Terms and Conditions

Subscription Agreement Terms and Conditions

Subscriber and Panviva agree as follows:

  1. Subscription.

    1. These Subscription Agreement Terms and Conditions (“Terms”) shall apply to Subscriber’s use of the Services described in any Order signed by Subscriber and Panviva.
    2. This Agreement is made up of the following documents:
      1. an Order;
      2. these Terms; and
      3. the Exhibits,
    3. If the documents forming part of the Agreement are inconsistent and the parties cannot agree on an interpretation, then the documents must be construed in the priority set out in section 1(b).
    4. Capitalized terms not defined in an Order or in the body of the Terms or an Exhibit accompanying such Terms shall have the meanings set forth in Section 26.
    5. During the Subscription Term, Panviva grants to Subscriber a non-exclusive, non-transferable right to permit named individuals authorized by Subscriber, and who are employees or individual contractors of Subscriber Group (“Users”), to access and use the Services subject to this Agreement for the Permitted Purpose. Subscriber must ensure that Users comply with this Agreement and must use reasonable efforts to prevent unauthorized access to or use of the Services.
    6. The number of users for a Service shall not exceed the number subscribed for in current Orders, and the Subscriber agrees to be liable to pay Fees for any Unauthorised Users.
  2. Term.

    This Agreement commences on the Start Date set out in the initial Order and, unless terminated in accordance with this Agreement, shall remain in effect until the end of the Subscription Term. All rights and obligations of the parties, which by their nature are reasonably intended to survive termination, shall survive termination including, without limitation, clauses 6, 7, 9, 11, 12, 14, 15, 16, 17, 18, 21, 22, and 25.

  3. Panviva obligations.

    1. Panviva will provide the Services to the Subscriber in accordance with this Agreement.
    2. Panviva will supply the current production version of the Panviva Software running on its Platform necessary to:
      1. provide the Services to Subscriber and the Users; and
      2. enable Subscriber and the Users to access and use the Services.
    3. Panviva will provide the Support Services in accordance with this Agreement.
    4. Panviva will comply with its data security obligations as described in Exhibit 1-C (Security Agreement).
    5. The parties commit to have regular scheduled meetings to discuss the Services, its performance, support, and other topics as agreed by the parties. These meetings are to be held not more often than monthly and at least once a quarter unless otherwise agreed by the parties.
  4. Service Levels.

    1. The Services must meet the Service Levels.
    2. If Panviva fails to meet Service Levels in a month, Subscriber is entitled to a Service Credit in accordance with Exhibit 1-A (Service Level Agreement) or Exhibit 1-B (Support Process) (as applicable).
    3. The parties agree that the payment of Service Credit is not a penalty but a genuine pre-estimate of the diminution of the value of the Services provided if Panviva fails to meet any Service Level.
    4. Subscriber agrees that its sole and exclusive remedies for a failure by Panviva to comply with the SLA and/or Support are limited to the Service Credits as set forth in the Exhibits.
  5. Fees and Renewal.

    1. Unless agreed otherwise in advance, the Fee for the Subscription Term must be paid before the commencement of the Subscription Term and in accordance with this Section 5.
    2. Panviva will provide a correctly rendered tax invoice at the times specified in the relevant Order.
    3. A tax invoice will be correctly rendered if:
      1. the invoice contains a valid purchase order number (such purchase order number to be provided by Subscriber on a timely basis to facilitate compliance with this Agreement, and in the absence of providing a purchase order number on a timely basis Panviva may lodge a valid tax invoice without a purchase order number);
      2. the invoice only contains charges for Services that will be provided over the next 12 months, or as otherwise agreed in the applicable Order; and
      3. the Fee is correctly calculated.
    4. Where the Subscriber, acting reasonably, disputes an invoiced Fee or expense within 14 days of issue, the parties agree to have good faith discussions to resolve the dispute.
    5. Unless Subscriber is disputing the Fee in accordance with clause 5(d), if Subscriber does not pay the Fee by the agreed-to date, in addition to any other rights, Panviva may suspend the Services or cancel Subscriber’s subscription after reasonable written notice has been provided (which in all cases will be not less than 30 days).
    6. Subscriptions for all Services, unless agreed in advance, will automatically renew for an additional period of 12 months unless a party gives the other party notice to Terminate, or discontinue a portion of the Services, not less than 30 days before the end of the relevant Subscription Term.
    7. By completing an additional Order, Subscriber may add additional subscriptions to use the Services (“Mid-Term Subscriptions”). Unless agreed otherwise, Mid-Term Subscriptions will incur a Fee based on the pro-rata pricing of the Services in the underlying subscription and expire at the end of the Subscription Term at which point they will be aggregated into the renewal of the underlying subscription.
    8. In the case of an automatic renewal, the renewed Services will not include professional service fees (such as training), which may have been included in any Order in a preceding Subscription Term.
    9. Panviva may increase Fees at each renewal period and will notify the Subscriber of revised Fees at least 45 days before the end of the current Subscription Term.
  6. Termination.

    1. In the event Panviva, acting reasonably, considers Subscriber to be in breach of its commitments under Section 10, Panviva may suspend the services after providing a minimum 48 hours’ notice to the Subscriber.
    2. Either party may terminate this Agreement in whole or in part in writing immediately if the other party:
      1. commits a breach of the Agreement and, where the breach is capable of remedy, a period of 30 Business Days has expired from the other party notifying the first party of the breach without the other party remedying the breach;
      2. commits a Material Breach of the Agreement, which is not capable of remedy; and
      3. becomes or threatens to become Insolvent.
    3. If Subscriber terminates this Agreement under this Section 6, all Fees are immediately due and payable unless
      1. Subscriber notifies Panviva of its intention to terminate this Agreement for breach by Panviva; or
      2. Subscriber notifies Panviva of its intention to terminate this Agreement as a result of Panviva modifying the terms of the Agreement in a manner that has a materially detrimental effect on Subscriber and Subscriber has notified Panviva within 14 days of Panviva’s notice of such change.

      In both these situations, the Agreement shall be terminated effective as of the date of the notification to Panviva, and Subscriber will receive a pro-rata refund for any amount already paid to Panviva in respect of any period after that date.

    4. If Panviva terminates this Agreement under this Section 6, all Fees are immediately due and payable.
    5. Upon termination of this Agreement or expiration of any Subscription Term, Subscriber’s right to access and use the Services will terminate, provided that at the written request of Subscriber, which request must be received by Panviva within 30 days of termination or expiration, Panviva will allow Subscriber (for no additional Panviva Subscription Fee) to access the Services, but only to the extent necessary for Subscriber to export Subscriber Data. At any time after 45 days following termination of this Agreement or expiration of any Subscription Term, Panviva may permanently delete any Subscriber Data within the possession or control of Panviva.
    6. On termination or expiry of this Agreement, Panviva must (at Subscriber’s request) destroy all Subscriber Data within the possession or control of Panviva,
    7. The obligations in Section 6(f) will not apply to:
      1. Subscriber Data stored on a back-up server for bona fide back-up, security and data recovery purposes, which is not readily accessible; or
      2. any Subscriber Data that Panviva retains in its files as required to comply with any applicable laws or insurance policies,

      provided that such Subscriber Data that is retained remains subject to the confidentiality obligations set out in this Agreement.

  7. Billing.

    Subscriber must pay the Fees within the terms of the invoice as agreed in the Order. Except as provided in Section 6 or an Order, all Fees and payment obligations are non-cancellable and non-refundable.

  8. Taxes.

    1. Except where expressly stated otherwise, all amounts referred to in this Agreement are exclusive of GST. Where any supply occurs under or in connection with this Agreement or the Services which is subject to GST, the party making the supply (“the supplying party”) is entitled to increase the amount payable for the supply by the amount of any applicable GST, provided that the Supplier gives the receiving party written evidence of its GST registration status.
    2. The supplying party acknowledges and agrees that if a legislative requirement requires the receiving party to deduct an amount in respect of withholding tax from a payment under this Agreement such that the supplying party would not actually receive on the due date the full amount provided for under this Agreement then on the due date:
      1. receiving party must deduct the amount for the withholding tax;
      2. receiving party must pay an amount equal to the amount deducted to the relevant authority in accordance with applicable Law and give the original receipt to the supplying party; and
      3. receiving party must pay supplying party an amount equal to the difference between the payment and the amount deducted.
  9. Subscriber Data.

