
GENERAL TERMS AND CONDITIONS OF USE OF SPENDESK SERVICES

Version applicable as from 01.06.2023 / v2023.06

Important note

These General Terms and Conditions apply only to a limited list of Spendesk Customers benefiting from the Payment Services provided by Spendesk Financial Services SAS.

The terms and conditions applicable to other Customers are available here.

Spendesk offers an expense management platform for companies. The purpose of these General Terms and Conditions is to govern the Services provided by Spendesk to its Customers. The Services include Payment Services.

As part of the Payment Services provided by SFS SAS, Spendesk acts as a PSP agent in the name and on behalf of SFS SAS. As such, Spendesk is registered with the ACPR and listed in the French financial firms register (accessible here: https://www.regafi.fr/) under number 74593.

Annexes:

1. Definitions and interpretation

1.1. Definitions

In these General Terms and Conditions, capitalized terms not specifically defined in the body of the General Terms and Conditions have the meaning attributed to them below:

Term | Definition
Acceptance Point | means the payment page or payment terminal allowing a Customer to send a Card Payment Order to an Acceptor;
Acceptor | means the acceptor of a Card Payment Order having an Acceptance Point;
Account | means, depending on the context, a Euro SFS SAS Account, a Euro TPL Account and/or a GBP Account;
ACPR | means the French supervision authority, Autorité de contrôle prudentiel et de résolution located at 4, place de Budapest – 75436 Paris Cedex 09;
Affiliate | means, with respect to a Party, any company which holds that Party, or that is held by that Party (the term "hold" ("contrôle" in French) having the meaning given to it in article L. 233-3, I, 1° and 2° of the French Commercial Code);
AML-CFT | means anti-money laundering and countering the financing of terrorism;
Beneficiary | means any natural person or legal entity who is the intended recipient of funds that are the subject of a Payment Transaction;
Business Day | means (i) for Spendesk, a calendar day, with the exception of Saturdays, Sundays, and public holidays in metropolitan France, (ii) for SFS SAS, a business day as defined in the SFS SAS GTC and (iii) for TPL, a business day as defined in the TPL GTC applicable to the relevant Service;
Card | means, depending on the context, a Euro SFS SAS Card, a Euro TPL Card, a GBP Card and/or a Prepaid Card;
CMF | means the French Monetary and Financial Code (Code monétaire et financier);
Contract | means the contractual framework governing the use of the Services, including (i) the current General Terms and Conditions, (ii) the Pricing Terms and (iii) the Partners' Documents;
Customer | means a natural person or legal entity, resident or registered in an EEA Member State or in the United Kingdom, acting on its own behalf in the context of its professional activity, having accepted the Contract and wishing to use the Services provided by Spendesk;
Dematerialisation Service | means the service described in article 5;
EEA | means the European Economic Area;
Effective Date | means the effective date of the Contract (i) agreed between the Parties in the Pricing Terms or (ii) failing that, corresponding to the date on which the Contract is signed by the Customer under the conditions of article 2.2;
Euro SFS SAS Account | means a payment account denominated in euros (EUR) and opened in the name of the Customer registered in an EEA Member State in the books of SFS SAS, and which is governed by the contractual documentation available in Annex 1;
Euro SFS SAS Card | means a physical or virtual debit card denominated in euros (EUR) which is made available to the Customer registered in an EEA Member State by SFS SAS, and which is governed by the contractual documentation available in Annex 1;
Euro TPL Account | means an electronic money account denominated in euros (EUR) and opened in the name of the Customer registered in the United Kingdom in the books of TPL, and which is governed by the contractual documentation available in Annex 1;
Euro TPL Card | means a physical or virtual debit card denominated in euros (EUR) which is made available to the Customer registered in the United Kingdom by TPL, and which is governed by the contractual documentation available in Annex 1;
External Account | means a bank or payment account held by the Customer with a PSP other than SFS SAS and TPL;
Fees | means the fees due by the Customer in return for the provision of the Services, as defined in the Pricing Terms;
Force Majeure Event | means a cause beyond the Parties’ control and/or which may be interpreted by a French court as a force majeure event. The Parties agree that a Force Majeure Event will include in particular the following events: adverse weather conditions, acts or omissions of a public authority, including changes to any regulations applicable to the Services, failures or constraints related to a means of telecommunications or a supplier, upheavals, insurrections and acts of a similar nature, declared or undeclared wars, strikes, sabotage, theft, vandalism, explosions, fires, lightning, natural disasters, or acts of third parties;
GBP Account | means a payment account denominated in pounds sterling (GBP) and opened in the name of the Customer registered in an EEA Member State in the books of TPL, and which is governed by the contractual documentation available in Annex 1;
GBP Card | means a physical or virtual debit card denominated in pounds sterling (GBP) which is made available to the Customer registered in an EEA Member State or in the United Kingdom by TPL, and which is governed by the contractual documentation available in Annex 1;
