SaaS Services Agreement

GENERAL AGREEMENT

SaaS service provider: Vixiees Tech-Hub, S.L., with tax ID B44570174 and registered office at C/ Lepant 270, 08013 Barcelona (Spain) (hereinafter, “Vixiees”). The user of the service or services (hereinafter, the “CLIENT”) accepts the terms detailed in this agreement. Use of the service implies full acceptance of these terms.

1 Scope of application

This agreement and the Vixiees platform are intended exclusively for companies and professionals. The application is not intended for consumers or individual users. The CLIENT declares that it is contracting in its capacity as a company or professional for the purposes of the applicable regulations.

2 License of use and intellectual property

2.1 Vixiees grants the CLIENT a non-exclusive, non-transferable, non-sublicensable and revocable license to use the Vixiees software, limited to the term of the agreement and to web use through the assigned credentials.

2.2. All intellectual and industrial property rights in the software, platform, brand, logos, source code, documentation, interfaces, models, know-how and any improvement or derivative development belong exclusively to Vixiees or its licensors. No right other than the described license of use is transferred to the CLIENT.

2.3. The CLIENT undertakes not to carry out reverse engineering, decompilation, disassembly, resale, sublicensing, copying, modification, assignment or creation of derivative works of the platform, unless mandatory law so permits.

2.4. The data, contacts, recordings, transcripts, content and databases that the CLIENT enters or generates through use of the platform are and will remain the property of the CLIENT. Vixiees will process them only under the terms set out in Annex 2 (DPA).

2.5. The CLIENT acknowledges that the product access URLs are the property of Vixiees.

3 Data protection

3.1 As it is necessary, for the provision of the services described in this Agreement, to process personal data and in compliance with the provisions of Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights, of December 5, 2018 (LOPDGDD) and in EU Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), it is necessary to enter into a specific Data Protection agreement, which will formalize the relationship between the Client, as Data Controller, and Vixiees Tech-Hub S.L. as Data Processor.

In this regard, the processing of personal data arising from the provision of the service shall be governed by the Data Processing Agreement (DPA) in Annex 2, which forms an integral part of this agreement.

3.2 Likewise, in accordance with the aforementioned regulations, the legal representatives of the signing parties accept the processing of the personal data collected in this Agreement for the purposes related to the services described herein and their administrative accounting management. The lawfulness of this processing is based on Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract to which the data subject is party.

3.3 Personal data will be retained for as long as the contractual relationship lasts. Once this relationship has ended, your data may continue to be retained to comply with any applicable legal obligation and to address any claims until the maximum limitation period for any actions that may arise from this relationship. Once the limitation periods have elapsed, the personal data will be deleted.

3.4 The CLIENT may exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability and not to be subject to automated individual decisions (including profiling), by sending a request with the subject “Data Protection”, to the email address: contact@vixiees.com, from the same account provided to us, indicating the contact details.

3.5 If the parties consider that their rights have been violated, they may exercise the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

3.6 It is hereby informed that the Data Protection Officer is: Grupo Datcon Sur S.L.U. C/ Dr. Duarte Acosta 7, 11500, El Puerto de Santa María, Cádiz.

4 Call recordings and Artificial Intelligence

4.1. The platform allows the CLIENT's communications to be recorded, transcribed and analyzed. It is the sole responsibility of the CLIENT to obtain the consent of the interlocutors for the recording and processing of their data, as well as to comply with the information obligations arising from the applicable regulations.

4.2. The maximum retention period for recordings and transcripts on the platform is 6 months, after which Vixiees will delete them unless the CLIENT expressly contracts for a longer period.

4.3. Vixiees does not use the CLIENT's data, recordings, transcripts or content to train Artificial Intelligence models, whether its own or those of third parties.

4.4. The CLIENT undertakes to use the Artificial Intelligence functionalities in accordance with the applicable regulations, in particular Regulation (EU) 2024/1689 (Artificial Intelligence Act), refraining from fraudulent use or from carrying out any of the prohibited practices set out in that Regulation.

5 Technical support or inquiries

5.1. Vixiees will provide technical or administrative/commercial support as set out on the websites related to the product to be contracted.

5.2. The response time is a maximum of 24 hours in cases of incidents and technical or functional support, excluding Saturdays, Sundays and official holidays in Spain.

5.3. The service will be provided during Vixiees' business hours: Monday to Friday from 9:00 a.m. to 6:00 p.m. (peninsular Spain time).

