AFFILIATE TERMS AND CONDITIONS 

1. INTERPRETATION  

1.1       The definitions and rules of interpretation in this clause apply in this agreement.

Affiliate: means you, the person or entity who applies to participate in the Affiliate Program.

Affiliate Application: the application form found at https://partners.gan.com whereby the Affiliate applies to participate in the Affiliate Program.

Affiliate Program: the collaboration between the Company and the Affiliate whereby the Affiliate will promote the Website and create links from the Link Pages to the Website and thereby be paid a Commission subject to the terms and conditions of this agreement and any addendum entered into pursuant to its terms.

Affiliate Sites:  the websites maintained and operated by the Affiliate.

Approval: means any and all required approvals, authorisations, licences, transactional waivers, permits, consents, findings of suitability, registrations, clearances, exemptions and waivers of or from any Competent Authority.

Business Day:  a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

Commission: the commission payable to the Affiliate in accordance with this Agreement and calculated in accordance with Clause 6.

Company: GAN Nevada, Inc. of Suite 125, 10801 W. Charleston Blvd., Summerlin, Nevada 89135, United States of America.

Company Trade Mark Guidelines:  the guidelines for use of the trade marks, logos and branding from time to time as made available in the media gallery on the GAN Partners Portal.

Competent Authority: means collectively, those international, federal, state, local, foreign and other governmental, regulatory and administrative authorities, agencies, commissions, boards, bodies and officials or other regulatory body or agency including those who have jurisdiction over (or are responsible for or involved in the regulation of) the gaming and gambling activities in the State of New Jersey from time to time.

GAN Partners Portal: the portal made available by the Company through which the Affiliate is able to access marketing materials and commission information.

Link Pages:  the web pages of the Affiliate Sites that provide a hyperlink directly to one or more pages of the Website.

Minimum Deposit: a minimum real money transfer requirement set for one or more Affiliates, New Customers, or real money transfer, as from time to time may be communicated to one or more Affiliates or New Customers by the Company.

New Customers: individuals who access the Website via clicking the tracking links on the Affiliate Sites, properly register on the Website and then make real money transfers at least equivalent to the Minimum Deposit into their website account, who do not yet have, and have not had an account with the Company (or any member of the group of companies to which it belongs), and whose account has not been closed indefinitely or for a period exceeding 3 months.

Website: the websites located at www.betocean.com and www.playlive.com.

2. AFFILIATE APPLICATION

2.1       In support of an Affiliate Application, the Affiliate is required to provide the Company with a copy of all Approvals required to operate as an affiliate which, in the case of the State of New Jersey, includes but is not limited to (i) a completed Vendor Registration Disclosure Form (“VRDF”) and Vendor Registration Supplemental Disclosure Form (“VRSDF”), as submitted to the New Jersey Division of Gaming Enforcement (“DGE”); (ii) your Vendor Registration Number (“VRN”); (iii) any other applications and/or information reasonably required by the Company to ensure that the Affiliate is able to perform the Affiliate’s obligations under this agreement. 

2.2       The Company shall have the right to terminate this agreement with immediate effect in the event of any of the following: (i) the Affiliate has not obtained and provided the Company with all necessary Approvals; or (ii) the VRDF and VRSDF are not submitted to the DGE within thirty (30) days of the date of this agreement; or (iii) the VRDF or VRSDF is rejected by the DGE; or (iv) any Competent Authority, including but not limited to the DGE, requires the Company to terminate this agreement.

2.3       In the event that any Commission has been paid or is payable to you in respect of any period prior to termination of this agreement in accordance with Clause 2.2 above, all unpaid Commission shall automatically be voided and you shall refund any Commission paid prior to termination within five (5) days of such termination.

2.4       The Company shall evaluate the Affiliate Application hereby submitted and shall notify the Affiliate in writing (which may be by email) whether the Affiliate Application is accepted or not. The Company reserves the right to refuse any registration in its sole and absolute discretion. The Company’s decision is final and not subject to any right of appeal.

2.5       Subject to the Affiliate Application being accepted in accordance with Clause 2.4, the Affiliate is granted the non-exclusive non-assignable right to direct New Customers to the Website in accordance with the terms set out in this agreement.

2.6       This agreement is non-exclusive and does not prevent or restrict the Company from entering into similar or different agreements with third parties. The Company makes no representation that the terms of this agreement are similar to or the same as the terms of any other agreement it has entered or may enter into with any third party.

 

3. QUALIFYING CONDITIONS

The Affiliate hereby represents and warrants that:

(a)        it has, and will retain throughout the term of this agreement, title and authority to enter into this agreement, and to perform all its obligations in this agreement;

(b)        it has provided the Company with complete, valid and truthful information;

(c)        it has obtained and will maintain in force all Approvals including all necessary registrations, authorizations, consents and licenses necessary to fulfil its obligations under this agreement;

(d)        it shall comply with all applicable laws and regulations in the performance of its obligations; and

(e)        it fully understands and accepts the contents of this agreement.

 

4. COMPANY’S RIGHTS AND OBLIGATIONS  

4.1       The Company shall be responsible for developing, operating and maintaining the Website.

4.2       Subject to Clause 2, the Company shall assign a unique player tracking code to the Affiliate and unique tracking identification codes for each New Customer. By means of the player tracking code, New Customers acquired via the Link Pages on the Affiliate Site and the bets placed during such sessions are registered and/or can be tracked.

4.3       The Company shall provide New Customers clicking through directly from the Link Pages access to and use of the Website in accordance with the Company’s terms and conditions and policies and procedures from time to time.

4.4       The Company shall administer the turnover generated via the Link Pages, record the net revenues and the total amount of Commission earned via the Link Pages and shall via the GAN Partners Portal provide the Affiliate with commission statistics, and handle all customer services related to the business of the Company.

4.5       Subject to the Affiliate complying with its obligations under this agreement, the Company shall pay the Affiliate its applicable Commission.

4.6       The Company may at any time or times without notice to Affiliate:

(a)        change the name of the Website; and

(b)        change the Company Trade Mark Guidelines.

4.7       The Company reserves the right to freeze the Affiliate’s account with immediate effect and/or deduct money from the Affiliate if any traffic is deemed to have been referred through fraudulent means or in breach of this agreement.

4.8       The Company reserves the right to request any information from the Affiliate for due diligence purposes in line with its obligations under applicable law as it may from time to time deem fit.

4.9       The Company may refuse any applicant’s New Customer or close a New Customer's account if in the sole opinion of the Company, such action is deemed to be necessary to comply with the Company’s internal policies and/or to comply with all applicable laws and regulations.

