Terms and Conditions

Subscriber and Panviva agree as follows:

  1. Subscription.

    1. These Subscription Agreement Terms and Conditions (“Terms”) shall apply to Subscriber’s use of the Services described in any Order signed by Subscriber and Panviva. Capitalized terms not defined in an Order or in the body of the Terms or an exhibit accompanying such Terms shall have the meanings set forth in Section 24.
    2. During the Subscription Term, Panviva grants to Subscriber a non-exclusive, non-transferable right to permit named individuals authorized by Subscriber, and who are employees or individual contractors of Subscriber (“Users”), to access and use the Services subject to this Agreement for the Permitted Purpose. Subscriber must ensure that Users comply with this Agreement and must use reasonable efforts to prevent unauthorized access to or use of the Services.
    3. The number of users for a Service shall not exceed the number subscribed for in current Orders.
    4. Subscriber agrees to be liable to pay all additional fees for any Unauthorized Users.
  2. Term.

    This Agreement commences on the Start Date set out in the initial Order and, unless terminated in accordance with this Agreement, shall remain in effect until the end of the Subscription Term.  All rights and obligations of the parties, which by their nature are reasonably intended to survive termination, shall survive termination.

  3. Panviva Obligations.

    Panviva will provide the Services (including the Support Services) to the Subscriber in accordance with this Agreement.

  4. Fees and Renewal.

    1. Unless agreed otherwise in advance, the Fee for the Subscription Term must be paid before the commencement of the Subscription Term.
    2. If Subscriber does not pay the Fee by the agreed-to date, in addition to any other rights, Panviva may suspend the Services or cancel Subscriber’s subscription without notice. Subscriptions for all Services, unless agreed in advance, will automatically renew for an additional period of 12 months unless a party gives the other party notice to terminate not less than 30 days before the end of the relevant Subscription Term. 
    3. By completing an additional Order, Subscriber may add additional subscriptions to use the Services (“Mid-Term Subscriptions”). Unless agreed otherwise, Mid-Term Subscriptions will incur a Fee based on the pro-rata pricing of the Services in the underlying subscription and expire at the end of the Subscription Term at which point they will be aggregated into the renewal of the underlying subscription.
    4. In the case of an automatic renewal, the renewed Services will not include professional service fees (such as training and implementation), which may have been included in any Order in a preceding Subscription Term.
    5. Panviva may increase Fees at each renewal period and will notify the Subscriber of revised Fees at least 45 days before the end of the current Subscription Term. 
  5. Termination.

    1. If Subscriber breaches this Agreement, Panviva may suspend the subscription without notice.
    2. If either party becomes the subject of any bankruptcy, or insolvency related proceeding or process, or breaches this Agreement (and if curable, such breach is not cured within 30 calendar days after written notice of the breach) the non-breaching party may terminate this Agreement as of a date specified in such notice.
    3. If Subscriber terminates this Agreement under this Section 5, all Fees are immediately due and payable unless:
      1. Subscriber notifies Panviva of its intention to terminate this Agreement for breach by Panviva; or
      2. Subscriber notifies Panviva of its intention to terminate this Agreement as a result of Panviva modifying the terms of the Agreement in a manner that has a materially detrimental effect on Subscriber and Subscriber has notified Panviva within 14 days of Panviva’s notice of such change.

      In both these situations, the Agreement shall be terminated effective as of the date of the notification to Panviva, and Subscriber will receive a pro-rata refund for any amount already paid to Panviva in respect of any period after that date.

    4. If Panviva terminates this Agreement under this Section 5, all Fees are immediately due and payable.
    5. Upon termination of this Agreement or expiration of any Subscription Term, Subscriber’s right to access and use the Services will terminate, provided that at the written request of Subscriber, which request must be received by Panviva within 30 days of termination or expiration, Panviva will allow Subscriber to access the Services, but only to the extent necessary for Subscriber to export Subscriber Data.  At any time after 45 days following termination of this Agreement or expiration of any Subscription Term, Panviva may permanently delete any Subscriber Data within the possession or control of Panviva.
    6. On termination or expiration of this Agreement, Panviva must (at Subscriber's request) destroy all Subscriber Data within the possession or control of Panviva.
    7. The obligations in Section 5(f) will not apply to:
      1. Subscriber Data stored on a back-up server for bona fide back-up, security and data recovery purposes, which is not readily accessible; or
      2. any Subscriber Data that Panviva retains in its files as required to comply with any applicable laws, audit or records retention requirement or insurance policies,

      provided that such Subscriber Data that is retained remains subject to the confidentiality obligations set out in this Agreement.

  6. Billing.

    Subscriber must pay the Fees within the terms of the invoice as agreed in the Order.   Except as provided in Section 5 or an Order, all Fees and payment obligations are non-cancellable and non-refundable.

  7. Taxes.

    Except where expressly stated otherwise, the Fee does not include any taxes, levies, duties or similar governmental assessments of any kind, including for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Subscriber is responsible for paying all Taxes associated with Fees. If Panviva has the legal obligation to pay or collect Taxes for which Subscriber is responsible, Panviva will include that amount in addition to the Fees unless Subscriber provides Panviva with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Panviva is solely responsible for taxes assessable against its income, property and employees.

  8. Subscriber Data.

    1. Panviva acknowledges that Subscriber Data is and shall remain the property of Subscriber.
    2. Subscriber is at all times solely responsible for the content and legality of Subscriber Data, how Subscriber Data is acquired, and the transfer of Subscriber Data into and from the Services.
    3. Subscriber acknowledges and agrees responsibility for assessing the suitability of the Services for Subscriber’s requirements, including in relation to the sensitivity of Subscriber Data and any applicable law or regulation, resides at all times exclusively with the Subscriber.
    4. Subject to Panviva’s obligations under this Agreement, Panviva reserves the right to access Subscriber Data for the purpose of testing the operation and performance of the Services.
  9. Restrictions.

