SaaS Services Agreement

GENERAL AGREEMENT

SaaS service provider: Vixiees Tech-Hub, S.L., with tax ID B44570174 and registered office at C/ Lepant 270, 08013 Barcelona (Spain) (hereinafter, “Vixiees”). The user of the service or services (hereinafter, the “CLIENT”) accepts the conditions set out in this agreement. Use of the service entails full acceptance of these conditions.

1 Subject matter scope

This agreement and the Vixiees platform are intended exclusively for companies and professionals. The application is not intended for consumers or individual users. The CLIENT states that it is contracting as a company or professional for the purposes of the applicable regulations.

2 License of use and intellectual property

2.1 Vixiees grants the CLIENT a non-exclusive, non-transferable, non-sublicensable and revocable license to use the Vixiees software, limited to the term of the agreement and to web use through the assigned credentials.

2.2. All intellectual and industrial property rights over the software, the platform, the brand, the logos, the source code, the documentation, the interfaces, the models, the know-how and any improvement or development derived therefrom belong exclusively to Vixiees or its licensors. No rights other than the use license described are transferred to the CLIENT.

2.3. The CLIENT undertakes not to carry out reverse engineering, decompilation, disassembly, resale, sublicensing, copying, modification, assignment or creation of derivative works of the platform, except where mandatory law so permits.

2.4. The data, contacts, recordings, transcripts, content and databases that the CLIENT enters or generates through use of the platform are and shall remain the property of the CLIENT. Vixiees will process them only under the terms set out in Annex 2 (DPA).

2.5. The CLIENT acknowledges that the access URLs to the contracted product are the property of Vixiees.

3 Data protection

3.1 Since, for the provision of the services described in this Agreement, the processing of personal data is necessary and in compliance with the provisions of Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights of December 5, 2018 (LOPDGDD) and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), it is necessary to enter into a specific Data Protection agreement in which the relationship between the Client, as Data Controller, and Vixiees Tech-Hub S.L. as Data Processor, will be formalized.

In this regard, the processing of personal data arising from the provision of the service shall be governed by the Data Processing Agreement (DPA) in Annex 2, which forms an integral part of this agreement.

3.2 Likewise, in accordance with the aforementioned regulations, the legal representatives of the signing parties accept the processing of the personal data collected in this Agreement for purposes related to the services described herein and their accounting and administrative management. The lawfulness of this processing is based on Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract to which the data subject is party.

3.3 Personal data will be retained for as long as the contractual relationship lasts. Once this relationship ends, your data may continue to be retained in order to comply with any applicable legal obligation and to deal with any claims until the maximum limitation period for actions that may arise from this relationship expires. Once the limitation periods have elapsed, the personal data will be deleted.

3.4 The CLIENT may exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability and not to be subject to automated individual decisions (including profiling), by sending a request with the subject "Data Protection", to the email address: contact@vixiees.com, from the same account it provided us, indicating its contact details.

3.5 If the parties consider that their rights have been violated, they may exercise the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

3.6 It is hereby stated that the Data Protection Officer is: Grupo Datcon Sur S.L.U. C/ Dr. Duarte Acosta 7, 11500, El Puerto de Santa María, Cádiz.

4 Call recordings and Artificial Intelligence

4.1. The platform allows the CLIENT's communications to be recorded, transcribed and analyzed. It is the CLIENT's sole responsibility to obtain the consent of the interlocutors for the recording and processing of their data, as well as to comply with the information obligations arising from the applicable regulations.

4.2. The maximum retention period for recordings and transcripts on the platform is 6 months, after which Vixiees will delete them unless the CLIENT expressly contracts for a longer period.

4.3. Vixiees does not use the CLIENT's data, recordings, transcripts or content to train Artificial Intelligence models, whether its own or third-party models.

4.4. The CLIENT undertakes to use the Artificial Intelligence functionalities in accordance with the applicable regulations, in particular Regulation (EU) 2024/1689 (Artificial Intelligence Act), refraining from any fraudulent use or from carrying out any of the practices prohibited by that Regulation.

5 Technical support or inquiries

5.1. Vixiees will provide technical or administrative/commercial support as set out on the websites related to the product to be contracted.

5.2. The response time is a maximum of 24 hours in cases of incidents and technical or functional support, excluding Saturdays, Sundays and official public holidays in Spain.

5.3. The service will be provided during Vixiees' business hours: Monday to Friday from 9:00 a.m. to 6:00 p.m. (mainland Spain time).

