Legal
Master Services Agreement
Version 0.1
CHECKIO MASTER SERVICES AGREEMENT .v0.1.
Effective date: .INSERT DATE.
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
In this Agreement, the following expressions shall have the meanings set out below:
Defined Term
Meaning
Agreement
This Master Services Agreement, including all Schedules and any documents expressly incorporated by reference, as amended from time to time in accordance with its terms.
Applicable Law
All laws, statutes, regulations, statutory instruments, regulatory requirements, rules, principles, codes of practice and guidance .whether or not having the force of law. applicable to a party from time to time.
Business Day
A day other than a Saturday, Sunday or public holiday in England and Wales.
Checkio
Checkio Ltd, a company incorporated in England and Wales, and any permitted successor or assignee.
Confidential Information
All information disclosed by or on behalf of one party to the other party in connection with this Agreement, whether in writing, orally, electronically or otherwise, which is confidential by nature or which a reasonable person would understand to be confidential, including information relating to business operations, systems, security arrangements, pricing, trade secrets, regulatory matters and Personal Data.
Credits
Prepaid usage units purchased by the Customer and used to access the Services in accordance with Clause 7 .Fees, Credits and Payment..
Customer
The legal entity entering into this Agreement with Checkio.
Customer Data
All data, information, records and materials submitted, uploaded, transmitted or otherwise made available by or on behalf of the Customer through or in connection with the Services, including Personal Data.
Data Protection Laws
The UK GDPR, the Data Protection Act 2018 and all other applicable laws and regulations relating to the processing of Personal Data.
Data Processing Agreement or DPA
The data processing agreement governing the processing of Personal Data by Checkio on behalf of the Customer, incorporated into this Agreement pursuant to Clause 14 .Data Protection. and attached as Schedule 1.
Effective Date
The date on which this Agreement is entered into by the parties.
Output
Any output, result, response, report, match, flag, score, alert, dataset or other information generated, returned or made available by the Services, as further described in Clause 4 .Service Delivery and Nature of Outputs..
Personal Data
Has the meaning given to it in the UK GDPR.
Services
The technology.enabled services provided by Checkio under this Agreement, as described in Clause 2 .Appointment and Scope. and made available via the Checkio platform from time to time, including AML screening, verification services, document extraction, data enrichment, credit.related checks and associated services.
Term
The period from the Effective Date until termination of this Agreement in accordance with Clause 16 .Suspension and Termination..
UK GDPR
The retained EU law version of Regulation .EU. 2016/679 as it forms part of the law of England and Wales.
1.2 Interpretation
1.2.1 References to clauses are to clauses of this Agreement and references to schedules are to schedules to this Agreement.
1.2.2 The headings in this Agreement are for convenience only and shall not affect its interpretation.
1.2.3 Words importing the singular include the plural and vice versa.
1.2.4 References to any statute or statutory provision include any amendment, extension or re.enactment of that statute or statutory provision from time to time.
1.2.5 References to “including” or “include” shall be construed as being without limitation.
1.2.6 References to a person include a natural person, corporate or unincorporated body .whether or not having separate legal personality..
1.2.7 References to writing or written include email but exclude instant messaging platforms unless expressly agreed otherwise in writing.
1.3 Schedules
1.3.1 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement.
1.3.2 Any reference to this Agreement includes a reference to its Schedules.
2. APPOINTMENT, SCOPE AND CONTRACTUAL FRAMEWORK
2.1 Subject to the terms and conditions of this Agreement, Checkio shall provide the Services to the Customer on a non.exclusive, non.transferable basis during the Term.
2.2 This Agreement constitutes the entire contractual framework governing the Customer’s access to and use of the Services, unless expressly superseded by a separate written agreement signed by authorised representatives of both parties.
2.3 The Customer acknowledges and agrees that:
.a. Checkio provides technology.enabled services only; .b. the Services facilitate access to data, checks and automated processing; .c. no aspect of the Services constitutes legal advice, regulatory advice, .
2.4 Nothing in this Agreement shall be construed as:
.a. creating a partnership, joint venture or agency relationship between the parties; .b. authorising either party to act on behalf of, or bind, the other party; .c. appointing Checkio as an outsourced compliance function, risk function or control function of the Customer for the purposes of.
2.5 The Customer remains solely responsible for:
.a. determining whether and how to use the Services; .b. assessing the suitability of the Services for its business, regulatory obligations and risk profile; .c. ensuring that its use of the Services complies with Applicable Law and, where relevant.
2.6 The Services are provided on a usage.based, on.demand basis and do not constitute a commitment by Checkio to provide any minimum volume of services, availability level or response time, unless expressly agreed in writing.
2.7 The Customer acknowledges that access to and use of the Services may be subject to technical, operational or regulatory constraints and that Checkio may, where reasonably necessary to comply with Applicable Law or manage regulatory risk:
.a. impose usage limits; .b. restrict access to particular Services; .c. modify the manner in which the Services are delivered.
2.8 Any descriptions of the Services, including on the Checkio platform, in documentation or in marketing materials, are provided for indicative purposes only and do not form part of this Agreement unless expressly incorporated by reference.
3. SCOPE OF SERVICES
3.1 Checkio provides technology-enabled services as described in this Agreement.
3.2 The regulatory status and obligations of Checkio are as set out in Applicable Law from time to time.
3.3 The parties acknowledge and agree that:
.a. not all Services provided under this Agreement are regulated activities; .b. the regulatory status of any particular Service depends on the nature of that Service and the manner in which it is provided; .c. unless expressly stated otherwise in writing, the Services consist of automated, technology.enabled tools that provide information, data and analysis only.
3.4 Nothing in this Agreement, and no Output generated through the Services, shall constitute or be construed as:
.a. regulated advice; .b. a recommendation; .c. a decision on behalf of the Customer; or .d. the outsourcing or delegation of the Customer’s regulatory, compliance or decision.making obligations.
3.5 The Customer remains solely responsible for:
.a. determining whether and how to use the Services and any Outputs; .b. applying appropriate human oversight, judgement and validation; .c. ensuring its use of the Services and any Outputs complies with Applicable Law and any regulatory requirements applicable to the Customer.
4. SERVICE DELIVERY, NATURE OF SERVICES AND OUTPUTS
4.1 Checkio shall make the Services available to the Customer during the Term in accordance with this Agreement and any applicable service descriptions published by Checkio from time to time.
4.2 The Customer acknowledges and agrees that:
.a. the Services are provided on a technology.enabled, automated and usage.based basis; .b. the Services process and analyse data supplied by the Customer and, where applicable, data obtained from third.party sources; .c. the Services do not involve manual verification, investigation or validation by Checkio unless expressly agreed in writing.
4.3 Outputs are generated through automated processing, matching, scoring, extraction or rules.based logic applied to available data at the time of processing.
4.4 The Customer acknowledges and agrees that:
.a. Outputs are informational in nature only; .b. Outputs do not constitute advice, recommendations, opinions, decisions or determinations of any kind; .c. Outputs are not intended to be relied upon as a substitute for the Customer’s own assessment, judgement or decision.making; .d. Outputs do not constitute confirmation of compliance with Applicable Law or regulatory requirements.
4.5 Without prejudice to the generality of Clause 4.4, the Customer acknowledges that:
.a. Outputs may be incomplete, inaccurate, misleading or out of date; .b. Outputs may reflect limitations or errors inherent in Customer Data or third.party data sources; .c. Checkio does not warrant the accuracy, completeness, reliability or timeliness of any Output.
4.6 The Customer shall:
.a. independently evaluate and verify Outputs before relying on them; .b. apply appropriate human oversight and review to Outputs, where required by Applicable Law or internal policy; .c. ensure that Outputs are used only for lawful and appropriate purposes consistent with this Agreement.
4.7 Checkio shall have no responsibility for:
.a. decisions taken by the Customer or any third party in reliance on Outputs; .b. regulatory reporting, disclosures or filings made by the Customer; .c. actions or omissions of the Customer arising from or connected with the use of Outputs.
4.8 The Customer acknowledges that availability, performance and response times of the Services may be affected by factors outside Checkio’s reasonable control, including network connectivity, third.party data availability and system maintenance.
4.9 Checkio may, where reasonably necessary to comply with Applicable Law, manage regulatory risk, or maintain the integrity of the Services:
.a. modify the manner in which the Services are delivered; .b. suspend or restrict access to particular Services or features; .c. impose reasonable usage limits or controls.
4.10 Any service descriptions, documentation or guidance relating to the Services are provided for information purposes only and do not form part of this Agreement unless expressly incorporated by reference.
4.11 No service levels
4.11.1 Unless expressly agreed in writing, this Agreement does not include any service level commitments, availability guarantees or response times.
4.11.2 Any availability metrics, uptime figures or performance descriptions are indicative only and shall not constitute contractual commitments.
5. CUSTOMER OBLIGATIONS AND USE OF THE SERVICES
5.1 The Customer shall use the Services strictly in accordance with:
.a. this Agreement; .b. all Applicable Law; and .c. any reasonable instructions, usage guidelines or policies notified by Checkio from time to time.