4.10     The Company may refuse any applicant Affiliate and/or may close any Affiliate's account if in the sole opinion of the Company it is necessary to comply with its internal policies and/or to comply with all applicable laws and regulations. If the Affiliate is in breach of this agreement, the Company may, besides closing the Affiliate's account, take any other steps at law to protect its interests.

 

5. AFFILIATE’S OBLIGATIONS

5.1       The Affiliate shall use all reasonable commercial efforts to market and promote the Website and the products and services available on the Website and shall prominently display the Link Pages on the Affiliate Site(s) in accordance with what is agreed between the Company and the Affiliate.

5.2       The Affiliate shall be responsible for developing, operating and maintaining the Affiliate Website and for all materials that appear on it. In particular, but without limiting the generality of the foregoing, the Affiliate shall be responsible for:

(a)        the proper functioning and maintenance of the Affiliate Site and all Page Links to the Website;

(b)        compliance with the Company Trade Mark Guidelines and shall not alter any marketing materials provided by the Company without its consent which may be withheld in its absolute discretion;

(c)        ensuring that all news, offers and promotions in relation to the Company and/or the Website are current and up to date.

5.3       The Affiliate hereby undertakes, represents and warrants that:

(a)        it will not perform any act, and the Affiliate Website will not contain any material, which is libellous, discriminatory, obscene, threatening, unlawful or otherwise unsuitable or which contains sexually explicit, pornographic, obscene or graphically violent materials;

(b)        it will not target any person who is under the age of 21, and shall not engage in any marketing or promotional practices that are designed to appeal to persons under the age of 21;

(c)        it will not send any messages to promote the Websites to any of the following persons: (i) those who are known by the Affiliate to be self-excluded from other sites and/or with the DGE; and/or (ii) have been notified by the Company to the Affiliate as being self-excluded;

(d)        it will not target any persons located in any State other than New Jersey;

(e)        it acknowledges the Company's ongoing commitment for the prevention of problem gambling and that the Affiliate will co-operate with the Company to actively reduce gambling addictions by, for example, placing links provided by the Company on the Affiliate Site(s) which direct traffic to websites involved in the business of helping problem gamblers;

(f)         that it will not generate traffic to the Website by illegal or fraudulent activity, particularly but not limited to by:

(i)         sending spam or unsolicited mail in its attempt to refer New Customers to the Website;

(ii)        registering as a player or making deposits directly or indirectly to any player account through his tracker(s) for its own personal use and/or the use of its relatives, friends, employees or other third parties, or in any other way attempt to artificially increase the commission payable or to otherwise defraud the Company. Violation of this sub-clause shall be deemed to be fraud; and

(iii)       that it will not present the Affiliate Site(s) in such a way that it might evoke any risk of confusion with the Website and/or the Company or convey the impression that the Affiliate Site(s) is partly or fully associated with/from the Website and/or the Company.

(g)        it will provide the Company without undue delay and in any event within 48 hours with any request by any recipient of messages promoting the Websites to opt-out of receiving future emails or promotions in accordance with the US CAN-SPAM Act.

(h)        not register or purchase domain names, keywords, search terms or other identifiers for use in advertising or search or referral services which are similar or identical with the intellectual property rights of the Company and its group companies or which include the word “Ocean” or variations thereof. The Affiliate shall not create any applications or Internet pages falsely representing BetOcean Online Casino in any way, shape or form on any social media channels (including, but not limited to, Facebook, Google +, Twitter etc.).

5.4       The Affiliate shall submit to the Company for prior approval any proposed use of any Company trade mark, domain name, logo, and other elements of branding that the Affiliate may wish to make.

5.5       The Affiliate shall provide the Company with:

(a)        all co-operation in relation to this agreement; and

(b)        all access to such information as may be required by the Company, as is necessary for the proper performance of the Company’s obligations under this agreement and/or in order to comply with all applicable laws and regulations.

5.6       The Affiliate acknowledges and agrees that it has no authority to legally bind the Company in relation to New Customers, other users or anyone else and that it has not been appointed and is not the agent of the Company for any purpose. The Affiliate agrees that it shall not make to anyone any representation or commitment about the Company, the Website or any of the products or services available on the Website.

5.7       The Affiliate shall comply with all applicable laws and regulations with respect to its activities under this agreement and to its business including but not limited to ensuring that all of its general marketing and promotional materials in relation to the Website are truthful, not misleading and fully compliant with all applicable law.

 

6. CHARGES AND PAYMENT  

6.1       The terms of any Commission payable pursuant to this agreement shall be set out in an addendum to this agreement which may only be modified in accordance with the terms of this agreement.

6.2       All Commissions under this Agreement shall be calculated from the date on which the Company has (to its entire satisfaction) received all of the information required pursuant to clause 2.1. The Affiliate shall not be entitled to any Commission in relation to any period prior to the applicable aforementioned date.

6.3       Affiliate acknowledges and agrees that no payments are due to it under this agreement otherwise than as expressly set out in this agreement.

6.4       Payment of Commissions validly due under this agreement shall be made in accordance with the payment method chosen by the Affiliate on the GAN Partners Portal. If an error is made in the calculation of the Commission, the Company reserves the right to correct such calculation at any time. In the case of any overpayment by the Company, the Company reserves the right to request a refund from the Affiliate or deduct the corresponding amount of overpayment to the Affiliate from the following month’s Commission, and each month thereafter, until the debt is repaid in full.

6.5       Except in the case of manifest error, the Company shall pay the Affiliate the amount shown in the GAN Partners Portal within thirty (30) days of the end of the relevant monthly period.

6.6       The Affiliate's acceptance of the payment of the Commission shall be deemed to constitute the full and final settlement of the balance due for the relevant period.

6.7       The Company may in its sole discretion withhold the payment of any balance to the Affiliate for up to one hundred and eighty (180) days if the Company needs to investigate and verify that the relevant transactions comply with the provisions of the agreement.

6.8       No payment of Commissions shall be due if the Company has reasons to believe that the traffic generated by the Affiliate is illegal or is in breach of any of the provisions of the agreement.

6.9       The Affiliate agrees to return all Commissions received based on fraudulent or falsified transactions and indemnify the Company for all costs and losses incurred in relation to such transactions (including, but without limitation, legal fees and costs).