    1. Panviva acknowledges that Subscriber Data is and shall remain the property of Subscriber.
    2. Subscriber is at all times solely responsible for the content and legality of Subscriber Data, how Subscriber Data is acquired, and the transfer of Subscriber Data into and from the Services.
    3. Subscriber acknowledges and agrees that responsibility for assessing the suitability of the Services for Subscriber’s requirements, including in relation to the sensitivity of Subscriber Data and any applicable law or regulation, resides at all times exclusively with the Subscriber.
    4. Subject to Panviva’s obligations under this Agreement, Panviva reserves the right to access Subscriber Data for the purpose of testing the operation and performance of the Services.
  10. Restrictions.

    1. Subscriber acknowledges and agrees that the Services are not designed for use with data that may be classified as highly sensitive, personal and/or otherwise subject to information privacy regulations, including without limitation any data subject to laws governing the storage and transmission of personally identifiable information, protected health information or information subject to the Payment Card Industry Data Security Standard (collectively, “Regulated Data”). Subscriber must not enter Regulated Data in the Services.
    2. Panviva shall have no liability under any circumstances with respect to Subscriber Data that is Regulated Data.
    3. Subscriber must use the Services only for the Permitted Purpose and in a manner consistent with the other terms of this Agreement. Subscriber must not (a) use the Services to provide a bureau or similar service; (b) sublicense, re-license or sell rights to access or use the Services, or transfer or assign rights to access or use the Services; or (c) modify, make derivative works of, reverse engineer, disassemble, decompile or otherwise reproduce the operation of the Services or any part of the Services or the Software and materials used or created by Panviva to provide the Services. Subscriber may not, and may not engage another party, to undertake security testing, load testing, performance testing or any automated or other forms of testing of the Service.
    4. For clarity, the Regulated Data limitation in Section 10(b) does not limit Panviva’s undertakings in this Agreement in relation to Personal Information used for User Validation Information.
  11. Ownership.

    All Intellectual Property Rights in the Services and any Documentation (including all derivatives, modifications or improvements thereon), are and shall at all times remain the sole and exclusive property of Panviva. Panviva will own all Intellectual Property Rights in: (a) all suggestions, enhancements requests, feedback, recommendations or other improvements provided by Subscriber to Panviva relating to the Services; (b) content, images and documentation provided by Subscriber to Panviva as part of any Subscriber Contributions; and (c) anonymized data generated by Subscriber’s use of the Services to measure and analyse how the Services operate and how Subscriber interacts with the Services (such as usage patterns, latency, networks and other performance data).

  12. Confidentiality.

    1. Each party agrees to hold the other’s Confidential Information in strict confidence and not to copy, reproduce, sell, transfer, or otherwise dispose of, give or disclose such Confidential Information to third parties other than employees, agents, or subcontractors of a party who have a need to know for the purposes of, and in accordance with, this Agreement, or if either party is required to do so by law or an exchange or in connection with legal proceedings relating to this Agreement. Each agrees to advise and require their respective employees, agents, and subcontractors of their obligations to keep all Confidential Information confidential.
    2. Panviva will maintain measures to protect the security and confidentiality of the Subscriber Data and User Validation Information, including commercially reasonable physical, technological and administrative measures, as set forth in Exhibit 1-C (Security Agreement), and Subscriber acknowledges:
      1. these measures are reasonable and appropriate for Subscriber’s intended use; and
      2. that security measures are not infallible and may be circumvented, which may result in unauthorized access; and Panviva will not be liable for any such unauthorized access, and such access will not constitute a breach of the Agreement, provided such access did not result from Panviva’s failure to adhere to the aforementioned security measures.
  13. Panviva warranty and liability.

    1. Panviva warrants that:
      1. the Services shall perform substantially in accordance with the Service Level Agreement (“SLA”) attached hereto as Exhibit 1-A. Panviva’s Support Process (“Support”) in connection with the Services is attached hereto as Exhibit 1-B;
      2. it will comply with all applicable Laws related to the provision of the Services;
      3. it will supply the Services in all material respects with due care, skill, expertise and in a good, proper and professional manner;
      4. Panviva Software used in the Services, the Platform (subject to Panviva’s knowledge as set out in Sections 13(a)(v) and 13(a)(vi) below), and Subscriber’s use of the Platform and Panviva Software (excluding any Subscriber Data), does not infringe the patent, copyright, trade secret or trademark categories of Intellectual Property Rights of any person;
      5. it is not aware of any infringement of the Intellectual Property Rights of any person for any third-party elements used in providing the Platform;
      6. it is not aware of any infringement of any Moral Rights in providing the Services;
      7. it will use commercially reasonable efforts to ensure the Panviva Software shall not contain:
        1. any virus, trojan horse, worm, backdoor or other software or hardware devices the effect of which is to permit unauthorized access or to disable, erase, or otherwise harm any computer, systems or software, or
        2. any time bomb, drop dead device or other software or hardware device designed to disable a computer program automatically with the passage of time, provided, however, that Subscriber acknowledges the Services includes logical access controls which may be used by Panviva to restrict Subscriber’s access to the Services in accordance with the Agreement.
    2. Subscriber agrees that its sole and exclusive remedies for a failure by Panviva to comply with the SLA and/or Support Services are as set forth in the Exhibits.
    3. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, PANVIVA MAKES NO PROMISES, REPRESENTATIONS OR WARRANTIES OF ANY KIND AND EXPRESSLY DISCLAIMS ANY AND ALL PROMISES, REPRESENTATIONS, AND WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE SERVICES, INCLUDING, WITHOUT LIMITATION, CONDITION, CONFORMITY TO ANY REPRESENTATION OR DESCRIPTION, THE EXISTENCE OF ANY LATENT OR PATENT DEFECTS, NON-INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, ANY WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE OR THAT THE SERVICES ARE SUITABLE FOR SUBSCRIBER’S INTENDED USE OR WILL BE UNINTERRUPTED OR ERROR FREE.
    4. Nothing in this Agreement shall exclude, restrict or modify the application of any statutory provision (including a provision of the Competition and Consumer Act 2010 (Cth)) where to do so would contravene that statute or cause any part of this Agreement to be void (“Non-excludable Condition”).
    5. To the extent permitted by law, Panviva’s liability to the Subscriber for any breach of any Non-excludable Condition is limited, at Panviva’s option to: (a) in the case of services, to supplying those services again or payment of the cost of having the services supplied again; and (b) in the case of goods, to providing, replacing or repairing those goods.
  14. Mutual Limitation of Liability.

    1. TO THE EXTENT PERMITTED BY LAW, NOTWITHSTANDING ANY OTHER PROVISION SET FORTH HEREIN, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL, AND/OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT; AND
    2. EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS; A BREACH OF SECTION 9 OR 12; A BREACH OF SECTION 13(a)(ii) UNLESS THE NON-COMPLIANCE IS ATTRIBUTABLE TO SUBSCRIBER’S ACTIONS OR INACTIONS; OR AN INTENTIONAL BREACH OF SECTION 17 BY PANVIVA, A PARTY’S MAXIMUM LIABILITY TO THE OTHER FOR ANY DIRECT DAMAGES ARISING OUT OF OR RELATING TO ITS PERFORMANCE OR FAILURE TO PERFORM UNDER THIS AGREEMENT, WHETHER BASED ON AN ACTION OR CLAIM IN CONTRACT, EQUITY, NEGLIGENCE, TORT, OR OTHERWISE SHALL NOT, TO THE EXTENT PERMITTED BY LAW, EXCEED THE FEES PAID UNDER THE APPLICABLE ORDER IN THE TWELVE MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
    3. This Section shall not limit Subscriber’s obligation to pay Panviva for the Services.
  15. Panviva Indemnity.

