discover any source code used in the performance of the Services; or (c) obtain unauthorised access to our computer systems or take part in any action interfering with the performance of the Services.

1.3 If you request changes (including customisations or integrations) to the Platform, implementation of such shall be at our sole discretion, subject to the payment by you of any relevant Implementation Fees described in Clause 3.1(e) and subject to Clause 4.1. You agree to provide us (and our subcontractors) with such assistance and access to information systems or tools (including via APIs) as required to perform the Services (including implementation services) and to otherwise meet our obligations hereunder. You acknowledge that we make no warranties and shall have no liability or obligation in relation to the use of any third party service for integrations or customisations that we have implemented at your request.

1.4 We reserve the right to monitor your use of the Services in order to ensure your compliance with this Agreement, and for the purposes of improving the operation and functionality of the Services and your use of them. We reserve the right at our discretion, without prejudice to our other rights and remedies to suspend, limit or withdraw your access to the Services, including: (a) for technical reasons relating to the performance and/or security of the Services; (b) where we are entitled to exercise a right of termination pursuant to this Agreement; or (c) if continuing to provide the Services would or is likely to infringe upon the intellectual property rights (“IPR”) or other rights of any third party.

1.5 We will take reasonable steps to ensure appropriate availability and performance of the Platform and to fix Platform related issues you report to us via email to: support@andopen.co, however, to the extent permissible under applicable laws we provide the Services on an “as is” and “as available” basis; and do not warrant, represent nor undertake that the Services shall: (a) be uninterrupted, secure, free of errors, omissions, defects, software viruses or other bugs; (b) be compatible with your IT environment; (c) not be subject to hacking or other attacks and/or failures of, software, data and/or transmission networks; or (d) that the Services will meet your requirements.

2. Supply, storage and distribution of gifts

2.1 During the Term, we shall use reasonable efforts to supply such quantities of Gifts as you may order for delivery in the Region under Gift Orders accepted by us in accordance with this Clause 2.

2.2 You may order Gifts via completing a written “gift order confirmation” specifying the type and quantity of Gifts required (each a “Gift Order”). Each Gift Order shall be deemed to be a separate offer by you to purchase the Gifts on the terms of this Agreement, including any Initial Minimum Order Quantities (as set out in the Order Form) specified by us, which we shall be free to accept or decline in our absolute discretion. No Gift Order shall be deemed to be accepted by us until we have issued either written notice of acceptance or an invoice in respect of the relevant Gift Order. While we will use reasonable efforts to meet any Gift Order properly submitted, we cannot guarantee the availability of Gifts and reserve the right to offer substitute gifts where the chosen Gifts are not available subject to prior consultation with you. We shall only deliver Gifts to recipients in the Region, unless otherwise agreed in writing. We will provide up to the maximum number of Gift curation iterations identified in the Order Form (“Gift Curation Iterations”) per Gift Order, above which we reserve the right to charge you an additional “Gift Curation Fee” which we will communicate to you prior to creating any further Gift Curation Iterations.

2.3 We will invoice you for each Gift Order upon the same being accepted by us in accordance with Clause 2.2 and you shall pay for each Gift Order prior to any Gift in such Gift Order being made available for distribution. Save with respect to Gifts that we are inbounding only for you (where title remains with you at all times), title to the Gifts shall pass to you on the later of our receipt of payment for the relevant Gift and delivery of the Gift to our Storage Facility. Risk in the Gifts passes to you when the Gift is delivered (as evidenced by our third party carrier’s delivery records) to the relevant Gift recipient.

2.4 We will notify you once the relevant Gifts (in respect of which we have received payment in full under a Gift Order) are ready for gifting. We will store the Gifts specified in each accepted Gift Order in our storage facilities (as may change from time to time) (“Storage Facility”) on your behalf until you instruct us to arrange for the delivery of the relevant Gift(s) to a recipient.

2.5 We reserve the right to charge long-term storage fees in respect of any Gifts that remain in the Storage Facility for 6 months or longer (“LT Storage Fees”) which we will communicate to you in writing prior to invoicing. In the event that you do not pay the relevant LT Storage Fees within 30 days of our invoice, we reserve the right, on at least 30 days’ prior written notice, to dispose, destroy or otherwise deal with the Gifts as we may determine in our sole discretion.