6.10     The Affiliate is required to provide proof of VAT registration to the Company if deemed applicable by the Company and as further specified from time to time by the Company at its sole discretion. Payment of any Commission is subject to the Affiliate providing the Company with a fully completed W-9 form, and such updated W-9 form whenever there is a change in one or more of the details of its W-9 form.

6.11     The Company shall be entitled to deduct and withhold from any amounts payable under this agreement that the Company is required to deduct and withhold under any applicable tax laws at the applicable rate for such withholding.

6.12     The Affiliate shall notify the Company of any change in its contact or address details and shall duly complete all relevant forms requiring completion by any taxation or other government authority in relation to its activities under this agreement.

 

7. PROPRIETARY RIGHTS  

The Affiliate acknowledges and agrees that the Company and its licensors own all intellectual property rights in the Website and all the Company’s products and services. Except as expressly stated herein, this agreement does not grant the Affiliate any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences belonging to the Company. All such rights are reserved to the Company.

 

8. CONFIDENTIALITY  

8.1       Each party undertakes that it shall not at any time during this agreement, and for a period of five years after termination of this agreement, disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party or of any member of the group of companies to which the other party belongs (“Confidential Information”), except as permitted by Clause 8.2.

8.2       Each party may disclose the other party’s confidential information:

(a)        to its employees, officers, representatives or advisers who need to know such information for the purposes of exercising the party’s rights or carrying out its obligations under or in connection with this agreement. Each party shall ensure that its employees, officers, representatives or advisers to whom it discloses the other party’s confidential information comply with this Clause 8; and

(b)        as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority or listed stock exchange.

8.3        No party shall use any other party’s confidential information for any purpose other than to exercise its rights and perform its obligations under or in connection with this agreement.

8.4       Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.

8.5       This Clause 8 shall survive termination of this agreement, however arising.

 

9. DATA PROTECTION. PRIVACY NOTICE  

9.1.       The Company and the Affiliate shall comply with the applicable data protection laws and regulations when processing Personal Data.

9.2.       If the Affiliate needs to process Personal Data on behalf of the Company for the performance of the Affiliate Program, it shall Process Personal Data in accordance with the General Terms and Conditions of the Data Processing Agreement for Marketing Partners, where the Company shall act as the Controller, and the Affiliate as the Processor.

9.3.       This Privacy Notice explains how the Company collects and Processes the Affiliate’s Personal Data within the collaboration under the Affiliate Program. ‘Processing’ of Personal Data includes any operation or set of operations which is performed regarding Affiliate’s Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.

9.4.       Who is the controller of the Affiliate’s Personal Data? Any Personal Data provided to the Company by the Affiliate(s) as a part of the Affiliate program is controlled and Processed by GAN UK Limited (company registration number 3883658, registered office address at c/o Memery Crystal, 165 Fleet Street, London, England EC4A 2DY) or any company within a group of companies of GAN Limited and its affiliated, parent, subsidiary or linked companies under the common control of the same business group or those affiliated or linked to a parent company or to any company of the same group (in each case separately or collectively referred to as the ‘Company’).

9.5.       What Personal Data do we collect? The Company collects and Processes the following Personal Data of the Affiliates:

  • username;
  • email address;
  • first name;
  • last name;
  • company name;
  • phone number;
  • address, city, state, zip code, country;
  • website URL;
  • target market details;
  • preferred contact method.

9.6.       How does the Company collect the Affiliate’s Personal Data? The Company collects this Personal Data directly from the Affiliate when the Affiliate signs up for the Affiliate Program or updates its profile. The Affiliate should inform the Company in written form without undue delay about any changes to previously mentioned Personal Data Processed, about inaccurate or incomplete Personal Data.

9.7.       How will the Company use the Affiliate’s Personal Data? The Company Processes the Affiliate’s Personal Data for the following purposes:

  • to assess the Affiliate’s suitability to participate in the Affiliate Program (legal basis: legitimate interest);
  • to calculate and process payments related to the Affiliate Program (legal basis: contract performance);
  • to manage Affiliate’s account, which includes communicating with the Affiliate, sending important information related to the Affiliate Program, such as updates to terms and conditions, new promotional offers, payment notifications, and general program announcements (legal basis: contract performance);
  • to perform monitoring, analyzing and reporting on the Affiliate's marketing performance (e.g., clicks, conversions, sales) to calculate commissions, maintain performance reports, and optimize the Affiliate program (legal basis: contract performance);
  • to improve the Company’s services and ensure the most effective business operation (legal basis: legitimate interest);
  • marketing and promotion of the Affiliate Program, which includes but is not limited to sending affiliates information and resources to help them effectively promote the Company's products or services through their affiliate links. This could include newsletters with marketing tips, information on new campaigns, and performance incentives (legal basis depends on the marketing content: legitimate interest or consent);
  • fraud prevention and security (legal basis: legitimate interest);
  • to analyze aggregated Affiliate performance data and feedback to identify areas for improvement in the Affiliate Program structure, Commission Rates, promotional materials, and overall Affiliate experience (legal basis: legitimate interest);
  • to fulfil legal and regulatory obligations (legal basis: legal obligation).

9.8.       International Transfers of Personal Data. In some instances, the Personal Data may be Processed and shared with a recipient located in a country other than the country of origin of the Personal Data. When this is the case, the Company ensures there are appropriate safeguards in place to protect the Affiliate’s Personal Data.

9.9.       What security measures does the Company take to safeguard the Affiliate’s Personal Data? While no data transmission or storage can be guaranteed to be secure, the Company has taken appropriate technical and organizational security measures to help protect the Affiliate’s Personal Data and to prevent it from being accidentally lost, used, altered, disclosed, destroyed, or accessed without authorisation. These measures include policies, confidentiality agreements with third parties, secure development practices, due diligence of service providers, products and services that may be used. The Company cannot guarantee the absolute security of Affiliate’s Personal Data and there is no guarantee that it may not be accessed, disclosed, altered or destroyed by breach of any of our physical, technical or managerial safeguards.

9.10.    For how long does the Company retain the Affiliate’s Personal Data? 

If the Affiliate’s application is unsuccessful, the Company will store the Affiliate’s Personal Data provided during the application process, for a period of 2 (two) years after the assessment regarding the Affiliate’s suitability for participation in the Affiliate Program. This retention period is based on the Company’s legitimate interest and the purposes of such storage are the following: (1) to maintain an efficient operation by understanding which Affiliates have previously been rejected, thereby avoiding duplication of work and to prevent misuse; (2) to address potential disputes or litigation that may arise in future in connection with the assessment and decision on the Affiliate’s unsuitability for participation in the Affiliate Program; the Affiliate’s Personal Data may be used as evidence to support the decision and demonstrate the basis for the denial; (3) to assist in assessing the Company’s decision-making process, to ensure consistent and fair decision-making process in future assessments of prospective Affiliates' suitability, to prevent any biased or discriminatory practices, to improve selection criteria or identify potential areas for improvement.