    1. Panviva agrees to indemnify, defend and hold harmless Subscriber, each Subscriber Group member and their respective shareholders, directors, officers, employees and agents (collectively, the “Subscriber Indemnitees” and each a “Subscriber Indemnitee”) from all actions, suits, claims and demands made by a third party (each, a “Claim” and collectively, “Claims”), including reasonable attorneys’ fees, costs, and expenses incidental thereto, which may be suffered by, incurred by, accrued against, charged to, or recoverable from any Subscriber Indemnitee, by reason of any Claim arising out of or relating to the Panviva Software infringing or misappropriating the patent, copyright, trade secret or trademark categories of Intellectual Property Rights, or other proprietary right of any third party. The foregoing obligations shall not apply to the extent such Claims arise as a result of: (a) any use of the Panviva Software in a manner other than as specified in the Agreement or in an Order; (b) any use of the Panviva Software in combination with other products, services or data not supplied by Panviva or its Personnel, to the extent that such Claim is caused by such combination; (c) any alteration, modification or customization of the Panviva Software made by a party other than Panviva or Panviva’s Personnel or authorized representatives if such infringement would not have occurred without such alteration, modification or customization; (d) Panviva’s compliance with any designs, specifications or instructions provided by Subscriber where such designs, specifications or instructions cause the infringement; or (e) use by Subscriber after written notice by Panviva to discontinue use of all or a portion of the Panviva Software.
In the event that the Panviva Software is held to infringe in a final non-appealable judicial finding or a settlement agreement approved by Panviva, Panviva shall, at its expense and in its sole discretion: (i) obtain for Subscriber the right to continue using such Panviva Software; (ii) replace or modify such Panviva Software so that they do not infringe upon or misappropriate such proprietary right, with no material degradation to the Services; or, (iii) in the event that Panviva is unable or determines, in its reasonable judgment, that it is commercially unreasonable to do either of the aforementioned, Panviva may terminate this Agreement and reimburse to Subscriber any prepaid F
    2. The rights and remedies granted to Subscriber in this Section state Panviva’s entire liability and Subscriber’s exclusive remedy with respect to any claim of infringement of Intellectual Property Rights of a third party, whether arising under statutory or common law or otherwise. Panviva must without undue delay notify the Subscriber if it becomes aware of any formal legal Claim being pursued by a third party for infringement of Intellectual Property Rights in relation to the Panviva Software.
  16. Subscriber Indemnity

    Subscriber agrees to indemnify, defend and hold harmless Panviva and its shareholders, directors, officers, employees, suppliers and licensors (each, a “Panviva Indemnified Party” and collectively, “Panviva Indemnified Parties”) from all Claims, including reasonable attorneys’ fees, costs, and expenses incidental thereto, relating to any Claim against any Panviva Indemnified Party arising out of or relating to Subscriber’s failure to comply with Section 10.

  17. Privacy.

    1. To the extent that User Validation Information contains Personal Information, for that User Validation Information, Panviva will:
      1. ensure that its dealings with Personal Information in connection with this Agreement comply with applicable Privacy Laws;
      2. only use and disclose Personal Information to the extent necessary for it to perform its obligations under this Agreement;
      3. not export or transmit Personal Information obtained or collected on Subscriber’s behalf to a place outside Australia without Subscriber’s prior written consent.
      4. if reasonably requested by the Subscriber, provide access to any Personal Information acquired from the Subscriber under or in connection with this Agreement;
      5. take reasonable steps to ensure that Personal Information held by it is protected against misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure; and
      6. ensure that only Personnel who have a need to deal with Personal Information in connection with this Agreement are given access, only use the Personal Information for the purposes of the Agreement and are aware of and comply with, Panviva’s obligations under this Agreement.
    2. If Panviva considers a Data Breach of User Validation Information has or may have occurred, Panviva will comply with Section 23 of Exhibit 1-C (Security Addendum).
    3. For the purposes of this Section 17, Subscriber represents, warrants and agrees that the only privacy laws applicable to Subscriber’s Users are the Privacy Laws. Subscriber agrees Panviva can rely on these representations and warranties, and plead this clause in any assertion of non-compliance, Claim or dispute.
  18. Insurance.

    1. Panviva must effect and maintain the following insurances:
      1. public liability insurance with an insured limit of not less than $20.0 Million for each occurrence;
      2. professional indemnity insurance with an insured limit of not less than $1.0 Million for each claim and $3.0 Million in the aggregate for all claims in aggregate and which must be maintained for two years after the termination or expiry of this Agreement;
      3. workers compensation insurance or registrations, as required by law;
      4. cyber risk insurance (i) contractually assumed privacy remediation: an insured limit of not less than $4.0 Million (ii) cyber-attack: an insured limit of not less than $1.0 Million;
    2. Panviva must effect each insurance required under Section 18(a) with an insurer that has a financial strength rating of not less than “A-” issued by Standard & Poor’s (or an equivalent rating from another recognised ratings agency), or with an insurer approved by the Subscriber, acting reasonably.
    3. If requested, prior to commencement of the Services, Panviva must produce to Subscriber a certificate of currency for each insurance that Panviva is required to obtain under this Section 18, or such other evidence of insurance that is satisfactory to Subscriber.
  19. Notices.

    If a party wishes to give a notice under this Agreement, it may give the notice in writing by nationally recognized overnight delivery or by email (delivered to the other party’s postal or email address set forth in the Order). A notice will be deemed to have been received the next Business Day after it is sent and at the time of receipt if sent by email.

  20. Operational

    1. To facilitate the provision of the Services, Panviva may change the terms of this Agreement, including Exhibits, at any time, and Panviva will notify Subscriber of any change prior to the date that such change is effective using the email address on the Order. If any such change has a materially detrimental effect on Subscriber, Subscriber may cancel its Subscription in accordance with Section 6. The method and means of providing the Services shall be under the exclusive control, management, and supervision of Panviva.
    2. Panviva may enter into any subcontracts for the performance of the Services, however, Panviva’s use of subcontractors shall not relieve Panviva of any of its duties or obligations under this Agreement. Where Panviva enters into any subcontracts for the performance of the Services, Panviva retains prime contract responsibility for all the obligations of Panviva under this Agreement, and is liable for all acts or omissions of the subcontractor.
    3. Neither party will be liable for, or be considered to be in breach of or default under this Agreement on account of, any delay or failure to perform as required by this Agreement as a result of any cause or condition beyond its reasonable control, and such events shall include, but not be limited to, fire, explosion, flood or other natural catastrophe, infrastructure of the internet, utilities or telecommunications and data failures, governmental legislation, acts, orders, or regulation, strikes or labour difficulties.
  21. Publicity.

    The Subscriber acknowledges that Panviva shall be entitled to issue press releases regarding its relationship with the Subscriber. Panviva shall submit these releases to the Subscriber for approval, which shall not be unreasonably withheld or delayed. The Subscriber consents to its name and logo being included in any listing of Panviva’s current customers.

  22. The Subscriber Group.

    1. This Agreement and each Order is for the benefit of the Subscriber Group. Any licence or indemnity expressed to be for Subscriber’s benefit is also for the benefit of the Subscriber Group.
    2. A breach of this Agreement, an Order or any other actionable conduct by Panviva associated with this Agreement may result in losses or damages being suffered or incurred by other members of the Subscriber Group. Subscriber is entitled to claim from Panviva for loss or damage suffered or incurred by any other member of the Subscriber Group under or in connection with this Agreement as if those losses and damages had been suffered or incurred by Subscriber.
    3. Where entities other than Subscriber receive the Services under the Agreement, Subscriber retains prime contract responsibility for all indemnities, obligations, undertakings and commitments under the Agreement, including without limitation the payment of all Fees.
  23. Third Party Software.

    The Subscriber acknowledges that as part of providing the Services, Panviva utilizes enabling technology, and in some instances, those license arrangements require Panviva to include certain additional terms and conditions on the end user. Where applicable these additional terms are set out at www.panviva.com/terms-and-conditions/tps and are incorporated into this Agreement.

  24. Open Source Software.

    The Software includes open source software programs that are made available by Panviva and other third parties under their respective open source licenses (“Open Source Licenses”). Certain Open Source Licenses and/or certain relevant provisions of such Open Source Licenses are set out at www.panviva.com/terms-and-conditions/oss. Subscriber is obligated to comply with the applicable Open Source Licenses related to such open source software programs. Open source software programs are governed solely by such Open Source Licenses, including without limitation warranty and indemnification, which will prevail over these Terms.

  25. General.

    1. A party may assign this Agreement as part of a corporate reorganization, consolidation, merger, or sale of all or substantially all of its assets or business, but otherwise neither party may assign its rights or obligations under this Agreement without the prior written consent of the other party.
    2. If any provision is found to be void or unenforceable, that provision may be severed and the remainder of this Agreement must be interpreted as if the severed provision had never existed.
    3. This Agreement is governed by the laws of Victoria, Australia and the parties submit to the nonexclusive jurisdiction of the courts of Victoria.
    4. This Agreement, together with Exhibits and each Order is the entire agreement between the parties and supersedes all prior agreements, discussions, and representations in relation to the Services.
    5. Except as provided in Section 20(a), this Agreement may be modified or amended only in writing executed by Panviva and the Subscriber.
    6. The failure of either party at any time to require performance by the other party of any provision hereof shall not affect in any way the right to require such performance at any time thereafter, nor shall the waiver by either party of a breach of any provision of this Agreement be taken or held to be a waiver of any subsequent breach of the same provision or any other provision.
    7. This Agreement may be executed simultaneously in two or more counterparts, including electronically, each of which will be considered an original, but all of which together will constitute one and the same instrument.
  26. Definitions.