3. Fees and invoicing

3.1 You agree to pay the amounts identified in the Order Form (“Fees”) in accordance with this Clause 3, which may include any combination of the following. Unless otherwise stated below, Fees shall be based on our rate card provided to you from time to time and invoiced in accordance with the below for each relevant service:

(a) Platform Fees” in respect of our ongoing support and maintenance of the Platform, invoiced on the Effective Date, and thereafter either: (i) monthly in advance on the 1st of each month; or (ii) annually in advance on the anniversary of the Effective Date, as agreed in the Order Form.

(b) Gift Fees”, in respect of the price for Gifts purchased by you as identified in an accepted Gift Order, invoiced upon our acceptance of the relevant Gift Order.

(c) Fulfilment Fees” in respect of us arranging the fulfilment and shipping of Gift(s) to a recipient, invoiced monthly in arrears on the last business day of the relevant month in which we provide the relevant service.

(d) Inbounding Fees” in respect of us arranging for the delivery of Client-procured Gifts (if any) to the Storage Facility, invoiced monthly in arrears on the last business day of the relevant month in which we provide the relevant service.

(e) Implementation Fees” in respect of us providing Platform implementation services, which shall be a fixed fee communicated to you prior to us providing such services, invoiced on the Effective Date and thereafter in advance of the services commencing.

(f) LT Storage Fees”, as described in Clause 2.5, which shall be first invoiced on the 6 month anniversary of the relevant Gifts first being delivered to our Storage Facility and thereafter until the relevant Gifts no longer remain in our Storage Facility.

(g) Gift Curation Fees" as described in Clause 2.2, invoiced upon our acceptance of the relevant Gift curation request.

3.2 During the Term, &Open may increase or decrease the Fees in its sole discretion. Any change to the Platform Fees will only become effective upon commencement of a Renewal Term. We will give you reasonable prior notice of any change in Platform Fees to give you an opportunity to terminate before such change becomes effective. For the avoidance of doubt, any discount only applies for the Initial Term as set out in a particular Order Form and does not roll over to any Renewal Term.

3.3 All payments made under this Agreement shall be made without set-off or deduction, in the currency stated on the relevant Order Form by wire transfer to our nominated bank account (save with respect to Platform Fees which shall be made via Direct Debit or automated card payment as agreed), within 30 days of the date of invoice. Except where the contrary is stated in an Order Form, all Fees are exclusive of applicable taxes and we may charge applicable taxes at the prevailing rate on any Fees. All Fees are stated exclusive of any additional taxes, levies or fees that may apply to the Services, which will be borne by you. If you do not make payment of any Fees as and when due, then: (a) interest shall accrue on the full amount outstanding at the rate of 4% above the base lending rate of Euribor from time to time, from the due date until the date of actual payment; and (b) we may suspend your access to the Services (or any of them).

4. Intellectual property rights

4.1 We own full right, title and interest in and to all IPR in the Services (including the Platform). Nothing in this Agreement shall operate to transfer ownership of any IPR: (a) belonging to you or us prior to the Effective Date; or (b) in any items which are independently developed by you or us otherwise than under this Agreement. Any IPR that we develop in connection with this Agreement (including any updates, upgrades, enhancements, modifications or customisations made to the Services) will be owned by us. All data (excluding Personal Data) generated as a result of your use of and our performance of the Services and all related systems (including the Platform) shall be and remain vested in us.

4.2 To the extent that you provide us with any IPR or data relating to your business in connection with our provision of the Services, including relating to your (or your affiliates’) products, customers, gifts, technical information, project plans, business processes, plans, strategies or financial data (“Client IPR”), you hereby grant to us a non-exclusive, worldwide, transferable, perpetual licence, royalty free (including the right to sublicence our affiliates and third party service providers) to use, adapt, translate, copy and analyse such Client IPR for the purposes of providing and improving the Services, including incorporating such Client IPR (including your logos) into the design of Gifts and the Platform and for co-marketing purposes. You represent and warrant that such use of the Client IPR will not infringe or violate the rights of any third party.

4.3 You hereby indemnify, keep indemnified and hold harmless us from and against any and all losses, damages, costs, expenses and other liability (including any legal costs) suffered or incurred by &Open, its directors, employees, representatives, contractors or subcontractors as a result of any third party dispute, claim, demand or action against &Open arising from: (a) your use of the Services; and/or (b) &Open’s use of the Client IPR under this Agreement.