5.4. Maintenance services, updates and bug fixes are carried out remotely. They do not include travel to the CLIENT's premises.

6 Billing and payments

6.1. All prices, fees and applicable economic conditions will be published at all times in the pricing section within the Vixiees application. Such information forms an integral part of the agreement.

6.2. Prices will always be published excluding taxes. Applicable taxes (VAT or other equivalents) will be added on the invoice according to the default country of the CLIENT's account.

6.3. Payment is monthly. On the day of registration, an invoice will be issued for the proportional part of the remaining days of the month; subsequent invoices will be issued within the first five (5) days of each month. Payment will be made by SEPA transfer or credit/debit card.

6.4. Vixiees may modify the prices and economic conditions by up to a maximum of 10% per year, with a minimum notice period of 90 days to the CLIENT. If said period elapses without the CLIENT's express objection, the new conditions shall be deemed accepted.

6.5. In the event of a returned payment, delay or non-payment after 5 days from the invoice date, Vixiees may suspend the service until payment is confirmed. In the event of a returned direct debit, the CLIENT will be charged an additional fifteen (15) € + VAT for bank fee costs.

6.6. After repeated delays or non-payments, Vixiees may request that the CLIENT provide a security deposit in an amount equal to the current fee.

6.7. If Vixiees has to cancel a service due to non-payment, it will not be liable for any damages that may be caused to the CLIENT or its customers.

7 Duration and service cancellation

7.1. The duration of the agreement will depend on the conditions agreed upon at the time of contracting and on the maintenance of the associated payments.

7.2. Fees already invoiced or paid will not be refundable, regardless of the time of month in which the cancellation occurs.

7.3. Cancellation will become effective once processed by the system and, in any event, within 72 hours from the request made in the application.

7.4. The CLIENT shall be entitled to request a copy of its data within 72 hours following the effective date of cancellation, in accordance with the provisions of the DPA (Annex 2). Vixiees will deliver the data in a technically viable format, which may include, among others, CSV files, audio files and transcripts. Proper subsequent handling of the data shall be the CLIENT's responsibility.

7.5. In the hypothetical event that Vixiees cancels the service without the CLIENT having breached any of the conditions described herein, the amount corresponding to the proportional part of the unused period shall be refunded.

8 Termination for breach

8.1. Either party may terminate this agreement for material breach by the other party, subject to prior written notice identifying the breach and granting a period of 30 calendar days to remedy it. If the breach is not remedied within that period, the agreement will be automatically terminated.

8.2. Notwithstanding the foregoing, cases of non-payment (clause 6) and unlawful use or misuse of the platform (clauses 9 and 10) shall be governed by the specific immediate suspension or cancellation mechanisms provided for in the corresponding clauses, without the need for any cure period.

9 Acceptable use of the platform

9.1. The CLIENT undertakes to use the platform solely for the purposes permitted in this agreement and in full compliance with applicable law. The following are expressly prohibited:

• using the platform for illegal, fraudulent or morally or publicly order contrary purposes;

• hosting or transmitting illegal content, including child pornography or copyrighted content (music, video, software) without a license;

• using the service to carry out SPAM or massive and indiscriminate sending of emails, SMS or WhatsApp messages;

• carrying out reverse engineering, decompilation, disassembly, copying, resale or creation of derivative works;

• performing load tests, benchmarking, scraping or unauthorized mass data extraction;

• bypassing the platform's security mechanisms or technical limits;

• creating fake accounts, sharing credentials or allowing access to unauthorized third parties;

• subletting or assigning the service to other customers or third parties unless expressly provided for in the special conditions.

10 Immediate suspension for misuse

10.1. Vixiees reserves the right to suspend or terminate the service immediately and without prior notice in the event that it receives any complaint, notice, request from a competent authority or reasonable evidence of misuse or unlawful use of the platform by the CLIENT.

10.2. The service may be interrupted prior to any clarification. Explanations, claims and any reinstatement will be handled after the suspension.

10.3. Liability to third parties for misuse, hosted content or communications made through the platform shall rest entirely with the CLIENT, who shall hold Vixiees harmless from any claim, sanction or damage arising from such use.

11 Warranties and service level (SLA)

11.1. Vixiees shall be responsible for the proper functioning of the contracted product, remedying as soon as possible any incident arising from its malfunction.

