Cloud Capital Terms of Service

This Terms of Service (this “Agreement”), effective as of the date Customer (defined below) accepts this Agreement (the “Effective Date”), is a legally binding contract between you and either Cloud Capital Technologies, Ltd., a company incorporated under the laws of the United Kingdom, if you are based in the United Kingdom or Europe (including without limitation the European Union), or Cloud Capital Technologies, Inc., a corporation organized under the laws of the United States, if you are based in the United States or anywhere else other than the United Kingdom or Europe (each, as applicable, “Cloud Capital” “us,” “we,” or “our”) regarding your use of the Service (as defined herein). References to “Customer”, “you”, and “your” refer to the individual, company, or other entity that accepts the Agreement, by executing an ordering document provided to you by us, placing an Order using online functionality Cloud Capital makes available like clicking a box, creating an Account (as defined herein), or otherwise affirmatively accepting the Agreement through another means Cloud Capital offers you. If an authorized individual uses the Service on behalf of a company or entity, all references to ‘Customer,’ ‘you,’ or ‘your’ will refer to that entity. The individual represents and warrants they have the authority to bind the entity to this Agreement. If a prior agreement exists regarding the Service use or if an authorized representative has already accepted this Agreement before the acceptance date, this Agreement does not apply. Instead, the pre-existing agreement governs all rights and obligations related to the Service. If you are not eligible, or do not agree to the terms and conditions of the Agreement, then you do not have our permission to use the Service. Your use of and our provision of the Service to you, constitutes an Agreement by Cloud Capital and by you to be bound by this Agreement. Capitalized terms not otherwise defined in the Agreement shall have the meaning set forth in Exhibit A. 

1. Overview. Cloud Capital’s Services provide a free-to-use, web-based SaaS platform that enables engineering and finance teams to collaboratively build a plan and forecast long-term cloud infrastructure costs and to assess potential cost savings opportunities. The Services may include various features, some of which are currently available and some of which may be added or discontinued.
2. Services. 
   
   1. Ordering Process. Services are purchased as stated in an Order in the manner established for each of the Services. 
   2. Permitted Use. During a Subscription Term, subject to Customer’s compliance with the terms of this Agreement, Customer may access and use the Services only for its internal business purposes in accordance with the Documentation, this Agreement, and any limitations set forth in an Order. 
   3. Users. To access the Services, Customer and its Users must register for an account (“Account”), and, in doing so, may be required to provide Cloud Capital with information (such as name, email address, or other contact information). Customer agrees that the information it provides to Cloud Capital is accurate, complete, and not misleading and that it will keep it accurate and up to date at all times. Only Users, using the mechanisms designated by Cloud Capital (“Log-in Credentials”), may access and use the Services. Each User must keep its Log-in Credentials confidential and not share them with anyone else. Customer is responsible for its Users’ compliance with this Agreement and all actions taken through their Log-in Credentials (excluding misuse of the Log-in Credentials caused by Cloud Capital’s breach of this Agreement). Customer will promptly notify Cloud Capital if it becomes aware of any compromise of any Log-in Credentials. Cloud Capital may Process Log-in Credentials in connection with Cloud Capital’s provision of the Services or for Cloud Capital’s internal business purposes.
   4. Restrictions. Customer will not (and will not permit anyone else to), except as enabled by the functionality of the Service, do any of the following: (a) provide access to, distribute, sell, or sublicense a Service to a third party (other than Users); (b) use a Service on behalf of, or to provide any product or service to, third parties; (c) use a Service to develop a similar or competing product or service; (d) reverse engineer, decompile, disassemble, or seek to access the source code to a Service, except to the extent expressly permitted by Law (and then only with prior notice to Cloud Capital); (e) modify or create derivative works of a Service or copy any element of a Service; (f) remove or obscure any proprietary notices in a Service; (g) publish benchmarks or performance information about a Service; (h) interfere with the operation of a Service, circumvent any access restrictions, or conduct any security or vulnerability test of a Service; (i) deliberately or negligently transmit any viruses or other harmful materials to a Service; or (j) take any action that risks harm to others or to the security, availability, or integrity of a Service. Notwithstanding anything else in this Agreement, Customer will not submit to the Services any Prohibited Data. Cloud Capital disclaims any responsibility or liability for any claims arising from the provision of Prohibited Data.
3. Support. During a Subscription Term, Cloud Capital will use commercially reasonable efforts to provide commercially reasonable support for the applicable Services. 
4. Updates and Upgrades. 
   
   1. Updates. Unless stated otherwise in an Order, Cloud Capital will make Updates to Services as Cloud Capital makes them available to its customers of the applicable Services generally. 
   2. Upgrades. From time to time, Cloud Capital, in its sole discretion, may make available Upgrades under additional or different terms. Nothing in this Agreement obligates Cloud Capital to make Upgrades available to Customer as part of the Services or otherwise unless specifically included in an Order. Cloud Capital may modify, terminate, suspend, or otherwise disable Upgrades at any time for any or no reason with or without Customer’s notice or consent. Where Customer has paid for an Upgrade that is subsequently modified such that is materially degraded, or is terminated, or is suspended for an unreasonable period, Customer may give notice to Cloud Capital that it intends to cease access to and use of the Upgrades, and upon such notice Cloud Capital shall refund to Customer the balance of any prepaid unused fees paid for such Upgrades.   
   3. No Obligation; No Guarantee. Customer's access to the Services is not contingent on the delivery of any future functionality, features, Updates, or Upgrades, nor is it dependent on any oral or written public or private comments made by Cloud Capital regarding future functionality or features of the Services. There is no guarantee of any particular functionality, features, Updates, or Upgrades.