4.4 You acknowledge that the Services incorporate certain third party IPR and information and that you will comply with any terms and conditions that are imposed from time to time on &Open and its licencees in relation to the same, as such terms and conditions will be notified by us to you in writing.

4.5 Neither party shall publish or use the name or logo of the other party without obtaining prior written approval from the other party, except as permitted by this Agreement or required to perform its obligations under this Agreement.

5. Warranties and representations

5.1 Each party warrants and represents that it is duly organised and existing under the laws of its respective jurisdiction and has obtained all such authorisations, consents, notifications and approvals required to fulfil its duties and to exercise its rights under this Agreement.

5.2 You represent, warrant and undertake that: (a) you have all such authorisations, consents, notifications and approvals required to provide the Platform to gift recipients; (b) you will not (and will not suffer or permit any third party to) use the Platform in a manner that would cause any party to be party to any unlawful act or transaction; and (c) you will procure that only your authorised employees, contractors and gift recipients will access and use the Platform.

5.3 Except as stated in this Clause 5, we exclude to the fullest extent permitted by law, all express, implied, statutory and customary warranties, terms and conditions including as to the merchantability, fitness for any particular purpose or otherwise with respect to the Services or any Gifts.

6. Limitation of liability

6.1 Subject to Clause 6.2 & 6.3, &Open’s maximum aggregate liability, whether based on an action or claim in contract, tort (including negligence), breach of statutory duty or otherwise arising out of, or in connection with, this Agreement shall in no circumstance exceed the total Fees paid under this Agreement in respect of the 12 month period prior to the event giving rise to the first claim.

6.2 Nothing in this Agreement shall exclude or in any way limit any liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or any other liability to the extent the same may not be excluded or limited as a matter of law.

6.3 Subject to Clause 6.2, &Open shall in no event be liable whether based on an action or claim in contract, tort (including negligence), breach of statutory duty or otherwise arising out of, or in connection with, this Agreement for: the loss, accuracy or completeness of Client Data; any loss of revenue, sales, profit, business, goodwill or anticipated savings (in each case whether direct or indirect); or any special, indirect, punitive or consequential loss.

6.4 Any claim under this Agreement by you must be brought within 120 days of the relevant cause of action arising. Failure to do so will render the claim null and void.

7. Confidential Information

7.1 Each party agrees to hold all information of a confidential nature (whether or not marked as such and including written and oral information) of the other party (“Confidential Information”) in strict confidence and shall not, without the prior written consent of the other party, disclose to any third party such Confidential Information or use it in any way, commercially or otherwise, except in connection with the performance of this Agreement and only to those persons who have a need to know and are bound by obligations of confidentiality no less protective in all material respects than those set forth in this Agreement

7.2 Notwithstanding the other provisions of this Clause 7, either party may, after consultation with the other party where practicable, and where not precluded by law or by a regulatory or governmental or other authority, disclose Confidential Information of the other party if and to the extent: (a) required by law or by any regulatory or governmental or other authority with relevant powers to which either party is subject or submits (whether or not the authority has the force of law); (b) required by its professional advisers, officers, employees, consultants, subcontractors or agents to provide their services (and subject always to similar duties of confidentiality); (c) that information is in or has come into the public domain through no fault of that party; (d) that information has been rightfully received from a third party not under obligation of confidentiality to the disclosing party and without breach of this Agreement; or (e) that information has been approved for release by written authorisation of the other party.

8. Data processing

8.1 The Parties agree that the data processing terms set out at SCHEDULE 1 below (the terms of which are expressly incorporated into these Ts&Cs) applies to the extent &Open processes Personal Data on your behalf.

8.2 To the extent, &Open Processes Personal Data as a Controller (as that term is defined in the Schedule), please see our Privacy Notice.

9. Term and termination

9.1 This Agreement is effective from the Effective Date and, subject to Clauses 9.2 and 9.3, will, unless otherwise agreed in the relevant Order Form, continue for an initial term of 12 months from the Effective Date ("Initial Term") and thereafter for further successive terms of 12 months (each a "Renewal Term"), unless and until either party terminates this Agreement on no less than 30 days' prior written notice, such notice to take effect on expiry of the Initial Term or Renewal Term as applicable.

9.2 Either party may terminate this Agreement immediately on written notice to the other in the event of any material breach by the other party of this Agreement, which breach, if remediable, is not remedied within 30 days of the non-defaulting party serving written notice requiring it to remedy such breach.