5.4. Maintenance, updates and bug-fixing services are carried out remotely. They do not include travel to the CLIENT's premises.

6 Billing and payments

6.1. All applicable prices, rates and financial terms will be published at all times in the pricing section within the Vixiees application. Such information forms an integral part of the agreement.

6.2. Prices will always be published excluding taxes. Applicable taxes (VAT or other equivalents) will be added on the invoice depending on the default country of the CLIENT account.

6.3. Payment is monthly. On the date of registration, an invoice will be issued corresponding to the proportional part of the remaining days of the month; subsequent invoices will be issued within the first five (5) days of each month. Payment will be made by SEPA transfer or credit/debit card.

6.4. Vixiees may modify prices and financial terms by up to 10% per year, with at least 90 days’ prior notice to the CLIENT. If that period passes without an express objection from the CLIENT, the new terms shall be deemed accepted.

6.5. In the event of a reversal, delay or non-payment 5 days after the invoice date, Vixiees may suspend the service until payment is confirmed. In the event of a returned direct debit, an additional fifteen (15) € + VAT will be charged to the CLIENT to cover bank fees.

6.6. After repeated delays or non-payments, Vixiees may request that the CLIENT provide a security deposit in an amount equal to the current fee.

6.7. If Vixiees has to cancel a service due to non-payment, it shall not be liable for any damage it may cause to the CLIENT or its customers.

7 Term and termination of the service

7.1. The duration of the agreement will depend on the terms agreed at the time of contracting and on the maintenance of the associated payments.

7.2. There is no minimum term. The CLIENT may cancel the service at any time from its own account within the application. No written notice or additional request is required.

7.3. Fees already invoiced or paid will not be refunded, regardless of the time of month at which the cancellation takes place.

7.4. The cancellation will be effective once processed by the system and, in any case, within 72 hours from the request made in the application.

7.5. The CLIENT shall be entitled to request a copy of its data within 72 hours following the effectiveness of the cancellation, in accordance with the provisions of the DPA (Annex 2). Vixiees will deliver the data in the technically feasible format, which may include, among others, CSV files, audio files and transcripts. Proper subsequent handling of the data shall be the responsibility of the CLIENT.

7.6. In the hypothetical event that Vixiees cancels the service without the CLIENT having breached any of the conditions described herein, the corresponding amount for the proportional part of the unused period shall be refunded.

8 Termination for breach

8.1. Either party may terminate this agreement for material breach by the other party, upon prior written notice identifying the breach and granting a period of 30 calendar days to remedy it. If the period elapses without remedy, the agreement shall automatically terminate.

8.2. Notwithstanding the foregoing, non-payment (clause 6) and unlawful use or misuse of the platform (clauses 9 and 10) shall be governed by the specific immediate suspension or cancellation mechanisms provided for in the corresponding clauses, without the need for a cure period.

9 Acceptable use of the platform

9.1. The CLIENT undertakes to use the platform only for the purposes permitted in this agreement and in full compliance with applicable law. The following are expressly prohibited:

• using the platform for illegal, fraudulent or immoral purposes or purposes contrary to public order;

• hosting or transmitting illegal content, including child pornography or copyrighted content (music, video, software) without a license;

• using the service to carry out SPAM or bulk and indiscriminate sending of emails, SMS or WhatsApp messages;

• carrying out reverse engineering, decompilation, disassembly, copying, resale or creation of derivative works;

• carrying out load tests, benchmarking, scraping or unauthorized bulk data extraction;

• bypassing the security mechanisms or technical limits of the platform;

• creating fake accounts, sharing credentials or allowing access to unauthorized third parties;

• subletting or assigning the service to other clients or third parties except as expressly provided for in the special terms.

10 Immediate suspension for misuse

10.1. Vixiees reserves the right to suspend or terminate the service immediately and without prior notice in the event of receiving any complaint, notice, request from a competent authority or reasonable evidence of misuse or unlawful use of the platform by the CLIENT.

10.2. Service interruption may occur before any clarification. Explanations, claims and any eventual reinstatement will be processed after the suspension.

10.3. Liability to third parties for misuse, hosted content or communications made through the platform shall rest entirely with the CLIENT, who shall hold Vixiees harmless from any claim, sanction or damage arising from such use.

11 Warranties and service level (SLA)

11.1. Vixiees shall be responsible for the proper functioning of the contracted product, resolving any incident arising from its malfunction as soon as possible.