5.2 The Customer shall be solely responsible for ensuring that:
.a. all Customer Data submitted to the Services is accurate, complete, lawful and not misleading; .b. it has obtained all rights, permissions, notices and consents required to submit, process and use Customer Data through the Services; .c. its use of the Services does not infringe the rights of any third party.
5.3 The Customer shall establish and maintain appropriate internal policies, procedures and controls governing its use of the Services, including .where applicable.:
.a. governance and oversight arrangements; .b. escalation and review procedures; .c. record.keeping and audit trails; .d. controls to ensure compliance with Applicable Law and regulatory requirements.
5.4 The Customer shall ensure that Outputs are:
.a. subject to appropriate human oversight and review, where required by Applicable Law, or the Customer’s internal policies; .b. not relied upon as the sole basis for any decision which may have legal, regulatory or financial consequences; .c. used only for the Customer’s internal business purposes and in accordance with this Agreement.
5.5 The Customer shall not:
.a. use the Services in any manner that is unlawful, fraudulent or misleading; .b. use the Services to carry out automated decision.making where such use is prohibited by Applicable Law; .c. represent or imply that any Output has been verified, approved or endorsed by Checkio or ; .d. use the Services in a manner that could reasonably be expected to cause Checkio to breach Applicable Law or regulatory requirements.
5.6 The Customer shall promptly notify Checkio if it becomes aware of:
.a. any unauthorised use of the Services or access credentials; .b. any material error, anomaly or issue in relation to the Services or Outputs which could reasonably give rise to regulatory, legal or reputational risk.
5.7 The Customer shall provide reasonable cooperation and information to Checkio as may be required to:
.a. investigate and remediate security incidents or misuse of the Services; .b. comply with Applicable Law or regulatory requests; .c. manage material risks arising from the Customer’s use of the Services.
5.8 The Customer acknowledges and agrees that failure to comply with this Clause 5 may result in suspension or termination of access to the Services in accordance with Clause 16.
6. ACCEPTABLE USE, NON.DERIVATION AND RESTRICTIONS
6.1 The Customer shall use the Services and Outputs solely:
.a. for the Customer’s own internal business purposes; and .b. strictly in accordance with this Agreement and all Applicable Law.
6.2 Without prejudice to the generality of Clause 6.1, the Customer shall not, and shall ensure that its users do not, use the Services or any Outputs:
.a. for any unlawful, fraudulent, misleading or improper purpose; .b. in breach of Applicable Law, including data protection, financial services, AML, sanctions or regulatory requirements; .c. in a manner that could reasonably be expected to cause Checkio to breach Applicable Law or regulatory obligations.
6.3 The Customer shall not use, and shall not permit any third party to use, the Services or Outputs:
.a. to design, develop, create, train, test, benchmark, validate, improve or operate any product or service that competes with, is substitutable for, or is functionally similar to the Services; .b. to reverse engineer, derive, infer or attempt to reconstruct any underlying logic, algorithms, models, methodologies, workflows, decision trees, rules or processes used in the Services; .c. to extract, analyse or aggregate Outputs for the purpose of identifying patterns, logic or system behaviour beyond the Customer’s permitted internal use of the Services.
6.4 The Customer shall not:
.a. copy, reproduce, modify, adapt or create derivative works of the Services, Outputs or Checkio Materials, except to the extent strictly necessary for permitted use of the Services; .b. decompile, disassemble or otherwise attempt to derive the source code or underlying structure of the Services, except to the extent expressly permitted by Applicable Law and only after giving prior written notice to Checkio; .c. interfere with, disrupt or attempt to gain unauthorised access to the Services, systems or networks.
6.5 The Customer shall not use the Services or Outputs:
.a. on a bureau, service provider, resale, white.label or outsourcing basis; .b. to provide services to third parties; or .c. for the benefit of any third party,
in each case without Checkio’s prior written consent.
6.6 The Customer acknowledges and agrees that:
.a. the restrictions in this Clause 6 are reasonable and necessary to protect Checkio’s legitimate interests, including its intellectual property, confidential information and regulatory obligations; .b. breach of this Clause 6 may cause irreparable harm to Checkio for which damages may not be an adequate remedy.
6.7 Checkio may, without prejudice to any other rights or remedies, immediately suspend or restrict access to the Services, in whole or in part, where it reasonably believes that the Customer has breached or is likely to breach this Clause 6.
6.8 The restrictions in this Clause 6 shall survive termination or expiry of this Agreement to the extent necessary to give them effect.
7. FEES, CREDITS AND PAYMENT
7.1 The Services are provided on a prepaid, usage.based credit model.
7.2 In order to access and use the Services, the Customer shall purchase Credits in advance through the Checkio platform or as otherwise agreed in writing.
7.3 Unless expressly stated otherwise in writing:
.a. one penny sterling .GBP £0.01. shall be equivalent to ten .10. Credits; .b. Credits do not constitute money, electronic money, stored value, a deposit or a payment account; .c. no interest shall accrue on any balance of Credits.
7.4 The number of Credits required to access or use a particular Service shall vary depending on the nature of that Service and shall be as specified on the Checkio platform at the time the relevant request is submitted or processed.
7.5 Credits shall be deducted at the point a Service request is submitted or processed, as applicable to the relevant Service.
7.6 All prices, Credit conversion rates and Credit requirements for particular Services may be amended by Checkio from time to time, provided that:
.a. any such changes shall not retrospectively affect Credits already used; and .b. material changes shall be notified to the Customer in advance where reasonably practicable.
7.7 All fees and charges are exclusive of value added tax and any other applicable taxes, duties or levies, which shall be payable by the Customer in addition at the prevailing rate.
7.8 Purchased Credits are non.refundable, non.transferable and may not be exchanged for cash or other consideration, except to the extent required by Applicable Law.
7.9 The Customer shall be solely responsible for ensuring that it maintains a sufficient balance of Credits to access the Services, and Checkio shall have no obligation to provide Services where insufficient Credits are available.
7.10 Checkio may suspend access to the Services, in whole or in part, where the Customer has insufficient Credits or where payment is overdue, without prejudice to any other rights or remedies available to Checkio.
8. INTELLECTUAL PROPERTY RIGHTS
8.1 All intellectual property rights in and to the Services, the platform through which the Services are provided, and all underlying software, source code, object code, algorithms, models, methodologies, workflows, processes, databases, system architecture, documentation, know.how and other materials created, developed or made available by or on behalf of Checkio in connection with the Services .together, the Checkio Materials. shall vest in and remain the exclusive property of Checkio or its licensors.
8.2 Nothing in this Agreement shall operate to transfer, assign or otherwise grant to the Customer any right, title or interest in the Checkio Materials, except for the limited licence expressly granted under this Clause 8.
8.3 Subject to the Customer’s compliance with this Agreement, Checkio grants to the Customer a limited, non.exclusive, non.transferable, non.sublicensable and revocable licence during the Term to access and use the Services and the Outputs solely for the Customer’s internal business purposes and strictly in accordance with this Agreement.
8.4 The Customer acknowledges and agrees that:
.a. all intellectual property rights in and to the Outputs vest in and remain the property of Checkio or its licensors; .b. the Customer acquires no ownership rights in the Outputs; .c. the Outputs constitute part of the Checkio Materials for the purposes of this Agreement.
8.5 Except to the extent strictly necessary to exercise the licence granted under Clause 8.3, the Customer shall not, and shall ensure that its users do not:
.a. copy, reproduce, modify, adapt, translate or create derivative works of the Services, the Outputs or the Checkio Materials; .b. remove, obscure or alter any proprietary notices, legends or markings included in or on the Services, Outputs or documentation; .c. use the Services, Outputs or Checkio Materials to develop, train, enhance or validate any product or service that competes with, is substitutable for, or is functionally similar to the Services.
8.6 Without prejudice to Clause 6, the Customer shall not acquire, and shall not claim to have acquired, any rights in the Services, Outputs or Checkio Materials by virtue of use, access or familiarity, whether through estoppel, implication or otherwise.
8.7 To the extent that any intellectual property rights in or to any materials, feedback, suggestions, ideas or other information provided by or on behalf of the Customer in connection with the Services vest in the Customer, the Customer hereby grants to Checkio a perpetual, irrevocable, royalty.free, worldwide licence to use, exploit, modify and incorporate such materials for any purpose related to the Services.
8.8 The Customer warrants that it has all rights, licences and consents necessary to grant the licence set out in Clause 8.7 and that use of such materials by Checkio in accordance with this Agreement shall not infringe the rights of any third party.
8.9 All licences granted under this Clause 8 shall automatically terminate upon termination or expiry of this Agreement, save to the extent necessary to give effect to any surviving provisions.
8.10 The Customer acknowledges that breach of this Clause 8 may cause irreparable harm to Checkio for which damages may not be an adequate remedy, and that Checkio shall be entitled to seek injunctive or equitable relief in addition to any other remedies available at law.
8A. MISUSE, NON.DERIVATION AND REMEDIES
8A.1 The Customer acknowledges and agrees that the Services, Outputs and Checkio Materials embody valuable confidential information, intellectual property, trade secrets and proprietary methodologies of Checkio.