9.3 We may, without prejudice to any of our other rights or remedies, terminate this Agreement in whole or part immediately: (a) by written notice to you if you fail to pay any overdue amounts under this Agreement within 30 days’ written notice from us to pay the relevant overdue fees; or (b) by providing you with no less than 3 months’ written notice of termination.

9.4 Termination by us: (a) under Clauses 9.2 or 9.3(a) shall not entitle you to any Platform Fees already paid with respect to the relevant Initial Term or Renewal Term (as applicable); and (b) shall be without prejudice to our right to recover damages in relation to the termination or circumstances thereof.

9.5 In the event that this Agreement is terminated or expires, for whatever reason: (a) you must immediately: (i) cease using the relevant Services; (ii) pay all Fees payable in respect of Services and/or Gifts provided up to the date of termination or expiry; and (iii) return (or on our request, destroy) all of our Confidential Information within your possession or control (including any copies); and (b) we shall use commercially reasonable efforts within 30 days of termination or expiry to remove and destroy all content and data uploaded on the Platform by you or a user for the purpose of the Services (“Client Data”) (except any Personal Data which is dealt with in accordance with the Schedule) unless we are required by applicable laws or any governmental or regulatory authority to keep a copy of the same.

9.6 Any termination or expiry of this Agreement (howsoever occasioned) shall not affect any accrued rights or liabilities of either party, nor shall it affect the coming into force or the continuance in force of any provision of this Agreement which is expressly or by implication intended to come into force or continue in force on or after termination. Unless mutually agreed otherwise in the Order Form, this Clause 9 sets out the only grounds on which this Agreement may be terminated prior to its expiry.

10. Miscellaneous

10.1 Interpretation. In this Agreement, any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.

10.2 Force Majeure. &Open shall not be liable for failure or delay in performing any of its obligations under this Agreement if such failure or delay is due to any event outside of its reasonable control.

10.3 Severability. Each of the provisions in the Agreement are severable. In case any part of the Agreement should be considered as illegal, invalid or unenforceable, the remaining stipulations of the Agreement will continue to remain in full force and effect and will be interpreted and applied as if the section considered as unenforceable was not contained in the Agreement.

10.4 Entire Agreement. These Ts&Cs, together with each Order Form, set out the entire agreement and understanding between the parties in respect of the subject matter of this Agreement, and shall apply to the exclusion of any of your terms set out or referred to in, or appended to, any agreements or correspondence between the parties. Both parties acknowledge and agree that nothing in this Agreement shall affect, supersede or override our agreement between you or any of your affiliates and &Open or its parent or its affiliates in respect of your use of the on-demand marketplace services pursuant to these On-Demand Client Terms and Conditions: andopen.co/terms, which shall be separate and distinct from this Agreement. Each party acknowledges that it is not relying on, and shall have no remedies in respect of, any undertakings, representations, warranties, promises or assurances (whether made innocently or negligently) that are not set forth in this Agreement.

10.5 Assignment. You may not, without the prior written consent of &Open, assign or transfer (including by way of novation) this Agreement or any of your rights or obligations hereunder to any third party. You hereby irrevocably consent in advance to &Open assigning or transferring (including by way of novation) this Agreement or any of its rights or obligations hereunder to any of its affiliates, and to the subcontracting of any element of the Services to any third party.

10.6 Waiver and Amendment. Save in respect of clause 6.4, no delay in exercising or non-exercise by any party of any of its rights, powers or remedies under or in connection with this Agreement shall operate as a waiver of that right, power or remedy. No modification or amendment to this Agreement shall be effective unless in writing and signed by both Parties.

10.7 No Partnership or Agency. Nothing in this Agreement constitutes, or shall be deemed to constitute, a partnership between the parties nor make a party the agent of the other party.

10.8 Notices. Notices, reports and communications may be sent to each party via electronic mail, in the case of &Open to legal@andopen.co and in the case of you to the email address specified in the Order Form. Notices will be deemed received at the time of email transmission.

10.9 Third Party Rights. No third party will have the right to enforce any provision of this Agreement as a third party beneficiary or otherwise.

10.10 Governing Law and Jurisdiction. This Agreement and any non-contractual rights or obligations arising out of, relating to, or having any connection with it shall be governed by and construed in accordance with the laws of Ireland. The parties irrevocably agree that the courts of Ireland shall have exclusive jurisdiction to settle any disputes or claims arising out of or in connection with the foregoing.