    1. Subscriber acknowledges and agrees that the Services are not designed for use with data that may be classified as highly sensitive, personal and/or otherwise subject to information privacy regulations, including without limitation any data subject to laws governing the storage and transmission of personally identifiable information, protected health information or information subject to the Payment Card Industry Data Security Standard (collectively, “Regulated Data”).
    2. Subscriber must not enter Regulated Data in the Services and Panviva shall have no liability under any circumstances with respect to Subscriber Data that is Regulated Data. 
    3. For clarity, the Regulated Data limitation in Section 9(b) does not apply to Personal Information contained in User Validation Information.
    4. Subscriber must use the Services only for the Permitted Purpose and in a manner consistent with the other terms of this Agreement. Subscriber must not (i) use the Services to provide a bureau or similar service; (ii) sublicense, re-license or sell rights to access or use the Services, or transfer or assign rights to access or use the Services; or (iii) modify, make derivative works of, reverse engineer, disassemble, decompile or otherwise reproduce the operation of the Services or any part of the Services or the Software and materials used or created by Panviva to provide the Services. Subscriber may not, and may not engage another party, to undertake security testing, load testing, performance testing or any automated or other forms of testing of the Service.
  10. Ownership.

    All Intellectual Property Rights in the Services and any Documentation (including all derivatives, modifications or improvements thereon) are and shall at all times remain the sole and exclusive property of Panviva.  Panviva will own all Intellectual Property Rights in: (a) all suggestions, enhancements requests, feedback, recommendations or other improvements provided by Subscriber to Panviva relating to the Services; (b) content, images and documentation provided by Subscriber to Panviva as part of any Subscriber Contributions; and (c) anonymized data generated by Subscriber’s use of the Services to measure and analyze how the Services operate and how Subscriber interacts with the Services (such as usage patterns, latency, networks and other performance data).

  11. Confidentiality and Security.

    Each party agrees to hold the other’s Confidential Information in strict confidence and not to copy, reproduce, sell, transfer, or otherwise dispose of, give or disclose such Confidential Information to third parties other than employees, agents, or subcontractors of a party who have a need to know for the purposes of, and in accordance with, this Agreement, or if either party is required to do so by law or an exchange or in connection with legal proceedings relating to this Agreement. Each agrees to advise and require their respective employees, agents, and subcontractors of their obligations to keep all Confidential Information confidential.

    Panviva will maintain appropriate measures to protect the security and confidentiality of the Subscriber Data, including commercially reasonable physical, technological and administrative measures, as set forth in Exhibit A-3. However, Subscriber acknowledges that security measures are not infallible and may be circumvented, which may result in unauthorized access. Panviva will not be liable for any such unauthorized access, and such access will not constitute a breach of the Agreement, provided such access did not result from Panviva’s failure to adhere to the aforementioned security measures.

  12. Panviva Warranty and Liability.

    1. Panviva warrants that the:
      1. Services shall perform substantially in accordance with the Service Level Agreement (“SLA”) attached hereto as Exhibit A-1. Panviva’s Support Process (“Support”) in connection with the Services is attached hereto as Exhibit A-2.
      2. Panviva shall use commercially reasonable efforts to ensure that the Software shall not contain:
        1. any virus, trojan horse, worm, backdoor or other software or hardware devices the effect of which is to permit unauthorized access or to disable, erase, or otherwise harm any computer, systems or software, or
        2. any time bomb, drop dead device or other software or hardware device designed to disable a computer program automatically with the passage of time, provided, however, that Subscriber acknowledges the Services includes logical access controls which may be used by Panviva to restrict Subscriber’s access to the Services in accordance with the Agreement.
      3. Subscriber agrees that its sole and exclusive remedies for a failure by Panviva to comply with the SLA and/or Support Services are as set forth in the Exhibits.
      4. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, PANVIVA MAKES NO PROMISES, REPRESENTATIONS OR WARRANTIES OF ANY KIND AND EXPRESSLY DISCLAIMS ANY AND ALL PROMISES, REPRESENTATIONS, AND WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE SERVICES, INCLUDING, WITHOUT LIMITATION, CONDITION, CONFORMITY TO ANY REPRESENTATION OR DESCRIPTION, THE EXISTENCE OF ANY LATENT OR PATENT DEFECTS, NON-INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, ANY WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE OR THAT THE SERVICES ARE SUITABLE FOR SUBSCRIBER’S INTENDED USE OR WILL BE UNINTERRUPTED OR ERROR FREE.
      5. Nothing in this Agreement shall exclude, restrict or modify the application of any statutory provision (including a provision of the Competition and Consumer Act 2010 (Cth)) where to do so would contravene that statute or cause any part of this Agreement to be void (“Non-excludable Condition”).
      6. To the extent permitted by law, Panviva’s liability to the Subscriber for any breach of any Non-excludable Condition is limited, at Panviva’s option to: (a) in the case of services, to supplying those services again or payment of the cost of having the services supplied again; and (b) in the case of goods, to providing, replacing or repairing those goods.
  13. Mutual Limitation of Liability.

    1. TO THE EXTENT PERMITTED BY LAW, NOTWITHSTANDING ANY OTHER PROVISION SET FORTH HEREIN, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL, AND/OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT; AND
    2. EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS, A PARTY’S MAXIMUM LIABILITY TO THE OTHER FOR ANY DIRECT DAMAGES ARISING OUT OF OR RELATING TO ITS PERFORMANCE OR FAILURE TO PERFORM UNDER THIS AGREEMENT, WHETHER BASED ON AN ACTION OR CLAIM IN CONTRACT, EQUITY, NEGLIGENCE, TORT, OR OTHERWISE SHALL NOT, TO THE EXTENT PERMITTED BY LAW, EXCEED THE FEES PAID UNDER THE APPLICABLE ORDER IN THE TWELVE MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
    3. This Section 13 shall not limit Subscriber’s obligation to pay Panviva for the Services.
  14. Panviva Indemnity.