8A.2 The Customer shall not, and shall ensure that its users, affiliates and contractors do not, whether directly or indirectly:
.a. use the Services, Outputs or any part thereof for the purpose of analysing, studying, learning, extracting or identifying the design, logic, structure, workflows, methodologies, scoring approaches, decision criteria or operational principles underlying the Services; .b. derive, infer, reconstruct, replicate or attempt to replicate any aspect of the Services or Outputs, whether by technical means, statistical analysis, repeated usage, comparison, benchmarking or otherwise; .c. use the Services or Outputs to assist in the development, operation, marketing or enhancement of any product or service that competes with, substitutes for, or is functionally similar to the Services.
8A.3 The Customer shall not assert, and shall procure that no third party asserts, that any product, service or system developed by or on behalf of the Customer has been independently created where such product, service or system has been informed by, derived from, or influenced by access to or use of the Services or Outputs.
8A.4 Any use of the Services or Outputs outside the scope expressly permitted by this Agreement shall constitute unauthorised use and a material breach of this Agreement.
8A.5 The Customer acknowledges and agrees that:
.a. damages alone may be an inadequate remedy for breach of this Clause 8A; .b. any breach or threatened breach of this Clause 8A may cause irreparable harm to Checkio.
8A.6 Without prejudice to any other rights or remedies, Checkio shall be entitled to seek immediate injunctive relief, specific performance or other equitable relief in respect of any breach or threatened breach of this Clause 8A.
8A.7 This Clause 8A shall survive termination or expiry of this Agreement for so long as necessary to protect Checkio’s legitimate interests.
9. CONFIDENTIALITY
9.1 Each party shall keep confidential and shall not disclose to any third party any Confidential Information of the other party, except as expressly permitted by this Agreement or required by Applicable Law.
9.2 Without prejudice to the generality of Clause 9.1, the parties acknowledge and agree that, in the case of Checkio, Confidential Information includes:
.a. the Services and the manner in which they are designed, configured and delivered; .b. the Checkio Materials; .c. all Outputs, whether viewed individually or in aggregate; .d. any information relating to system behaviour, workflows, logic, rules, scoring approaches, methodologies or operational characteristics of the Services; .e. any non.public information relating to Checkio’s business, technology, regulatory arrangements, security measures or pricing.
9.3 The Customer shall use Checkio’s Confidential Information solely for the purposes of exercising its rights and performing its obligations under this Agreement and for no other purpose.
9.4 A party may disclose the other party’s Confidential Information to its employees, officers, contractors, professional advisers and, in the case of Checkio, its licensors and subcontractors, provided that:
.a. such disclosure is strictly necessary for the purposes of this Agreement; .b. the recipients are subject to confidentiality obligations no less onerous than those set out in this Clause 9; .c. the disclosing party remains responsible for any breach of this Clause 9 by such recipients.
9.5 A party may disclose Confidential Information to the extent required by:
.a. Applicable Law; .b. any court of competent jurisdiction; or .c. any regulatory or supervisory authority, including ,
provided that, to the extent permitted by Applicable Law, the receiving party gives the other party prompt written notice of such requirement and cooperates reasonably to limit the scope of the disclosure.
9.6 The obligations in this Clause 9 shall not apply to information which the receiving party can demonstrate:
.a. is or becomes publicly available other than through a breach of this Agreement; .b. was lawfully in its possession prior to disclosure by the other party; .c. is lawfully disclosed to it by a third party without restriction on disclosure; .d. is independently developed without use of or reference to the Confidential Information.
9.7 Each party shall implement and maintain appropriate technical and organisational measures to protect the other party’s Confidential Information against unauthorised or unlawful access, use, disclosure, alteration or destruction.
9.8 Upon termination or expiry of this Agreement, or upon written request, each party shall promptly return or destroy the other party’s Confidential Information, except to the extent that:
.a. retention is required by Applicable Law or regulatory requirements; .b. such Confidential Information is retained in accordance with the receiving party’s bona fide record retention policies; .c. such Confidential Information is retained in backup systems, provided that such information remains subject to the confidentiality obligations set out in this Agreement.
9.9 The obligations set out in this Clause 9 shall survive termination or expiry of this Agreement for a period of six .6. years, or for such longer period as is necessary to protect the Confidential Information in question.
10. INFORMATION SECURITY AND BUSINESS CONTINUITY
10.1 Checkio shall implement and maintain appropriate technical and organisational measures designed to protect the Services, Customer Data and Confidential Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account:
.a. the nature, scope, context and purposes of the Services; .b. the risks presented by processing, including risks to confidentiality, integrity and availability; .c. applicable requirements under Data Protection Laws and, where relevant.
10.2 Without prejudice to the generality of Clause 10.1, such measures shall include, where appropriate:
.a. access controls and authentication mechanisms; .b. segregation of environments and data; .c. logging and monitoring of access and system activity; .d. encryption of data in transit and, where appropriate, at rest; .e. vulnerability management and patching processes; .f. staff confidentiality and security training.
10.3 The Customer acknowledges and agrees that no system can be guaranteed to be completely secure and that Checkio does not warrant that the Services will be free from all security vulnerabilities or incidents.
10.4 Checkio shall maintain reasonable business continuity and disaster recovery arrangements appropriate to the nature of the Services, designed to minimise disruption and support the restoration of Services following an incident.
10.5 The Customer acknowledges that business continuity and disaster recovery arrangements are intended to support the continuity of the Services generally and do not constitute a guarantee of uninterrupted availability or recovery within any specific timeframe, unless expressly agreed in writing.
10.6 In the event of a security incident affecting the Services which results in unauthorised access to or loss of Customer Data or Confidential Information, Checkio shall:
.a. take reasonable steps to investigate and contain the incident; .b. notify the Customer without undue delay where required by Applicable Law or Data Protection Laws; .c. provide reasonable information to the Customer to enable it to comply with its own legal or regulatory obligations.
10.7 The Customer shall:
.a. implement and maintain appropriate security measures in relation to its access to and use of the Services; .b. promptly notify Checkio of any actual or suspected security incident relating to its access credentials or use of the Services; .c. cooperate reasonably with Checkio in connection with the investigation and remediation of any security incident.
10.8 Nothing in this Agreement shall require Checkio to disclose information which would compromise the security of its systems, other customers or the Services generally.
10.9 This Clause 10 shall be read subject to, and without prejudice to, the Data Processing Agreement incorporated pursuant to Clause 14, which shall govern matters relating to Personal Data.
11. WARRANTIES AND REPRESENTATIONS
11.1 Each party represents and warrants to the other that:
.a. it is duly incorporated and validly existing under the laws of its jurisdiction of incorporation; .b. it has full power, authority and capacity to enter into this Agreement and to perform its obligations under it; .c. this Agreement constitutes legal, valid and binding obligations enforceable against it in accordance with its terms.
11.2 The Customer represents and warrants that:
.a. it is a commercially sophisticated entity with appropriate knowledge and experience to evaluate and use the Services; .b. it has conducted its own independent assessment of the Services and their suitability for its business, regulatory obligations and risk profile; .c. it has not relied on any representation, warranty or statement made by or on behalf of Checkio other than those expressly set out in this Agreement.
11.3 Checkio represents and warrants that it shall provide the Services using reasonable skill and care consistent with generally accepted industry standards for services of a similar nature.
11.4 Except as expressly set out in this Agreement, all warranties, representations, conditions and other terms implied by statute, common law or otherwise are excluded to the fullest extent permitted by Applicable Law, including any implied warranties as to quality, fitness for purpose, accuracy, completeness or suitability of the Services or Outputs.
11.5 Without prejudice to Clause 11.4, Checkio does not warrant that:
.a. the Services or Outputs will meet the Customer’s specific requirements; .b. the Services or Outputs will be accurate, complete, reliable or error.free; .c. the use of the Services or Outputs will ensure compliance with Applicable Law or regulatory requirements.
11.6 The Customer acknowledges and agrees that the exclusions and limitations set out in this Clause 11 are fundamental elements of the basis on which Checkio provides the Services and reflect the allocation of risk agreed between the parties.
12. DISCLAIMER OF OUTPUTS AND RELIANCE
12.1 The Services generate outputs, results, reports, data points, scores, indicators and other information .together, Outputs. through automated, technology.enabled processes, including the application of rules.based logic and the use of Customer.provided data and third.party data sources.
12.2 The Customer acknowledges and agrees that all Outputs are provided for informational purposes only and are intended to support, but not replace, the Customer’s own assessment, judgement and decision.making processes.
12.3 Without prejudice to Clause 3 .Regulatory Status and Scope of Services., nothing in this Agreement, and no Output, shall constitute or be construed as:
.a. regulated advice; .b. a recommendation; .c. a decision made on behalf of the Customer; or .d. a determination as to compliance with any legal or regulatory obligation.
12.4 The Customer shall not rely on any Output as the sole or primary basis for any decision with legal, regulatory, financial or commercial effect and shall apply appropriate human oversight, validation and independent assessment before acting on any Output.
12.5 The Customer acknowledges and agrees that:
.a. Outputs may be based on incomplete, outdated or inaccurate data sources; .b. Outputs may contain errors, omissions or false positives or negatives; .c. Outputs may include or constitute Personal Data without altering the respective roles of the parties under Clause 14 .Data Protection..