‍

5. Data and Output. 
   
   1. Use of Customer Data. Customer grants Cloud Capital the non-exclusive, worldwide, non-transferable (except as expressly permitted under this Agreement), sublicensable right to use, copy, store, disclose, transmit, transfer (except as expressly permitted under this Agreement), Customer Data only as necessary to: (a) provide any Services and support, including to create Customer’s cloud spend forecast and savings analysis, and assess Customer’s counterparty credit risk; (b) derive or generate Usage Data; (c) create and compile Aggregated Data and Output Data; (d) as otherwise required by Laws; or (e) as agreed to in signed writing between the parties. 
   2. Security. Cloud Capital will maintain, for as long as it Processes Customer Data, commercially reasonable technical and organizational security measures with respect to that Customer Data (“TOSMs”). Upon reasonable request from time to time from Customer, Cloud Capital will provide details of its TOSMs to Customer.  Cloud Capital’s TOSMs are Cloud Capital Confidential Information. 
   3. Data Processing. Customer shall not upload or submit any Personal Data to the Services except for Registration Data without the prior written consent of CC. To the extent Cloud Capital will Process Personal Data to provide the Services to Customer (“Relevant Data”) pursuant to this Agreement, each party will comply with the Data Protection Laws. Customer acknowledges that for the purposes of the Data Protection Laws, Cloud Capital will be a processor of the Relevant Data. 
   4. Data Protection Addendum. Cloud Capital’s processing of the Relevant Data shall be governed by the Data Protection Addendum in Exhibit B.  
   5. Location of Data Processing. Processed Relevant Data will be stored on servers in the United States, that are operated by Cloud Capital and /or its Subprocessors. A list of Subprocessors is available upon request from time to time. To the extent any international transfers of Relevant Data take place, Cloud Capital will implement adequate safeguards as required by Data Protection Laws. 
   6. Usage Data; Aggregated Data. Cloud Capital may Process Usage Data and Aggregated Data for internal business purposes, such as to: (a) track use of Services; (b) provide support for Services; (c) monitor the performance and stability of the Services; (d) prevent or address technical issues with the Services; (e) improve Services, its other products and services, and to develop new products and services, subject always to Cloud Capital’s obligations of confidentiality under this Agreement, to the extent applicable; (f) train Cloud Capital’s internal artificial intelligence or machine learning algorithms; and (g) for all other lawful business practices, such as analytics, benchmarking, and reports, subject always to Cloud Capital’s obligations of confidentiality under this Agreement, to the extent applicable.  
   7. License to Output Data. Cloud Capital hereby grants to Customer a non-exclusive, worldwide, royalty-free, fully paid-up, non-transferable license, without the right to sublicense, to use, reproduce, distribute, and display the Output Data, both during and after the Term, for its legitimate business purposes (including disclosing to its board of directors or third-party investors or potential investors), subject always to Cloud Capital’s obligations of confidentiality under this Agreement, to the extent applicable.
6. Ownership. Neither party grants the other any rights or licenses not expressly set out in this Agreement. Except for Cloud Capital’s use rights in this Agreement, to the maximum extent permitted under applicable law, Customer retains all intellectual property rights and other rights in Customer Data provided to Cloud Capital. Except for Customer’s use rights in this Agreement, to the maximum extent permitted under applicable law, Cloud Capital and its licensors own and will retain ownership of any and all intellectual property rights and other rights in or to the Services, Output Data and any other deliverables, Documentation, Aggregated Data, Usage Data, and Cloud Capital technology, templates, formats, and dashboards, including any modifications or improvements to these items made by Cloud Capital. If Customer provides Cloud Capital with feedback or suggestions regarding the Services or other Cloud Capital offerings, Cloud Capital may use the feedback or suggestions without restriction or obligation.
7. Customer Obligations. Customer is responsible for its Customer Data, including its content and accuracy, and will comply with Laws when using the Services. Customer shall not upload or submit any Personal Data to the Services except for Registration Data without the prior written consent of CC. Customer represents and warrants that it has, to its knowledge, made all disclosures, provided all notices, and has obtained all rights, consents, and permissions necessary for Cloud Capital to Process Customer Data accordance with in this Agreement without violating or infringing Laws, third-party rights, or terms or policies that apply to the Customer Data. If Customer fails to do any of the following, Cloud Capital’s obligation to provide the Services will be excused until Customer is in compliance: Customer will (1) give Cloud Capital timely access to Customer Data reasonably needed for the Services, (2) provide continued access to Customer Data reasonably needed for the Services, (3) ensure any Customer Data it provides is accurate to their best knowledge, and (4) keep any such Customer Data up-to-date on a monthly basis.
8. Suspension of Service. Cloud Capital may immediately suspend Customer’s access to any or all of the Services if: (1) Customer breaches Section 2.4 (Restrictions) or Section 7 (Customer Obligations), and fails to cure (or have an agreed plan to cure); (2) changes to Laws or new Laws require that Cloud Capital suspend a Service or otherwise may impose additional liability on the part of Cloud Capital; or (4) Customer’s actions risk harm to any of Cloud Capital’s other customers or the security, availability, or integrity of a Service, unless demonstrably impracticable, Cloud Capital will use reasonable efforts to provide Customer with prior notice of the suspension (email sufficing). If the issue that led to the suspension is resolved, Cloud Capital will restore Customer’s access to the Service(s).
9. Customer Systems. Customer will provide and maintain any Customer Systems. In addition, Customer will give Cloud Capital timely access to Customer Data reasonably needed for the Services, and if Customer fails to do so, Cloud Capital’s obligation to provide Services will be excused until access is provided. 
10. Third-Party Platforms. Use of Third-Party Platforms is subject to Customer’s agreement with the relevant provider and not this Agreement. Cloud Capital does not control and has no liability for Third-Party Platforms, including their security, functionality, operation, availability, or interoperability with the Services or how the Third-Party Platforms or their providers use Customer Data. By enabling a Third-Party Platform to interact with the Services, Customer authorizes Cloud Capital to access and exchange Customer Data with such Third-Party Platform on Customer’s behalf.
11. Commercial Terms.
    