10.11 &Open may use Client’s name, logo, and trademarks to identify Client as a user of the Services on &Open's website and other marketing materials, in accordance with the Client’s trademark usage guidelines (if provided in writing to &Open) (in each case “Reference Materials”). Client grants us a worldwide, perpetual, royalty-free license to use and incorporate Reference Materials for the purposes stated above. If Client becomes dissatisfied with the Services, it may at any time revoke our right to use Reference Materials. Furthermore, the client agrees to be contacted about participating in a customer success story.

10.12 If we ask, you agree to provide at least 2 references each quarter by phone to our prospective customers. We’ll work with you to agree on a suitable date and time for such calls.

Schedule 1: Data Processing Addendum

1. Definitions

1.1 For the purposes of this Schedule, the following expressions have the following meanings unless the context requires otherwise:

1.1.1 Applicable Data Protection Laws” means (i) the Applicable EU/UK Data Protection Laws and (ii) the Applicable US Privacy Laws;

1.1.2 Applicable EU/UK Data Protection Laws” means (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the DPA, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;

1.1.3 Applicable US Privacy Laws” means US federal, state, or local laws, rules and regulations regarding privacy and/or governing the collection, use, disclosure or storage of Personal Information and/or Personal Data that may be collected, processed or disclosed in connection with this Agreement, in each case as may be amended, consolidated or superseded from time to time;

1.1.4 Where applicable EU/UK Data Protection Laws apply, the terms “Controller”, “Data Subject”, “Personal Data”, “Process”, “Processed”, “Processing” or “Processor” shall each have the meaning as set out in the relevant Applicable EU/UK Data Protection Laws;

1.1.5 Controller to Processor Clauses” means, as relevant, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 specifically including Module 2 (Controller to Processor), or any equivalent clauses issued by the relevant competent authority of the UK in respect of transfers of Personal Data from the UK, in each case as in force and as amended, updated or replaced from time to time;

1.1.6 Processor to Processor Clauses” means, as relevant, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 specifically including Module 3 (Processor to Processor), or any equivalent clauses issued by the relevant competent authority of the UK in respect of transfers of Personal Data from the UK, in each case as in force and as amended, updated or replaced from time to time;

1.1.7 Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.

1.1.8 Where Applicable US Privacy Laws apply, the terms “Business”, “Consumer”, “Controller”, “Personal Data”, “Personal Information”, “Processor”, “Service Provider”, “Sell”, and “Share”, shall have the same meanings as set forth in the Applicable US Privacy Laws and their cognate terms shall be construed accordingly. For purposes of this Addendum, “US Personal Data” shall be construed to mean Personal Data or Personal Information (as both are defined under Applicable US Privacy Laws). “US Data Subject” shall be construed to mean “Consumers” as that term is used in the Applicable US Privacy Laws.

1.1.9 Your Data” means all information processed or stored through the Platform by you or on your behalf. It includes information provided by, or generated through use of the Platform by, your customers, employees, gift recipients and other users.

2. &Open’s Obligations

2.1 To the extent &Open Processes Personal Data on behalf of the Client as those terms are defined under Applicable EU/UK Data Protection Laws, and pursuant to this Agreement as further set out in Annex A, and such Processing is governed by Applicable EU/UK Data Protection Laws, the parties agree that Client is acting as the Controller and &Open is acting as the Processor, and &Open shall:

2.1.1 Process the Personal Data only on documented instructions from Client, unless required to Process such Personal Data by applicable law to which &Open is subject; in such a case, &Open shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

2.1.2 ensure that its personnel authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

2.1.3 implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing. &Open’s current technical and organisational measures are described as set out in Annex B (“Security Measures”). Client acknowledges and agrees that the Security measures may change and develop, and that &Open may update and modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services;

2.1.4 provide Client with reasonable assistance as necessary for Client to fulfil its obligation under Applicable EU/UK Data Protection Laws to respond to Data Subject requests;

2.1.5 promptly notify the Client in writing upon becoming aware of any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise Processed by &Open. &Open shall be obliged to provide the Client with all information necessary for compliance with the Client’s relevant obligations pursuant to Applicable EU/UK Data Protection Laws;

2.1.6 assist the Client in ensuring compliance with the obligations to: (i) notify (if required) Personal Data breaches to relevant competent authorities and/or individuals; and (ii) at the Client’s cost, conduct data protection impact assessments and, if required, prior consultation with relevant competent authorities;