11.2. Vixiees guarantees a monthly availability level of the platform of 99% (uptime), calculated on a calendar monthly basis and excluding previously communicated scheduled maintenance windows, force majeure events and incidents attributable to third-party providers or to the CLIENT itself.

11.3. Vixiees is not responsible for service malfunctions due to issues associated with its providers, nor for incidents arising from misuse by the CLIENT, in which case it may invoice the corresponding costs.

11.4. Vixiees does not guarantee that the services fit the CLIENT's specific needs. Such unsuitability shall not be grounds for termination of the agreement or non-payment of fees.

11.5. The CLIENT must report any incident to contact@vixiees.com or through the channels indicated on the website related to the subscribed product.

11.6. Vixiees will make backup copies every 24 hours of the CLIENTS' databases, from which the service may be restored in the event of a serious incident. This does not exempt the CLIENT from maintaining its own backup processes. Specific retention and restoration conditions shall be governed, as applicable, by the DPA.

11.7. The CLIENT must use all means at its disposal to prevent access by unauthorized third parties and must ensure the confidentiality of passwords, changing them at the slightest suspicion.

12 Technical requirements

12.1. The Vixiees platform is optimized for the latest versions of the Google Chrome browser. Other browsers may work, but Vixiees does not guarantee full compatibility or the optimal experience outside that environment.

12.2. The CLIENT is responsible for having an adequate Internet connection, hardware and configuration for use of the service.

13 Developer API

13.1. The uses, technical limits, call quotas and other terms applicable to the Vixiees API are published at https://developers.vixiees.com and must be consulted there by the CLIENT, and form an integral part of this agreement.

14 Certifications and security

14.1. Vixiees holds the CASA Tier 2 certification required by Google, accrediting the application of standard security controls over the service provided.

15 Responsibilities and limitation of liability

15.1. Vixiees shall not be liable for loss of profits, loss of business, loss of data or indirect or consequential damages arising from the use, operation or performance of the software.

15.2. Without prejudice to the CLIENT's mandatory rights, the maximum aggregate liability of Vixiees for any claims arising from or related to this agreement shall be limited to the amount actually paid by the CLIENT to Vixiees during the twelve (12) months immediately preceding the event giving rise to liability.

15.3. Vixiees shall not be liable for failure to perform its obligations if performance has been prevented, interfered with or delayed by circumstances beyond its reasonable control, including, among others, force majeure events, acts of God, strikes, riots, lockouts, acts of war, epidemics, official acts or regulations, fires, communication failures, power supply failures, lightning, earthquakes, floods and disasters.

15.4. Vixiees is not responsible for misuse of the platform with third-party services (for example Facebook, WhatsApp or others) and no type of compensation may be claimed for this.

15.5. Service means access to the platform and use of the functionalities designed by Vixiees. Any other functionality related to third-party integrations, which are not owned by Vixiees, is not directly related to Vixiees, which is not responsible for any issues arising from their use.

16 Amendments

16.1. The terms of this agreement may be amended by Vixiees, with notice given by the means it deems necessary, 90 days in advance. If during this period the CLIENT does not expressly reject the change, it shall be deemed to accept the amendments.

17 Assignment of the agreement

17.1. The CLIENT may not assign this agreement, in whole or in part, to a third party without the prior written consent of Vixiees.

17.2. Vixiees may assign the agreement to any entity in its group or to third parties in the context of corporate transactions (mergers, spin-offs, asset sales, etc.), informing the CLIENT accordingly.

18 Number portability

18.1. Upon cancellation of the service, the CLIENT may request portability of the telephone numbers to another operator. Vixiees will not charge costs for number portability; if costs attributable to third parties (wholesale operators or others) arise in the process, such costs will be passed on in full to the CLIENT.

19 Server content

19.1. Vixiees shall not be responsible for the content and data hosted in the database of Vixiees's virtual provider server, as they are the property of the CLIENT.

19.2. The CLIENT is informed that the server on which the information and web applications are hosted is located in Europe, within the territory of the European Union, and the CLIENT unequivocally accepts this fact.

20 Client and Users

20.1. Concepts:

Client: account to which the subscription is assigned and on which the contracted users are created.

User: the different users contained in an account and who access the contracted product.

The minimum configuration is 1 Client / 5 Users.