General Terms and Conditions | means the current general terms and conditions of use of Spendesk Services, including their annexes, but excluding the Partners' Documents;
Insurance Service | means the possibility for the Customer to subscribe to an insurance as described in article 8;
Main User | means the Customer (when it is a natural person) or a natural person duly authorised by the Customer to (i) enter into the Contract on behalf of the Customer and (ii) perform the functions provided for in the General Terms and Conditions, in particular those indicated in article 3;
Parties | means, within the framework of the General Terms and Conditions, together, (i) the Customer and (ii) Spendesk acting, as the case may be, either in its own name and on its own behalf, or as an agent of SFS SAS;
Partners' Documents | means, together, the SFS SAS GTC and the TPL GTC;
Payer | means any natural person or legal entity giving or authorising a Payment Order;
Payment Order | means an instruction by a Payer or Beneficiary to its PSP requesting the execution of a Payment Transaction;
Payment Services | means the payment services provided by SFS SAS and/or TPL (including the issuance, management, and provision of electronic money by TPL) as part of the provision of Euro SFS SAS Accounts, Euro SFS SAS Cards, Euro TPL Accounts, Euro TPL Cards, GBP Accounts, GBP Cards, and Prepaid Cards;
Payment Transaction | means an act of placing, transferring, or withdrawing funds from or to an Account, or via a Prepaid Card, irrespective of any underlying obligations between the Payer and the Beneficiary;
Personal Data | means personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Personalised Security Credentials | means the personalised data provided to a User by Spendesk or, as the case may be, chosen by a User, which must be used by that User in order to log in to access the Platform and/or perform an action on the Platform, including to request the execution of a Payment Transaction (including the PIN Code associated with a Card);
PIN Code | means the four (4) digit code associated with a Card;
Platform | means the SaaS solution provided by Spendesk which allows Customers to use the Services, and which includes in particular the website available at https://www.spendesk.com (and/or any other website of which the Customer may subsequently be informed) and/or any mobile application that Spendesk may make available to the Customer;
Prepaid Card | means a physical or virtual prepaid card denominated in one of the following currencies: EUR, USD, GBP, NOK, SEK and DKK, which is made available to the Customer registered in an EEA Member State or in the United Kingdom by TPL, and which is governed by the contractual documentation available in Annex 1;
Pricing Terms | means the following elements which together define the Fees due by the Customer under the Contract: (i) the pricing agreement agreed between the Parties for accessing the Platform and the Services, and (ii) the pricing terms set out in Annex 1 for the additional Fees due to SFS SAS and/or TPL in respect of the Payment Services;
PSP | means a payment service provider;
Services | means the access to the Platform and related services, including the Payment Services and the Dematerialisation Service but excluding the Insurance Service, which will be addressed only in article 8;
SFS SAS | means Spendesk Financial Services, a simplified joint-stock company registered with the Paris trade and companies Register under number 900 518 101, whose registered office is at 51 rue de Londres, 75008 Paris – France. SFS SAS is licensed as a payment institution by the ACPR under number 17518 and is subject to the ACPR's supervision;
SFS SAS GTC | means, together, the contractual documentation relating to Euro SFS SAS Accounts and Euro SFS SAS Cards provided by SFS SAS, available in Annex 1;
Spendesk | means Spendesk SAS, a simplified joint-stock company registered with the Paris trade and companies Register under number 821 893 286, whose registered office is at 51 rue de Londres, 75008 Paris – France. For the application of the provisions of these General Terms and Conditions relating to Payment Services provided by SFS SAS, any reference to Spendesk will be construed as a reference to Spendesk SAS acting as an agent of SFS SAS. For the application of the provisions of these General Terms and Conditions relating to the other Services, any reference to Spendesk will be construed as referring to Spendesk SAS;
TPL | means Transact Payments Limited, a company registered in Gibraltar, whose registered office is at Unit 5.1, Level 05, Madison, Midtown, Queensway, GX11 1AA, Gibraltar, licensed as an electronic money institution by the Gibraltar Financial Services Commission and/or Transact Payments Malta Limited, a company registered in Malta, whose registered office is at Vault 14, Level 2, Valletta Waterfront, Floriana FRN 1914, Malta, licensed as an electronic money institution by the Malta Financial Services Authority under number 91879;
TPL GTC | means, together, the contractual documentation relating to GBP Accounts, GBP Cards, Euro TPL Accounts, Euro TPL Cards, and Prepaid Cards provided by TPL, available in Annex 1;
Transfer | means a Payment Transaction whereby the PSP which holds the Payer's account transfers, on the instruction of the Payer, a sum of money from the Payer's account to another account opened in the name of the Beneficiary;
User | means, depending on the context, (i) the Main User and/or (ii) any other natural person acting in the name and on behalf of the Customer in the context of their professional activity and who is authorised to use the Services in the name and on behalf of the Customer, within the limits of the authorisations issued to them by the Main User.