12.6 Neither Checkio nor makes any representation, warranty or undertaking, whether express or implied, as to the accuracy, completeness, timeliness, reliability or suitability of any Output for any particular purpose.
12.7 To the fullest extent permitted by law, neither Checkio nor shall have any liability arising out of or in connection with:
.a. any reliance placed on Outputs by the Customer or any third party; .b. any decision, action or omission taken by the Customer based on any Output; .c. any use of Outputs other than in accordance with this Agreement.
12.8 The Customer is solely responsible for ensuring that its use of Outputs complies with Applicable Law and any regulatory requirements applicable to the Customer, including any obligations relating to customer outcomes, fairness, transparency and decision.making.
12.9 Nothing in this Clause 12 shall limit or exclude any liability that cannot lawfully be limited or excluded under Applicable Law.
13. LIMITATION OF LIABILITY
13.1 Nothing in this Agreement shall limit or exclude either party’s liability for:
.a. death or personal injury caused by negligence; .b. fraud or fraudulent misrepresentation; or .c. any other liability which cannot lawfully be limited or excluded under Applicable Law.
13.2 Subject to Clause 13.1, neither Checkio nor shall be liable to the Customer, whether in contract, tort .including negligence., breach of statutory duty or otherwise, for any:
.a. loss of profit, loss of revenue, loss of business or loss of anticipated savings; .b. loss of data .other than loss of Customer Personal Data caused by a breach of Clause 14 .Data Protection..; .c. loss of goodwill or reputation; or .d. indirect, consequential or special loss or damage,
in each case arising out of or in connection with this Agreement.
13.3 Subject to Clauses 13.1 and 13.2, the total aggregate liability of Checkio to the Customer arising out of or in connection with this Agreement, whether in contract, tort .including negligence., breach of statutory duty or otherwise, shall not exceed the total Fees paid by the Customer to Checkio under this Agreement in the twelve .12. month period immediately preceding the event giving rise to the claim.
13.4 Subject to Clauses 13.1 to 13.3 shall have no liability to the Customer under or in connection with this Agreement, whether in contract, tort .including negligence., breach of statutory duty or otherwise.
13.5 Without prejudice to Clause 12 .Disclaimer of Outputs and Reliance., and subject always to Clause 13.1, neither Checkio nor shall have any liability arising out of or in connection with:
.a. any reliance placed on Outputs by the Customer or any third party; .b. any decision, action or omission taken by the Customer based on any Output; .c. any failure by the Customer to apply appropriate human oversight, validation or independent assessment to Outputs.
13.6 The Customer acknowledges and agrees that:
.a. the exclusions and limitations of liability set out in this Agreement are reasonable having regard to the nature of the Services and the Fees payable; .b. the Services are provided as automated, informational tools and not as advisory or decision.making services; .c. the allocation of risk under this Agreement reflects the respective roles of the parties as set out in Clause 3 .Regulatory Status and Scope of Services..
13.7 Each limitation and exclusion of liability in this Clause 13 shall apply independently of the other and shall survive termination or expiry of this Agreement.
14. DATA PROTECTION
14.1 Each party shall comply at all times with Data Protection Laws in connection with the performance of this Agreement.
14.2 The parties acknowledge and agree that, to the extent Checkio processes Personal Data on behalf of the Customer in connection with the Services, the Customer acts as controller and Checkio acts as processor for the purposes of Data Protection Laws, unless expressly stated otherwise in writing.
14.3 The Data Processing Agreement is hereby incorporated into this Agreement by reference and shall apply to all processing of Personal Data by Checkio on behalf of the Customer under this Agreement.
14.4 The Customer shall ensure that:
.a. it has a valid lawful basis under Data Protection Laws for the processing of Personal Data using the Services; .b. it has provided all required notices to, and obtained all necessary consents from, data subjects in relation to such processing; .c. its instructions to Checkio for the processing of Personal Data are lawful and comply with Data Protection Laws.
14.5 Checkio shall process Personal Data only in accordance with:
.a. the Customer’s documented instructions as set out in this Agreement and the Data Processing Agreement; and .b. Applicable Law,
unless required to process Personal Data otherwise by Applicable Law, in which case Checkio shall, to the extent permitted by Applicable Law, inform the Customer of such requirement.
14.6 The Customer acknowledges and agrees that Checkio may engage subprocessors in accordance with the Data Processing Agreement and that such subprocessors may process Personal Data on Checkio’s behalf.
14.7 In the event of any conflict or inconsistency between the terms of this Agreement and the Data Processing Agreement in relation to the processing of Personal Data, the terms of the Data Processing Agreement shall prevail.
14.8 Nothing in this Agreement shall require Checkio to process Personal Data in a manner that would cause it to breach Data Protection Laws or regulatory requirements.
14.9 This Clause 14 shall survive termination or expiry of this Agreement to the extent required to give it effect.
14.10 Order of precedence
14.10.1 In the event of any conflict or inconsistency between the terms of this Agreement and Schedule 1 .Data Processing Agreement., the terms of Schedule 1 shall prevail solely in respect of data protection and processing of Personal Data.
14.10.2 For all other matters, the terms of this Agreement shall prevail.
15. INDEMNITIES
15.1 The Customer shall indemnify, defend and hold harmless Checkio, its affiliates and, where applicable, together with their respective directors, officers, employees and contractors, from and against all losses, liabilities, damages, costs, expenses, claims, demands and proceedings .including reasonable legal and professional fees. arising out of or in connection with:
.a. any breach by the Customer of this Agreement, including Clauses 5 .Customer Obligations., 6 .Acceptable Use., 8 .Intellectual Property Rights., 8A .Misuse, Non.Derivation and Remedies. or 9 .Confidentiality.; .b. the unlawful, improper or unauthorised use of the Services or Outputs by or on behalf of the Customer; .c. any allegation that Customer Data, or the processing or use of Customer Data in accordance with this Agreement, infringes the rights of any third party or breaches Applicable Law; .d. any failure by the Customer to comply with Applicable Law, including, in connection with its use of the Services; .e. any reliance placed by the Customer or any third party on Outputs contrary to this Agreement.
15.2 The indemnity in Clause 15.1 shall apply whether the relevant claim arises in contract, tort .including negligence., breach of statutory duty or otherwise.
15.3 Checkio shall:
.a. promptly notify the Customer in writing of any claim to which the indemnity in Clause 15.1 applies, to the extent reasonably practicable; .b. provide reasonable cooperation to the Customer, at the Customer’s cost, in the defence or settlement of such claim.
15.4 The Customer shall not settle or compromise any claim subject to Clause 15.1 without Checkio’s prior written consent, such consent not to be unreasonably withheld or delayed where the settlement does not impose any obligation, admission of liability or restriction on Checkio.
15.5 Nothing in this Clause 15 shall require the Customer to indemnify Checkio to the extent that the relevant loss, liability or claim arises directly from Checkio’s fraud or wilful misconduct.
16. SUSPENSION AND TERMINATION
16.1 Checkio may suspend access to the Services, in whole or in part, with immediate effect and without liability, where Checkio reasonably considers that:
.a. the Customer has breached, or is likely to breach, this Agreement; .b. the Customer’s use of the Services poses a material legal, regulatory, security or reputational risk to Checkio; .c. suspension is required to comply with Applicable Law, or a request or direction from a competent regulatory authority; .d. the Customer has insufficient Credits to access the Services.
16.2 Where reasonably practicable, Checkio shall notify the Customer of any suspension under Clause 16.1 and the reasons for such suspension.
16.3 Either party may terminate this Agreement by written notice to the other party if the other party commits a material breach of this Agreement which is not remedied within thirty .30. days of receipt of written notice specifying the breach and requiring it to be remedied.
16.4 Checkio may terminate this Agreement with immediate effect by written notice to the Customer if:
.a. the Customer commits a material breach of Clauses 5 .Customer Obligations., 6 .Acceptable Use., 8 .Intellectual Property Rights., 8A .Misuse, Non.Derivation and Remedies. or 9 .Confidentiality.; .b. the Customer repeatedly breaches this Agreement, whether or not such breaches are remedied; .c. continued provision of the Services would, in Checkio’s reasonable opinion, expose Checkio to material regulatory, legal or reputational risk; .d. Checkio ceases to be authorised or permitted to provide the Services, in whole or in part, due to a change in Applicable Law or regulatory requirements.
16.5 Either party may terminate this Agreement immediately by written notice to the other party if the other party:
.a. becomes insolvent, unable to pay its debts as they fall due, or enters into liquidation, administration or any analogous insolvency process; .b. ceases or threatens to cease carrying on its business.
16.6 Termination or suspension of this Agreement shall not affect any rights, remedies or liabilities of either party which have accrued prior to the date of termination or suspension.
17. CONSEQUENCES OF TERMINATION
17.1 Upon termination or expiry of this Agreement for any reason:
.a. all rights granted to the Customer under this Agreement shall immediately cease; .b. the Customer’s access to the Services and the platform shall be terminated; .c. any unused Credits shall immediately lapse without refund or compensation; .d. the Customer shall promptly cease all use of the Services, Outputs and Checkio Materials.
17.2 Termination or expiry of this Agreement shall not relieve the Customer of any obligation to pay any fees, charges or other amounts accrued and payable prior to the date of termination or expiry.