11.2. Vixiees guarantees a monthly platform availability level of 99% (uptime), calculated on a monthly calendar basis and excluding previously notified maintenance windows, force majeure events and incidents attributable to third-party providers or to the CLIENT itself.

11.3. Vixiees is not responsible for service malfunction due to issues associated with its providers, nor for incidents arising from misuse by the CLIENT, in which case it may charge the corresponding costs.

11.4. Vixiees does not guarantee that the services will meet the CLIENT's specific needs. Any lack of suitability may not be grounds for termination of the agreement or for non-payment of fees.

11.5. The CLIENT must report any incident to contact@vixiees.com or through the channels indicated on the website related to the subscribed product.

11.6. Vixiees will make backups every 24 hours of the CLIENTS' databases, from which the service may be restored in the event of a serious incident. The foregoing does not exempt the CLIENT from maintaining its own backup processes. The specific retention and restoration conditions shall be governed, where applicable, by the DPA.

11.7. The CLIENT must take all measures within its reach to prevent access by unauthorized third parties and must ensure the secrecy of passwords, changing them at the slightest suspicion.

12 Technical requirements

12.1. The Vixiees platform is optimized for the latest versions of the Google Chrome browser. Other browsers may work, but Vixiees does not guarantee full compatibility or an optimal experience outside that environment.

12.2. The CLIENT is responsible for having an Internet connection, hardware and configuration suitable for using the service.

13 Developer API

13.1. The uses, technical limits, call quotas and other terms applicable to the Vixiees API are published at https://developers.vixiees.com and must be consulted there by the CLIENT, and form an integral part of this agreement.

14 Certifications and security

14.1. Vixiees holds the CASA Tier 2 certification required by Google, certifying the application of standard security controls over the service provided.

15 Responsibilities and limitation of liability

15.1. Vixiees shall not be liable for loss of profits, loss of revenue, loss of data or indirect or consequential damages arising from the use, operation or performance of the software.

15.2. Without prejudice to the CLIENT's mandatory rights, the aggregate maximum liability of Vixiees for any claims arising out of or related to this agreement shall be limited to the amount actually paid by the CLIENT to Vixiees during the twelve (12) months immediately preceding the event giving rise to liability.

15.3. Vixiees shall not be liable for breach of its obligations if their performance has been prevented, interfered with or delayed by circumstances beyond its reasonable control, including, without limitation, acts of force majeure, acts of God, strikes, riots, lockouts, acts of war, epidemics, official acts or regulations, fires, communication failures, power supply failures, lightning, earthquakes, floods and disasters.

15.4. Vixiees is not responsible for misuse of the platform with third-party services (for example Facebook, WhatsApp or others) and no type of compensation may be claimed for this.

15.5. Service means access to the platform and use of the functionalities designed by Vixiees. Any other functionality related to third-party integrations, which Vixiees does not own, has no direct relationship with Vixiees, which is not responsible for any issues arising from their use.

16 Modifications

16.1. The conditions of this agreement may be modified by Vixiees, with notice given by the means it deems necessary, 90 days in advance. If during this period the CLIENT does not expressly reject the change, it shall be deemed to accept the modifications.

17 Assignment of the agreement

17.1. The CLIENT may not assign this agreement, in whole or in part, to a third party without Vixiees' prior written consent.

17.2. Vixiees may assign the agreement to any entity in its group or to third parties in the context of corporate transactions (mergers, spin-offs, sale of assets, etc.), informing the CLIENT.

18 Number portability

18.1. Upon cancellation of the service, the CLIENT may request the portability of telephone numbers to another operator. Vixiees will not charge costs for number porting out; if costs attributable to third parties (wholesale operators or others) arise during the process, such costs will be passed on in full to the CLIENT.

19 Server contents

19.1. Vixiees shall not be responsible for the content and data hosted in the database of Vixiees' provider virtual server, as they are the property of the CLIENT.

19.2. The CLIENT is hereby informed that the server on which the information and web applications are hosted is located in Europe, within the territory of the European Union, and the CLIENT unequivocally accepts this fact.

20 Customer and Users

20.1. Concepts:

Client: account to which the subscription is assigned and on which the contracted users are generated.

User: the different users contained in an account who access the contracted product.

The minimum configuration is 1 Client / 5 Users.

21 Use of the CLIENT's name and logo

21.1. The CLIENT authorizes Vixiees to include the name and logo of its company in Vixiees' list of clients and on its website. If the CLIENT wishes to opt out, it may notify contact@vixiees.com at any time.