    1. Subscription Term. Except as set forth in an Order, each Subscription Term will automatically renew for successive 12-month periods unless either party gives the other party notice of non-renewal at least 30 days before the then-current Subscription Term ends. Customer may cancel their subscription to access and use the Services (effective on the expiration of the then-current Subscription Term) or provide notice of non-renewal either by sending by email to Cloud Capital at support@cloudcapital.co or through Customer’s Account settings in the Services.
    2. Affiliate Orders. An Affiliate of Customer may use Services by entering into its own Order as agreed with Cloud Capital. Each such Order creates a separate agreement between the Affiliate and Cloud Capital which incorporates this Agreement, with the Affiliate treated as “Customer”. Neither Customer nor any Customer Affiliate has any rights or obligations under each other’s agreement with Cloud Capital, and breach or termination of any such agreement is not breach or termination under any other.
12. Warranties.  
    
    1. The parties warrant current, and continuing, compliance with all laws applicable to it in connection with: (i) in the case of Cloud Capital, the operation of Cloud Capital’s business as it relates to the Service; and (ii) in the case of Customer, Customer’s use of the Service and its Customer Data.
    2. Documentation and Good Industry Practices Warranty. Cloud Capital warrants it will provide the Service: (i) in substantial conformance with the all applicable documentation made available to Customer; and (ii) with the degree of skill and care reasonably expected from a skilled and experienced supplier of software-as and/or platform-as service substantially similar to the nature and complexity of the Service. 
13. DISCLAIMERS. THE SERVICES AND ALL OUTPUT (INCLUDING OUTPUT DATA) RESULTING FROM THE SERVICES, SUPPORT, TECHNICAL SERVICES, AND ALL OTHER CLOUD CAPITAL SERVICES ARE PROVIDED “AS IS”. CLOUD CAPITAL, ON ITS OWN BEHALF AND ON BEHALF OF ITS SUPPLIERS AND LICENSORS, MAKES NO OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, OR NONINFRINGEMENT. EXCEPT AS OTHERWISE PROVIDED IN THIS AGREEMENT, CLOUD CAPITAL DOES NOT OTHERWISE WARRANT THAT CUSTOMER’S USE OF THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT CLOUD CAPITAL WILL REVIEW CUSTOMER DATA FOR ACCURACY, OR THAT IT WILL MAINTAIN CUSTOMER DATA WITHOUT LOSS. CLOUD CAPITAL IS NOT LIABLE FOR DELAYS, FAILURES, OR PROBLEMS INHERENT IN USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS OR OTHER SYSTEMS OUTSIDE CLOUD CAPITAL’S CONTROL. CUSTOMER MAY HAVE OTHER STATUTORY RIGHTS, BUT ANY STATUTORILY REQUIRED WARRANTIES WILL BE PERFORMANCE TO THE SHORTEST LEGALLY PERMITTED PERIOD. YOU UNDERSTAND AND AGREE THAT YOUR USE OF ANY PORTION OF THE SERVICE, INCLUDING ANY DECISIONS YOU MAKE BASED ON OUPTUT, OR INFORMATION DISPLAYED OR PRODUCED VIA THE SERVICE, AT YOUR OWN DISCRETION AND RISK. THE SERVICE AND OUTPUT DATA ARE FOR INFORMATIONAL PURPOSES ONLY AND ARE NOT INTENDED TO SERVE AS FINANCIAL ADVICE OR GUARANTEES OF FUTURE CLOUD USAGE OR COST. CLOUD CAPITAL IS NOT RESPONSIBLE FOR ANY DAMAGE TO YOUR PROPERTY OR ANY LOSS OF DATA, EXCEPT FOR ANY LOSS OF PERSONAL DATA.

‍

14. Term and Termination.
    
    1. Term. The term of this Agreement (the “Term”) starts on the Effective Date and continues until expiration or termination of all Subscription Terms.  
    2. Termination. Either party may terminate this Agreement or an Order if the other party: (a) fails to cure a material breach of this Agreement within 30 days after notice; (b) ceases operation without a successor; or (c) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition, or comparable proceeding, or if such a proceeding is instituted against that party and not dismissed within 60 days.
    3. Effect of Termination. Upon expiration or termination of an Order, Customer’s access to and Cloud Capital’s obligations to provide the Services described in the Order will cease. During a Subscription Term, Customer may export data or information that Customer (including its Users) submits to the Services, including from Third-Party Platforms from the applicable Service using the export features described in the applicable Documentation. After that 30-day period, Cloud Capital will be under no obligation to store or retain the applicable Customer Data and may delete the applicable Customer Data at any time in its sole discretion. Customer Data and other Confidential Information, as defined in Section 16, may be retained in Recipient’s standard backups for up to 60 days notwithstanding any obligation to delete the applicable Confidential Information but will remain subject to this Agreement’s confidentiality restrictions. 
    4. Survival. These Sections survive expiration or termination of this Agreement: 2.4 (Restrictions), 5.3 (Data Processing), 5.4 (Usage Data; Aggregated Data), 6 (Ownership), 13 (Disclaimers), 14.3 (Effect of Termination), 14.4 (Survival), 15 (Limitations of Liability), 16 (Indemnification), 17 (Confidentiality), 17.5 (Required Disclosures), 18 (General Terms), and Exhibit A (Definitions). Except where an exclusive remedy is provided in this Agreement, exercising a remedy under this Agreement, including termination, does not limit other remedies a party may have under this Agreement or at law or in equity. 
15. Limitations of Liability.
    