    1. Panviva agrees to indemnify, defend and hold harmless Subscriber and its affiliates and their respective shareholders, directors, officers, employees and agents (collectively, the “Subscriber Indemnitees” and each a “Subscriber Indemnitee”) from all actions, suits, claims and demands made by a third party (each, a “Claim” and collectively, “Claims”), including reasonable attorneys’ fees, costs, and expenses incidental thereto, which may be suffered by, incurred by, accrued against, charged to, or recoverable from any Subscriber Indemnitee, by reason of any Claim arising out of or relating to the Software infringing or misappropriating any patent, copyright, trade secret or trademark of a third party. The foregoing obligations shall not apply to the extent such Claims arise as a result of: (i) any use of the Software in a manner other than as specified in the Agreement or in an Order; (ii) any use of the Software in combination with other products, services or data not supplied by Panviva or its Personnel, to the extent that such Claim is caused by such combination; (iii) any alteration, modification or customization of the Software made by a party other than Panviva or Panviva’s Personnel or authorized representatives if such infringement would not have occurred without such alteration, modification or customization; (iv) Panviva’s compliance with any designs, specifications or instructions provided by Subscriber where such designs, specifications or instructions cause the infringement; or (v) use by Subscriber after written notice by Panviva to discontinue use of all or a portion of the Software.
    2. In the event that the Software is held to infringe in a final non-appealable judicial finding or a settlement agreement approved by Panviva, Panviva shall, at its expense and in its sole discretion: (i) obtain for Subscriber the right to continue using such Software; (ii) replace or modify such Software so that they do not infringe upon or misappropriate such proprietary right; or, (iii) in the event that Panviva is unable or determines, in its reasonable judgment, that it is commercially unreasonable to do either of the aforementioned, Panviva may terminate this Agreement and reimburse to Subscriber any prepaid fees.
    3. The rights and remedies granted to Subscriber in this Section state Panviva’s entire liability and Subscriber’s exclusive remedy with respect to any claim of infringement of Intellectual Property Rights of a third party, whether arising under statutory or common law or otherwise.
  15. Subscriber Indemnity.

    Subscriber agrees to indemnify, defend and hold harmless Panviva and its shareholders, directors, officers, employees, suppliers and licensors (each, a “Panviva Indemnified Party” and collectively, “Panviva Indemnified Parties”) from all Claims, including reasonable attorneys’ fees, costs, and expenses incidental thereto, relating to any Claim against any Panviva Indemnified Party arising out of or relating to Subscriber’s failure to comply with Section 8.

  16. Privacy.

    1. For Subscriber Personal Data, Panviva will:
      1. ensure that its dealings with Personal Information in connection with this Agreement comply with applicable Privacy Laws and its Privacy Policy;
      2. only use and disclose Personal Information to the extent necessary for it to perform its obligations under this Agreement;
      3. if reasonably requested by the Subscriber, provide access to any Personal Information acquired from the Subscriber under or in connection with this Agreement;
      4. take reasonable steps to ensure that Personal Information held by it is protected against misuse, interference, loss, unauthorized access, unauthorized modification and unauthorized disclosure;
      5. ensure that only Personnel who have a need to deal with Personal Information in connection with this Agreement are given access, only use the Personal Information for the purposes of the Agreement, and are aware of and comply with, Panviva's obligations under this Agreement.
    2. For the purposes of this Section 16, Subscriber warrants that the only privacy laws applicable to Subscriber’s Users are the Privacy Laws.
  17. Insurance.

    1. Panviva must effect and maintain the following insurances:
      1. public liability insurance with an insured limit of not less than $20.0 Million for each occurrence;
      2. professional indemnity insurance with an insured limit of not less than $1.0 Million for each claim and $3.0 Million in the aggregate for all claims in aggregate;
      3. workers compensation insurance or registrations, as required by law;
      4. cyber risk insurance (i) Contractually assumed privacy remediation: an insured limit of not less than $4.0 Million; and (ii) Cyber attack: an insured limit of not less than $1.0 Million;
    2. Panviva must effect each insurance required under section 1(a) with an insurer that has a financial strength rating of not less than "A-" issued by Standard & Poor's (or an equivalent rating from another recognised ratings agency), or with an insurer approved by the Subscriber, acting reasonably.
    3. If requested, prior to commencement of the Services, Panviva must produce to Subscriber a certificate of currency for each insurance that Panviva is required to obtain under this Exhibit A-3 section 1, or such other evidence of insurance that is satisfactory to Subscriber.
  18. Notices.

    If a party wishes to give a notice under this Agreement, it may give the notice in writing by nationally recognized overnight delivery or by email (as applicable, delivered to the other party’s postal or email address set forth in the Order). A notice will be deemed to have been received the next business day after it is sent and at the time of receipt (with confirmation of delivery) if sent by email.

  19. Operational.

    1. To facilitate the provision of the Services, Panviva may change the terms of this Agreement, including Exhibits, at any time, and Panviva will notify Subscriber of any change prior to the date that such change is effective using the email address on the Order. If any such change has a materially detrimental effect on Subscriber, Subscriber may cancel its Subscription in accordance with Section 5. The method and means of providing the Services shall be under the exclusive control, management, and supervision of Panviva.
    2. Panviva may enter into any subcontracts for the performance of the Services, however, Panviva’s use of subcontractors shall not relieve Panviva of any of its duties or obligations under this Agreement.
    3. Neither party will be liable for, or be considered to be in breach of or default under this Agreement on account of, any delay or failure to perform as required by this Agreement as a result of any cause or condition beyond its reasonable control, and such events shall include, but not be limited to, fire, explosion, flood or other natural catastrophe, infrastructure of the internet, utilities or telecommunications and data failures, governmental legislation, acts, orders, or regulation, strikes or labor
  20. Publicity.

    The Subscriber acknowledges that Panviva shall be entitled to issue press releases regarding its relationship with the Subscriber.  Panviva shall submit these releases to the Subscriber for approval, which shall not be unreasonably withheld or delayed.  The Subscriber consents to its name and logo being included in any listing of Panviva’s current customers.