If the Affiliate’s application is successful, but the Affiliate's relationship with the Company was terminated either by the Affiliate or by the Company with or without reason, the Company will store the Affiliate’s Personal Data for 2 (two) years after such termination. This retention period is based on the Company’s legitimate interest and the purposes of such storage are the following: (1) to maintain an efficient operation by understanding who has previously been an Affiliate of the Company, thereby avoiding duplication of work and misuse; (2) to address potential disputes or litigation that may arise in future in connection with the former Affiliate's relations, grounds for termination; the Affiliate’s Personal Data may be used as evidence to support the decision to terminate participation in the Affiliate Program and demonstrate the valid reason for termination; (3) to assist the Company to ensure consistent ongoing assessments of Affiliates' compliance and suitability, to identify potential areas for improvement.

After the two-year period, the Affiliate’s Personal Data will be securely deleted from the Company’s systems unless otherwise required by law or for legitimate business purposes. By applying, the Affiliate agrees to this retention period.

9.11.    What are the Affiliate’s data protection rights? The Company aims to ensure the Affiliate has all the rights available under applicable data protection laws. These rights shall include the right to access, correct, update or request deletion of Personal Data, the right to withdraw consent, to object to or restrict processing of Personal Data, the right to data portability, the right not to be subject to decisions based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, and the right to complain. However, the Affiliate’s rights are not absolute, and may be balanced with the Company’s legitimate interest, and/or overridden by the Company’s legal obligation.

9.12.    How to lodge a complaint? If the Affiliate believes that its data protection rights have been breached, the Affiliate has the right to lodge a complaint with the relevant supervisory authority in the Affiliate’s country. If the Affiliate believes that the Company has not addressed the Affiliate’s concerns adequately, the Affiliate can contact the Data Protection Authority in its country.

9.13.    How to exercise your rights and contact the Company? If the Affiliate has any questions or concerns about this Privacy Notice, or the Company’s privacy practices, or if the Affiliate wishes to exercise his/her privacy rights, please contact us at: Email: privacy@coolbet.com or dpo@coolbet.com. The Affiliate may exercise his/her rights directly or via an authorised representative, if relevant documents are provided for such representation.

9.14.    Changes to the Company’s current Privacy Notice. The Company keeps its Privacy Notice under regular review and places any updates on this webpage. This Privacy Notice was last updated on June 16, 2025.

 

10. INDEMNITY  

The Affiliate agrees to defend, indemnify and hold the Company and its group companies/affiliates, successors, officers, employees, agents, directors, shareholders and attorneys, free and harmless from and against any and all claims and liabilities, including reasonable legal and expert fees, related to or arising from:

(a)        any breach of Affiliate's representations, warranties or obligations under this agreement;

(b)        Affiliate's use (or misuse) of the marketing material and the Company's and/or its group companies' intellectual property rights;

(c)        all conduct and activities occurring under Affiliate's user ID and password;

(d)        any defamatory, libellous or illegal material contained on the Affiliate Website(s) or Affiliate's information and data;

(e)        any claim or contention that the Affiliate Website(s) or the Affiliate's information and data infringes any third party's intellectual property rights or violates any third party's rights of privacy or publicity;

(f)         third party access or use of the Affiliate Website(s) or the Affiliate's information and data;

(g)        any claim related to Affiliate Website(s) or the Page Links; and

(h)        any violation of this agreement or any applicable laws.

 

11. LIMITATION OF LIABILITY  

11.1     This Clause 11 sets out the entire financial liability of the Company (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the Affiliate:

(a)        arising under or in connection with this agreement; and

(b)        in respect of any representation, misrepresentation (whether innocent or negligent), statement or tortious act or omission (including negligence) arising under or in connection with this agreement.

11.2     Except as expressly and specifically provided in this agreement, all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this agreement.

11.3     Nothing in this agreement excludes the liability of the Company:

(a)        for death or personal injury caused by the Company’s negligence; or

(b)        for fraud or fraudulent misrepresentation.

 

11.4     Subject to Clause 11.3:

(a)        the Company shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation (whether innocent or negligent), restitution or otherwise for any of the following:

(i) loss of profits; or

(ii) loss of business; or

(iii) depletion of goodwill and/or similar losses; or

(iv) loss or corruption of data or information; or

(v) pure economic loss; or

(vi) for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this agreement; and

(b)        the Company’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement shall be limited to the amount paid under this agreement by the Company to the Affiliate during the six (6) months preceding the date on which the claim arose.

 

12. DURATION AND TERMINATION  

12.1     This agreement may be terminated by either party by giving thirty (30) days’ written notice (which may be by email) to the other party.

12.2     This agreement shall automatically be terminated in the event that the Company is precluded from offering online gambling services.

12.3     The Company may terminate this agreement on notice at any time if it discontinues or withdraws, in whole or in part, its affiliate marketing programme. The Company will endeavour to give Affiliate as much notice of the same as reasonably practicable, but any such termination will be without liability to Affiliate.

12.4     Without prejudice to any other rights or remedies to which the parties may be entitled, either party may terminate this agreement without liability to the other if:

(a)        the other party commits a material breach of any term of this agreement which breach is irremediable or (if such a breach is remediable) fails to remedy that breach within a period of thirty (30) days after being notified in writing to do so;

(b)    the other party is declared bankrupt or insolvent by court order or if any bankruptcy or insolvency proceedings are commenced against the other party or in the event of any similar situation indicating that the other party is insolvent.

12.5     The Affiliate hereby agrees and acknowledges that any breach of applicable laws or regulations may, without limitation, result in fines, penalties, breaches of license conditions and ability to do business, as well as potential civil and criminal action against the Affiliate or the Company by the respective authorities. Without prejudice to any of the Company’s rights herein or at law, the Company may forthwith terminate this agreement, in part or in its entirety, should the Affiliate act in breach of the foregoing and the Affiliate shall be held fully responsible and liable for any such resulting fine, penalty, claim, action, or loss which is caused to us as a result of its actions, omissions or default as the case may be.