    1. Consequential Damages Waiver. To the maximum extent permitted by applicable law, except for Excluded Claims (as defined below) neither party (nor its suppliers or licensors) will have any liability arising out of or related to this Agreement for any loss of use, lost data (except for any Personal Data), lost profits, failure of security mechanisms, interruption of business, or any indirect, special, incidental, reliance, or consequential damages of any kind, even if informed of their possibility in advance. 
    2. Liability Cap. To the maximum extent permitted by applicable law, except for Excluded Claims, each party’s (and its suppliers’ and licensor’s) entire liability arising out of or related to this Agreement will not exceed, in aggregate, the total amounts paid or payable by Customer to CC for the Services in the 3 months preceding the events giving rise to the dispute (not including any amounts payable by CC directly to the Cloud Provider on behalf of Customer).  Notwithstanding the foregoing or anything to the contrary in this Agreement, CC’s entire liability arising out of or related to a breach of its data protection, privacy or security obligations under this Agreement (including the DPA) will not exceed, in aggregate, $500,000 (five hundred thousand dollars).
    3. Excluded Claims. “Excluded Claims” means the following: (a) Customer’s breach of Sections 2.4 (Restrictions) or 7 (Customer Obligations); (b) either party’s breach of Section 17 (Confidentiality); or (c) amounts payable under the indemnifying party’s obligations in Section 16 (Indemnification).  Further, nothing in this Agreement excludes the liability of Cloud Capital: (i) for death or personal injury caused by Cloud Capital’s negligence; or (ii) for fraud or fraudulent misrepresentation; or (iii) wilful acts or omissions. Each party’s liability for Excluded Claims arising out of or related to this Agreement will not exceed the lesser of (i) liability under the law or (ii) $250,000 (fifty thousand dollars). Each party’s total aggregate liability under Section 15 (Indemnification) is limited to $1,000,000 (one million dollars).
    4. Nature of Claims and Failure of Essential Purpose. The waivers and limitations in this Section 14 apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
16. Indemnification.
    
    1. Indemnification by Cloud Capital. Cloud Capital will defend Customer from and against any third-party claim to the extent alleging that a Service as operated by Cloud Capital, when used by Customer as permitted under the applicable Order infringes or misappropriates a third-party’s U.S., UK, or European patent, copyright, trademark, or trade secret, and will indemnify and hold harmless Customer against any damages and costs awarded against Customer (including reasonable attorneys’ fees) or agreed in a settlement by Cloud Capital resulting from the claim.
    2. Indemnification by Customer. Customer will defend Cloud Capital from and against any third-party claim to the extent resulting from: (a) Customer’s breach of Section 7 (Customer Obligations); (b) any decisions made by Customer based on Customer’s use of the Services or Output Data ; or (c) that any Customer Data when used by Cloud Capital as permitted under the applicable Order infringes or misappropriates a third-party’s U.S., UK or European patent, copyright, trademark, or trade secret.
    3. Procedures. The indemnifying party’s obligations in this Section 16 are subject to it receiving: (a) prompt written notice of the claim; (b) the exclusive right to control and direct the investigation, defense, and settlement of the claim; and (c) all reasonably necessary cooperation of the indemnified party, at the indemnifying party’s expense for reasonable out-of-pocket costs. The indemnifying party may not settle any claim without the indemnified party’s prior consent (which shall not be unreasonably withheld) if settlement would require the indemnified party to admit liability or take or refrain from taking any action (other than relating to use of the Services, when Cloud Capital is the indemnifying party). The indemnified party may participate in a claim with its own counsel at its own expense.
    4. Mitigation. In response to an actual or potential infringement or misappropriation claim or otherwise relating to violation of intellectual property rights, if required by settlement or injunction or as Cloud Capital determines necessary to avoid material liability, Cloud Capital may at its option: (a) procure rights for Customer’s continued use of the applicable Service; (b) replace or modify the allegedly infringing portion of the applicable Service to avoid infringement or misappropriation without reducing the Service’s overall functionality; or (c) terminate the affected Order. Nothing in this clause 16.4 shall affect the Customer’s right to make a claim under clause 16.1, or alter, reduce or invalidate the liability provided by CC at clause 15.3.
    5. Exceptions. Cloud Capital’s obligations in this Section 16 do not apply: (a) to infringement or misappropriation resulting from Customer’s modification of Services or use of Services in combination with items not provided by Cloud Capital (including Third-Party Platforms); (b) to unauthorized use of Services; or (c) to Free Services, Trials and Betas (as defined in Section 18) or other free or evaluation use. 
    6. Exclusive Remedy. This Section 16 sets out the parties’ exclusive remedy and entire liability regarding infringement or misappropriation of third-party intellectual property rights.
17. Confidentiality. 
    