17.3 Upon termination or expiry of this Agreement, the Customer shall, at Checkio’s option and upon written request:
.a. return to Checkio all Confidential Information of Checkio in its possession or control; or .b. securely destroy such Confidential Information and certify in writing that it has done so,
except to the extent that retention of such Confidential Information is permitted under Clause 9.8.
17.4 Checkio may retain Customer Data and Outputs to the extent required:
.a. by Applicable Law or regulatory requirements; .b. for the establishment, exercise or defence of legal claims; .c. in accordance with its bona fide record retention policies,
provided that any such retained data remains subject to the confidentiality and data protection obligations set out in this Agreement and the Data Processing Agreement.
17.5 The Customer acknowledges and agrees that termination of this Agreement shall not entitle the Customer to any refund, rebate or compensation in respect of:
.a. unused Credits; .b. prepaid fees; or .c. any loss of anticipated benefit arising from the termination.
17.6 The following Clauses shall survive termination or expiry of this Agreement, together with any other provisions which by their nature are intended to survive:
.a. Clause 6 .Acceptable Use, Non.Derivation and Restrictions.; .b. Clause 8 .Intellectual Property Rights.; .c. Clause 8A .Misuse, Non.Derivation and Remedies.; .d. Clause 9 .Confidentiality.; .e. Clause 12 .Disclaimer of Outputs and Reliance.; .f. Clause 13 .Limitation of Liability.; .g. Clause 14 .Data Protection.; .h. Clause 15 .Indemnities.; .i. Clause 17 .Consequences of Termination.; .j. Clause 26 .Governing Law and Jurisdiction..
18. FORCE MAJEURE
18.1 Neither party shall be liable for any failure or delay in the performance of its obligations under this Agreement .other than payment obligations. to the extent that such failure or delay is caused by a Force Majeure Event.
18.2 For the purposes of this Agreement, a Force Majeure Event means any event or circumstance beyond a party’s reasonable control which could not reasonably have been foreseen or avoided, including:
.a. acts of God, flood, fire, earthquake or other natural disaster; .b. epidemic, pandemic or public health emergency; .c. war, terrorism, riot, civil commotion or malicious damage; .d. compliance with any Applicable Law, governmental order, direction or regulatory requirement; .e. failure or interruption of utilities, communications networks or third.party infrastructure; .f. failure or unavailability of third.party data sources or service providers outside the affected party’s reasonable control.
18.3 A party affected by a Force Majeure Event shall:
.a. notify the other party as soon as reasonably practicable of the occurrence of the Force Majeure Event; .b. use reasonable endeavours to mitigate the effect of the Force Majeure Event on the performance of its obligations.
18.4 If the Force Majeure Event continues for a period of more than sixty .60. consecutive days and materially affects the performance of this Agreement, either party may terminate this Agreement by written notice to the other party without liability, save for any rights and liabilities accrued prior to termination.
18.5 Nothing in this Clause 18 shall excuse or delay the Customer’s obligation to pay any fees or charges due under this Agreement.
19. ASSIGNMENT AND SUBCONTRACTING
19.1 The Customer shall not assign, transfer, novate, subcontract or otherwise dispose of any of its rights or obligations under this Agreement, in whole or in part, without the prior written consent of Checkio, such consent not to be unreasonably withheld or delayed.
19.2 Any purported assignment, transfer, novation or disposal by the Customer in breach of Clause 19.1 shall be null and void.
19.3 Checkio may assign, transfer or novate this Agreement, in whole or in part:
.a. to any member of its group; .b. in connection with a merger, acquisition, corporate reorganisation or sale of all or substantially all of its business or assets relating to the Services; or .c. where required to comply with Applicable Law or regulatory requirements,
in each case by giving written notice to the Customer.
19.4 Checkio may subcontract the performance of any of its obligations under this Agreement, provided that:
.a. Checkio remains responsible for the acts and omissions of its subcontractors as if they were its own; .b. any subcontracting arrangements comply with Applicable Law and, where relevant; .c. where subcontracting involves the processing of Personal Data, such subcontracting shall be subject to the Data Processing Agreement.
19.5 Nothing in this Agreement shall prevent Checkio from engaging third.party service providers, licensors or data suppliers in the ordinary course of providing the Services.
19.6 This Clause 19 shall survive termination or expiry of this Agreement.
20. ENTIRE AGREEMENT
20.1 This Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes and extinguishes all prior and contemporaneous agreements, arrangements, understandings, representations and communications, whether written or oral, relating to that subject matter.
20.2 Each party acknowledges and agrees that, in entering into this Agreement, it does not rely on, and shall have no remedy in respect of, any statement, representation, assurance or warranty .whether made innocently or negligently. that is not expressly set out in this Agreement.
20.3 Nothing in this Clause 20 shall exclude or limit any liability for fraud or fraudulent misrepresentation.
21. VARIATION
21.1 No variation of this Agreement shall be effective unless it is in writing and signed by or on behalf of each party by its duly authorised representative.
21.2 Without prejudice to Clause 21.1, Checkio may make changes to this Agreement where such changes are required to:
.a. comply with Applicable Law or regulatory requirements; .b. reflect changes to the Services or the manner in which they are provided; .c. address security, risk management or regulatory concerns.
21.3 Where Checkio makes a change pursuant to Clause 21.2 which materially and adversely affects the Customer’s rights under this Agreement, Checkio shall provide the Customer with reasonable prior notice of such change.
21.4 The Customer’s continued use of the Services following the effective date of any variation notified in accordance with this Clause 21 shall constitute acceptance of the varied Agreement.
21.5 For the avoidance of doubt, no oral or implied variation of this Agreement shall be effective.
22. NOTICES
22.1 Any notice or other communication given under or in connection with this Agreement shall be in writing and shall be delivered by one of the following methods:
.a. by hand; .b. by pre.paid first.class post or other next Business Day delivery service; or .c. by email.
22.2 A notice or other communication shall be sent to the address or email address notified by the relevant party to the other party from time to time for this purpose.
22.3 Any notice or other communication shall be deemed to have been received:
.a. if delivered by hand, at the time the notice is left at the proper address; .b. if sent by pre.paid first.class post or other next Business Day delivery service, at 9.00 am on the second Business Day after posting; .c. if sent by email, at the time of transmission, provided that no delivery failure notification is received by the sender.
22.4 This Clause 22 shall not apply to the service of proceedings or other documents in any legal action or arbitration.
22.5 For the purposes of this Clause 22, “writing” or “written” includes email but excludes instant messaging platforms or communications sent via the Services unless expressly agreed otherwise in writing.
23. WAIVER
23.1 A waiver of any right or remedy under this Agreement shall be effective only if it is given in writing and shall not be deemed a waiver of any subsequent breach or default.
23.2 A failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy.
23.3 No single or partial exercise of any right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
24. SEVERANCE
24.1 If any provision or part.provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable.
24.2 If such modification is not possible, the relevant provision or part.provision shall be deemed deleted.
24.3 Any modification to or deletion of a provision or part.provision under this Clause 24 shall not affect the validity and enforceability of the remaining provisions of this Agreement.
25. THIRD PARTY RIGHTS
25.1 Except as expressly provided in Clause 25.2, a person who is not a party to this Agreement shall not have any rights under the Contracts .Rights of Third Parties. Act 1999 to enforce any term of this Agreement.
25.2 For the avoidance of doubt, the enforcement rights granted to under this Clause 25.2 do not create any liability or obligation owed by to the Customer. shall be entitled to enforce the following Clauses as if it were a party to this Agreement:
.a. Clause 3 .Scope of Services.; .b. Clause 6 .Acceptable Use, Non.Derivation and Restrictions.; .c. Clause 8 .Intellectual Property Rights.; .d. Clause 8A .Misuse, Non.Derivation and Remedies.; .e. Clause 9 .Confidentiality.; .f. Clause 12 .Disclaimer of Outputs and Reliance.; .g. Clause 13 .Limitation of Liability.; .h. Clause 15 .Indemnities..
25.3 The consent of any third party shall not be required for the rescission, variation or termination of this Agreement.
26. GOVERNING LAW AND JURISDICTION
26.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation .including non.contractual disputes or claims. shall be governed by and construed in accordance with the law of England and Wales.
26.2 The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation .including non.contractual disputes or claims..
27. COUNTERPARTS AND ELECTRONIC EXECUTION
27.1 This Agreement may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts together shall constitute the one agreement.
27.2 Execution of this Agreement may be effected by electronic signature or by exchange of electronically scanned signature pages, and any such execution shall be valid and binding for all purposes.
27.3 Each party agrees that execution of this Agreement by electronic means satisfies any requirement for a signature to be in writing and shall have the same legal effect as execution of an original handwritten signature.
28. COSTS
28.1 Each party shall bear its own costs and expenses incurred in connection with the negotiation, preparation, execution and performance of this Agreement.
28.2 Nothing in this Agreement shall entitle either party to recover its costs or expenses from the other party, except as expressly provided in this Agreement or as ordered by a court of competent jurisdiction.