 

13. CONSEQUENCES OF TERMINATION  

On termination of this agreement for any reason:

(a)        all licences and benefits granted under this agreement shall immediately terminate;

(b)        each party shall return and make no further use of any materials and other items (and all copies of them) belonging to the other party; and

(c)        the accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced.

 

14. FORCE MAJEURE  

Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for six months, the party not affected may terminate this agreement by giving thirty (30) days’ written notice to the affected party.

 

15. WAIVER

No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

 

16. RIGHTS AND REMEDIES  

The rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

 

17. SEVERANCE  

17.1     If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this agreement.

17.2     If any provision or part-provision of this agreement is invalid, illegal or unenforceable, the parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.

 

18. ENTIRE AGREEMENT  

18.1     This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

18.2     Each party agrees that it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement. Each party agrees that it shall have no claim for innocent or negligent misrepresentation based on any statement in this agreement.

18.3     Each party agrees that the only rights and remedies available to it arising out of or in connection with a representation shall be for breach of contract.

18.4     Nothing in this clause shall limit or exclude any liability for fraud.

 

19. ASSIGNMENT AND OTHER DEALINGS  

19.1     The Affiliate shall not assign, transfer, mortgage, charge, subcontract, declare a trust over or deal in any other manner with any or all of its rights or obligations under this agreement without the prior written consent of the Company.

19.2     The Company may at any time assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under this agreement.

 

20. NO PARTNERSHIP OR AGENCY  

Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.

 

21. VARIATION  

21.1     The Company reserves the right to, at any time and at its sole discretion, with or without giving any prior notice to the Affiliate, amend, alter, delete or add any of the provisions of this agreement. When possible, a notice of the amendments will be sent to the Affiliate's registered email address and such notice will be deemed to be served once sent by the Company. The Affiliate's continuing participation in the Affiliate Program after any amendments or modifications have been made public will be deemed as the Affiliate's acceptance of the new terms and conditions.

21.2     It shall be the sole responsibility of the Affiliate to keep updated with the latest version of this agreement.

 

22. THIRD PARTY RIGHTS  

A person who is not a party to this agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.

 

23. NOTICES  

23.1     Any notice or other communication given to a party under or in connection with this agreement shall be in writing and shall be:

(a)        delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or

(b)        in the case of GAN, sent by email to: affiliates@gan.com and, in the case of the Affiliate, sent by email to the address provided by the Affiliate in the GAN Partners Portal.

23.2     Any notice or communication shall be deemed to have been received:

(a)        if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; and

(b)        if sent by pre-paid first-class post or other next working day delivery service, at midday on the second Business Day after posting or at the time recorded by the delivery service; and

(c)        if sent by email, at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this clause, business hours means 9.00am to 5.00pm Monday to Friday on a day that is not a public holiday in the place of receipt.

 

24. GOVERNING LAW  

This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by, and construed in accordance with, the laws of the state of Nevada.

 

25. JURISDICTION  

Each party irrevocably agrees that the courts of the state of Nevada shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation.

 

General Terms and Conditions of the Data Processing Agreement for Marketing Partners

 

This Data Processing Agreement (“DPA”) is part of the Marketing Agreement (“Agreement”) entered into between the Company and its Affiliates (“Controller”) and the Service Provider and its Affiliates (“Processor”) and is intended to ensure compliance with applicable Data Protection Laws with respect to the processing of Personal Data that the Processor collects or the Controller provides to the Processor, which is necessary for the performance of services provided by the Processor to the Controller under the Agreement.

 

  1. DEFINITIONS
  2. NATURE OF DATA PROCESSING
  3. CONTROLLER’S OBLIGATIONS
  4. PROCESSOR’S OBLIGATIONS
  5. NOTICE TO THE CONTROLLER
  6. USE OF SUB-PROCESSORS
  7. SECURITY
  8. DATA BREACH
  9. DOCUMENTATION, COMPLIANCE AND AUDIT
  10. LIABILITY
  11. THIRD PARTIES
  12. DATA RETURN AND DELETION
  13. MISCELLANEOUS

1. DEFINITIONS

  • “Affiliate” means any affiliate that owns or controls, is owned or controlled by or is under common control or ownership with this party, where control is defined as the possession, directly or indirectly, or the power to direct or cause.
  • “Cross-border Transfer” means a transfer of Personal Data in connection with the provision or use (as applicable) of the Services under the Agreement outside the EU/EEA-area.
  • “Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, breach of confidentiality or integrity of Personal Data, including, but not limited to, any incident that affects integrity or availability and/or the unauthorised access or attempted access to Personal Data, a cyber incident which negatively affects the Controller’s finances, either directly or indirectly, breaches the Controller's security policies or procedures or exposes it to legal liability, or affects a Controller’s services or reputation.
  • “Data Processing Agreement” or DPA means the special terms of the data processing agreement together with these general terms and conditions of the data processing agreement.
  • “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
  • “General Terms of the DPA” means these general terms and conditions of data processing as may be updated from time to time and which form an integral part of the data processing agreement.
  • “Personal Data” means any information relating to an identified or identifiable individual, that Processor collects, or Controller provides to Processor in connection with its use of Services under the Agreement, to the extent that such information is protected as personal data under Data Protection Laws.
  • “Services” means the services provided to the Controller by the Processor in accordance with the Agreement.
  • “Special Terms of the DPA” means the special terms and conditions of data processing agreed between Controller and Processor to specify the General Terms of the DPA.
  • “Sub-processor” means any entity which Processes Personal Data under the instructions or supervision of the Processor.
  • “Supervisory Authority” means any authority that has the legal power to supervise Personal Data Processing under the applicable Data Protection Laws. 
  • The terms “Controller”, “Data Subject”, “Processing”, and “Processor” shall have the same meaning as set out in the GDPR.

 

2. NATURE OF DATA PROCESSING

  • Processor shall Process Personal Data received under the Agreement only for the purposes set forth in the Agreement and under instructions of the Controller. For the avoidance of doubt, the categories of Personal Data Processed and the purposes of the Processing are described in the Special Terms of the DPA.
  • The parties shall each comply with their respective obligations under all applicable Data Protection Laws.

 

3. CONTROLLER’S OBLIGATIONS

  • To provide instructions to the Processor and determine the purposes and general means of Personal Data Processing by the Processor in accordance with the Agreement; and
  • To comply with its protection, security and other obligations with respect to Personal Data prescribed by Data Protection Laws for data controllers by:
      • establishing and maintaining a procedure for the exercise of the rights of Data Subjects;
      • processing only Personal Data that have been lawfully and validly collected and ensuring that such Personal Data will be relevant and proportionate to the respective uses; and
      • ensuring compliance with the provisions of this DPA by its personnel or by any third party Processing Personal Data on its behalf.