    For the purposes of the Agreement:

    API Supplementary Agreement means the additional documentation associated with including the Panviva APIs as part of the Services, and where applicable, attached to this Agreement as Exhibit 1-D.

    Approval means any permit, consent, authorisation, registration, filing, lodgement, notarisation, certificate, endorsement, permission, licence (including process licences), approval, authority or exemption by, or with, an Authority and including any condition or requirement imposed under any of the foregoing.

    Authority means any government department, local government, governmental or statutory authority, or other party which has a right under a Law to impose a requirement or whose consent is required in relation to the Agreement.

    Business Day means a day other than a Saturday or Sunday when the banks in Melbourne are open for business.

    Confidential Information means all information of a party that, (a) has been marked “confidential” or with words of similar meaning at the time of disclosure; or (b) should reasonably be recognized as confidential information of the disclosing party regardless of how it is stored, delivered, provided or learnt by the other party; but does not include any information that was: (i) already in the possession of the receiving party without an obligation of confidentiality; (ii) developed independently by the receiving party, as proven by the receiving party; (iii) obtained from a source other than the disclosing party without an obligation of confidentiality; (iv) any Subscriber Data which has been made available, or is contemplated becoming available, in whole or in part, to any third party not subject to a duty of confidentiality to Subscriber; or (v) any Subscriber Data Consumed under the Panviva API Supplementary Agreement (if applicable). Confidential Information includes all pricing and related terms pertaining to the provision of Services under this Agreement.

    Consumption means the act of initiating, responding to or otherwise engaging with the Panviva APIs (as defined in the Panviva API Supplementary Agreement).

    Corporations Act means the Corporations Act 2001 (Cth).

    Data Breach has the meaning set out in clause 22 of Exhibit 1-C (Security Agreement).

    Documentation means ancillary information provided by Panviva to Subscriber to facilitate or support Subscriber’s use of the Services.

    Fee or Fees means the fee(s) specified in any Order, including the provision of subscriptions, integration, training, and other services (if any) as varied in accordance with this Agreement.

    GST has the same meaning as in the A New Tax (Goods and Services Tax) Act 1999 (Cth), or similar value added tax applicable to the location and nature of services provided.

    Insolvent means, with respect to a party, that:

    1. it is (or states that it is) insolvent (as defined in the Corporations Act);
    2. it has a controller (as defined in the Corporations Act) appointed to any part of its property;
    3. it is in receivership, in receivership and management, in liquidation, in provisional liquidation, under administration or wound up or has had a receiver appointed to any part of its property;
    4. it is subject to any arrangement, assignment, moratorium or composition, protected from creditors under any statute, dissolved (other than to carry out a reconstruction or amalgamation while solvent);
    5. an application or order has been made (and, in the case of an application, it is not stayed, withdrawn or dismissed within 30 days), resolution passed, proposal put forward, or any other action taken, in each case in connection with that person, which is preparatory to or could result in any of the circumstances detailed in any of paragraphs (a), (b), (c) or (d) above;
    6. it is taken (under section 459F(1) of the Corporations Act) to have failed to comply with a statutory demand;
    7. it is the subject of an event described in section 459C(2)(b) or section 585 of the Corporations Act (or it makes a statement from which the other party to this Agreement reasonably deduces it is so subject); or
    8. it is otherwise unable to pay its debts when they fall due.

    Intellectual Property Rights means any and all intellectual and other similar proprietary rights in any jurisdiction, whether registered or unregistered including but not limited to all rights and interests pertaining to or deriving from copyrights, designs, trademarks, trade secrets, know-how, confidential information, patents of all classes, patent applications, inventions and discoveries and all other intellectual property and similar proprietary rights, including, in each case any registrations of, applications to register, and renewals and extensions of any of the foregoing with or in any governmental authority in any jurisdiction, now or hereafter existing.

    Law means Commonwealth and State legislation including regulations, by-laws or other subordinate legislation, common law and equity, requirements of Authorities and Approvals, and guidelines of the Commonwealth, State and local governments and Authorities with which Panviva is legally required to comply.

    Material Breach means any of the following: (i) a failure by Subscriber to make Fee payments in accordance with this Agreement, (ii) a failure by Panviva to establish the Subscriber’s environment on the Platform within 30 days of signing this Agreement, or (iii) a breach of Section 10 of this Agreement.

    Moral Rights means rights of integrity of authorship, rights of attribution or authorship, rights not to have authorship falsely attributed, and rights of a similar nature conferred by statute anywhere in the world that may now exist or that may come to exist in relation to the work.

    Orders means all orders entered into by the parties for the Services.

    Panviva means Panviva Pty Ltd (ACN: 096 472 543).

    Panviva Software means the software developed and owned by Panviva, including any improvements or modifications and which is used in the provision of the Services, and at all times excludes any Subscriber Data.

    Permitted Purpose means for the internal use in Subscriber’s business and specifically excludes using the Services to (a) transmit, share or otherwise communicate Regulated Data; (b) transmit or disseminate any unlawful, harassing, offensive, defamatory or obscene information or any computer virus; (c) allow an Unauthorised User to be a User; or (d) access the Services via APIs in a manner inconsistent with the Panviva API Supplementary Agreement.

    Personnel means the employees, secondees, agents, principals and contractors (who are individuals) of Panviva or Panviva’s associates.

    Personal Information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not about an identifiable individual, or an individual whose identity is reasonably identifiable, from the information or opinion which is received or learnt by Panviva or Panviva’s Personnel from Subscriber, or the Subscriber Group under this Agreement.

    Platform means the hardware, Software, equipment and network infrastructure necessary to host and provide the Service.

    Privacy Act means the Privacy Act 1988 (Cth) as amended from time to time.

    Privacy Laws means the privacy laws applicable in the country of Subscriber’s registered address.

    Related Body Corporate has the meaning given in the Corporations Act.

    Service Credit means a service credit payable in accordance with Section 4, Exhibit 1-A (Service Level Agreement) or Exhibit 1-B (Support Process).

    Service Levels means the service levels set out in Exhibit 1-A (Service Level Agreement) and Exhibit 1-B (Support Process).

    Services means the item(s) selected on the Order which are described at www.panviva.com/terms-and-conditions/services, including any Support Services.

    Software means all software used by or on behalf of Panviva to deliver the features and functionality of the Service, including any update, upgrade or new release relating to that software. For the avoidance of doubt, Software includes any Panviva Software.

    Start Date means the earliest start date set out on the initial Order.

    Subscriber means the company or other entity being part of the Subscriber Group named as the subscriber in an Order.

    Subscriber Contributions means contributions from Subscriber made available to Panviva to enhance the Services.

    Subscriber Data means any material of the Subscriber entered into the Services by Subscriber or a User and used exclusively in the Subscriber’s instance of the Services including (without limitation) User Validation Information where it contains Personal Information under the Privacy Laws.

    Subscriber Group means Subscriber, the Subscriber’s Ultimate Parent and the Ultimate Parent’s Related Bodies Corporate; and includes the entities listed in Exhibit 1-E (Group Entities).

    Subscription Term means the period specified in all applicable Orders.

    Support Services means the support services described in Exhibit 1-B (Support Process).

    Ultimate Parent means where it is not the Subscriber, the ultimate parent entity of the Subscriber.

    Unauthorised User means any user accessing the Services who is not a named User (as updated from time to time) under the Subscription.

    User has the meaning given in Section 1(e).

    User Validation Information means the information supplied by Subscriber to Panviva for login validation of a named User, and is limited to a name for the User, a username, and the email address Subscriber has linked to the User’s name.

Exhibit 1-A

Service Level Agreement

This SLA applies to the Services subscribed for under this Agreement, and only applies to Services classified by Panviva as “in production” on a Supported Platform. For the avoidance of doubt, this SLA does not apply to Services in training or in any other non-production environments.

  1. Service Commitment.

    Panviva will use commercially reasonable efforts to ensure the Services will be available at least 99.5% of the time during each calendar month, excluding Scheduled Maintenance and Exception Maintenance (the “Service Commitment”). Subject to the SLA Exclusions below, if Panviva does not meet the Service Commitment the Subscriber will be eligible to apply for a Service Credit, as described below.