29. FURTHER ASSURANCE
29.1 Each party shall, at its own cost and expense, do and execute, or procure the doing and execution of, all such further acts, documents and things as the other party may reasonably require from time to time for the purpose of:
.a. giving full effect to this Agreement; .b. securing the performance of this Agreement in accordance with its terms; .c. complying with Applicable Law or regulatory requirements relating to the subject matter of this Agreement.
29.2 Without prejudice to the generality of Clause 29.1, the Customer shall provide such reasonable assistance and information as Checkio may require to enable it to:
.a. demonstrate compliance with Applicable Law or; .b. respond to lawful requests or enquiries from regulatory authorities; .c. maintain or vary its service arrangements.
29.3 Nothing in this Clause 29 shall require either party to do anything which would result in a breach of Applicable Law or any applicable regulatory requirement.
SCHEDULE 1 DATA PROCESSING AGREEMENT
.This Schedule 1 forms part of, and is incorporated into, the Master Services Agreement between the parties..
1. STATUS, PURPOSE AND ORDER OF PRECEDENCE
1.1 This Data Processing Agreement .“DPA”. is entered into pursuant to Clause 14 .Data Protection. of the Master Services Agreement .the “Agreement”. and forms Schedule 1 to the Agreement.
1.2 This DPA applies solely to the processing of Personal Data by Checkio on behalf of the Customer in connection with the provision of the Services under the Agreement.
1.3 In the event of any conflict or inconsistency between the terms of this DPA and the Agreement, the terms of this DPA shall prevail solely in respect of matters relating to the processing of Personal Data.
1.4 For the avoidance of doubt, this DPA does not apply to any processing of Personal Data carried out by Checkio as a controller in its own right, including processing relating to account administration, billing, platform security, fraud prevention, regulatory compliance or business operations.
2. DEFINITIONS AND INTERPRETATION
2.1 Definitions
In this DPA, unless the context otherwise requires, the following expressions shall have the meanings set out below. Capitalised terms not defined in this DPA shall have the meanings given to them in the Agreement.
Defined Term
Meaning
Controller
Has the meaning given in the UK GDPR.
Customer Personal Data
Personal Data processed by Checkio on behalf of the Customer in connection with the provision of the Services under the Agreement.
Data Breach
A personal data breach as defined in the UK GDPR.
Processor
Has the meaning given in the UK GDPR.
Processing
Has the meaning given in the UK GDPR, and “process” and “processed” shall be construed accordingly.
Subprocessor
Any third party engaged by Checkio to process Customer Personal Data on behalf of the Customer in connection with the Services.
UK GDPR
The retained EU law version of Regulation .EU. 2016/679 as it forms part of the law of England and Wales.
2.2 Interpretation
2.2.1 References to Articles are to Articles of the UK GDPR unless stated otherwise.
2.2.2 References to Applicable Law include Data Protection Laws.
2.2.3 Headings are for convenience only and shall not affect interpretation.
3. ROLES OF THE PARTIES AND SCOPE OF PROCESSING
3.1 The parties acknowledge and agree that, for the purposes of the Data Protection Laws:
.a. the Customer acts as Controller of the Customer Personal Data; and .b. Checkio acts as Processor of the Customer Personal Data,
in each case solely in respect of Processing carried out under this DPA in connection with the provision of the Services.
3.2 Nothing in this DPA or the Agreement shall be construed as creating a joint controller relationship between the parties.
3.3 The Processing of Customer Personal Data by Checkio shall be limited to that which is:
.a. necessary for the provision of the Services in accordance with the Agreement; and .b. carried out strictly in accordance with the Customer’s documented instructions, as set out in the Agreement, this DPA and any applicable Schedules.
3.4 The parties acknowledge and agree that:
.a. Outputs may contain or constitute Customer Personal Data; .b. the generation of Outputs does not alter the respective roles of the parties as Controller and Processor; .c. responsibility for determining the lawful use, disclosure and retention of Outputs containing Customer Personal Data remains with the Customer.
3.5 Checkio shall not determine the purposes for which or the manner in which Customer Personal Data is processed, except as required to perform the Services in accordance with the Agreement and this DPA.
3.6 Where Checkio processes Personal Data other than Customer Personal Data, including Personal Data relating to its own personnel, account administration, billing, security, fraud prevention or regulatory compliance, Checkio shall act as a Controller in its own right in respect of such processing, and such processing shall fall outside the scope of this DPA.
3.7 The Customer warrants that its instructions for the Processing of Customer Personal Data under this DPA are lawful and comply with Data Protection Laws.
3.8 Checkio shall promptly inform the Customer if, in its reasonable opinion, any instruction given by the Customer infringes Data Protection Laws, and shall be entitled to suspend Processing of the relevant Customer Personal Data until such instruction is amended or withdrawn.
4. DETAILS OF PROCESSING AND CUSTOMER INSTRUCTIONS
4.1 The subject matter, duration, nature and purpose of the Processing of Customer Personal Data under this DPA are as set out in Schedule A .Details of Processing. to this DPA.
4.2 The Customer instructs Checkio to Process Customer Personal Data solely:
.a. for the purposes of providing the Services to the Customer in accordance with the Agreement; .b. in accordance with the documented instructions set out in the Agreement, this DPA and the Schedules to this DPA; and .c. as otherwise required by Applicable Law.
4.3 The parties agree that the Customer’s documented instructions for the Processing of Customer Personal Data consist of:
.a. the Agreement; .b. this DPA; .c. the Schedules to this DPA; and .d. any additional written instructions agreed between the parties from time to time,
in each case provided that such instructions are lawful and comply with Data Protection Laws.
4.4 Checkio shall not Process Customer Personal Data for any purpose other than those expressly set out in Clause 4.2 unless required to do so by Applicable Law, in which case:
.a. Checkio shall, to the extent permitted by Applicable Law, inform the Customer of such legal requirement before carrying out the Processing; and .b. such Processing shall be limited to the minimum extent required to comply with Applicable Law.
4.5 The Customer acknowledges and agrees that:
.a. the scope of Processing is determined by the Customer’s use of the Services; .b. changes to the manner in which the Customer uses the Services may result in corresponding changes to the scope of Processing; .c. the Customer is responsible for ensuring that its use of the Services, and any resulting Processing, remains compliant with Data Protection Laws.
4.6 Where the Customer provides additional or amended instructions to Checkio which materially alter the scope, nature or volume of Processing, Checkio may:
.a. assess the impact of such instructions on its ability to comply with Data Protection Laws; and .b. require the Customer to agree to reasonable changes to the Services, this DPA or applicable fees before implementing such instructions.
4.7 Checkio shall maintain records of Processing activities carried out on behalf of the Customer to the extent required by Data Protection Laws.
5. CHECKIO PERSONNEL AND CONFIDENTIALITY
5.1 Checkio shall ensure that all personnel authorised by it to Process Customer Personal Data:
.a. are subject to appropriate confidentiality obligations, whether contractual or statutory; .b. have received appropriate training in relation to data protection and information security, commensurate with their role and responsibilities; .c. access Customer Personal Data only to the extent necessary for the performance of the Services in accordance with the Agreement and this DPA.
5.2 Checkio shall take reasonable steps to ensure the reliability of any personnel who have access to Customer Personal Data.
5.3 Checkio shall ensure that any person acting under its authority who has access to Customer Personal Data does not Process such data except on instructions from the Customer, unless required to do so by Applicable Law.
5.4 The obligations set out in this Clause 5 are without prejudice to, and shall be read consistently with, Clause 9 .Confidentiality. of the Agreement.
6. TECHNICAL AND ORGANISATIONAL MEASURES
6.1 Checkio shall implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR, taking into account:
.a. the state of the art; .b. the costs of implementation; .c. the nature, scope, context and purposes of the Processing; and .d. the risks of varying likelihood and severity for the rights and freedoms of natural persons.
6.2 Without prejudice to the generality of Clause 6.1, such measures shall include, where appropriate:
.a. logical access controls, authentication mechanisms and role.based access management; .b. segregation of Customer Personal Data from other data where appropriate; .c. encryption of Customer Personal Data in transit and, where appropriate, at rest; .d. logging and monitoring of access to systems and data; .e. regular testing, assessment and evaluation of the effectiveness of security measures; .f. incident detection, response and escalation procedures; .g. business continuity and disaster recovery arrangements.
6.3 The Customer acknowledges and agrees that the technical and organisational measures implemented by Checkio are designed to protect Customer Personal Data generally and are not intended to be tailored to the specific requirements of any individual Customer unless expressly agreed in writing.
6.4 Details of Checkio’s technical and organisational measures are further described in Schedule B .Technical and Organisational Measures. to this DPA.
6.5 Checkio may update or modify its technical and organisational measures from time to time, provided that such updates or modifications do not materially reduce the overall level of security provided for Customer Personal Data.
__ __
7. SUBPROCESSING
7.1 The Customer grants Checkio a general authorisation to engage Subprocessors for the Processing of Customer Personal Data, subject to the terms of this Clause 7.
7.2 Checkio shall ensure that any Subprocessor is appointed pursuant to a written agreement which:
.a. imposes data protection obligations on the Subprocessor that are no less protective than those set out in this DPA; .b. ensures that the Subprocessor provides sufficient guarantees to implement appropriate technical and organisational measures in accordance with Data Protection Laws; .c. permits Checkio to meet its obligations under this DPA.