 

4. PROCESSOR’S OBLIGATIONS 

  • To process Personal Data only for the purpose of provision of Services and using appropriate technical and organizational security measures.
  • To comply with the instructions received from the Controller and in conformity with the terms of the Agreement and this DPA. The Processor shall not use or Process Controller Personal Data for any other purpose.
  • To process Personal Data for no purpose other than the provision of Services and as required under the laws applicable to the Processor, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that the Processor shall inform the Controller of the legal requirement before Processing, unless such law or order prohibits such information on important grounds of public interest.
  • To inform the Controller promptly in written form if it cannot comply with the requirements under this DPA, in which case the Controller may terminate the Agreement or take any other reasonable action, including suspending Processing of Personal Data. In such a case, the Processor may temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend the Controller’s access to the Services, and, if the Parties do not agree on a resolution to the issue in question and the costs thereof, the Controller may, at its sole discretion, terminate the Agreement and this DPA with respect to the affected Processing.
  • To inform the Controller promptly in written form if, in the Processor’s opinion, any instruction from the Controller violates applicable Data Protection Laws.
  • To ensure that its employees, authorized agents, Sub-processors and other persons engaged to perform Services on Processor’s behalf are required to comply with and acknowledge and respect the confidentiality of Personal Data, including after the end of their respective employment, contract or assignment.
  • To provide the Controller without undue delay upon the Controller’s request with any policies, data protection practices and documents related to Personal Data Processing. 
  • To maintain and keep up-to-date records of Personal Data Processing, containing all the information as required under Article 30(2) of GDPR.
  • To implement technical and organisational security measures referred to in Article 32(1) of GDPR, and provide the required assistance to the Controller, among other things, by demonstrating compliance with such obligations.
  • To assist the Controller in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with this clause, the Processor shall comply with the Controller’s instructions.
  • To assist the Controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.
  • To ensure that Personal Data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the Personal Data it is Processing is inaccurate or has become outdated.
  • To investigate any actual or potential Data Breach and provide reasonable assistance to the Controller (and any law enforcement or regulatory official) as required to investigate the Data Breach, and take steps to remedy any non-compliance with this DPA.
  • To perform duly and to comply with all the obligations that stem from other terms of the current DPA, the Agreement and applicable Data Protection Laws.

 

5. NOTICE TO THE CONTROLLER

  • The Processor will promptly inform the Controller if the Processor becomes aware of:
      • any non-compliance by Processor or its employees with this DPA or the Data Protection Laws relating to the protection of Personal Data Processed;
      • any legally binding request for disclosure of Personal Data by a law enforcement authority, unless Processor is otherwise forbidden by law to inform the Controller, for example, to preserve the confidentiality of an investigation by law enforcement authorities;
      • if the Processor is required by Data Protection Laws to Process any Personal Data for a reason other than providing the Services, the Processor shall inform the Controller in written form (including via electronic means) of this requirement before such Processing, unless the Processor is legally prohibited from so informing the Controller (e.g., as a result of secrecy requirements that may exist under applicable laws);
      • any notice, inquiry or investigation by a Supervisory Authority concerning Personal Data;
      • any complaint or request (in particular, requests for information, access to, rectification, erasure, portability, objection or restriction, withdrawal of consent to Processing of Personal Data) received directly from Data Subjects, and the Processor shall not respond to the request itself unless authorised in writing to do so by the Controller;
      • any actual or potential Data Breach.

 

6. USE OF SUB-PROCESSORS

  • The Processor shall not subcontract any of its processing operations performed on behalf of the Controller in accordance with this DPA to a Sub-processor, without the Controller’s prior specific written authorisation. The Processor shall submit a written (including by electronic means) request for specific authorisation at least 10 days prior to the engagement of the Sub-processor in question, together with the information necessary to enable the Controller to decide on the authorisation. The list of Sub-processors authorised by the Controller can be found in the Special Terms of this DPA. The Parties shall keep the Special Terms of this DPA up to date.
  • Where the Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Controller, it shall do so by way of a contract which imposes on the Sub-processor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with this DPA. The Processor shall ensure that the Sub-processor complies with the obligations to which the Processor is subject pursuant to this DPA and to Data Protection Laws.
  • At the Controller’s request, the Processor shall provide a copy of such a Sub-processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect trade secrets or other confidential information, including Personal Data, the Processor may redact the text of the agreement prior to sharing the copy.
  • The Processor shall remain fully responsible to the Controller for the performance of the Sub-processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the Sub-processor to fulfil its contractual obligations.

 

7. SECURITY

  • The Processor shall:
      • implement and maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Controller Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Controller Personal Data and to ensure the security, accessibility, confidentiality and integrity of Personal Data;
      • be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Processor personnel with respect to Controller Personal Data and liable for any failure by such Processor personnel to meet the terms of the DPA;
      • take reasonable steps to confirm that all Processor personnel are protecting the security, privacy and confidentiality of Controller Personal Data consistent with the requirements of the DPA;
      • grant access to the Personal Data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The Processor shall ensure that persons authorised to process the Personal Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Such confidentiality obligation shall remain in force indefinitely, including in case of termination of the Agreement, this DPA, or the employment/authorization relationship;
      • apply specific restrictions and/or additional safeguards if the Processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”). The Processor shall at least implement the technical and organisational measures specified in the Special Terms of this DPA to protect Personal Data from Data Breach and to ensure the security, accessibility, confidentiality and integrity of Personal Data.
  • In assessing the appropriate level of security, the Processor shall take into consideration the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the Data Subjects.