    1. Definition. “Confidential Information” means information disclosed to the receiving party (“Recipient”) under this Agreement that is designated by the disclosing party (“Discloser”) as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. Cloud Capital’s Confidential Information includes the terms and conditions of this Agreement and any technical or performance information about the Services. Customer’s Confidential Information includes Customer Data.
    2. Obligations. As Recipient, each party will: (a) hold Confidential Information in confidence and not disclose it to third parties except as permitted in this Agreement, including Section 5.1 (Use of Customer Data); and (b) only use Confidential Information to fulfill its obligations and exercise its rights in this Agreement. At Discloser’s request, Recipient will delete all Confidential Information, except, in the case where Cloud Capital is the Recipient, Cloud Capital may retain the Customer’s Confidential Information to the extent required to continue to provide the Services. Recipient may disclose Confidential Information to its employees, agents, contractors, and other representatives having a legitimate need to know (including, for Cloud Capital, the subcontractors referenced in Section 20.9), provided it remains responsible for their compliance with this Section 17 and they are bound to confidentiality obligations no less protective than this Section 17.
    3. Exclusions. These confidentiality obligations do not apply to information that Recipient can document: (a) is or becomes public knowledge through no fault of the receiving party; (b) it rightfully knew or possessed prior to receipt under this Agreement; (c) it rightfully received from a third party without breach of confidentiality obligations; or (d) it independently developed without using Confidential Information. 
    4. Remedies. Unauthorized use or disclosure of Confidential Information may cause substantial harm for which damages alone are an insufficient remedy. Each party may in such case where damages are, or may be, an insufficient remedy, seek appropriate equitable relief, in addition to other available remedies, for breach or threatened breach of this Section 17.
    5. Required Disclosures. Nothing in this Agreement prohibits either party from making disclosures, including of Customer Data and other Confidential Information, if required by Law, subpoena, or court order, provided (if permitted by Law) it notifies the other party in advance and cooperates in any effort to obtain confidential treatment.
    6. Return or Destroy Confidential Information. Upon termination of this Agreement, or at Discloser’s written request, Recipient shall return or, if directed by Discloser, destroy all Confidential Information in its possession, custody, or control within sixty (60) days, and cease all further use thereof. Recipient shall provide Discloser with a written certification of its compliance with this section upon Discloser’s request. Notwithstanding the foregoing, the Recipient may retain copies of Confidential Information to the extent required by law or any applicable governmental or regulatory authority, and to the extent such Confidential Information is automatically archived on backup or disaster recovery systems in accordance with standard backup procedures (subject to such backup being according to best-practice industry standards, and subject also to Cloud Capital’s confidentiality obligations under this Agreement. Such Confidential Information shall remain subject to all confidentiality obligations under this Agreement.
18. Free Services, Trials and Betas. If Customer receives access to Services or features thereof on a free (including a free-tier) or trial basis or as an alpha, beta, or early access offering (“Free Services, Trials and Betas”), use is permitted only for Customer’s internal evaluation during the period designated by Cloud Capital (or if not designated, 30 days). Free Services, Trials and Betas are optional and either party may terminate Free Services, Trials and Betas at any time for any reason. Free Services, Trials and Betas may be inoperable, incomplete, or include features that Cloud Capital may never release, and their features and performance information are Cloud Capital’s Confidential Information. Notwithstanding anything else in this Agreement, Cloud Capital provides no warranty, indemnity, support or service level commitments for Free Services, Trials and Betas, and its liability for Free Services, Trials and Betas will not exceed US$50.
19. Publicity. Neither party may publicly announce that the parties have entered into this Agreement, except with the other party’s prior consent or as required by Laws. Cloud Capital may use Customer’s name, trademarks, and Results in Cloud Capital’s customer lists and promotional materials but will cease further use at Customer’s written request. 
20. General Terms.
    
    1. Assignment. Notwithstanding anything to the contrary in this Agreement, Cloud Capital may, in its sole discretion, without the necessity of consent from the Customer, assign or transfer any or all of its rights or obligations under this Agreement, in whole or in part, at any time, to a successor in the event of a change of control, merger, acquisition or sale of all or substantially all of its assets, to a special purpose vehicle as part of its financial or business initiatives, or to ensure continuity of service to Customer in the event of Cloud Capital’s insolvency or anticipated cessation of operations. Cloud Capital will nevertheless provide Customer with appropriate notice of any such assignment and/or transfer within a reasonable period prior to any such assignment and/or transfer. Customer may not assign this Agreement without the prior consent of Cloud Capital, except in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all its assets or voting securities to the other party involved in such transaction. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each party’s permitted successors and assigns.
    2. Governing Law, Jurisdiction and Venue. 
       
       1. If Customer is based in the United Kingdom or Europe (including without limitation the European Union), then this Agreement is governed by the England and Wales, irrespective of the location of the applicable Cloud Capital entity you are contracting with and without regard to conflicts of laws provisions that would result in the application of the laws of another jurisdiction or the United Nations Convention International Sale of Goods. The jurisdiction and venue for actions related to this Agreement will be the courts located in London, England and both parties submit to the personal jurisdiction of those courts.
       2. If Customer is based in the United States or anywhere else other than the United Kingdom or Europe, then this Agreement is governed by the laws of the State of New York and the United States, irrespective of the location of the applicable Cloud Capital entity you are contracting with and without regard to conflicts of laws provisions that would result in the application of the laws of another jurisdiction or the United Nations Convention on the International Sale of Goods. The jurisdiction and venue for actions related to this Agreement will be the state and United States federal courts located in New York, New York, and both parties submit to the personal jurisdiction of those courts. 
       3. Attorneys’ Fees and Costs. To the maximum extent permissible under applicable law, the prevailing party in any action to enforce this Agreement will be entitled to recover its attorneys’ fees and costs in connection with such action.
    3. Notices. Except as set out in this Agreement, any notice or consent under this Agreement must be in writing to the addresses on the first page and will be deemed given: (a) upon receipt if by personal delivery; (b) upon receipt if by certified or registered U.S. or UK mail (return receipt requested). Notices may be sent via email unless otherwise expressly permitted elsewhere in this Agreement. Either party may update its address with notice to the other party. Cloud Capital may also send operational notices to Customer by email or through the Services. 
    4. Entire Agreement. This Agreement (including the Order) is the parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and “including” and similar terms are to be construed without limitation. This Agreement may be executed in counterparts (including electronic copies and PDFs), each of which is deemed an original and which together form one and the same agreement.
    5. Amendments. Cloud Capital may, from time to time, make non-material changes to this Agreement, which will be effective immediately upon posting. Cloud Capital will give Customer 30 days’ prior written notice of any material changes, after which period, such material changes will be deemed accepted by Customer and effective if Customer has not provided written notice of its rejection and request to negotiate. We may require Customer to affirmatively accept the modified Agreement in order to continue to use the Service. If you do not agree to the modified Agreement, then you should discontinue your use of the Service, without penalty. Except as expressly permitted in this Section 20.5, this Agreement may be amended only by a written agreement signed by authorized representatives of the parties to this Agreement.
    6. Waivers and Severability. Waivers must be signed by the waiving party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal, or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
    7. Force Majeure. Neither party is liable for any delay or failure to perform any obligation under this Agreement due to events beyond its reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, Internet or utility failures, refusal of government license, or natural disaster.
    8. Subcontractors. Cloud Capital may use subcontractors and permit them to exercise Cloud Capital’s rights, but Cloud Capital remains responsible for their compliance with this Agreement and for its overall performance under this Agreement.
    9. Independent Contractors. The parties are independent contractors, not agents, partners, or joint venturers.
    10. Export. Customer will comply with all relevant U.S. and foreign export and import Laws in using any Service. Customer: (a) represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a U.S. government embargo or that has been designated by the U.S. government as a “terrorist supporting” country; (b) agrees not to access or use Services in violation of any U.S. export embargo, prohibition, or restriction; and (c) will not submit to the Services any information controlled under the U.S. International Traffic in Arms Regulations.
    11. Open Source. The Services may incorporate third-party open source software (“OSS”) a list of which Cloud Capital will provide upon Customer’s written request. To the extent required by the OSS license, that license will apply to the OSS on a stand-alone basis instead of this Agreement. 
    12. Conflicts in Interpretation. If there are inconsistencies or conflicts between the terms of the body of this Agreement and the terms of any exhibits, attachments, addenda, or other documents attached to or incorporated by reference in this Agreement, the order of precedence is as follows: (a) the terms contained in the body of this Agreement; (b) the terms of the exhibits, attachments, and addenda to this Agreement; and (c) the Documentation. 
        