  21. Third Party Software.

    The Subscriber acknowledges that as part of providing the Services, Panviva utilizes enabling technology, and in some instances, those license arrangements require Panviva to include certain additional terms and conditions on the end user. Where applicable these additional terms are set out at www.panviva.com/terms-and-conditions/tps and are incorporated into this Agreement.

  22. Open Source Software.

    The Software includes open source software programs that are made available by Panviva and other third parties under their respective open source licenses (“Open Source Licenses”). Certain Open Source Licenses and/or certain relevant provisions of such Open Source Licenses are set out at www.panviva.com/terms-and-conditions/oss . Subscriber is obligated to comply with the applicable Open Source Licenses related to such open source software programs. Open source software programs are governed solely by such Open Source Licenses, including without limitation warranty and indemnification, which will prevail over these Terms.

  23. General.

    1. A party may assign this Agreement as part of a corporate reorganization, consolidation, merger, or sale of all or substantially all of its assets or business, but otherwise neither party may assign its rights or obligations under this Agreement without the prior written consent of the other party. 
    2. If any provision is found to be void or unenforceable, that provision may be severed and the remainder of this Agreement must be interpreted as if the severed provision had never existed.
    3. This Agreement is governed by the laws of Victoria, Australia and the parties submit to the nonexclusive jurisdiction of the courts of Victoria.
    4. This Agreement, together with Exhibits and each Order is the entire agreement between the parties and supersedes all prior agreements, discussions, and representations in relation to the Services.
    5. Except as provided in Section 18(a), this Agreement may be modified or amended only in writing executed by Panviva and the Subscriber.
    6. The failure of either party at any time to require performance by the other party of any provision hereof shall not affect in any way the right to require such performance at any time thereafter, nor shall the waiver by either party of a breach of any provision of this Agreement be taken or held to be a waiver of any subsequent breach of the same provision or any other provision.
    7. This Agreement may be executed simultaneously in two or more counterparts, including electronically, each of which will be considered an original, but all of which together will constitute one and the same instrument.
  24. Definitions.

    For the purposes of the Agreement:

    Confidential Information means all information of a party that, (a) has been marked “confidential” or with words of similar meaning at the time of disclosure; or (b) should reasonably be recognized as confidential information of the disclosing party regardless of how it is stored, delivered, provided or learnt by the other party; but does not include any information that was: (i) already in the possession of the receiving party without an obligation of confidentiality; (ii) developed independently by the receiving party, as proven by the receiving party; (iii) obtained from a source other than the disclosing party without an obligation of confidentiality; (iv) any Subscriber Data which has been made available, or is contemplated becoming available, in whole or in part, to any third party not subject to a duty of confidentiality to Subscriber; or (v) any Subscriber Data Consumed under the Panviva API Supplementary Agreement (if applicable). Confidential Information includes all pricing and related terms pertaining to the provision of Services under this Agreement.

    Consumption means the act of initiating, responding to or otherwise engaging with the Panviva APIs (as defined in the Panviva API Supplementary Agreement).

    Documentation means ancillary information provided by Panviva to Subscriber to facilitate or support Subscriber’s use of the Services.

    Fee or Fees means the fee(s) specified in any Order, including the provision of subscriptions, integration, training, and other services (if any) as varied in accordance with this Agreement.

    Intellectual Property Rights means any and all intellectual and other similar proprietary rights in any jurisdiction, whether registered or unregistered including but not limited to all rights and interests pertaining to or deriving from copyrights, designs,  trademarks, trade secrets, know-how, confidential information, patents of all classes, patent applications, inventions and discoveries and all other intellectual property and similar proprietary rights, including, in each case any registrations of, applications to register, and renewals and extensions of any of the foregoing with or in any governmental authority in any jurisdiction, now or hereafter existing.

    Orders means all orders entered into by the parties for the Services.

    Panviva means Panviva Pty Ltd (ACN: 096 472 543).

    Panviva API Supplementary Agreement means the additional documentation associated with including the Panviva APIs as part of the Services, and where applicable, attached to this Agreement as an additional Exhibit.

    Permitted Purpose means for the internal use in Subscriber’s business and specifically excludes using the Services to (i) transmit, share or otherwise communicate Regulated Data; (ii) to transmit or disseminate any unlawful, harassing, offensive, defamatory or obscene information or any computer virus; (iii) allow an Unauthorized User to be a User; or (iv) accessing the Services via APIs in a manner inconsistent with the Panviva API Supplementary Agreement.

    Personnel means the employees, secondees, agents, principals and contractors (who are individuals) of Panviva or Panviva's associates.

    Personal Information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not about an identifiable individual, or an individual whose identity is reasonably identifiable, from the information or opinion which is received or learnt by Panviva or Panviva’s Personnel from Subscriber under this Agreement.

    Privacy Laws means the privacy laws applicable in the country of Subscriber’s registered address.

    Privacy Policy means Panviva’s privacy policy as described at www.panviva.com/privacy-policy/

    Service Credit means a service credit payable in accordance with Section 12(b), Exhibit A-1 or Exhibit A-2.

    Service Levels means the service levels set out in Exhibit A-1 and Exhibit A-2.

    Services means the item(s) selected on the Order which are described at www.panviva.com/au-terms-of-use/services/, including any Support Services.

    Software means the software developed and owned by Panviva, including any improvements or modifications and which is used in the provision of the Services, and at all times excludes any Subscriber Data.

    Start Date means the earliest start date set out on the initial Order.

    Subscriber means the company or other entity named as the subscriber in an Order.

    Subscriber Contributions means contributions from Subscriber made available to Panviva to enhance the Services.

    Subscriber Data means any material of the Subscriber entered into the Services by Subscriber or a user and used exclusively in the Subscriber’s instance of the Services.

    Subscriber Personal Data means User Validation Information where it contains Personal Information under the Privacy Laws.