  2. Service Commitments and Service Credits.

    If Panviva does not meet the Service Commitment in a month, the Subscriber may be entitled to a Service Credit based on the total Fees paid or payable for the Services in respect of that month, calculated as follows:

    • if the Monthly Availability Percentage is less than 99.5% but greater than or equal to 99.0%, the Subscriber may apply for a Service Credit of 10% of the total Fees paid or payable in respect of that month; or
    • if the Monthly Availability Percentage is less than 99.0%, the Subscriber may apply for a Service Credit of 30% of the total Fees paid or payable in respect of that month.
  3. Service Credit Request Procedure.

    To be eligible to receive a Service Credit, Subscriber must submit a Service Credit Request claim to Panviva by emailing it to support@panviva.com no later than 14 days following the last day of the month in which the Monthly Availability Percentage is alleged to have been below the Service Commitment. Panviva will be under no obligation to consider applications for Service Credits in relation to any other period. All email claims for Service Credits must include:

    • the words “SLA Credit Request” in the subject line;
    • the dates and times of each unavailability incident; and
    • the Panviva-issued incident number.
  4. Panviva Service Commitment Exclusions.

    The Service Commitment does not apply in the event that an outage to the Service is caused by, or rectification is impacted by:

    • the Service having been altered or damaged by someone other than Panviva;
    • the Service or any portion of it having been incorporated with or into other software not approved by Panviva;
    • negligence, abuse or misapplication of the Service by Subscriber or by any Subscriber personnel, agent or contractor (including, without limitation, any failure by the Subscriber to comply with the Agreement);
    • where the Services have not been used at all times for the Permitted Purpose; or
    • any other factors outside of Panviva’s reasonable control, including, without limitation, any problem with Internet access, or any problems beyond the demarcation point of the Panviva network.
  5. Definitions.

    For the purposes of this SLA:

    Exception Maintenance means periods of time during which Panviva performs emergency maintenance or corrective activity in relation to Services outside of Scheduled Maintenance, and during which the Services may be unavailable. Panviva will use reasonable efforts to minimize interference with the Subscriber’s use of the Services during such periods. If possible, Exception Maintenance activity requiring an outage will be scheduled outside the standard business hours of the location from which the Services are provided.

    Monthly Availability Percentage means the total number of hours in a month minus the number of hours in that month during which the Services were not available (excluding Scheduled Maintenance, and Exception Maintenance where it is in response to an issue that is outside Panviva’s reasonable control), divided by the total number of hours in the month, and then expressed as a percentage.

    Panviva Service Centre Portal means the secure support portal where Subscriber can access the Panviva knowledge base, participate in forums and log and manage support tickets. The Panviva support team operates primarily via the Panviva Service Centre. The Panviva Service Centre is accessed at http://support.panviva.com.

    Scheduled Maintenance means scheduled periods of time during which Panviva performs regular maintenance activity, and during which the Services may be unavailable. Scheduled Maintenance activity requiring an outage will be scheduled outside the standard business hours of the location from which the Services are provided.

    Supported Platforms means the technologies that Panviva has certified for use or integration with the Services by the Subscriber. If the Subscriber uses technologies that are not Supported Platforms with the Services, Panviva will have no obligation to the Subscriber under this SLA. The most up to date list of Platforms Panviva supports can be obtained from the Panviva Service Centre Portal.

Exhibit 1-B

Support process

  1. Support Description.

    1. Availability of Support.

      Panviva will provide to Subscriber’s Nominated Support Users, telephone availability for Severity 1 incidents only (+61 3 9225 1810) twenty-four (24) hours per day, seven (7) days per week, three hundred sixty five (365) days per year and online Service Delivery Desk availability during business hours in the Subscriber’s time zone five (5) days per week (exclusive of Australian national holidays) (“Support”). Support will include any research and resolution activity performed by Panviva.

    2. Nominated Support Users.

      Subscriber will advise Panviva in writing of its employees who are authorized to request Support (“Nominated Support Users”).

    3. Request for Support.

      Subscriber’s Nominated Support Users will make Support requests by telephoning or emailing Panviva’s Personnel providing Support (“Support Staff”) or by submitting a request via the Panviva Service Centre. The Support Staff shall assign to the request the Incident Severity Level (as defined herein) indicated by the requestor, unless after making due enquiries it is reasonably viewed by the Support Staff as miscategorized, in which case the parties will seek to agree on categorization.

    4. Incident Severity Level 1 Response, Restore and Resolution.

      Incidents of Severity Level 1 must be reported by telephone. In the event a Severity 1 Incident is reported by a means other than telephone, Panviva will only be obligated to provide the Service Level applicable to a Severity 2 Incident. Panviva Support shall confirm to the requestor receipt of the request by Panviva.

    5. Incident Severity Levels 2 and 3 Response, Restore and Resolution.

      Support requests for Incident Severity Levels 2 and 3 may not be made by telephone, but must be made either by email or via the Panviva Service Centre. Panviva Support shall confirm to the requestor receipt of the request by Panviva within the Response time for the deemed Severity Level of the Incident. If an Incident Severity Level 2 or 3 request cannot be dealt with to the reasonable satisfaction of the requestor within the Restore time period after the requestor makes the initial request for Support, the parties will mutually agree upon a schedule within which to resolve the request.

  2. Failure to Meet Support.

    If Panviva does not meet the Support commitment, the Subscriber agrees no additional credit beyond the Service Credit arising under Exhibit 1-A (Service Level Agreement) (if any) will apply.

  3. Incident Management Framework

    Defined As

    All incidents that are reported to Panviva will first be validated as issues with the Services and categorized based on their severity. Restoration of the Services or Resolution of issues shall be achieved according to the assigned Severity Level within the times listed below.

    Incidents are categorized into one of the following Severity Levels:

    • Severity 1: Critical Business Impact
    • Severity 2: Major Business Impact
    • Severity 3: Minor Business Impact

    Goals

    | | Category | Service | Target Timeframe |
    |---|---|---|---|
    | Response | Severity 1 | Telephone | 30 Minutes with an update communication every 30 minutes until a resolution timeframe is established |
    | | Severity 2 | Web/Email | 4 Business Hours |
    | | Severity 3 | Web/Email | 1 Business Day |
    | Restore | Severity 1 | Telephone | 4 Business Hours |
    | | Severity 2 | Web/Email | 5 Business Days or as agreed |
    | | Severity 3 | Web/Email | N/A |
    | Resolve | Severity 1 | Telephone | 5 Business Days |
    | | Severity 2 | Web/Email | 30 Business Days or as agreed |
    | | Severity 3 | Web/Email | As soon as reasonably possible. |

    In the above framework:

    • Restore means use of commercially reasonable efforts to make the Services available again, including via temporary business or technical workaround.
    • Resolve means a permanent resolution of the issue using commercially reasonable efforts to meet the time frame.
    • Severity 1 – Critical Business Impact: means an issue that renders the Services inoperative for the majority of Users. When attempting to use Panviva, the majority of Users are prevented from performing a necessary function and there is no immediate workaround.
    • Severity 2 – Major Business Impact: means either an issue causing major functionality to experience a reproducible problem, which causes notable inconvenience to the majority of Users or the minority of Users are prevented from performing a necessary function. A workaround may exist but Users may be impacted.
    • Severity 3 – Minor Business Impact: means an issue causing a function to experience an intermittent problem or a common non-essential operation fails consistently. Use of the Services in the manner intended is not materially affected overall.

    Methodology

    Tracking of incidents by Panviva as outlined within this Support Process is as follows:

    • An integrated Service Desk system tracks and reports support activity.
    • Panviva monitors, optimizes and reports on systems within its own control zone. Subscriber may experience latencies introduced by its Internet access, network and perimeter management systems, or end user devices. These cannot be managed or reported on by Panviva services; however, Subscriber may be required to provide configuration and performance data from these services as part of issue logging.

    Expectations

    Panviva will provide a Root Cause Analysis for Severity 1 Incidents and shall use commercially reasonable efforts to provide such analysis within three Business Days of resolution.

Exhibit 1-C

Security Agreement

This Exhibit is set out in three Parts and each individual Part is to be interpreted as a self-contained compartment in terms of this Security Agreement. For clarity, a commitment in one Part of this Exhibit does not apply in any other Part of this Exhibit unless it is explicitly identified as applying to that section.

    Part 1 – Subscriber Personal Data

  1. Definitions

    Subscriber Personal Data means User Validation Information where it represents Personal Information under the Privacy Laws.