Exhibit A

Definitions

1. “Affiliate” means an entity directly or indirectly owned or controlled by a party, where “ownership” means the beneficial ownership of 50% or more of an entity’s voting equity securities or other equivalent voting interests and “control” means the power to direct the management or affairs of an entity.
2. “Aggregated Data” means Customer Data, that has been deidentified or aggregated with other data such that the resulting data no longer reasonably identifies Customer or a specific individual. 
3. “Confidential Information” has the meaning given to it in Section 16.1.
4. “Customer Data” means any data or information that: (a) Customer (including its Users) submits to the Services, including from Third-Party Platforms; and (b) is Processed by Cloud Capital to provide the Services to Customer. Customer Data includes Registration Data.
5. “Customer Systems” means Customer’s hardware, software, other technology, and infrastructure that Customer is required to provide and maintain in order for Customer to access and use the Services.
6. "Data Protection Laws" means all applicable data protection and privacy legislation including but not limited to: the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); the UK GDPR as defined by section 205(4) of the UK Data Protection Act 2018 (“UK GDPR”); the UK Data Protection Act 2018; U.S. Privacy Laws, and any implementing regulation thereof of any jurisdiction, and all other applicable data protection laws of the EEA, the United Kingdom, and Switzerland, each as applicable, in each case as amended, updated or replaced from time to time;. 
7. “Discloser” has the meaning given to it in Section 16.1.
8. “Documentation” means the then-current version of Cloud Capital’s usage guidelines and standard technical documentation for the Services that Cloud Capital makes generally available to its customers that it provides the applicable Services to.
9. “Excluded Claims” has the meaning given to it in Section 14.1.
10. “Force Majeure Events” has the meaning given to it Section 19.8.
11. “Free Services, Trials and Betas” has the meaning given to it in Section 17.
12. "Laws" means all applicable laws, statutes, regulations, and legally binding rules or requirements, including (as applicable) those of England and Wales, the United States (including federal, state, and local laws), and any other relevant jurisdiction. This includes, without limitation, laws relating to data protection, data transfer, international communications, and the export of data, including Customer Personal Data and Customer Personal Information.
13. “Log-in Credentials” has the meaning given to it in Section 2.3.
14. “Order” means an order or online ordering process that describes the Services being purchased by Customer.
15. “OSS” has the meaning given to it in Section 19.12.
16. “Output Data” means resultant forecast projections and savings analyses produced by the Services using Customer Data, including Results. Output Data does not include any Customer Data itself, except in anonymised or aggregated form that does not identify the Customer or any individual.
17. “Personal Data” shall have the meaning ascribed to that term in the EU GDPR.
18. “Process” means to collect, access, use, disclose, transfer, transmit, store, host, or otherwise process.
19. “Prohibited Data” means any: (b) patient, medical, or other protected health information regulated by the Health Insurance Portability and Accountability Act (as amended and supplemented) (“HIPAA”); (c) credit, debit, or other payment card data subject to the Payment Card Industry Data Security Standards; (d) other information subject to regulation or protection under specific Applicable Laws such as the Children’s Online Privacy Protection Act or Gramm-Leach-Bliley Act (or related rules or regulations); (e) social security numbers, driver’s license numbers, or other government ID numbers; or (f) any data similar to the above protected by Laws.
20. “Recipient” has the meaning given to it in Section 17.1.
21. “Registration Data” means all Personal Data including Log-In Credentials submitted by a Customer or its Users to create an Account. 
22. “Results” means data and information illustrating Customer’s business results, impacts, return on investment (ROI) case studies (e.g., “30% Cost Savings”), and other metrics related to Customer’s use of the Services. 
23. “Service” or “Services” means the then-current version of Cloud Capital’s proprietary service and other services that are identified in the relevant Order. Each of the Services includes the Documentation for the Service. 
24. “Subscription Term” means the period during which Customer’s subscription to access and use the Services is in effect, as identified in the applicable Order.
25. “Term” has the meaning given to it in Section 13.1.
26. “Third-Party Platform” means any third-party platform, add-on, service, or product not provided by Cloud Capital that Customer elects to integrate or enable for use with any Service. 
27. “Updates” means any updates, modifications, or bug fixes to the Services or Documentation that Cloud Capital provides free of additional charge to its customers using a Service. 
28. “Upgrades” means additions, enhancements, upgrades, new services, or modules that include new features and substantial increases in functionality to the Services that Cloud Capital makes available to its customers.
29. “Usage Data” means information generated from the use of the Services, which data does not identify Users, any other natural human persons, or Customer, such as technical logs, data, and learnings about Customer’s use of the Services, but excluding any identifiable Customer Data. 
30. “User” means any employee or contractor of Customer or its Affiliates that Customer allows to use the Services on Customer’s behalf.
31. “U.S. Privacy Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information). U.S. Privacy Laws include, but are not limited to, the following:
    