2.1.7 at the choice of the Client, delete or return all the Personal Data to the Client after the end of the provision of services relating to Processing, and delete existing copies of the Personal Data unless any applicable law to which &Open is subject requires storage of the Personal Data;

2.1.8 upon written request from Client, provide information as is reasonably necessary to Client to demonstrate compliance with the obligations laid down in this Schedule. Open shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals and no more than once per calendar year on at least thirty (30) days’ written notice to &Open or: (a) if there are indications, in Client’s reasonable opinion, of non-compliance with this DPA; (b) where requested by a supervisory authority. Before the commencement of any such on-site audit, Client and &Open shall mutually agree upon the scope, timing, and duration of the audit. Any audits are at Client's sole expense. Client shall reimburse &Open for any reasonable time expended for any such on-site audit at &Open’s then-current rates, which shall be made available to Client upon request. All reimbursement rates shall be reasonable, taking into account the resources expended by &Open. If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2 or similar audit report performed by a qualified third-party auditor within twelve (12) months of Client's audit request and &Open has confirmed there have been no known material changes in the controls audited since the date of such report, Client agrees to accept such report in lieu of requesting an audit of such controls or measures; and

2.1.9 immediately inform Client if, in its opinion, an instruction of Client infringes the Applicable EU/UK Data Protection Laws.

2.2 To the extent that the US Personal Data identified in Annex A is disclosed by Client to &Open (“US Client PD”) and such Processing (as defined under Applicable US Privacy Laws) is governed by Applicable US Privacy Laws, the Parties agree that:

2.2.1 &Open shall be a Service Provider or Processor (as defined under Applicable US Privacy Laws);

2.2.2 Client shall be a Business or Controller (as defined under Applicable US Privacy Laws);

2.2.3 &Open shall collect, use, retain, and disclose US Client PD only at the direction of Client, and only to the extent necessary to perform the services for Client under this Agreement, for the business purposes as set forth in Annex A, or as otherwise permitted by this Agreement or required by Applicable US Privacy Laws;

2.2.4 Client discloses the US Client PD to &Open only for the specified business purposes in Annex A, and &Open shall not retain, use or disclose the US Client PD for any other commercial purpose except as expressly permitted by Applicable US Privacy Laws. Upon request by Client, &Open shall transfer all US Client PD to Client or otherwise dispose of such US Client PD as instructed in writing by Client;

2.2.5 Under no circumstances may any US Client PD be Sold or Shared by &Open or retained, used or disclosed outside of the direct business relationship between &Open and Client, except as permitted by Applicable US Privacy Laws and the Agreement;

2.2.6 &Open shall not combine any US Client PD with Personal Information that &Open receives from or on behalf of another person(s) or that &Open collects from its own interaction(s) with natural persons. Notwithstanding the foregoing, &Open may combine Personal Information to perform any business purpose as provided in Applicable US Privacy Laws, except for the purposes of providing advertising and marketing services or for other purposes identified in Applicable US Privacy Laws;

2.2.7 &Open agrees to comply with Applicable US Privacy Laws with respect to the US Client PD, including providing the same level of privacy protection as required by Client under those laws, cooperating with Client in responding to and complying with US Data Subject requests, implementing reasonable security procedures and practices appropriate to the nature of the US Client PD Processed (as defined under Applicable US Privacy Laws) by &Open, subjecting &Open personnel involved in processing of US Client PD to a duty of confidentiality, providing to Client all documents necessary for Client to conduct and document any data protection assessments as may be required by Applicable US Privacy Laws, and making available to Client all information necessary for &Open to demonstrate compliance with its obligations under this Agreement;

2.2.8 Client reserves the right to take reasonable and appropriate steps to ensure that &Open uses the US Client PD in a manner consistent with Client’s obligations under Applicable US Privacy Laws. Upon advance request and/or notice by Client, &Open shall take reasonable steps to stop and remediate any unauthorised uses of the US Client PD and/or verify &Open’s compliance with the Applicable US Privacy Laws (including via audits). &Open shall notify Client no later than five (5) business days after it makes any determination that it can no longer meet its obligations under the Applicable US Privacy Laws in relation to the US Client PD;