    Subscription Term means the period specified in all applicable Orders.

    Support Services means the support services described in Exhibit A-2 (Support Process).

    Unauthorized User means (i) any user accessing the Services who in doing so causes the number of Users to exceed the total number of individual User subscriptions set out in the current Orders; and/or (ii) any user accessing the Services who is not a named User (as updated from time to time) under the Subscription.

    User has the meaning given in Section 1(b).

    User Validation Information means the information supplied by Subscriber to Panviva for login validation of a User, and is limited to a name for the User, a username for the User, and the email address Subscriber has linked to the User’s name.

Exhibit A-1

Service Level Agreement

This SLA applies to the Services subscribed for under this Agreement, and only applies to Services classified by Panviva as “in production” on a Supported Platform. For the avoidance of doubt, this SLA does not apply to Services in training or in any other non-production environments.

  1. Service Commitment.

    Panviva will use commercially reasonable efforts to ensure the Services will be available at least 99.5% of the time during each calendar month, excluding Scheduled Maintenance and Exception Maintenance (the “Service Commitment”). Subject to the SLA Exclusions below, if Panviva does not meet the Service Commitment the Subscriber will be eligible to apply for a Service Credit, as described below.

  2. Service Commitments and Service Credits.

    If Panviva does not meet the Service Commitment in a month, the Subscriber may be entitled to a Service Credit based on the total fees paid or payable for the Services in that month, calculated as follows:

    • if the Monthly Availability Percentage is less than 99.5% but greater than or equal to 99.0%, the Subscriber may apply for a Service Credit of 10% of the total fees paid or payable in that month; or
    • if the Monthly Availability Percentage is less than 99.0%, the Subscriber may apply for a Service Credit of 30% of the total fees paid or payable in that month.
  3. Service Credit Request Procedure.

    To be eligible to receive a Service Credit, Subscriber must submit a Service Credit Request claim to Panviva by emailing it to support@panviva.com no later than 14 days following the last day of the month in which the Monthly Availability Percentage is alleged to have been below the Service Commitment. Panviva will be under no obligation to consider applications for Service Credits in relation to any other period. All email claims for Service Credits must include:

    • the words “SLA Credit Request” in the subject line;
    • the dates and times of each unavailability incident; and
    • the Panviva-issued incident number.

    Service Credits confirmed by Panviva will be applied by Panviva to the next payment for the Services payable by the Subscriber.  If Service Credits have not been applied at the time the Agreement expires or is terminated, Panviva will pay an amount equal to the Service Credits to the Subscriber within 30 days of expiration or termination. Subscriber’s sole and exclusive remedy in connection with a failure to meet the Service Commitment is the Service Credit.

  4. Panviva Service Commitment Exclusions.

    The Service Commitment does not apply in the event that an outage to the Service is caused by, or rectification is impacted by:

    • the Service having been altered or damaged by someone other than Panviva;
    • the Service or any portion of it having been incorporated with or into other software not approved by Panviva;
    • negligence, abuse or misapplication of the Service by Subscriber or by any Subscriber personnel, agent or contractor (including, without limitation, any failure by the Subscriber to comply with the Agreement);
    • where the Services have not been used at all times for the Permitted Purpose; or
    • any other factors outside of Panviva’s reasonable control, including, without limitation, any problem with Internet access, or any problems beyond the demarcation point of the Panviva network.
  5. Definitions.

    For the purposes of this SLA:

    Exception Maintenance means periods of time during which Panviva performs critical maintenance or corrective activity in relation to Services outside of Scheduled Maintenance, and during which the Services may be unavailable.  Panviva will use reasonable efforts to minimize interference with the Subscriber’s use of the Services during such periods.  If possible, Exception Maintenance activity requiring an outage will be scheduled outside the standard business hours of the location from which the Services are provided.  

    Monthly Availability Percentage means the total number of hours in a month minus the number of hours in that month during which the Services were not available (excluding Scheduled Maintenance and Exception Maintenance), divided by the total number of hours in the month, and then expressed as a percentage.

    Panviva Service Centre Portal means the secure support portal where Subscriber can access the Panviva knowledge base, participate in forums and log and manage support tickets. The Panviva support team operates primarily via the Panviva Service Centre. The Panviva Service Centre is accessed at https://support.panviva.com

    Scheduled Maintenance means scheduled periods of time during which Panviva performs regular maintenance activity, and during which the Services may be unavailable.  Scheduled Maintenance activity requiring an outage will be scheduled outside the standard business hours of the location from which the Services are provided.

    Supported Platforms means the technologies that Panviva has certified for use or integration with the Services by the Subscriber. If the Subscriber uses technologies that are not Supported Platforms with the Services, Panviva will have no obligation to the Subscriber under this SLA.  The most up to date list of Platforms Panviva supports can be obtained from the Panviva Service Centre Portal.

 

Exhibit A-2

Support Process

  1. Support Description.

    1. Availability of Support

      Panviva will provide to Subscriber’s Nominated Support Users, telephone availability for Severity 1 incidents only (+61 3 9225 1810) twenty-four (24) hours per day, seven (7) days per week, three hundred sixty five (365) days per year and online Service Delivery Desk availability during business hours in the Subscriber’s time zone five (5) days per week (exclusive of Australian national holidays) (“Support”). Support will include any research and resolution activity performed by Panviva.

    2. Nominated Support Users.

      Subscriber will advise Panviva in writing of its employees who are authorized to request Support (“Nominated Support Users”).

    3. Request for Support.

      Subscriber’s Nominated Support Users will make Support requests by telephoning or emailing Panviva’s Personnel providing Support (“Support Staff”) or by submitting a request via the Panviva Service Centre. The Support Staff shall assign to the request the Incident Severity Level (as defined herein) indicated by the requestor, unless after making due enquiries it is reasonably viewed by the Support Staff as miscategorized, in which case the parties will seek to agree on categorization.