22 Surviving clauses

22.1. The clauses relating to intellectual property (clause 2) and the residual obligations regarding personal data processing provided for in Annex 2 (DPA), as well as any other clauses that by their nature must remain in force after termination of the agreement, shall survive termination of this agreement for any reason.

23 Jurisdiction and governing law

23.1. This agreement is governed by Spanish law.

23.2. Both parties submit to the Courts and Tribunals of Barcelona (Spain) for the resolution of any dispute that may arise, expressly waiving their own jurisdiction if it were different.

24 Order of precedence

24.1. In the event of a contradiction between the various documents that make up the contractual relationship, the following order shall prevail:

• 1st Special Conditions (Annex 1).

• 2nd Data Processing Agreement (Annex 2, DPA).

• 3rd General Conditions of this agreement.

• 4th Prices and conditions published within the application.

Notes

The contracted service includes access to Vixiees' functionalities according to what is configured in the application. The rest of the functionalities (integrations, calls, messages, AI, etc.) that entail an additional cost are not included in the service's fixed pricing and are detailed within the application and, where applicable, in the special conditions.

ANNEX 1 — SPECIAL CONDITIONS

1 Economic conditions

1.1. All economic conditions applicable to the contracted services (license price, included call packs, extra minute rates, SMS, WhatsApp, recordings, transcripts, Artificial Intelligence-based solutions and other additional services) are published and updated in the pricing section within the Vixiees application.

1.2. These economic conditions form an integral and inseparable part of this agreement and will be those in force at the time of accrual, without prejudice to clause 6.4 of the General Conditions regarding the annual cap of 10% and the 90-day prior notice.

1.3. Prices will be published excluding taxes. Applicable taxes will be added on the invoice according to the default country of the CLIENT's account.

2 Definition of Commercial Agent

2.1. The term “Commercial Agent” applies exclusively to those users who carry out any type of communication with contacts registered in the Vixiees system or use the task system.

2.2. Users who do not carry out direct communications (Supervisors, IT staff, managers or other equivalent profiles) will not be classified as Commercial Agents and, consequently, will not be subject to the corresponding license fee.

3 Use of telephony and derived services

3.1. The minute packs included per license, additional services (recording, transcription, AI, etc.) and overage costs will be those published within the application.

3.2. For the calculation of the minutes consumed during the contractual period, Vixiees will add up the total minutes used by all active accounts under the CLIENT's subscription and divide them by the number of active commercial agents, in order to determine the average use per agent.

3.3. The proportion of incoming calls received by the CLIENT must not exceed 5,000 minutes for each contracted telephone line. Any excess will be charged according to the rates published in the application.

3.4. If the CLIENT exceeds the contracted pricing for additional services, Vixiees will make additional charges for the excess use. These charges may be made daily, within a maximum period of 24 hours from completion.

3.5. Vixiees will notify the CLIENT by email before all the minutes included in its package are used up, in order to allow it, if it so requires, to choose a higher package.

4 SMS and WhatsApp Service

4.1. The applicable SMS rates will be those published in the application. An SMS segment is understood to be up to a maximum of 160 characters; messages exceeding this length will be charged as additional segments.

4.2. Meta, as the owner of WhatsApp, is solely responsible for establishing and pricing the costs associated with each conversation window. The CLIENT may consult the updated costs at any time on the official Meta-WhatsApp page.

4.3. Vixiees acts solely as a technology provider (Tech Provider) and assumes no responsibility for the costs applied by Meta or for any changes thereto.

4.4. The CLIENT is solely responsible for the content, destination and purpose of such communications, as well as for ensuring that it has an adequate legal basis for the processing of personal data and for sending communications, whether that basis is the prior, express and informed consent of the recipients or any other legitimizing basis admitted by the applicable regulations.

4.5. The CLIENT undertakes to comply with the information obligations and to enable appropriate objection mechanisms or unsubscribing from the receipt of commercial communications and to comply at all times with the applicable regulations on data protection and on information society services and electronic communications.

5 Geographic scope and contracted territory

5.1. The economic conditions and rates apply to the contracted territory, meaning the country that the CLIENT chose in its first contract as the default country of the account.

5.2. If the CLIENT requires numbering or needs to make communications (calls, SMS, WhatsApp) on a recurring basis from or to numbers in other countries, it must request from Vixiees the corresponding information on the applicable international pricing.