2.2.9 &Open shall inform Client of any US Data Subject request received by &Open pursuant to Applicable US Privacy Laws in relation to US Client PD and shall provide reasonable assistance to Client in responding to such requests. Client shall inform &Open of any US Data Subject request made pursuant to Applicable US Privacy Laws in relation to US Client PD that &Open must comply with and provide &Open with information necessary for &Open to comply with the request;

2.2.10 &Open has implemented and shall maintain (and &Open’s subcontractors have implemented and shall maintain) at its sole expense a comprehensive data security program which will include reasonable and appropriate technical, organisational, environmental, security and other safeguards to protect against any actual threats or hazards to the confidentiality, integrity, or availability of US Client PD, and against the destruction, loss, alteration of, and unauthorised access to, US Client PD in &Open’s possession or control;

2.2.11 if &Open discloses any US Client PD to any third party or subcontractor as permitted herein, &Open will ensure that the third party or subcontractor is subject to a written agreement requiring compliance with Applicable US Privacy Laws, including requiring the same level of data privacy protection and information security with respect to the US Client PD as required hereunder; and

2.2.12 &Open shall promptly notify Client of any actual breaches of security that may result in the unauthorised collection, access, use or disclosure of any US Client PD within &Open’s possession and shall take commercially reasonable steps to assist Client in relation to the investigation and remedy of any such breach of security regarding US Client PD within &Open’s possession.

3. Sub-Processing

3.1 Client hereby grants &Open general written authorisation to engage the sub-processors set out at Annex C.

3.2 Such sub-processors may be engaged directly by &Open or its affiliates.

3.2.1 &Open shall give Client notice of the appointment of any new sub-processors by updating the list of sub-processors set out in Annex C.

3.2.2 Client may reasonably object to such appointments within 10 days of such notice for important reasons relating to data protection which have been proven to &Open.

3.2.3 If Client does not object pursuant to Clause 3.2.2 of this Schedule, then the sub-processor shall be deemed accepted.

3.2.4 If Client objects pursuant to Clause 3.2.2 of this Schedule, Client will give &Open the opportunity to make a change in the service or recommend a commercially reasonable change to Client’s configuration to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening Client.

3.2.5 If the Client objects in accordance with this Section 3.2.2 and &Open cannot ascertain a solution agreeable to the Client pursuant to Clause 3.2.4 of this Schedule, both parties agree that &Open is entitled to terminate the Agreement on reasonable notice.

3.3 &Open shall ensure that it has a written agreement in place with all sub-processors which contains obligations on the sub-processor which are no less onerous on the relevant sub-processor than the obligations on &Open under this Agreement.

3.4 &Open shall remain fully liable under the Applicable EU/UK Data Protection Laws to the Client for the performance of that sub-processor’s obligations.

3.5 Client acknowledges and agrees that &Open may appoint a sub-processor to Process the Personal Data as those terms are defined under Applicable EU/UK Data Protection Laws in a Third Country, in which case &Open shall execute the Processor to Processor Clauses or a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under the Processor to Processor Clauses with such a sub-processor.

4. Changes in Applicable Data Protection Laws

4.1 The parties agree to negotiate in good faith modifications to this Schedule if changes are required for &Open to continue to process the Personal Data (including US Personal Data) as contemplated by the Agreement in compliance with the Applicable Data Protection Laws or to address the legal interpretation of the Applicable Data Protection Laws, including (i) to comply with the GDPR or any national legislation implementing it, and any guidance on the interpretation of any of their respective provisions; (ii) the European Commission’s Standard Contractual Clauses or any other mechanisms or findings of adequacy are invalidated or amended, or (iii) if changes to the membership status of a country in the European Union or the European Economic Area require such modification, or (iv) if additional US federal, state, or local privacy laws or regulations are enacted or modified.

5. Client’s Obligations

5.1 Client warrants that: (i) the legislation applicable to it does not prevent &Open from fulfilling the instructions received from Client and performing &Open’s obligations under this Schedule; (ii) its collection of Personal Data (including US Personal Data) has complied and will comply with Applicable Data Protection Laws, and (iii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the Personal Data (including US Personal Data) to &Open and to enable the Processing of the Personal Data (including US Personal Data) by &Open as set out in this Agreement.

5.2 Client acknowledges and agrees that &Open may create and derive from processing Your Data deidentified, anonymised and/or aggregated data that does not identify Client or any natural person and use such data to improve &Open’s products and services and for its other legitimate business purposes.

Annex A

Processing Details

Subject matter of Processing (including US Personal Data): The provision of the Services and the performance of &Open’s other obligations under this Agreement.