    4. Incident Severity Level 1 Response, Restore and Resolution.

      Incidents of Severity Level 1 must be reported by telephone. In the event a Severity 1 Incident is reported by a means other than telephone, Panviva will only be obligated to provide the Service Level applicable to a Severity 2 Incident. Panviva Support shall confirm to the requestor receipt of the request by Panviva.

    5. Incident Severity Levels 2 and 3 Response, Restore and Resolution.

      Support requests for Incident Severity Levels 2 and 3 may not be made by telephone, but must be made either by email or via the Panviva Service Centre. Panviva Support shall confirm to the requestor receipt of the request by Panviva within the Response time for the deemed Severity Level of the Incident. If an Incident Severity Level 2 or 3 request cannot be dealt with to the reasonable satisfaction of the requestor within the Restore time period after the requestor makes the initial request for Support, the parties will mutually agree upon a schedule within which to resolve the request.

  2. Failure to Meet Support.

    If Panviva does not meet the Support commitment, the Subscriber agrees no additional credit beyond the SLA credit (if any) will apply.

  3. Incident Management Framework

    Defined As

    All incidents that are reported to Panviva will first be validated as issues with the Services and categorized based on their severity. Restoration of the Services or Resolution of issues shall be achieved according to the assigned Severity Level within the times listed below.

    Incidents are categorized into one of the following Severity Levels:

    • Severity 1: Critical Business Impact
    • Severity 2: Major Business Impact
    • Severity 3: Minor Business Impact

    Goals

    | Goal | Category | Service | Target Timeframe |
    |---|---|---|---|
    | Response | Severity 1 | Telephone | 30 Minutes |
    | Response | Severity 2 | Web/Email | 4 Business Hours |
    | Response | Severity 3 | Web/Email | 1 Business Day |
    | Restore | Severity 1 | Telephone | 6 Business Hours |
    | Restore | Severity 2 | Web/Email | 30 Business Days or as agreed |
    | Restore | Severity 3 | Web/Email | N/A |
    | Resolve | Severity 1 | Telephone | 15 Business Days |
    | Resolve | Severity 2 | Web/Email | 90 Business Days or as agreed |
    | Resolve | Severity 3 | Web/Email | As Agreed |


    In the above framework:

    • Restore means use of commercially reasonable efforts to make the Services available again, including via temporary business or technical workaround.
    • Resolve means a permanent resolution of the issue, to the extent commercially feasible within such time frame.
    • Severity 1 – Critical Business Impact: means an issue that renders the Services inoperative for the majority of Users. When attempting to use Panviva, the majority of Users are prevented from performing a necessary function and there is no immediate workaround.
    • Severity 2 – Major Business Impact: means either an issue causing major functionality to experience a reproducible problem, which causes notable inconvenience to the majority of Users or the minority of Users are prevented from performing a necessary function. A workaround may exist but Users may be impacted.
    • Severity 3 – Minor Business Impact: means an issue causing a function to experience an intermittent problem or a common non-essential operation fails consistently. Use of the Services in the manner intended is not materially affected overall.

     

    Methodology

    Tracking of incidents by Panviva as outlined within this Support Process is as follows:

    • An integrated Service Desk system tracks and reports support activity.
    • Panviva monitors, optimizes and reports on systems within its own control zone. Subscriber may experience latencies introduced by its Internet access, network and perimeter management systems, or end user devices. These cannot be managed or reported on by Panviva services; however, Subscriber may be required to provide configuration and performance data from these services as part of issue logging.

     

    Expectations

    Panviva will provide a Root Cause Analysis for Severity 1 Incidents and shall use commercially reasonable efforts to provide such analysis within three business days of resolution.

Exhibit A-3

Security Agreement

This Exhibit is set out in three sections and each individual section is to be interpreted as a self-contained compartment in terms of this Security Agreement. For clarity, a commitment in one section of this Exhibit does not apply in any other section of this Exhibit unless it is explicitly identified as applying to that part.

Section 1 – Subscriber Personal Data

  1. Asset Management

    1. In relation to Subscriber Personal Data, Panviva shall be able to demonstrate understanding and management of legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.
    2. In relation to Subscriber Personal Data, Panviva shall have established governance and risk management processes which address security and cybersecurity risks. The processes to determine risk must include the identification and documentation of:
      1. asset vulnerabilities;
      2. threats, both internal and external; and
      3. potential impacts and likelihoods.
    3. Panviva shall conduct privacy and security risk assessments to ensure Subscriber Personal Data is stored and transmitted in an acceptable and secure manner, including how Subscriber Personal Data is classified, protected, transmitted, retention periods and disposal requirements.
    4. Panviva shall identify and prioritise risk responses where it impacts on Subscriber Personal Data.
  2. Access Control

    1. In situations where Panviva employees access Subscriber Personal Data (“Supplier Users”):
      1. Panviva shall manage identities and credentials for authorised devices and Supplier Users:
        1. all computer accounts are attributable to a uniquely identifiable individual role. The holder of that role has been educated to ensure that passwords and access should not be shared. For clarity, Subscriber Personal Data cannot be accessed via a shared computer account;
        2. password criteria for network operating systems are sufficiently complex, in line with recognised information security standards and expire regularly;
        3. access permissions are managed incorporating the principles of least privilege and separation of duties;
        4. where appropriate, role based access has been implemented;
        5. changes to user accounts and access for new joiners, leavers and internal movers are effectively managed to ensure access to systems is appropriate to a business need and is revoked when no longer required; and
        6. password files on all systems are protected by encryption during transmission and storage;
      2. Panviva shall manage remote access by Supplier Users:
        1. access to Panviva’s network is restricted and protected by appropriate security devices; and
        2. a secure remote access application is used to provide remote access to Panviva’s network, which is authenticated by the use of two-factor authentication; and
      3. Panviva shall perform access reviews on networks, systems and applications at least every 6 (six) months to ensure the joiners, leavers and transfers process is effective.
    2. In relation to Subscriber Personal Data, Panviva shall ensure that access to sensitive areas such as data centres and communications rooms are controlled by adequate security measures commensurate with the sensitivity of these areas, which are regularly reviewed and updated as necessary.
    3. Panviva shall take measures to ensure that physical assets used to process Subscriber Personal Data are adequately protected from loss, theft and damage.
    4. Panviva shall ensure that network integrity used to process Subscriber Personal Data is protected incorporating network segregation where appropriate.
    5. Where logical connections from networks used to process Subscriber Personal Data to other IP networks exist as part of the Services, controls are in place to restrict such network access to only authorised information assets.
  3. Personnel