    1. California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);
    2. Colorado Privacy Act;
    3. Connecticut Personal Data Privacy and Online Monitoring Act;
    4. Delaware Personal Data Privacy Act;
    5. Indiana Consumer Data Protection Act;
    6. Iowa Consumer Data Protection Act;
    7. Kentucky Consumer Data Protection Act;
    8. Maryland Online Data Privacy Act;
    9. Minnesota Consumer Data Privacy Act;
    10. Montana Consumer Data Privacy Act;
    11. Nebraska Data Privacy Act;
    12. New Hampshire Act Relative to the Expectation of Privacy;
    13. New Jersey Act Concerning Online Services, Consumers, and Personal Data;
    14. Oregon Consumer Privacy Act;
    15. Rhode Island Data Transparency and Privacy Protection Act;
    16. Tennessee Information Privacy Act;
    17. Texas Data Privacy and Security Act;
    18. Utah Consumer Privacy Act; and
    19. Virginia Consumer Data Protection Act.
        

‍

Exhibit B 

Data Protection Addendum

1. Definitions.
   
   1. In this DPA: 
      
      1. “Controller”, “Data Subject”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Laws;
      2. “Consumer” means a natural person. Where applicable, Consumer shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws;
      3. “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Laws, including the right to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making;
      4. “International Data Transfer” means any disclosure of Personal Data by an organization subject to Data Protection Laws to another organization located outside the EEA or the UK or Switzerland; 
      5. “Instructions” mean the instructions given by Customer with regard to the Processing of Relevant Data;
      6. “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws;
      7. “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Laws or other laws to which the Controller is subject;
      8. “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA;
      9. “Subprocessor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller;
      10. “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
      11. “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
   2. In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
   3. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope.
   
   1. This DPA applies to the Processing of Relevant Data by Cloud Capital subject to Data Protection Laws to provide the Services.
   2. The subject matter, nature and purpose of the Processing, the types of Relevant Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
   3. Customer is a Controller responsible for determining the purposes and means of Processing Relevant Data and appoints Cloud Capital as a Processor on behalf of Customer for the limited and specific purposes set forth in the Agreement and this DPA. Customer is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers. 
   4. Notwithstanding any provision to the contrary in the Agreement or this DPA, the terms of this DPA shall not apply to Cloud Capital’s Processing of Relevant Data that is exempt from applicable Data Protection Laws.
3. Instructions.
   
   1. Cloud Capital will Process Relevant Data to provide the Services and in accordance with Customer’s documented instructions.
   2. Customer’s instructions are documented in this DPA and the Agreement.
   3. Except as expressly permitted by the Applicable Data Protection Laws, Cloud Capital is prohibited from (a) Selling or Sharing Relevant Data, (b) retaining, using, or disclosing Relevant Data for any purpose other than for the specific purpose of performing the services specified in the Agreement or this DPA, (c) retaining, using, or disclosing Relevant Data outside of the direct business relationship between the parties, and (d) combining Relevant Data with any data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable Data Protection Laws. For the avoidance of doubt, Cloud Capital is permitted to retain, use, and disclose Relevant Data for product improvement purposes, subject always to the Cloud Capitals confidentially obligations under the Agreement .
   4. Cloud Capital, its employees, agents, subcontractors, and subprocessors (a) shall comply with the obligations of the Data Protection Laws and (b) shall provide the level of privacy protection required by the Data Protection Laws.
4. Security and Personal Data Breaches.
   
   1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect  Relevant Data from unauthorized access, destruction, use, modification, or disclosure. Without limiting the foregoing, the parties shall comply with the Security Measures set forth at Annex II when Processing Relevant Data.
   2. Cloud Capital will notify Customer without undue delay after becoming aware of a Personal Data Breach involving any Relevant Data.
   3. Cloud Capital shall ensure that its employees, agents, subcontractors, and Subprocessors are subject to a duty of confidentiality with respect to Relevant Data. 
5. Subprocessing.
   
   1. Customer hereby authorizes Cloud Capital to engage Subprocessors. Cloud Capital will provide Customer a current list of Cloud Capital’s Subprocessors upon Customer’s request.
   2. Cloud Capital shall ensure that Subprocessors who Process Relevant Data on Cloud Capital’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Cloud Capital in this DPA and the Agreement with respect to Relevant Data, as well as to comply with the applicable Data Protection Laws. 
   3. Cloud Capital will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Laws by providing written notice detailing the grounds of such objection within thirty (30) days following Cloud Capital’s notification of the intended change. In the event Customer objects to a new Subprocessor, Cloud Capital will use reasonable efforts to make available to Customer a change in the Software Services to Customer’s configuration or use of the Service to avoid Processing of Relevant Data by the objected-to new Subprocessor without unreasonably burdening the Customer. If Cloud Capital is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate this Agreement and/or Order with respect to the Service by providing written notice to Cloud Capital. Cloud Capital will refund any pre-paid, unused fees following the effective date of termination with respect to such terminated Service.