Duration of Processing: For the duration of this Agreement and for such period thereafter for &Open and its affiliates to comply with retention obligations imposed by law.

Nature and purpose of the Processing: &Open will process Personal Data as necessary to perform the Services described in this Agreement and to comply with Client’s lawful instructions.

Categories of Data Subjects: Gift recipients

Types of Personal Data: The types of Personal Data that may be Processed by &Open in the provision of the Services is as follows:

(i) First name;

(ii) Last name;

(iii) User ID;

(iv) Social media handle;

(v) Postal address;

(vi) Telephone / mobile number;

(vii) Email address;

(viii) Date of birth; and

(ix) IP address.

Special categories of personal data: Not applicable.

Frequency of transfer: When uploaded to Platform or otherwise on receipt of a Gift Order from Client.

Identity and contact details of the data exported: Client, with contact details specified in the Agreement.

Identity and contact details of the data importer: &Open, with contact details specified in the Agreement.

Annex B

Security Measures Policy

1. Introduction

1.1 &Open implements and maintains a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards to protect Personal Data against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorised access, accidental loss, or damage or any other unauthorised form of processing).

1.2 The Platform and associated infrastructure are developed to a high industry standard and are regularly reviewed and audited by third-parties to ensure a high standard of security and data privacy. &Open make all reasonable efforts to maintain its SOC 2 Type II certification.

1.3 &Open will make available to Client on request a copy of the most up to date version of its SOC2 Type II report within a commercially reasonable timeframe of such report being complete

2. Security Measures

2.1 Here we provide an overview of some of the security controls in place to protect your Personal Data. You can reach our security team at security@andopen.co

2.2 Platform Security

2.2.1 Redundancy. All production databases and application servers are run with full redundancy, ensuring safe failover in the case of node failure.

2.2.2 Backups. All production databases are snapshotted daily.

2.2.3 Security Patch Management. &Open continually assess for known vulnerabilities and patch all systems, devices, operating systems, applications, and other software that process Personal Data.

2.2.4 Network Security. &Open operate a VPC-based firewall and network security technology in our server infrastructure. Traffic between Client and the Platform is always protected, authenticated, and encrypted.

2.2.5 Malicious Code Protection. All &Open staff run the latest anti-malware protection software on all workstations and have mandated scheduled malware monitoring and system scanning to protect Personal Data from anticipated threats or hazards.

2.2.6 Data Encryption. &Open use cryptographically secure protocols at all times to encrypt Personal Data when in transit, and at rest, All &Open staff devices utilise full-disk encryption, and &Open maintain an appropriate key management process, including access controls, key revocation processes, and key storage protocols (e.g., private keys must not be stored on the same media as the data they protect). The Platform’s web-accessible interfaces supports HTTPS and cannot be accessed over unsecured HTTP connections.

2.2.7 Disaster Recovery. &Open has disaster recovery plans in place, which include processes to ensure recovery of Personal Data from backup sources. &Open practice disaster recovery to ensure all processes work correctly.

2.2.8 Access Levels. The Platform has multi-user support with differential access based on roles assigned to Customer Users.

2.3 Physical & Environmental Security

&Open store and process Personal Data in an AWS data centre. Our AWS data centre is reviewed by &Open regularly.

Annex C

Sub-Processors

This Annex lists &Open’s current principal sub-processors used for the provision of the Services outlined under this Agreement. This Schedule may change from time to time and &Open shall notify Client in accordance with this Agreement, of any changes.

AWS

Location: United States, Ireland, Singapore
Service Description: Hosting

Sentry

Location: United States
Service Description: Hosting – error handling

Shopify

Location: United States
Service Description: Inventory Management

Shipwire

Location: United States, Netherlands, Australia
Service Description: Third Party Logistics Provider

Zhenhub

Location: Hong Kong
Service Description: Third Party Logistics Provider

ALOM

Location: United States
Service Description: Third Party Logistics Provider

Shippo

Location: United States
Service Description: Shipping Tracking

LOB

Location: United States
Service Description: Address Verification

DHL

Location: Global
Service Description: Delivery Services

Postmark

Location: United States
Service Description: Email

Mintsoft

Location: United Kingdom
Service Description: Warehouse Management Services

Aftership

Location: United States
Service Description: Shipping Tracking

AnGood

Location: United Kingdom
Service Description: Third Party Logistics Provider

Product