7.3 Checkio shall remain fully liable to the Customer for the performance of each Subprocessor’s obligations in relation to the Processing of Customer Personal Data, to the same extent as if Checkio were performing such obligations itself.
7.4 A list of Subprocessors engaged by Checkio as at the Effective Date is set out in Schedule C .Subprocessors. to this DPA.
7.5 Checkio shall notify the Customer of any intended addition or replacement of a Subprocessor by updating Schedule C or otherwise providing notice to the Customer in advance of such change.
7.6 The Customer may object in writing to the appointment of a new Subprocessor on reasonable grounds relating to data protection within fourteen .14. days of receiving notice under Clause 7.5.
7.7 Where the Customer raises a valid objection under Clause 7.6 and the parties are unable to resolve the objection within a reasonable period, Checkio may, at its option:
.a. refrain from appointing the relevant Subprocessor; or .b. terminate the affected Services or, where appropriate, the Agreement, without liability to either party.
7.8 Nothing in this Clause 7 shall require Checkio to disclose information which would compromise the security or confidentiality of its systems or those of its Subprocessors.
8. ASSISTANCE WITH DATA SUBJECT RIGHTS AND REGULATORY OBLIGATIONS
8.1 Taking into account the nature of the Processing and the information available to it, Checkio shall provide reasonable assistance to the Customer to enable the Customer to comply with its obligations under Data Protection Laws in relation to:
.a. responding to requests from data subjects to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, objection and data portability; .b. compliance with Articles 32 to 36 of the UK GDPR, including security of Processing, data breach notification, data protection impact assessments and prior consultation with supervisory authorities.
8.2 Where Checkio receives a request from a data subject relating to Customer Personal Data, Checkio shall:
.a. not respond directly to such request, except as required by Applicable Law; and .b. promptly notify the Customer and provide reasonable assistance to enable the Customer to respond to the request.
8.3 The Customer shall be responsible for the substantive response to any data subject request and for determining whether such request is valid and applicable.
8.4 Checkio’s assistance under this Clause 8 shall be limited to information and actions within Checkio’s reasonable control and shall not require Checkio to disclose confidential or proprietary information beyond what is reasonably necessary.
8.5 Where the assistance requested by the Customer under this Clause 8 is not required by Data Protection Laws or is excessive, repetitive or disproportionate, Checkio may charge the Customer its reasonable costs incurred in providing such assistance, provided that Checkio notifies the Customer in advance.
8.6 Nothing in this Clause 8 shall require Checkio to take any action which would, in Checkio’s reasonable opinion, result in a breach of Applicable Law or compromise the security or confidentiality of the Services or other customers’ data.
9. PERSONAL DATA BREACH NOTIFICATION
9.1 Checkio shall notify the Customer without undue delay after becoming aware of a Data Breach affecting Customer Personal Data.
9.2 Such notification shall, to the extent reasonably practicable and taking into account the information available to Checkio at the time, include:
.a. a description of the nature of the Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; .b. a description of the likely consequences of the Data Breach; .c. a description of the measures taken or proposed to be taken by Checkio to address the Data Breach and, where appropriate, to mitigate its possible adverse effects.
9.3 Checkio shall take reasonable steps to investigate, contain and remediate any Data Breach without undue delay.
9.4 The Customer acknowledges and agrees that Checkio’s notification of a Data Breach under this Clause 9 does not constitute an admission of fault or liability.
9.5 The Customer shall be responsible for determining whether the Data Breach must be notified to a supervisory authority or to affected data subjects and for carrying out any such notification.
9.6 Checkio shall provide reasonable assistance to the Customer in relation to any notifications required under Data Protection Laws, subject to Clause 8.5.
9.7 Checkio shall not be required to notify the Customer of a Data Breach to the extent that such breach does not affect Customer Personal Data.
10. INTERNATIONAL TRANSFERS OF PERSONAL DATA
10.1 The Customer acknowledges and agrees that Customer Personal Data may be transferred to, or accessed from, countries outside the United Kingdom where this is necessary for the provision of the Services, including where Subprocessors are located outside the United Kingdom.
10.2 Where Checkio transfers Customer Personal Data outside the United Kingdom to a country that is not subject to an adequacy decision under Data Protection Laws, Checkio shall ensure that such transfer is subject to appropriate safeguards in accordance with Data Protection Laws.
10.3 Such safeguards may include, as applicable:
.a. the use of the UK International Data Transfer Agreement .IDTA.; .b. the use of the UK Addendum to the European Commission’s standard contractual clauses; or .c. any other lawful transfer mechanism permitted under Data Protection Laws from time to time.
10.4 The Customer authorises Checkio to enter into, on the Customer’s behalf, any transfer mechanism required under Clause 10.3 with a Subprocessor where necessary to facilitate the provision of the Services.
10.5 Checkio shall, upon reasonable request, provide the Customer with information regarding the transfer mechanisms relied upon under this Clause 10, subject to appropriate confidentiality obligations.
10.6 The Customer acknowledges and agrees that Checkio shall not be required to disclose information which would compromise the security or confidentiality of its systems or those of its Subprocessors in connection with compliance with this Clause 10.
11. AUDIT AND COMPLIANCE INFORMATION
11.1 Checkio shall make available to the Customer such information as is reasonably necessary to demonstrate compliance with this DPA and with Article 28 of the UK GDPR.
11.2 The Customer may audit Checkio’s compliance with this DPA only to the extent required by Data Protection Laws and subject to the limitations set out in this Clause 11.
11.3 Any audit conducted by or on behalf of the Customer shall:
.a. be carried out on reasonable prior written notice of not less than thirty .30. days; .b. be conducted no more than once in any twelve .12. month period, unless otherwise required by Data Protection Laws or a competent supervisory authority; .c. be limited in scope to matters reasonably necessary to verify compliance with this DPA; .d. be conducted during normal business hours; .e. not unreasonably interfere with Checkio’s business operations or the provision of services to other customers.
11.4 Checkio may satisfy its obligations under Clause 11.1 and 11.2 by providing:
.a. written responses to reasonable information requests; .b. copies of relevant policies, procedures or certifications; .c. summaries of third.party audit reports or security assessments,
provided that such materials are sufficient to demonstrate compliance and subject to appropriate confidentiality obligations.
11.5 Where an on.site audit is required by Applicable Law and cannot reasonably be satisfied through the means set out in Clause 11.4:
.a. the audit shall be conducted by an independent auditor appointed by the Customer and approved by Checkio .such approval not to be unreasonably withheld.; .b. the scope and duration of the audit shall be agreed in advance; .c. the Customer shall bear all costs of the audit; .d. the auditor shall be subject to appropriate confidentiality obligations.
11.6 Checkio may object to any audit request which, in Checkio’s reasonable opinion:
.a. is excessive, repetitive or disproportionate; .b. would compromise the security or confidentiality of Checkio’s systems or those of other customers; .c. relates to information not relevant to the Processing of Customer Personal Data.
11.7 Nothing in this Clause 11 shall require Checkio to disclose trade secrets, proprietary information or information relating to other customers beyond what is strictly necessary to demonstrate compliance with this DPA.
12. RETURN OR DELETION OF CUSTOMER PERSONAL DATA
12.1 Upon termination or expiry of the Agreement, and subject to Clause 12.3, Checkio shall, at the Customer’s written election:
.a. return to the Customer all Customer Personal Data processed on the Customer’s behalf; or .b. securely delete all Customer Personal Data processed on the Customer’s behalf,
in each case within a reasonable period following termination or expiry and in accordance with Applicable Law.
12.2 Where the Customer elects for return of Customer Personal Data under Clause 12.1.a., such return shall be provided in a commonly used and machine.readable format, to the extent reasonably practicable and technically feasible.
12.3 Notwithstanding Clause 12.1, Checkio may retain Customer Personal Data to the extent and for such period as required by:
.a. Applicable Law or regulatory requirements; .b. a lawful request from a competent supervisory or regulatory authority; or .c. the establishment, exercise or defence of legal claims.
12.4 Any Customer Personal Data retained by Checkio in accordance with Clause 12.3 shall:
.a. be retained only for so long as necessary for the relevant purpose; .b. remain subject to the confidentiality and security obligations set out in this DPA and the Agreement; .c. not be further processed except as required for the purpose for which it is retained.
12.5 The Customer acknowledges and agrees that deletion of Customer Personal Data from backup systems may occur in accordance with Checkio’s standard backup retention cycles, provided that such data remains protected and inaccessible for any other purpose.
13. LIABILITY AND LIMITATION
13.1 The parties acknowledge and agree that this DPA forms part of the Agreement and that, unless expressly stated otherwise in this DPA, the liability provisions set out in Clause 13 .Limitation of Liability. of the Agreement shall apply to all claims, losses and liabilities arising out of or in connection with this DPA.
13.2 Nothing in this DPA shall operate to:
.a. increase, extend or otherwise modify Checkio’s liability beyond the limits and exclusions set out in the Agreement; or .b. create any separate or additional liability regime in respect of data protection matters.