 

8. DATA BREACH

  • In case of actual or potential Data Breach, to help the Controller comply with its legal obligations, to analyse and conclude whether the Data Breach took place and whether the occurred Data Breach is material, the Processor shall notify the Controller immediately, but in any case not later than within 24 hours after the Data Breach has occurred or any suspicions have arisen that it might have occurred. Such notification shall include all information that may help the Controller in determination that the Data Breach is material, including, but not limited to:
      • the description of all relevant facts and Data Breach circumstances, including both quantitative and qualitative factors like what type and volume of Personal Data, the approximate number of data subjects that may be influenced, the approximate number of personal data records concerned;
      • nature, extent, gravity and potential magnitude of the Data Breach, its possible consequences and adverse effects for the data subjects, the potential materiality of any identified risk, the importance of any compromised information, the range of harm that such Data Breach could cause (including the concomitant financial, legal, or reputational consequences to the Controller);
      • the name and contact details of the data protection officer or other contact point where more information can be obtained;
      • technical cyber security protection measures which were applied or are planned to be applied to effectively limit the risk of Data Breach, identity fraud and other forms of data misuse;
      • current or planned cooperation with and notification to law enforcement bodies, ongoing investigation of a Data Breach;
      • the description of measures taken or proposed to be taken to address the possible or actual Data Breach, including, where appropriate, measures to mitigate its possible adverse effects, incident response and remediation measures (like incident assistance to data subjects concerned, crisis support);
      • any other information related to the actual Data Breach or risk of its occurrence, and its investigation, as requested by the Controller.
  • Due to the Controller’s obligation to report on material cybersecurity Data Breaches it has experienced and to disclose on an annual basis material information regarding cybersecurity risk management, strategy, and governance, the Processor shall:

(i) regularly keep the Controller informed about and provide any updates related to the Processor’s cybersecurity risk management, strategy and governance, and implemented technical and organisational security measures;

(ii) be liable for the due performance of Data Breach obligations, specified in this clause for Processor, by its sub-processors;

(iii) provide the requested information within 3 (three) business days upon the Controller’s request.

  • The Processor is responsible for disclosures and shall not make public or in any way disseminate before the end of the relevant Data Breach investigation and until the Data Breach is defined as material:
      • any material nonpublic information about the possibility of Data Breach occurrence;
      • any disclosures that could compromise cybersecurity efforts (like, specific technical information about cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident).

 

9. DOCUMENTATION, COMPLIANCE AND AUDIT

  • The Processor shall be able to demonstrate compliance with this DPA.
  • The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with this DPA.  
  • The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from Data Protection Laws. At the Controller’s request, the Processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance.    
  • The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice and during the Processor's working hours.
  • The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent Supervisory Authority/ies on request.
  • The Controller shall bear its own costs in relation to such audit unless the audit reveals any non-compliance with the Processor’s or Sub-processor’s obligations under Data Protection Laws or this DPA, in which case the Processor shall bear the costs of the audit.
  • If a Supervisory Authority requires an audit of the data Processing facilities where Processor Processes Controller Personal Data in order to ascertain or monitor Controller's compliance with Data Protection Requirements, Processor shall cooperate with such audit.

 

10. LIABILITY

  • Disputes arising from or related to the DPA will be resolved through negotiations. In case of failure of negotiation, disputes shall be settled under the jurisdiction and law stipulated in the Agreement with respect to any disputes or claims arising under this DPA. Notwithstanding any limitation of liability agreed between the parties pursuant to the Agreement, a party (“Defaulting Party”) shall indemnify the other party (hereinafter Non-Defaulting Party) against all damages and fines that are awarded in a trial or imposed by the Supervisory Authority by way of final decision or settlement (and any reasonable attorney’s fees incurred by the Non-Defaulting Party in respect of such decision or settlement) against the Non-Defaulting Party, arising directly out of the Defaulting Party’s breach of its obligations pursuant to the DPA or a breach of warranty contained herein.
  • Liability under this indemnity is conditional on the Non-Defaulting Party having complied with its obligations and warranties under the Agreement including, but not limited to, those obligations arising pursuant to this DPA.
  • If any third party submits a claim, or notifies an intention to submit a claim or start an investigation, against the Non-Defaulting Party which may reasonably be considered likely to give rise to a liability under the indemnity contained in section 10.7. against the Defaulting Party (“Claim”), the Non-Defaulting Party shall:
      • notify the Defaulting Party in writing within ten (10) days of receipt by the Non-Defaulting Party of any documentation relating to the Claim, specifying the nature of the Claim and such relief or penalty as is sought therein;
      • cooperate with the Defaulting Party in all reasonable respects in connection with the defence or investigation of the Claim;
      • not make any admission of liability, agreement or compromise in relation to the Claim without the prior consent of the Defaulting Party (such consent not to be unreasonably withheld or delayed), provided that the Non-Defaulting Party may settle the Claim (after giving prior written notice of the terms of settlement (to the extent legally possible) to the Defaulting Party, but without obtaining the Defaulting Party’s consent) if the Non-Defaulting Party reasonably believes that failure to settle the Claim would be prejudicial to it in any material respect;
      • permit the Defaulting Party to, upon written notice thereof to the Non-Defaulting Party, undertake to conduct all proceedings or negotiations in connection with the Claim, assume the defence thereof, and, if it so undertakes, it shall also undertake all other required steps or proceedings to settle or defend any such Claim, including hiring a counsel.
  • Notwithstanding clause the Defaulting Party shall have no liability to the extent that a Claim has arisen due to any act or omission not attributable to the Defaulting Party.
  • The Processor shall be liable for damages caused in the course of Processing if it has not complied with the requirements of the Data Protection Laws specifically addressed to the Processor, or if it has not complied with or acted against the lawful instructions of the Controller by this DPA. In case of Supervisory Authority or court-ordered Data Subjects claims/damages or any other claims/damages/fines connected to the Personal Data, the Processor shall indemnify the Controller of any such claims/damages/fines.
  • Any Data Subject who has suffered material or non-material damage as a result of an infringement of Data Protection Laws, has the right to receive compensation from the Controller or Processor for the damage suffered. The Party responsible for the event giving rise to the damage shall compensate the damage to the Data Subject.
  • Each Party to this DPA commits to indemnify the other Party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents.
  • The obligations set out in clause 10 of the DPA shall survive the termination, cancellation or expiration of the DPA and/or the Agreement.
  • If the Processor Processes Personal Data for a purpose different from the one determined by the Controller, it is considered a breach of this DPA. Processing outside the scope of this DPA or the Agreement will require a prior written agreement between the Controller and the Processor on additional instructions for Processing. 
  • In the event that any action, suit, or other legal or administrative proceeding is instituted or commenced by either Party hereto against the other Party arising out of or related to this DPA, the prevailing Party is entitled to recover its actual attorneys’ fees and court costs from the non-prevailing Party.