6 Future services

6.1. Any economic condition stipulated applies only to the services and products currently offered by Vixiees. Any new or modified product or service in the future will be communicated and agreed through an update or contractual annex.

ANNEX 2 — DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement forms an integral part of the SaaS services provision agreement entered into between:

• The CLIENT, hereinafter “the Data Controller”, and

• Vixiees Tech-Hub, S.L., hereinafter “the Data Processor”.

For the purposes of Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and the applicable regulations:

• The CLIENT acts as Data Controller, by determining the purposes and means of the processing of the personal data hosted on the platform.

• Vixiees acts as Data Processor, processing such data only on behalf of the Controller and exclusively for the provision of the contracted services.

OBJECT OF THE DATA PROCESSING ASSIGNMENT

By means of these clauses, the Data Processor is authorized to process, on behalf of the Data Controller, the personal data necessary to provide the services described in the main agreement and, where applicable, on behalf of other companies in the Controller's group to which the services are also provided, detailed in Annex I of this DPA.

The Controller undertakes to communicate to the Processor the data of those third parties (companies in its group) that use the application under the license granted, as well as any structural changes (mergers, spin-offs, demergers) relevant to data protection. The Controller shall assume the consequences arising from the omission of such communication.

The processing shall consist of access to, consultation of and, where applicable, modification of the data, arising from the use of the license and the provision of the associated services.

IDENTIFICATION OF THE AFFECTED INFORMATION

All personal data contained in the application are made available to the Processor, among which may be:

• Identification data of the Controller's contacts (name, surname, email, phone number).

• Professional data (company, position).

• Communications, including voice recordings and transcripts.

• Metadata derived from the use of AI functionalities (summaries, tags).

• Data of the Controller's own users/employees with access to the platform.

Categories of data subjects include the Controller's business contacts, customers or leads, and its employees or authorized collaborators.

The Controller declares that the data accessed by the Processor have been lawfully obtained and in compliance with data protection regulations.

TERM

This agreement shall have a term equal to that of the main agreement entered into between the parties.

Once it ends, the Processor shall return to the Controller or transmit to another Processor designated by the Controller the personal data, and shall delete the copies in its possession. However, it may keep the data blocked in order to address administrative or judicial liabilities.

OBLIGATIONS OF THE DATA PROCESSOR

The Processor and all its personnel undertake to:

a. Use personal data only for the purpose of this assignment. It may not use them for its own purposes. In particular, the Processor will not use the Controller's data, recordings, transcripts or content to train Artificial Intelligence models, whether its own or those of third parties.

b. Process the data in accordance with the Controller's instructions. If the Processor considers that any instruction breaches the GDPR or other data protection regulations, it shall immediately inform the Controller.

c. Keep, in writing, a record of all categories of processing activities carried out on behalf of the Controller (parties' contact details, categories of processing, international transfers, technical and organizational measures).

d. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in compliance with Article 32 of the GDPR.

e. Not disclose the data to third parties, except with the express authorization of the Controller or in legally admissible cases. However, the Controller authorizes the Processor to disclose the data to the other entities of the corporate group to which the Controller belongs, the Controller guaranteeing the lawfulness of the transfer and the relevant consents.

f. Subcontract with the authorized providers referred to in clause 8 of this DPA, who shall observe the same security measures. To subcontract any other service, the Processor shall notify the Controller in writing; if the Controller does not object within two calendar days, the subcontracting may take place.

The subcontractor, who is also a Data Processor, is likewise obliged to comply with the obligations established in this document for the Data Processor and with the instructions issued by the controller. It is the responsibility of the initial processor to regulate the new relationship, so that the new processor is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as it, with regard to the proper processing of personal data and the guarantee of the rights of the affected persons. In the event of non-compliance by the subprocessor, the initial processor shall remain fully liable to the controller with regard to compliance with the obligations.

g. Observe the duty of confidentiality and professional secrecy with respect to the data it has access to, this obligation surviving termination of the agreement.

h. Ensure that authorized personnel have the necessary knowledge regarding personal data protection and that they undertake in writing to respect confidentiality.

i. Notification of security breaches: the Processor shall notify the Controller, without undue delay, of any personal data security breaches of which it becomes aware, providing at least the nature of the breach, the contact details of the DPO or contact point, the possible consequences and the measures adopted. Notification shall not be required if it is unlikely that the breach would pose a risk to the rights and freedoms of natural persons.