  2. Asset Management
    1. In relation to Subscriber Personal Data, Panviva shall be able to demonstrate understanding and management of legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.
    2. In relation to Subscriber Personal Data, Panviva shall have established governance and risk management processes which address security and cybersecurity risks. The processes to determine risk must include the identification and documentation of:
      • asset vulnerabilities;
      • threats, both internal and external; and
      • potential impacts and likelihoods.
    3. Panviva shall conduct privacy and security risk assessments to ensure Subscriber Personal Data is stored and transmitted in an acceptable and secure manner, including how Subscriber Personal Data is classified, protected, transmitted, retention periods and disposal requirements.
    4. Panviva shall identify and prioritise risk responses where it impacts on Subscriber Personal Data.
  3. Access Control
    1. In situations where Panviva employees access Subscriber Personal Data (“Supplier Users”):
      1. Panviva shall manage identities and credentials for authorised devices and Supplier Users:
        1. all computer accounts are attributable to a uniquely identifiable individual role. The holder of that role has been educated to ensure that passwords and access should not be shared. For clarity, Subscriber Personal Data cannot be accessed via a shared computer account;
        2. password criteria for network operating systems are sufficiently complex, in line with recognised information security standards and expire regularly;
        3. access permissions are managed incorporating the principles of least privilege and separation of duties;
        4. where appropriate, role based access has been implemented;
        5. changes to user accounts and access for new joiners, leavers and internal movers are effectively managed to ensure access to systems is appropriate to a business need and is revoked when no longer required; and
        6. password files on all systems are protected by encryption during transmission and storage;
      2. Panviva shall manage remote access by Supplier Users:
        1. access to Panviva’s network is restricted and protected by appropriate security devices; and
        2. a secure remote access application is used to provide remote access to Panviva’s network, which is authenticated by the use of two-factor authentication; and
      3. Panviva shall perform access reviews on networks, systems and applications at least every 6 (six) months to ensure the joiners, leavers and transfers process is effective.
    2. In relation to Subscriber Personal Data, Panviva shall ensure that access to sensitive areas such as data centres and communications rooms is controlled by adequate security measures commensurate with the sensitivity of these areas, which are regularly reviewed and updated as necessary.
    3. Panviva shall take measures to ensure that physical assets used to process Subscriber Personal Data are adequately protected from loss, theft and damage.
    4. Panviva shall ensure that network integrity used to process Subscriber Personal Data is protected incorporating network segregation where appropriate.
    5. Where logical connections from networks used to process Subscriber Personal Data to other IP networks exist as part of the Services, controls are in place to restrict such network access to only authorised information assets.
  4. Personnel
    1. In situations where Panviva employees access Subscriber Personal Data:
      1. Panviva Personnel are screened for suitability for dealing with confidential information and are required to complete confidentiality, data protection and information security awareness training at least annually; and
      2. Panviva hiring contracts for Personnel (including contractors) cover roles and responsibilities for security, data handling, a requirement to abide by company policies and instructions to keep information confidential. This includes senior executives.
    2. Where Panviva Personnel (including contractors) are authorised to process Subscriber Personal Data on their own devices (i.e. Bring Your Own Device Policy) these devices are protected by a mobile device management (MDM) solution.
  5. Data Security
    1. Panviva shall take appropriate measures to ensure that Subscriber Personal Data at-rest and Subscriber Personal Data in-transit is adequately protected as identified in a documented risk assessment process with documented encryption techniques used and enforced.
    2. Panviva shall formally manage physical and non-physical assets used to process Subscriber Personal Data throughout, including removal, transfers, disposals and/or erasure.
    3. Panviva shall make provision for and monitor that there is adequate capacity to process Subscriber Personal Data to ensure that availability is maintained in a manner consistent with the SLA.
    4. Panviva shall implement adequate protective measures against data loss of Subscriber Personal Data as identified in a documented risk assessment process.
    5. For Subscriber Personal Data, Panviva shall manage effective segregation between development, test and production applications.
    6. Under no circumstances may Subscriber Personal Data be used in development and test environments or for any non-production purposes without the express permission of Subscriber.
    7. Panviva shall use checking mechanisms to verify Subscriber Personal Data integrity.
    8. Applications or third party systems used to store or process Subscriber Personal Data are logically segregated from all other third party systems.
  6. Information Protection Processes and Procedures
    1. Where it impacts on the use or storage of Subscriber Personal Data:
      1. Panviva shall maintain a baseline configuration of information technology systems, which may be updated from time to time; and
      2. Panviva shall manage information systems using a recognised and documented System Delivery Lifecycle (SDLC).
    2. For the production environment where it impacts on the use or storage of Subscriber Personal Data:
      1. Panviva shall manage a documented configuration change control process;
      2. Panviva shall perform backups of systems and ensure that backups are maintained and tested regularly;
      3. Panviva shall perform regular checks to ensure that policy and regulations regarding the physical operating environment are met;
      4. Panviva shall ensure that where required, Subscriber Personal Data is destroyed according to Panviva’s approved methods and policies;
      5. Panviva shall make provision for continually improving information protection processes;
      6. Panviva shall maintain, manage and periodically test response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery); and
      7. Panviva shall maintain a security vulnerability plan.
  7. Maintenance

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall ensure that the maintenance and repair of assets is performed and logged in a timely manner with approved and controlled tools; and
    2. Panviva shall ensure that remote maintenance of assets is approved, logged and performed in a manner which prevents unauthorised access.
  8. Protective Technology

    Panviva shall implement and maintain the secure collection of event data and audit/log records where it impacts on the use or storage of Subscriber Personal Data:

    1. audit/log records must cover as a minimum: system logon/logoff; use of escalated rights or administrative functions; access of sensitive system resources; change or escalation of rights/privileges; and
    2. logs must be held securely, demonstrate non-repudiation and kept for a minimum of 1 (one) year, with 3 (three) months available for analysis.
  9. Anomalies and Events

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall establish, maintain and manage a baseline of network operations and expected data flows for users and systems. This baseline should be included in processes to detect or identify events to be further analysed to understand attack targets and methods;
    2. Panviva shall collect, aggregate and correlate event data and audit logs from multiple sources and sensors;
    3. Panviva shall determine the impact of events considered to warrant further investigation; and
    4. Panviva shall establish incident alert thresholds.
  10. Continuous Monitoring

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall monitor the network to detect potential security events or incidents;
    2. Panviva shall monitor for unauthorised personnel, connections, devices and software;
    3. Panviva shall detect malicious code; and
    4. Panviva shall scan the network, network devices, servers and endpoints for vulnerabilities.
  11. Detection Processes

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall assign roles and responsibilities for detection which are well defined to ensure accountability;
    2. Panviva shall ensure that detection activities meet applicable standards including those identified in a cybersecurity risk assessment;
    3. Supplier shall test detection processes for effectiveness and adequacy regularly and at least annually;
    4. Panviva shall ensure that event detection information is communicated to appropriate parties internally at Panviva; and
    5. Panviva shall continuously improve detection processes.
  12. Response and Recovery

    For the production environment where it impacts on the use or storage of Subscriber Personal Data:

    1. Panviva shall ensure that a response plan is in place and that it is executed during or after an event;
    2. Panviva shall ensure that Personnel know their roles and order of operations when a response to an event is needed;
    3. Panviva shall ensure that events are reported consistent with Panviva’s established criteria;
    4. Panviva shall ensure that information is shared consistent with response plans including where applicable coordination with stakeholders;
    5. consistent with Panviva’s established criteria:
      1. Panviva shall investigate notifications from detection systems;
      2. Panviva shall analyse the impact of the incident so that it is well understood;
      3. Panviva shall arrange forensic analysis of events as needed;
      4. Panviva shall categorise incidents consistent with response plans; and
      5. Panviva shall seek to contain and mitigate incidents;
    6. where viewed as warranted Panviva shall mitigate newly identified vulnerabilities or document acceptance of risk consistent with the risk management process;
    7. Panviva shall improve response and recovery plans by:
      1. updating response and recovery strategies; and
      2. incorporating lessons learned; and
    8. Panviva shall communicate unscheduled recovery activities to internal stakeholders and executive and management teams.
  13. Part 2 – Subscriber Data

  14. Definition

    In this Part 2 of this Exhibit:

    Industry Practice means operations consistent with ISO/IEC 27001 – Information Security Management Systems – Requirements.

  15. Security Program
    1. Panviva must develop, maintain and implement a written information security program of policies, standards and procedures governing the processing, storage and transmission of Subscriber Data (Security Program).
    2. The Security Program must include practices and processes designed to protect Subscriber Data from unauthorised access, acquisition, use, disclosure, corruption or destruction and which are consistent with Industry Practice.
  16. Compliance with Standards

    Panviva must ensure all data centres from which the Services are provided:

    1. are certified to comply with ISO/IEC 27001 – Information Security Management Systems – Requirements; and
    2. are subject to annual independent SSAE 18 audits by an appropriately qualified auditor. The reports from those audits (at a minimum a SOC 2 Type 2 service auditor report) must be provided to Subscriber upon written request.
  17. Location of Data, Software and Hardware

    In performing the Services, the Subscriber Data must be hosted and processed in accordance with the Agreement.