21 Use of the CLIENT's name and logo

21.1. The CLIENT authorizes Vixiees to include the name and logo of its company in Vixiees's client list and on its website. If the CLIENT wishes to opt out, it may notify contact@vixiees.com at any time.

22 Surviving clauses

22.1. The clauses relating to intellectual property (clause 2) and the residual obligations regarding the processing of personal data set out in Annex 2 (DPA), as well as any other clauses which, by their nature, must remain in force after termination of the agreement, shall survive termination of this agreement for any reason.

23 Jurisdiction and governing law

23.1. This agreement is governed by Spanish law.

23.2. Both parties submit to the Courts and Tribunals of Barcelona (Spain) for the resolution of any dispute that may arise, expressly waiving their own jurisdiction if any other were applicable.

24 Order of precedence

24.1. In the event of any contradiction between the various documents that make up the contractual relationship, the following order shall prevail:

• 1st Special Terms (Annex 1).

• 2nd Data Processing Agreement (Annex 2, DPA).

• 3rd General Terms and Conditions of this agreement.

• 4th Prices and conditions published within the application.

Notes

The contracted service includes access to Vixiees functionalities as configured in the application. The rest of the functionalities (integrations, calls, messages, AI, etc.) that entail an additional cost are not included in the fixed pricing of the service and are detailed within the application and, where applicable, in the special terms.

ANNEX 1 — SPECIAL TERMS

1 Financial terms

1.1. All financial terms applicable to the contracted services (license price, included call packs, extra minute rates, SMS, WhatsApp, recordings, transcripts, Artificial Intelligence-based solutions and other additional services) are published and updated in the pricing section within the Vixiees application.

1.2. These financial terms form an integral and inseparable part of this agreement and shall be those in force at the time they become due, without prejudice to clause 6.4 of the General Terms regarding the annual cap of 10% and the 90-day prior notice.

1.3. Prices will be published excluding taxes. Applicable taxes will be added on the invoice depending on the default country of the CLIENT account.

2 Definition of Sales Agent

2.1. The term “Sales Agent” applies exclusively to those users who carry out any type of communication with contacts registered in the Vixiees system or use the task system.

2.2. Users who do not carry out direct communications (supervisors, IT staff, managers or other equivalent profiles) will not be classified as Sales Agents and, consequently, will not be subject to the corresponding license fee.

3 Use of telephony and derived services

3.1. The minute packs included per license, additional services (recording, transcription, AI, etc.) and excess usage costs will be those published within the application.

3.2. For the calculation of the minutes consumed during the contractual period, Vixiees will add together the total minutes used by all active accounts under the CLIENT's subscription and divide them by the number of active sales agents, in order to determine the average usage per agent.

3.3. The proportion of incoming calls received by the CLIENT must not exceed 5,000 minutes per contracted telephone line. Any excess will be charged according to the rates published in the application.

3.4. If the CLIENT exceeds the contracted pricing in the additional services, Vixiees will make additional charges for excessive use. These charges may be made daily, within a maximum period of 24 hours from their completion.

3.5. Vixiees will notify the CLIENT by email before the full amount of minutes included in its pack is reached, in order to allow it, if required, to opt for a higher-tier pack.

4 SMS and WhatsApp service

4.1. The applicable SMS rates will be those published in the application. An SMS segment is understood to mean up to a maximum of 160 characters; messages exceeding that length will be charged as additional segments.

4.2. Meta, as the owner of WhatsApp, is solely responsible for setting and pricing the costs associated with each conversation window. The CLIENT may consult the updated costs at any time on the official Meta-WhatsApp page.

4.3. Vixiees acts solely as a technology provider (Tech Provider) and assumes no responsibility for the costs applied by Meta or for any changes thereto.

4.4. The CLIENT is solely responsible for the content, destination and purpose of such communications, as well as for ensuring that it has an appropriate legal basis for the processing of personal data and for the sending of communications, whether by prior, express and informed consent of the recipients or any other lawful basis admitted by applicable law.

4.5. The CLIENT undertakes to comply with the information obligations and to enable appropriate opt-out mechanisms or unsubscribing from the receipt of commercial communications and to comply at all times with the applicable regulations on data protection and information society services and electronic communications.

5 Geographic scope and contracted territory

5.1. The financial terms and rates apply to the contracted territory, meaning the country that the CLIENT chose in its first contract as the default country for the account.

5.2. If the CLIENT requires numbering or intends to make communications (calls, SMS, WhatsApp) on a recurring basis from or to numbers in other countries, it must request from Vixiees the corresponding information on the applicable international pricing.