j. Data subjects' rights: when affected persons exercise their rights before the Processor, the Processor shall communicate this to the Controller immediately and, in any case, no later than the business day following receipt of the request.

k. Make available to the Controller the information necessary to demonstrate compliance with its obligations, allowing inspections or audits. The parties shall agree in advance on the date, time and conditions, with a minimum prior notice of 30 days. The cost of the Processor's resources, time and personnel for such inspections will be estimated separately, and its amount shall be borne by the Controller.

l. Assist the Controller in implementing the security measures necessary to ensure the continuing confidentiality, integrity, availability and resilience of the systems; restore availability and access to the data quickly in the event of an incident; and regularly verify and assess the effectiveness of the implemented measures.

m. Support the Controller in data protection impact assessments, where applicable, and in prior consultations with the Spanish Data Protection Agency.

n. Make backup copies of the Controller's databases every 24 hours, without prejudice to the Controller's duty to maintain its own backup processes.

o. Destination of the data: destroy the data once the service has been provided. However, it may retain a blocked copy while liabilities may arise from performance.

5 OBLIGATIONS OF THE DATA CONTROLLER

a. Provide the Processor with access to the data in order to be able to provide the contracted service.

b. Apply appropriate technical and organizational measures and demonstrate that the processing complies with current legislation.

c. Carry out a risk analysis and, where applicable, an impact assessment on the processing activities to be carried out by the Processor.

d. Ensure compliance with the GDPR throughout the entire processing.

e. Supervise the processing, including the necessary checks and audits.

f. Ensure that the Data Protection Officer, or failing that the Security Officer, participates appropriately and in a timely manner in all related matters.

g. Obtain the consent of the interlocutors in cases of recording and transcription of communications, and inform end customers about the processing of their personal data, including the use of AI technology where applicable. The Processor is exempt from any liability arising from the Controller's failure to comply with these duties.

h. Have a valid legal basis if using the platform to send electronic commercial communications (including, among others, SMS, instant messaging such as WhatsApp or other equivalent services) in order to ensure full compliance with the applicable regulations on data protection and on information society services and electronic communications. The Controller also undertakes to comply with the information obligations to recipients, to provide mechanisms for unsubscribing from the receipt of commercial communications and to be able to demonstrate, at any time, compliance with such obligations. The Data Processor shall not be responsible for the use the Data Controller makes of the platform in relation to the sending of electronic communications, nor for the consequences arising from the Data Controller's failure to comply with the applicable regulations in this area.

**h. **Use the tools and AI-based solutions provided by the Processor in accordance with Regulation (EU) 2024/1689 (Artificial Intelligence Act), refraining from fraudulent use or from carrying out prohibited practices.

6 GENERAL CLAUSES

a. The failure of either party to enforce its rights shall not be deemed a future waiver of those rights.

b. The legal relationship between the parties in relation to data protection is governed by this sole Agreement, replacing any prior agreement on the same subject matter.

c. Both parties undertake to comply with the regulatory provisions in force at any given time regarding the protection of personal data.

d. The Processor shall not be liable for the consequences to third parties of following the Controller's instructions.

e. If the invalidity of any provision is established, the remainder shall not be affected.

f. This Agreement does not constitute a partnership, joint venture, agency or employment contract between the parties.

7 NOTIFICATIONS

a. Any notification between the parties shall be made in writing and by any means that certifies receipt.

b. Any change of address must be notified immediately to the other party.

8 AUTHORIZED SUBPROCESSORS

The Controller expressly authorizes the Processor to subcontract, as subprocessors, the providers listed below. All of them apply the technical and organizational measures required by the GDPR and are subject to contractual obligations equivalent to those of the Processor.

All servers used for processing are located in the European Union. Any new subcontractor or replacement of a subprocessor will be communicated to the Controller by the usual means with reasonable notice, and the Controller may object within the period indicated in the previous clause 4.f.

In addition, the Controller authorizes the Data Processor to engage external collaborators for the provision of auxiliary development, maintenance, technical support or other services necessary for the proper performance of the contracted services.

Such collaborators may, where necessary, access personal data on behalf of the Processor, acting at all times under its authority and in accordance with its instructions, and remaining subject to confidentiality obligations and security measures equivalent to those provided for in this Agreement.

In cases where such collaborators are located outside the European Economic Area, the Data Processor guarantees that access to the personal data is carried out subject to the appropriate safeguards in accordance with the applicable regulations on personal data protection.