  18. Physical Security

    Panviva must use subcontractors that meet ISO/IEC 27001 – Information Security Management Systems – Requirements.

  19. Administrative Security

    In relation to Subscriber Data, Panviva must ensure that only the necessary persons to enable Panviva to meet its obligations under the Agreement have access to Subscriber Data and implement the following minimum administrative security measures:

    1. “Security Awareness” – Panviva must maintain and comply with a security awareness program, including ensuring that all Panviva Personnel and contractors that have access to Subscriber Data participate in training on security practices as well as ongoing and regular refresher training detailing the importance of privacy and security; and
    2. “Vendor Security Risk management” – Where vendors are permitted to access Subscriber Data under the Agreement, Panviva must maintain and comply with a vendor security risk management program to assess all vendors that access, store, transmit or process Subscriber Data.
  20. Information Security

    In relation to Subscriber Data, Panviva must ensure that information security measures consistent with Industry Practice are in place, including implementing the following minimum information security measures:

    1. “Access Management” – Panviva must establish user access policies and procedures, and implement supporting business processes and technical measures for ensuring identity entitlement and access management for all Panviva Personnel, contractors and permitted subcontractors;
    2. “Multi-factor Authentication Access Control” – Panviva must use multi-factor authentication for remote access;
    3. “Data Security” – Panviva must cryptographically protect the authenticity, integrity and confidentiality of Subscriber stored data at rest (e.g. servers, databases) and in use (e.g. memory) using controls approved by Subscriber in writing (e.g. AES-256);
    4. “Vulnerability Management” – Panviva must establish and comply with policies, procedures, supporting processes and technical measures for the timely detection of vulnerabilities in Panviva’s IT environment, including utilising a risk-based model for prioritising remediation of identified vulnerabilities;
    5. “Threat Detection and Prevention” – Panviva must establish and comply with policies, procedures, supporting processes and technical measures to detect and prevent threats in order to protect the Services and infrastructure used to provide the Services;
    6. “Change Control” – Panviva must ensure that all changes to platform, applications and infrastructure related to the Services are controlled and implemented following a standard procedure;
    7. “Logging and Monitoring” – Panviva must ensure that log activities are centrally collected, in a tamper resistant solution and are monitored;
    8. “Network Security” - Panviva’s perimeter network systems must run behind a DMZ, with internal networks and servers protected by firewalls; and
    9. “Communications Security” – Panviva must protect the authenticity, integrity and confidentiality of Subscriber Data in transit.
  21. Backups and Service Continuity
    1. “Data Centres” - The data centres from which the Services are provided will be physically located in separate geographical locations and operate on a segregated network. Each data centre will include full redundancy (N+1) and fault tolerant infrastructure for power, internet connections, cooling and fire protection.
    2. “Backups” - Panviva will perform regular backups of Subscriber Data.
  22. Security Testing

    Panviva will have independent penetration testing of all Services and the service delivery environment performed no less frequently than annually by an appropriately qualified or certified organisation, provide Subscriber with a summary report detailing the test results on request and promptly remedy any issues or deficiencies identified.

  23. Part 3 – Data Breach

  24. Definition

    In this Part 3 of this Exhibit:

    Data Breach means unauthorized access, use, disclosure, modification, destruction, corruption or loss of Subscriber Data. For clarity, a Data Breach does not include (i) any access or actions of a User, (ii) data that is not Confidential Information or (iii) any Subscriber Data made available under the Panviva API Supplementary Agreement.

  25. Response to Data Breach

    For Subscriber’s production environment:

    1. Panviva shall as soon as practicable, and in any event within 72 (seventy two) hours of when Panviva becomes aware of such breach, notify Subscriber in writing should it become aware of, or reasonably suspect there has been, any actual or alleged Data Breach;
    2. promptly provide Subscriber with a description of: (i) the nature of the Data Breach, including (if applicable for the Data Breach) the volume and type of Subscriber Personal Data affected and the categories and approximate number of individuals concerned; and (ii) the measures taken or proposed to be taken to address the Data Breach including, where appropriate, measures to mitigate its possible adverse effects;
    3. provide Subscriber with assistance that may be reasonably required by Subscriber to manage the Data Breach. Panviva shall provide this assistance at no additional cost to the extent the Data Breach is the result of Panviva’s negligence; otherwise, Subscriber shall pay Panviva for the reasonable pre-agreed costs of the steps Subscriber takes in complying with this sub-clause;
    4. take immediate remedial action to secure the Subscriber Personal Data and to prevent re-occurrences of the same or similar incident and provide Subscriber with details of such remedial action; and
    5. not report a Data Breach to any national regulator or law enforcement body unless instructed to do so by Subscriber, or if, in Panviva’s opinion, it is required to comply with its obligations under any law.

Exhibit 1-D

API Supplementary Agreement

Subscriber and Panviva agree as follows:

  1. API Subscription.

    1. The API Subscription Agreement Terms and Conditions (“API Terms”) shall apply to Subscriber’s use of any API Services described in any Order signed by Subscriber and Panviva.
    2. Subscriber’s use of the API Service is set out in the following documents: (i) this API Supplementary Agreement; (ii) Panviva’s Subscription Agreement Terms and Conditions (“Subscription Terms”); and (iii) other API policies or procedures of Panviva as otherwise communicated to Subscriber (“General API Policies”). When we use the term “Agreement” in this Exhibit, we are referring collectively to all of them.
    3. During the Subscription Term, Panviva grants to Subscriber a non-exclusive, non-transferable right for Applications, to access and use the API Services for the Permitted Purpose subject at all times to the Agreement. Subscriber must ensure that their use of the API Service complies with the Agreement and must use reasonable efforts to prevent unauthorized access to, or use of, the API Services.
    4. Capitalized terms not defined in the other documents making up the Agreement (as described in 1(b)) shall have the meanings set forth in Section 11 of this Exhibit. In interpreting the Agreement for API Services, the order shall be as set out in this Section 1(b).
  2. Fees.

    1. Subscriber’s API Consumption in any period shall not exceed the quantum pre-paid and subscribed for in their current Order, unless the Subscriber has a current Order explicitly permitting API Consumption invoiced in arrears. In all situations, Subscriber agrees to be liable to pay all API Consumption in excess of their pre-paid API Consumption quantity.
  3. Panviva support obligations.

    1. This Agreement does not entitle Subscriber to any support for the API Services beyond materials made available at the Developer Website, or any Application of the Subscriber, unless Subscriber makes separate arrangements with Panviva for such support.
    2. Subscriber acknowledges and agrees that Panviva has no obligation to provide support or technical assistance to any End Users of any Application or to any End User, and Subscriber shall not represent to any such End Users that Panviva is available to provide such support.
    3. Subscriber is solely responsible for providing all support and technical assistance to End Users and its Applications. Subscriber agrees to use commercially reasonable efforts to provide support to users of its Applications.
  4. Modifications

    1. Subscriber acknowledges and agrees that Panviva may modify these API Terms, the API Services, the API, the General API Policies from time to time (a “Modification”). Subscriber will be notified of a Modification to the API Services or the API specifications through notifications or posts on the Developer Website. All other Modifications shall be communicated through a form of direct communication from Panviva to Subscriber. Subscriber further acknowledges and agrees that such Modifications may be implemented at any time and without any notice to Subscriber. Subscriber shall, within thirty (30) days from the date of first notice of any Modification(s) (or such shorter period of time specified in the notice of the Modification(s)) (the “Conformance Period”) comply with such Modification(s) by implementing and using the most current version of the API and making any changes to Applications that may be required as a result of such Modification(s).
    2. Subscriber acknowledges that a Modification may have an adverse effect on Applications, including but not limited to changing the manner in which Applications communicate with the API and display or transmit Subscriber Data. Panviva shall have no liability of any kind to Subscriber or any user of Subscriber’s Applications with respect to such Modifications or any adverse effects resulting from such Modifications. Subscriber’s continued access to or use of the Services or API following the Conformance Period shall constitute binding acceptance of the Modification(s) at issue.
  5. API Restrictions.