13.3 Without prejudice to Clause 13.1, Checkio shall not be liable to the Customer under or in connection with this DPA, whether in contract, tort .including negligence., breach of statutory duty or otherwise, except to the extent that such liability arises directly from Checkio’s failure to comply with its obligations under Article 28 of the UK GDPR.
13.4 Any liability of Checkio arising under or in connection with this DPA shall, in all cases, be subject to the exclusions and limitations set out in the Agreement, including:
.a. the exclusion of indirect, consequential or special losses; and .b. the applicable financial liability cap.
13.5 The Customer acknowledges and agrees that:
.a. the allocation of risk set out in the Agreement reflects the nature of the Services and the role of Checkio as a Processor acting on the Customer’s instructions; .b. the fees payable under the Agreement have been calculated on the basis that the exclusions and limitations of liability apply to this DPA.
13.6 Nothing in this DPA shall limit or exclude either party’s liability for:
.a. death or personal injury caused by negligence; .b. fraud or fraudulent misrepresentation; or .c. any other liability which cannot lawfully be limited or excluded under Applicable Law.
SCHEDULE A DETAILS OF PROCESSING
.This Schedule A forms part of Schedule 1 .Data Processing Agreement. to the Master Services Agreement..
1. SUBJECT MATTER OF THE PROCESSING
1.1 The Processing of Customer Personal Data by Checkio consists of the automated receipt, analysis, enrichment, extraction, matching, screening and return of data in connection with the provision of the Services to the Customer under the Agreement.
1.2 The Services may include, without limitation:
.a. anti.money laundering and sanctions screening; .b. politically exposed persons and adverse media checks; .c. identity verification and email verification; .d. document extraction and analysis; .e. data enrichment and credit.related checks; .f. associated data processing services provided via the Checkio platform.
2. DURATION OF THE PROCESSING
2.1 The Processing of Customer Personal Data shall continue for the duration of the Agreement, unless otherwise agreed in writing.
2.2 Following termination or expiry of the Agreement, Customer Personal Data shall be returned or deleted in accordance with Clause 12 of the Data Processing Agreement.
3. NATURE AND PURPOSE OF THE PROCESSING
3.1 The nature of the Processing includes:
.a. collection and receipt of Customer Personal Data; .b. automated processing, matching, scoring and analysis; .c. generation of Outputs; .d. storage, hosting and transmission of data as necessary to provide the Services; .e. deletion or return of data in accordance with the Agreement.
3.2 The purpose of the Processing is to enable Checkio to provide the Services to the Customer in accordance with the Agreement and the Customer’s documented instructions.
4. CATEGORIES OF DATA SUBJECTS
4.1 The categories of data subjects whose Personal Data may be processed include, without limitation:
.a. the Customer’s customers, clients or end users; .b. prospective customers or clients of the Customer; .c. individuals associated with corporate entities screened or verified by the Customer; .d. employees, officers, directors, beneficial owners or authorised representatives of the Customer’s customers or counterparties.
5. CATEGORIES OF PERSONAL DATA
5.1 The categories of Personal Data processed may include, without limitation:
.a. identification data, including names, dates of birth and nationality; .b. contact data, including email addresses and telephone numbers; .c. government.issued identifiers, where provided by the Customer; .d. business and professional information; .e. online identifiers and technical data; .f. data derived from public records, sanctions lists, watchlists and adverse media sources.
6. SPECIAL CATEGORIES OF PERSONAL DATA
6.1 The Services are not designed to require the Processing of special categories of Personal Data.
6.2 To the extent that special categories of Personal Data are incidentally processed through the Services .for example, through adverse media screening., such Processing shall be:
.a. incidental and not systematic; .b. carried out solely on the Customer’s instructions; .c. subject to appropriate safeguards in accordance with Data Protection Laws.
7. OBLIGATIONS AND RIGHTS OF THE CUSTOMER
7.1 The Customer is responsible for:
.a. determining the purposes and means of the Processing; .b. ensuring that the Processing of Customer Personal Data using the Services has a lawful basis under Data Protection Laws; .c. providing all required notices to data subjects and obtaining any required consents; .d. ensuring that its instructions to Checkio comply with Data Protection Laws.
SCHEDULE B TECHNICAL AND ORGANISATIONAL MEASURES
.This Schedule B forms part of Schedule 1 .Data Processing Agreement. to the Master Services Agreement..
1. INFORMATION SECURITY GOVERNANCE
1.1 Checkio maintains an information security programme designed to protect the confidentiality, integrity and availability of Customer Personal Data processed in connection with the Services.
1.2 Responsibility for information security is assigned to designated personnel with appropriate authority and oversight.
1.3 Information security policies and procedures are reviewed and updated periodically to reflect changes in risk, technology and Applicable Law.
2. ACCESS CONTROLS
2.1 Logical access to systems processing Customer Personal Data is restricted to authorised personnel on a need.to.know basis.
2.2 Role.based access controls are implemented to ensure that personnel have access only to the data and systems necessary for their role.
2.3 Authentication mechanisms are implemented to prevent unauthorised access, including strong password requirements and, where appropriate, multi.factor authentication.
2.4 Access rights are reviewed regularly and promptly revoked upon termination or change of role.
3. DATA SECURITY
3.1 Customer Personal Data is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
3.2 Encryption is used to protect Customer Personal Data in transit and, where appropriate, at rest.
3.3 Measures are implemented to ensure appropriate segregation of Customer Personal Data from other data.
4. LOGGING AND MONITORING
4.1 System activity relating to access to and Processing of Customer Personal Data is logged to an appropriate extent.
4.2 Logs are monitored for suspicious or unauthorised activity and retained for a reasonable period in accordance with security and compliance requirements.
5. INCIDENT MANAGEMENT
5.1 Checkio maintains procedures for the identification, reporting, investigation and remediation of security incidents, including Data Breaches.
5.2 Personnel are trained to recognise and escalate potential security incidents in accordance with internal procedures.
6. BUSINESS CONTINUITY AND DISASTER RECOVERY
6.1 Checkio maintains business continuity and disaster recovery arrangements appropriate to the nature of the Services.
6.2 Such arrangements are designed to support the restoration of Services and access to Customer Personal Data following an incident, taking into account the criticality of the Services.
7. PERSONNEL SECURITY AND TRAINING
7.1 Personnel with access to Customer Personal Data are subject to appropriate onboarding procedures, including confidentiality commitments.
7.2 Regular training is provided to personnel on data protection and information security requirements relevant to their role.
8. SUBPROCESSOR OVERSIGHT
8.1 Checkio conducts appropriate due diligence on Subprocessors prior to engagement, including assessment of their technical and organisational measures.
8.2 Checkio monitors Subprocessors on an ongoing basis to ensure continued compliance with applicable data protection and security obligations.
9. REVIEW AND UPDATE OF MEASURES
9.1 Checkio may update or modify these technical and organisational measures from time to time to reflect changes in risk, technology or regulatory requirements.
9.2 Any such updates shall not materially reduce the overall level of security provided for Customer Personal Data.
SCHEDULE C SUBPROCESSORS
.This Schedule C forms part of Schedule 1 .Data Processing Agreement. to the Master Services Agreement..
1. APPOINTMENT OF SUBPROCESSORS
1.1 Checkio engages Subprocessors to perform specific processing activities on behalf of the Customer in connection with the provision of the Services.
1.2 Subprocessors are appointed only where necessary for the delivery, security or operation of the Services and are subject to written agreements that comply with Clause 7 .Subprocessing. of the Data Processing Agreement.
2. CATEGORIES OF SUBPROCESSORS
As at the Effective Date, Checkio may engage Subprocessors within the following categories:
Category
Purpose of Processing
Typical Location.s.
Cloud hosting and infrastructure providers
Hosting of platform infrastructure, data storage, system availability and resilience
United Kingdom, EEA
Data and screening providers
Provision of sanctions lists, PEP data, adverse media and watchlist information
United Kingdom, EEA, third countries
Verification and enrichment providers
Email verification, identity verification, data enrichment and validation
United Kingdom, EEA
Document processing providers
Optical character recognition, document extraction and analysis
United Kingdom, EEA
Security and monitoring providers
Platform security monitoring, incident detection and alerting
United Kingdom, EEA
Support and maintenance providers
Technical support and maintenance services where access to Customer Personal Data is required
United Kingdom, EEA
3. NAMED SUBPROCESSORS AND LIVE LIST
3.1 A current list of named Subprocessors engaged by Checkio, including details of their location and the nature of the services provided, is maintained and made available to the Customer at:
.INSERT URL TO LIVE SUBPROCESSOR LIST.
3.2 Checkio shall update the live Subprocessor list to reflect any addition or replacement of a Subprocessor in accordance with Clause 7.5 of the Data Processing Agreement.
4. CUSTOMER OBJECTIONS
4.1 The Customer may object to the appointment of a new Subprocessor in accordance with Clause 7.6 of the Data Processing Agreement.
4.2 Any objection must be based on reasonable grounds relating to data protection and must be raised within the timeframe specified in the Data Processing Agreement.
5. NO WAIVER
5.1 The Customer acknowledges and agrees that the engagement of Subprocessors in accordance with this Schedule C and Clause 7 of the Data Processing Agreement does not constitute a waiver of any data protection rights under Applicable Law.