‍

6. Assistance.
   
   1. Taking into account the nature of the Processing, and the information available to Cloud Capital, Cloud Capital will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Laws to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach. Where applicable, Customer shall inform Cloud Capital of any Consumer request made pursuant to Data Protection Laws that Customer must comply with. Customer shall provide Cloud Capital with the information necessary for Cloud Capital to comply with the request.
   2. Cloud Capital shall not be required to delete any Relevant Data to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable Data Protection Laws; provided, however, that in such case, Cloud Capital shall not use Relevant Data retained for any purpose other than provided for by that exception.
   3. Cloud Capital may charge a reasonable fee for assistance under this Section 6. If Cloud Capital is at fault, Cloud Capital and Customer shall each bear their own costs related to assistance.
7. Audit.
   
   1. Customer has the right to monitor Company’s compliance with this DPA pursuant to the Data Protection Laws. Upon reasonable request of Customer, Cloud Capital must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once per year by Customer, and performed by an independent auditor as agreed upon by Customer and Cloud Capital. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Relevant Data and shall be conducted during normal business hours and in a manner that causes minimal disruption.
8. International Data Transfers.
   
   1. Customer hereby authorizes Cloud Capital to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Laws; or pursuant to the SCCs and the UK Addendum.
9. Notifications.
   
   1. Customer will send all notifications, requests and instructions under this DPA to Cloud Capital via email to privacy@cloudcapital.co. 
   2. Cloud Capital will send all notifications under this DPA to Customer’s contact as stated in an Order.
10. Term and duration of Processing.
    
    1. The Processing will last no longer than the term of the Agreement.
    2. Without prejudice to any provisions of Data Protection Laws, in the event that Cloud Capital is in breach of any of its obligations under this DPA, Customer may instruct Cloud Capital to suspend the Processing of Relevant Data until the latter complies with this DPA or the Agreement is terminated. 
    3. Customer may request return of Relevant Data up to ninety (90) days after termination of the Agreement. Upon termination, unless required or permitted by applicable law or this DPA, Cloud Capital will delete all remaining copies of Relevant Data without undue delay after returning Relevant Data to Customer. Cloud Capital may retain Relevant Data to the extent required by law but only to the extent and for such period as required by such law and always provided that Cloud Capital shall ensure the confidentiality of all such Relevant Data.
    4. The parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, Data Protection Laws. 
       

‍

ANNEX I: DESCRIPTION OF DATA TRANSFER

1. Category of Data Subjects. Categories of data subjects whose Personal Data is transferred: End users of Customer
2. Categories of Personal Data. Categories of Personal Data transferred: Log-in credentials, First and last name, Email address, Phone number.
3. Sensitive Data. Where applicable, safeguards for Sensitive Data reflect the nature of the data and associated risks. These may include: strict purpose limitation, access restrictions (e.g. limited to personnel with specialized training), logging of all access, restrictions on onward transfers, and implementation of additional security controls appropriate to the sensitivity of the data.
4. Purpose of Processing. The nature and purpose(s) of the Processing: The Personal Data will be Processed as described in the Agreement.
5. Retention of Personal Data. Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Laws.

‍

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

‍

The parties will implement the following types of security measures: 

1. Physical access control. Measures to prevent unauthorized access to data processing systems (e.g. databases, application servers, hardware) include: defined security zones, restricted access paths, access rights for employees and third parties, ID or card-based access systems, key management, electronic door locks, on-site security staff, CCTV and alarms, and protection of decentralized systems and personal devices.
2. Virtual access control. Measures to prevent unauthorized use of data processing systems include: user identification and authentication procedures, strong ID/password policies (e.g. complexity, expiry), automatic session blocking (e.g. timeout or failed attempts), unique master records for each user, user data environment controls, and encryption of archived media.
3. Data access control. Measures ensure only authorized individuals access Customer Data per their permissions, and prevent unauthorized reading, copying, modification, or deletion. These include internal policies, access control schemes, default settings, role-based access, monitoring and logging, disciplinary actions, and defined access, change, deletion, and encryption procedures.
4. Disclosure control. Measures ensure Customer Data remains protected from unauthorized access during transmission, transport, or storage, and that any third-party disclosures are traceable. These include encryption, pseudonymization, tunneling, logging, and transport security.
5. Entry control. Technical and organizational measures to monitor whether Customer Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include: Logging and reporting systems; and Audit trails and documentation.
6. Control of instructions. Measures to ensure Customer Data is processed only according to the Controller’s instructions include: clear contractual terms, formal commissioning procedures (e.g. request forms), and defined criteria for selecting subcontracted service providers.
7. Availability control. Measures to maintain system integrity, availability, and resilience, and to protect Customer Data from accidental destruction or loss, include: backup procedures, uninterruptible power supply (UPS), remote storage, antivirus and firewall systems, and a disaster recovery plan for physical or technical incidents.
8. Separation control. Technical and organizational measures to ensure that Customer Data collected for different purposes can be processed separately include: Internal controls to keep data segregated; “Internal Company” concept / limitation of use; Segregation of functions (production/testing); and Procedures for storage, amendment, deletion, transmission of data for different purposes.
9. Testing controls. Technical and organizational measures to test, assess, and evaluate the effectiveness of security controls include: periodic review and testing of the disaster recovery plan; testing and evaluation of software updates before deployment; authenticated vulnerability scanning with elevated rights; and use of test environments for penetration tests and Red Team attacks.
10. IT governance. Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include: Certification/assurance of processes and products; Processes for data minimization; Processes for data quality; Processes for limited data retention; Processes for ensuring accountability; and Data subject rights handling policies
    

‍