6 Future services

6.1. Any agreed financial term applies only to the services and products currently offered by Vixiees. Any new or modified product or service in the future will be communicated and agreed by means of an update or contractual annex.

ANNEX 2 — DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement forms an integral part of the SaaS services agreement entered into between:

• The CLIENT, hereinafter “the Data Controller”, and

• Vixiees Tech-Hub, S.L., hereinafter “the Data Processor”.

For the purposes of Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and the applicable regulations:

• The CLIENT acts as Data Controller, as it determines the purposes and means of the processing of personal data hosted on the platform.

• Vixiees acts as Data Processor, processing such data solely on behalf of the Controller and exclusively for the provision of the contracted services.

SUBJECT MATTER OF THE DATA PROCESSING ENGAGEMENT

These clauses authorize the Data Processor to process, on behalf of the Data Controller, the personal data necessary to provide the services described in the main agreement and, where applicable, on behalf of other companies in the Controller's group to which the services are also provided, detailed in Annex I of this DPA.

The Controller undertakes to provide the Processor with the data of those third parties (companies in its group) that use the application under the license granted, as well as any structural changes (mergers, spin-offs, segregations) relevant to data protection. The Controller shall bear the consequences arising from failure to provide such notice.

The processing shall consist of accessing, consulting and, where appropriate, modifying the data, arising from the use of the license and the provision of the associated services.

IDENTIFICATION OF THE INFORMATION AFFECTED

All personal data contained in the application are made available to the Processor, including:

• Identifying data of the Controller's contacts (name, surname, email, telephone).

• Professional data (company, position).

• Communications, including voice recordings and transcripts.

• Metadata derived from the use of AI functionalities (summaries, labels).

• Data of the Controller's own users/employees with access to the platform.

The categories of data subjects include the Controller's business contacts, customers or leads and its employees or authorized collaborators.

The Controller declares that the data accessed by the Processor have been lawfully obtained and in compliance with data protection regulations.

TERM

This agreement shall have a term equal to that of the main agreement entered into between the parties.

Once terminated, the Processor shall return to the Controller or transfer to another Processor designated by the Controller the personal data, and shall delete the copies in its possession. However, it may keep the data blocked in order to address administrative or judicial liabilities.

OBLIGATIONS OF THE DATA PROCESSOR

The Processor and all its staff undertake to:

a. Use the personal data solely for the purpose of this engagement. It may not use them for its own purposes. In particular, the Processor will not use the Controller's data, recordings, transcripts or content to train Artificial Intelligence models, whether its own or those of third parties.

b. Process the data in accordance with the Controller's instructions. If the Processor considers that any instruction breaches the GDPR or other data protection regulations, it shall immediately inform the Controller.

c. Keep, in writing, a record of all categories of processing activities carried out on behalf of the Controller (contact details of the parties, categories of processing, international transfers, technical and organizational measures).

d. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, complying with Article 32 of the GDPR.

e. Not disclose the data to third parties, except with the express authorization of the Controller or in legally admissible cases. However, the Controller authorizes the Processor to disclose the data to the other entities in the corporate group to which the Controller belongs, the Controller guaranteeing the lawfulness of the transfer and the relevant consents.

f. Subcontract with the authorized providers referred to in clause 8 of this DPA, who shall observe the same security measures. To subcontract any other service, the Processor shall notify the Controller in writing; if the Controller does not object within two calendar days, the subcontracting may proceed.

The subcontractor, who also has the status of Data Processor, is likewise obliged to comply with the obligations established in this document for the Data Processor and the instructions issued by the controller. It is for the initial processor to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as it is, as regards the proper processing of personal data and the guarantee of the rights of the affected individuals. In the event of breach by the subprocessor, the initial processor shall remain fully liable to the controller with respect to compliance with the obligations.

g. Observe the duty of confidentiality and professional secrecy with respect to the data to which it has access, this obligation surviving termination of the agreement.

h. Ensure that authorized personnel receive the necessary training in personal data protection, and that they undertake in writing to respect confidentiality.

i. Notification of security breaches: the Processor shall notify the Controller, without undue delay, of any personal data breaches of which it becomes aware, providing at least the nature of the breach, the contact details of the DPO or contact point, the possible consequences and the measures adopted. Notification shall not be required if the breach is unlikely to constitute a risk to the rights and freedoms of natural persons.