 

11. THIRD PARTIES

  • The Processor shall not have the right to transfer Personal Data to a third party or to grant access to a third party, e.g. by giving remote access to Personal Data (all understood as a transfer) without prior written consent of the Controller for such transfer. Upon consent, the transfer of Personal Data by the Processor shall be subject to the same data protection obligations as provided for in the DPA before the transfer of Personal Data to the relevant third party. 
  • Such consent shall be valid until the earliest of the following: 
      • the Controller notifies the Processor of the withdrawal of the consent; or
      • the Processor notifies the Controller that the Processor no longer uses the approved third party for that purpose.
  • If the Controller does not consent to the transfer of Personal Data to a third party for the reason that the Controller considers reasonable, the Processor shall continue to perform the Agreement and the DPA under the agreed conditions until any of the following events occur: 
      • the Parties have agreed to terminate the Agreement related to the Processing of Personal Data and have ensured the return of the relevant Personal Data to the Controller (or deletion, as the case may be) or have agreed to transfer the Agreement to a new service provider, which shall in no case take longer than three (3) months; or
      • the Parties have agreed upon the continuance of the performance of the Agreement, including upon the distribution of the relevant costs, on terms and conditions reasonably acceptable to the Controller.
  • If the third parties do not comply with the applicable Data Protection Laws or do not comply with the data protection obligations arising from the Agreement with the Controller, the Processor shall remain fully liable to the Controller for the third party obligations under applicable Data Protection Laws and the relevant Agreement.
  • The Controller acknowledges that in the provision of some Services, the Processor, upon receipt of instructions from the Controller, may transfer Personal Data to and otherwise interact with the third party data processors. If and to the extent such transfers occur, the Processor shall be responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with Data Protection Laws. For the avoidance of doubt, such third-party data processors are not Sub-processors.

 

12. DATA RETURN AND DELETION

  • Within 20 (twenty) days following the termination or expiration or cancellation of the Agreement, or termination of the Services’ provision for any other reason, or upon Controller’s request, the Processor and all its Sub-processors shall, at the choice of the Controller, return all the Personal Data and copies of such Personal Data to Controller, or securely delete Personal Data and demonstrate to the satisfaction of the Controller that it has taken such measures unless applicable law prevents the Processor from returning or destroying all or part of the Personal Data.
  • Deletion of Personal Data shall mean irretrievable erasure of all electronically stored Personal Data and its existing copies and backups, destruction of paper assets, physical media, and external drives.
  • If the Controller has not made a choice whether to return or delete Personal Data within 10 (ten) days after termination or expiration or cancellation of the Agreement, the Controller will be deemed to have chosen to have the Personal Data deleted and the Processor waived any objection to such deletion unless such deletion would conflict with superseding legal obligations.
  • Where deletion of Personal Data would conflict with the Processor’s superseding legal obligations, the Processor agrees to preserve the confidentiality of the Personal Data retained by it and that it will only Process such Personal Data after such date to the extent it is strictly necessary in order to comply with applicable laws.

 

13. MISCELLANEOUS

  • The DPA shall remain in effect as long as Processor carries out Personal Data Processing operations on behalf of Controller or until all the Personal Data has been returned or deleted in accordance with clause 12 of the DPA.
  • In the event of a conflict between any of the provisions of this DPA and the provision of the Agreement, the provisions of this DPA shall prevail.
  • All correspondence or notices required or permitted to be given under this DPA and/or Agreement must be in writing (including via electronic means), in English, and addressed to the Parties at their address as set out herein (or to any other address that the Parties may designate from time to time). Notices shall be delivered by:
      • personal delivery and be deemed duly given if signed by, or on behalf of, a duly authorized officer of the Party receiving the notice;
      • nationally recognized courier; or
      • e-mail address stated in Special Terms of the DPA with confirmation of transmission (i.e., receipt of email delivery protocol).
  • The Processor’s remuneration for its processing of the Data on behalf of or as instructed by the Controller shall be included in the fees as set out in the Agreement.
  • If certain relations among the Parties are not regulated under the current DPA, the provisions of the Agreement may be applied, among other things, regarding term and termination, liability, confidentiality, severability, assignment, jurisdiction and competent court. 
  • If any provision of this DPA is invalid, illegal, or unenforceable, such invalidity, illegality, or unenforceability will not affect any other term or provision of this DPA or invalidate or render unenforceable such term or provision. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties hereto shall negotiate in good faith to modify this DPA so as to effect the original intent of the Parties as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
  • No amendment to or modification of, or rescission, termination, delay or discharge of this DPA is effective unless it is in writing (including electronically) and signed by an authorized representative of each Party (including digital signatures).
  • This DPA includes the special terms of the data processing agreement together with these general terms and conditions of the data processing agreement, and constitutes the entire agreement between the Parties with respect to the subject matter hereof, supersedes and replaces any prior or inconsistent agreements, negotiations, representations and promises, oral or written.
  • No waiver by any Party of any of the provisions hereof is effective unless explicitly set forth in writing and signed by the Party so waiving. Each Party acknowledges that, in entering into this DPA, it does not rely on any representation, warranty, assurance or other provision (made innocently or negligently) except as expressly provided in this DPA or the Agreement.
  • The Controller may, at any time and at its sole discretion, amend, alter, delete or add any of the provisions of the General Terms and Conditions, and any other rules, guidelines or instructions published on the Controller’s website or otherwise advised to the Processor from time to time. The Controller shall notify the Processor of material amendments via e-mail at least 14 (fourteen) calendar days before the amendments take effect and such notice will be deemed to be served once sent by the Controller. If the Processor does not agree to the amendments, it is entitled to terminate the Agreement by notifying the Company thereof before the amendments take effect. If the Processor does not submit such notice to the Company, then it is deemed to have accepted the amendments.
  • Unless the Controller and the Processor have explicitly agreed otherwise, the Processor shall not be entitled to assign or transfer any of its rights or obligations arising from the DPA to anyone except with the prior written consent of the Controller. 
  • The Controller and the Processor are independent contractors, and nothing in the terms of the DPA and in the Agreement shall create any partnership, joint venture, agency, franchise, sales representative, or employment relationship between the Controller and the Processor. The Processor shall not be entitled to make or accept any offers or representations on the Controller’s behalf. The Processor shall not make any statement, whether on the Processor’s website or otherwise, to contradict anything in this paragraph or that may be reasonably deemed to contradict this paragraph.
  • The interpretation, validity and performance of the DPA shall be construed and enforced in accordance with the law stipulated in the Agreement, unless explicitly agreed otherwise in the Special Terms of the DPA.
  • Disputes arising from or related to the DPA will be resolved through negotiations. In case of failure of negotiation, disputes shall be settled under the jurisdiction and law stipulated in the Agreement with respect to any disputes or claims arising under this DPA, unless explicitly agreed otherwise in the Special Terms of the DPA. 

 

V.2.0. of May, 2024