    1. In order to use and access the API, Subscriber must obtain API credentials (a “Token”). Subscriber may not share its Token with any third party, shall keep such Token and all Login information secure, and shall use the Token as Subscriber’s sole means of accessing the API.
    2. Subscriber’s Applications shall not substantially replicate products or services offered by Panviva, including, without limitation, functions or features intended to lessen demand for subscriptions to Panviva’s Client services, or lessen Consumption of API Services.
    3. Applications may not use or access the API Services or any other Service in order to monitor the availability, performance, or functionality of any of the API Services or a Service or for any similar benchmarking purposes.
    4. Subscriber shall not, under any circumstances, through Applications or otherwise, repackage or resell the Services, or any part thereof.
    5. Except as specifically provided for in an Order, Subscriber shall not cache, store or otherwise hold any repository of API Call responses such as to lessen or reduce Consumption by any End User. For the avoidance of doubt, any modification to the use case where limited caching was previously approved in an Order, requires new written approval from Panviva.
    6. Subscriber is not permitted to use the API Services in any manner that does, or could, potentially undermine the security of the Services, Subscriber Data or any other data or information stored or transmitted using the Services.
    7. Subscriber represents, warrants and covenants that it will include the mandatory terms of service provisions listed in Section 5(h) below (“Mandatory Service Terms”) in their terms of service (“App Terms of Service”) that govern use of its End User Applications. Such Mandatory Service Terms are a minimum set of provisions and Subscriber may have more exhaustive App Terms of Service. Subscriber may change the term references to match the terms used in its App Terms of Service.
    8. Mandatory Service Terms:
      1. End User may not modify, reverse engineer, decompile or disassemble the Application in whole or in part, or create any derivative works from or sublicense any rights in the Application, unless otherwise expressly authorized in writing by Subscriber.
      2. The Subscriber maintains all rights, title and interest in and to all its respective patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights (collectively, “IP Rights”). The rights granted to End User to use the Application under these App Terms of Service do not convey any additional rights in the Application, or in any IP Rights associated therewith. Subject only to limited rights to access and use the Application as expressly stated herein, all rights, title and interest in and to the Application and all hardware, software and other components of or used to provide the Application, including all related IP Rights, will remain with and belong exclusively to the Subscriber. Subscriber shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable and perpetual license to incorporate into the Application or otherwise use any suggestions, enhancement requests, recommendations or other feedback it receives from End User.

      -End of Mandatory Service Terms-

  6. Subscriber warranty.

    Subscriber represents and warrants that API Use and its Applications are not intended, designed, or marketed for use in environments requiring fail-safe performance (e.g., emergency medical care, hazardous activities) or in which the failure of the API Services could lead to death, personal injury, or severe physical or environmental damage. Subscriber acknowledges and agrees that the API Services are designed and intended for general business use only and not for the foregoing purposes.

  7. Subscriber Obligations

    1. Subscriber acknowledges that Subscriber is solely responsible, and that Panviva has no responsibility or liability of any kind, for the content, development, operation, support or maintenance of Applications. Without limiting the foregoing, Subscriber will be solely responsible for (a) the technical installation and operation of its Applications; (b) creating and displaying information and content on, through or within its Applications; (c) ensuring that its Applications do not violate or infringe the Intellectual Property Rights of any third party; (d) ensuring that Applications are not offensive, profane, obscene, libelous or otherwise illegal; (e) ensuring that its Applications do not contain or introduce malicious software into a Service, any Subscriber Data or other data stored or transmitted using the Service; and (f) ensuring that its Applications are not designed to or utilized other than for a Permitted Purpose.
    2. Subscriber will respect and comply with the technical and policy-implemented limitations of the API Service and the restrictions of this Agreement in designing and implementing Applications. Without limiting the foregoing, Subscriber shall not violate any explicit rate limitations on calling or otherwise utilizing an API Service.
    3. Subscriber shall not, and shall not attempt to: (a) interfere with, modify or disable any features, functionality or security controls of the API Services, (b) defeat, avoid, bypass, remove, deactivate or otherwise circumvent any protection mechanisms for the API Service, or (c) reverse engineer, decompile, disassemble or derive source code, underlying ideas, algorithms, structure or organizational form from the API Service.
  8. Disclaimer of Warranties

    1. ALL ASPECTS OF THE API SERVICES, INCLUDING ALL NETWORK COMPONENTS ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND TO THE FULLEST EXTENT PERMITTED BY LAW, AND PANVIVA EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. SUBSCRIBER ACKNOWLEDGES THAT PANVIVA DOES NOT WARRANT THAT THE API SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR-FREE OR FREE FROM VIRUSES OR OTHER MALICIOUS SOFTWARE, AND NO INFORMATION OR ADVICE OBTAINED BY SUBSCRIBER FROM PANVIVA OR THROUGH THE SERVICE SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.
  9. Limitation of Liability

    1. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS AGREEMENT, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA, BUSINESS INTERRUPTION, LOSS OF GOODWILL, OR FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER LOSS OR DAMAGES INCURRED BY SUCH PARTY OR THIRD PARTY IN CONNECTION WITH THIS AGREEMENT OR THE API SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
    2. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, PANVIVA’S AGGREGATE LIABILITY TO SUBSCRIBER OR ANY THIRD PARTY ARISING OUT OF THIS AGREEMENT, SHALL IN NO EVENT EXCEED ONE HUNDRED U.S. DOLLARS ($100.00). ANY CLAIM ARISING OUT OF OR RELATING TO THIS AGREEMENT MUST BE BROUGHT WITHIN ONE (1) YEAR OF THE FIRST EVENT OR OCCURRENCE GIVING RISE TO THE CLAIM.
    3. Some jurisdictions do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages, which means that some of the above limitations may not apply to Subscriber. IN THESE JURISDICTIONS, PANVIVA’S LIABILITY WILL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW. The limitations set forth in this Section 9 will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose.
  10. Subscriber Indemnity.

    1. Subscriber agrees to indemnify, defend and hold harmless Panviva and its shareholders, directors, officers, employees, suppliers and licensors (each, a “Panviva Indemnified Party” and collectively, “Panviva Indemnified Parties”) from all Claims, including reasonable attorneys’ fees, costs, and expenses incidental thereto, relating to any Claim against any Panviva Indemnified Party arising out of or relating to Subscriber’s use of the API Services.
  11. Definitions.

    For purposes of these API Terms, capitalized terms not defined below have the meaning set forth in the Subscription Agreement, or such other applicable document forming part of this Agreement.

    API means an API and any accompanying or related documentation, specifications, executable applications and other materials made available by Panviva, including, without limitation, through its Developer Website; which is applicable to the development, implementation or Publishing of Subscriber Data, or information relating to Subscriber Data.

    API Call means a request by an Application that accesses or seeks to access an API.

    API Services means the item(s) selected on the Order which are described under Panviva API at www.panviva.com/terms-and-conditions/services/.

    Application means any software service, system or application developed, owned or subscribed to by Subscriber that utilizes or interacts with the API and is able to Publish, including without limitation any End User Application. For the avoidance of doubt, the Panviva Client and the API Services are not an Application for the purposes of this Agreement.

    Consumption means the act of initiating, responding to or otherwise engaging in making API calls.

    Confidential Information for the purposes of these API Terms means all information of a party that, (a) has been marked “confidential” or with words of similar meaning at the time of disclosure; or (b) should reasonably be recognized as confidential information of the disclosing party regardless of how it is stored, delivered, provided or learnt by the other party; but does not include any information that was: (i) already in the possession of the receiving party without an obligation of confidentiality; (ii) developed independently by the receiving party, as proven by the receiving party; (iii) obtained from a source other than the disclosing party without an obligation of confidentiality; (iv) any Subscriber Data which has been made available, or is contemplated becoming available, in whole or in part, to any third party not subject to a duty of confidentiality to Subscriber; or (v) any Subscriber Data Consumed under this Panviva API Supplementary Agreement. Confidential Information includes all pricing and related terms pertaining to the provision of Services under this Agreement.

    Developer Website means the website to assist Subscribers in using Panviva APIs at dev.panviva.com.

    End User means the ultimate individual or Application Consuming the API Services.

    End User Application means any Application made available to End Users.

    External Consumer means where the End User is not an Internal Consumer.

    Internal Consumer means employees, agents, or subcontractors of the Subscriber who Consume API Services via an Application to support the internal business activities of the Subscriber.

    Panviva Client means the Panviva client application made available to Subscriber under the Subscription Terms.

    Publish means making any Subscriber Data available either (i) to any Internal Consumer other than via the Panviva Client or (ii) to any External Consumer by any means other than verbally by a natural person accessing Subscriber Data via the Panviva Client.