j. Data subject rights: when affected persons exercise their rights before the Processor, the Processor shall immediately inform the Controller and, in any case, no later than the next business day after receipt of the request.

k. Make available to the Controller the information necessary to demonstrate compliance with its obligations, allowing inspections or audits. The parties shall agree in advance on the date, schedule and conditions, with at least 30 days’ prior notice. The cost of the Processor's means, time and staff for such inspections shall be budgeted separately, and their amount shall be borne by the Controller.

l. Assist the Controller in implementing the necessary security measures to ensure the ongoing confidentiality, integrity, availability and resilience of systems; restore availability and access to data promptly in the event of an incident; and regularly verify and evaluate the effectiveness of the measures implemented.

m. Support the Controller in data protection impact assessments, where appropriate, and in prior consultations with the Spanish Data Protection Agency.

n. Make backup copies of the Controller's databases every 24 hours, without prejudice to the Controller's duty to maintain its own backup processes.

o. Destination of the data: destroy the data once performance has been completed. However, it may retain a blocked copy while liabilities may arise from the performance.

5 OBLIGATIONS OF THE DATA CONTROLLER

a. Provide the Processor with access to the data in order to provide the contracted service.

b. Apply appropriate technical and organizational measures and demonstrate that the processing complies with current legislation.

c. Carry out a risk analysis and, where appropriate, a data protection impact assessment on the processing to be carried out by the Processor.

d. Ensure compliance with the GDPR throughout the entire processing.

e. Supervise the processing, including any necessary checks and audits.

f. Ensure that the Data Protection Officer, or failing that the Security Officer, participates appropriately and in a timely manner in all related matters.

g. Obtain the consent of the interlocutors in cases of recording and transcription of communications, and inform end customers about the processing of their personal data, including the use of AI technology where applicable. The Processor is exempt from any liability arising from the Controller's failure to comply with these duties.

h. Have a valid legal basis if the platform is used for sending electronic commercial communications (including, among others, SMS, WhatsApp-type instant messaging or other equivalent services) in order to ensure full compliance with the applicable regulations on data protection and information society services and electronic communications. The Controller likewise undertakes to comply with its information obligations to recipients, to provide mechanisms for unsubscribing from the receipt of commercial communications and to be able to prove, at any time, compliance with such obligations. The Data Processor shall not be responsible for the use that the Data Controller makes of the platform in relation to the sending of electronic communications, nor for the consequences arising from the Data Controller's failure to comply with the applicable regulations in this area.

**h. **Use the AI tools and solutions provided by the Processor in accordance with Regulation (EU) 2024/1689 (Artificial Intelligence Act), refraining from fraudulent use or from carrying out prohibited practices.

6 GENERAL CLAUSES

a. The failure by either party to enforce its rights shall not be deemed a future waiver of those rights.

b. The legal relationship between the parties with regard to data protection is governed by this sole Agreement, replacing any prior agreement on the same subject matter.

c. Both parties undertake to comply with the regulatory provisions in force at all times regarding the protection of personal data.

d. The Processor shall not be liable for consequences towards third parties for following the Controller's instructions.

e. If any stipulation is found to be void, the rest shall not be affected.

f. This Agreement does not constitute a partnership, joint venture, agency or employment contract between the parties.

7 NOTIFICATIONS

a. Any notice between the parties shall be made in writing and by any means that certifies receipt.

b. Any change of address must be notified to the other party immediately.

8 AUTHORIZED SUBPROCESSORS

The Controller expressly authorizes the Processor to subcontract, as subprocessors, the providers listed below. All of them apply the technical and organizational measures required by the GDPR and are subject to contractual obligations equivalent to those of the Processor.

All servers used for processing are located in the European Union. Any addition or replacement of a subprocessor will be communicated to the Controller through the usual channels with reasonable prior notice, and the Controller may object within the period indicated in clause 4.f above.

In addition, the Controller authorizes the Data Processor to engage external collaborators to provide auxiliary development, maintenance, technical support or other services necessary for the proper performance of the contracted services.

Such collaborators may, where necessary, access personal data on behalf of the Processor, acting at all times under its authority and in accordance with its instructions, and shall be subject to confidentiality obligations and to security measures equivalent to those provided for in this Agreement.

In those cases where such collaborators are located outside the European Economic Area, the Data Processor guarantees that access to personal data is carried out subject to appropriate safeguards in accordance with the applicable regulations on personal data protection.