    1. In situations where Panviva employees access Subscriber Personal Data:
      1. Panviva Personnel are screened for suitability for dealing with confidential information and are required to complete confidentiality, data protection and information security awareness training at least annually; and
      2. Panviva hiring contracts for Personnel (including contractors) cover roles and responsibilities for security, data handling, a requirement to abide by company policies and instructions to keep information confidential. This includes senior executives.
    2. Where Panviva Personnel (including contractors) are authorised to process Subscriber Personal Data on their own devices (i.e. Bring Your Own Device Policy) these devices are protected by a mobile device management (MDM) solution.
  4. Data Security

    1. Panviva shall take appropriate measures to ensure that Subscriber Personal Data at-rest and Subscriber Personal Data in-transit is adequately protected as identified in a documented risk assessment process with documented encryption techniques used and enforced.
    2. Panviva shall formally manage physical and non-physical assets used to process Subscriber Personal Data throughout, including removal, transfers, disposals and/or erasure.
    3. Panviva shall make provision for and monitor that there is adequate capacity to process Subscriber Personal Data to ensure that availability is maintained in a manner consistent with the SLA.
    4. Panviva shall implement adequate protective measures against data loss of Subscriber Personal Data as identified in a documented risk assessment process.
    5. For Subscriber Personal Data, Panviva shall manage effective segregation between development, test and production applications.
    6. Under no circumstances may Subscriber Personal Data be used in development and test environments or for any non-production purposes without the express permission of Subscriber.
    7. Panviva shall use checking mechanisms to verify Subscriber Personal Data integrity.
    8. Applications or third party systems used to store or process Subscriber Personal Data are logically segregated from all other third party systems.
  5. Information Protection Processes and Procedures

    1. Where it impacts on the use or storage of Subscriber Personal Data:
      1. Panviva shall maintain a baseline configuration of information technology systems, which may be updated from time to time; and
      2. Panviva shall manage information systems using a recognised and documented System Delivery Lifecycle (SDLC).
    2. For the production environment where it impacts on the use or storage of Subscriber Personal Data:
      1. Panviva shall manage a documented configuration change control process;
      2. Panviva shall perform backups of systems and ensure that backups are maintained and tested regularly;
      3. Panviva shall perform regular checks to ensure that policy and regulations regarding the physical operating environment are met;
      4. Panviva shall ensure that where required, Subscriber Personal Data is destroyed according to Panviva’s approved methods and policies;
      5. Panviva shall make provision for continually improving information protection processes;
      6. Panviva shall maintain, manage and periodically test response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery); and
      7. Panviva shall maintain a security vulnerability plan.
  6. Maintenance

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall ensure that the maintenance and repair of assets is performed and logged in a timely manner with approved and controlled tools; and
    2. Panviva shall ensure that remote maintenance of assets is approved, logged and performed in a manner which prevents unauthorized access.
  7. Protective Technology

    Panviva shall implement and maintain the secure collection of event data and audit/log records where it impacts on the use or storage of Subscriber Personal Data:

    1. audit/log records must cover as a minimum: system logon/logoff; use of escalated rights or administrative functions; access of sensitive system resources; change or escalation of rights/privileges; and
    2. logs must be held securely, demonstrate non-repudiation and kept for a minimum of 1 (one) year, with 3 (three) months available for analysis.
  8. Anomalies and Events

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall establish, maintain and manage a baseline of network operations and expected data flows for users and systems. This baseline should be included in processes to detect or identify events to be further analysed to understand attack targets and methods;
    2. Panviva shall collect, aggregate and correlate event data and audit logs from multiple sources and sensors;
    3. Panviva shall determine the impact of events considered to warrant further investigation; and
    4. Panviva shall establish incident alert thresholds.
  9. Continuous Monitoring

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall monitor the network to detect potential security events or incidents;
    2. Panviva shall monitor for unauthorized personnel, connections, devices and software;
    3. Panviva shall detect malicious code; and
    4. Panviva shall scan the network, network devices, servers and endpoints for vulnerabilities.
  10. Detection Processes

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall assign roles and responsibilities for detection which are well defined to ensure accountability;
    2. Panviva shall ensure that detection activities meet applicable standards including those identified in a cybersecurity risk assessment;
    3. Supplier shall test detection processes for effectiveness and adequacy regularly and at least annually;
    4. Panviva shall ensure that event detection information is communicated to appropriate parties internally at Panviva; and
    5. Panviva shall continuously improve detection processes.
  11. Response and Recovery

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall ensure that a response plan is in place and that it is executed during or after an event;
    2. Panviva shall ensure that Personnel know their roles and order of operations when a response to an event is needed;
    3. Panviva shall ensure that events are reported consistent with Panviva’s established criteria;
    4. Panviva shall ensure that information is shared consistent with response plans including where applicable coordination with stakeholders;
    5. consistent with Panviva’s established criteria:
      1. Panviva shall investigate notifications from detection systems;
      2. Panviva shall analyse the impact of the incident so that it is well understood;
      3. Panviva shall arrange forensic analysis of events as needed;
      4. Panviva shall categorise incidents consistent with response plans; and
      5. Panviva shall seek to contain and mitigate incidents;
    6. where viewed as warranted Panviva shall mitigate newly identified vulnerabilities or document acceptance of risk consistent with the risk management process;
    7. Panviva shall improve response and recovery plans by:
      1. updating response and recovery strategies; and
      2. incorporating lessons learned; and
    8. Panviva shall communicate unscheduled recovery activities to internal stakeholders and executive and management teams.

 

Section 2 – Subscriber Data

  1. Definition

    In this Part 2 of this Exhibit A-3:

    Industry Practice means operations consistent with ISO/IEC 27001 – Information Security Management Systems – Requirements.

  2. Security Program

    1. Panviva must develop, maintain and implement a written information security program of policies, standards and procedures governing the processing, storage and transmission of Subscriber Data (Security Program).
    2. The Security Program must include practices and processes designed to protect Subscriber Data from unauthorized access, acquisition, use, disclosure, corruption or destruction and which are consistent with Industry Practice.
  3. Compliance with Standards

    Panviva must ensure all data centres from which the Services are provided:

    1. are certified to comply with ISO/IEC 27001 – Information Security Management Systems – Requirements; and
    2. are subject to annual independent SSAE 18 audits by an appropriately qualified auditor. The reports from those audits (at a minimum a SOC 2 Type 2 service auditor report) must be provided to Subscriber upon written request.
  4. Location of Data, Software and Hardware

    In performing the Services, the Subscriber Data must be hosted and processed in accordance with the Agreement.

  5. Physical Security

    Panviva must use subcontractors that meet ISO/IEC 27001 – Information Security Management Systems – Requirements.

  6. Administrative Security

    In relation to Subscriber Data, Panviva must ensure that only the necessary persons to enable Panviva to meet its obligations under the Agreement have access to Subscriber Data and implement the following minimum administrative security measures:

    1. “Security Awareness” – Panviva must maintain and comply with a security awareness program, including ensuring that all Panviva Personnel and contractors that have access to Subscriber Data participate in training on security practices as well as ongoing and regular refresher training detailing the importance of privacy and security; and
    2. “Vendor Security Risk management” – Where vendors are permitted to access Subscriber Data under the Agreement, Panviva must maintain and comply with a vendor security risk management program to assess all vendors that access, store, transmit or process Subscriber Data.
  7. Information Security

    In relation to Subscriber Data, Panviva must ensure that information security measures consistent with Industry Practice are in place, including implementing the following minimum information security measures:

    1. “Access Management” – Panviva must establish user access policies and procedures, and implement supporting business processes and technical measures for ensuring identity entitlement and access management for all Panviva Personnel, contractors and permitted subcontractors;
    2. “Multi-factor Authentication Access Control” – Panviva must use multi-factor authentication for remote access;
    3. “Data Security” – Panviva must cryptographically protect the authenticity, integrity and confidentiality of Subscriber stored data at rest (e.g. servers, databases) and in use (e.g. memory) using controls approved by Subscriber in writing (e.g. AES-256);
    4. “Vulnerability Management” – Panviva must establish and comply with policies, procedures, supporting processes and technical measures for the timely detection of vulnerabilities in Panviva’s IT environment, including utilising a risk-based model for prioritising remediation of identified vulnerabilities;
    5. “Threat Detection and Prevention” – Panviva must establish and comply with policies, procedures, supporting processes and technical measures to detect and prevent threats in order to protect the Services and infrastructure used to provide the Services;
    6. “Change Control” – Panviva must ensure that all changes to platform, applications and infrastructure related to the Services are controlled and implemented following a standard procedure;
    7. “Logging and Monitoring” – Panviva must ensure that log activities are centrally collected, in a tamper resistant solution and are monitored;
    8. “Network Security” - Panviva’s perimeter network systems must run behind a DMZ, with internal networks and servers protected by firewalls; and
    9. “Communications Security” – Panviva must protect the authenticity, integrity and confidentiality of Subscriber Data in transit.
  8. Backups and Service Continuity

    1. “Data Centres” - The data centres from which the Services are provided will be physically located in separate geographical locations and operate on a segregated network. Each data centre will include full redundancy (N+1) and fault tolerant infrastructure for power, internet connections, cooling and fire protection.
    2. “Backups” - Panviva will perform regular backups of Subscriber Data.
  9. Security Testing

    Panviva will have independent penetration testing of all Services and the service delivery environment performed no less frequently than annually by an appropriately qualified or certified organization, provide Subscriber with a summary report detailing the test results on request and promptly remedy any issues or deficiencies identified.

Section 3 – Data Breach

  1. Definition

    In this Part 3 of this Exhibit A-3:

    Data Breach means unauthorized access, use, disclosure, modification, destruction, corruption or loss of Subscriber Data. For clarity, a Data Breach does not include (i) any access or actions of a User, (ii) data that is not Confidential Information or (iii) any Subscriber Data made available under the Panviva API Supplementary Agreement.

  2. Response to Data Breach

    For Subscriber’s production environment:

    1. Panviva shall as soon as practicable, and in any event within 72 (seventy two) hours of when Panviva becomes aware of such breach, notify Subscriber in writing should it become aware of, or reasonably suspect there has been, any actual or alleged Data Breach;
    2. promptly provide Subscriber with a description of: (i) the nature of the Data Breach, including (if applicable for the Data Breach) the volume and type of Subscriber Personal Data affected and the categories and approximate number of individuals concerned; and (ii) the measures taken or proposed to be taken to address the Data Breach including, where appropriate, measures to mitigate its possible adverse effects;
    3. provide Subscriber with assistance that may be reasonably required by Subscriber to manage the Data Breach. Panviva shall provide this assistance at no additional costs to the extent the Data Breach is the result of Panviva’s negligence; otherwise, Subscriber shall pay Panviva for the reasonable pre-agreed costs of the steps Subscriber takes in complying with this sub-clause;
    4. take immediate remedial action to secure the Subscriber Personal Data and to prevent re-occurrences of the same or similar incident and provide Subscriber with details of such remedial action; and
    5. not report a Data Breach to any national regulator or law enforcement body unless instructed to do so by Subscriber, or if, in Panviva’s opinion, it is required to comply with its obligations under any law.