1.2. Interpretation

Unless otherwise stated in these General Terms and Conditions, (i) words of one gender imply the other gender, (ii) words in the singular also imply the plural and vice versa, and (iii) the expressions "these General Terms and Conditions", "herein" and their derivative forms or similar expressions refer to the General Terms and Conditions in their entirety.

Unless otherwise stated in these General Terms and Conditions, in case of contradiction between the General Terms and Conditions and the Partners' Documents, the latter will prevail over the General Terms and Conditions.

In the absence of use of the term "Business Day" as defined in article 1.1, the term "day" means a calendar day.

2. Subscription to the Services

2.1. Registration

If the Customer meets all the criteria indicated on the Platform at the time of registration, it can subscribe to the Services by following the steps indicated on the Platform.

The Customer may only be a natural person or a legal entity acting for business purposes, resident or registered in an EEA Member State or in the United Kingdom. The Services are intended exclusively for professional customers and are not intended for consumers.

In any event, the Customer's registration implies in particular (i) the acceptance of the entire Contract and (ii) the payment of the Fees.

Spendesk may, at its sole discretion, refuse to allow any person to register for the Services, without having to explain its refusal.

2.2. Acceptance of the Contract

The acceptance of the Contract by the Customer is evidenced, during the registration process detailed in article 2.1, by the electronic signature of the Contract by an authorised representative of the Customer.

By accepting the Contract, the Customer expressly acknowledges that it has carefully read the General Terms and Conditions, the Partners' Documents, and the Pricing Terms in force on the day of its acceptance, that it has understood them and that it accepts them in their entirety and without reservation.

The Customer undertakes to bring the Contract to the attention of any User and to ensure compliance with the provisions of the Contract by any User.

The Customer accepts the transmission and signing of any document by electronic means and acknowledges their enforceability in the event of a dispute.

2.3. AML-CFT checks

In accordance with applicable regulations, SFS SAS and TPL are required to collect certain documents and information about the Customer (including its legal representatives and its Main User), as well as its beneficial owner(s), (i) before entering into a relationship with the Customer and providing Payment Services, and then (ii) during the course of the business relationship with the Customer.

In this context, the Customer undertakes to provide Spendesk, at any time during the relationship, with any document and/or any information necessary to enable SFS SAS and/or TPL to comply with their AML-CFT obligations (the "KYC Information"). Verification and certification measures of the documents communicated by the Customer may be requested or carried out, if necessary. The Customer undertakes to promptly provide all the information requested, under penalty of having its access to the Services blocked.

The Customer acknowledges that, in the event that it does not provide the requested documents and information, Spendesk will be unable to provide the Services and, if necessary, will be obliged to terminate the Contract.

In case of any change affecting the KYC Information, the Customer must inform Spendesk as soon as possible.

The Customer agrees that the KYC Information is kept by SFS SAS and/or TPL, as the case may be, for the duration and under the conditions provided for by the applicable regulations.

3. Access to the Services

In these General Terms and Conditions, the term "Customer" must be interpreted as referring to (i) the Customer itself if it is a natural person or (ii) the Customer acting through a User (either the Main User or a User with the necessary powers and authorisations).

When the Main User is not the Customer or a legal representative of the Customer, it must be a natural person (employee or third party) specially authorised to act in the name and on behalf of the Customer (including to enter into the Contract on behalf of the Customer) through a power of attorney or delegation of powers granted by a legal representative of the Customer. The Customer undertakes to provide Spendesk, upon request, with proof of the Main User's powers.

Any act, decision, instruction, or request entered by a User on the Platform will be considered as an act, decision, instruction, or request of the Customer.

Access to the Services by Users requires their registration on the Platform. The Customer undertakes to have Users register on the Platform and use the Services in compliance with the provisions of the Contract.

The Main User may carry out via the Platform any act to manage the Services (including the Payment Services), including:

(i) inviting others to become Users and empowering them to perform certain actions on the Platform;

(ii) requesting the issuance of Cards;

(iii) allocating a spending or withdrawal limit to each Card, within the maximum amounts authorised by Spendesk, SFS SAS and TPL;

(iv) requesting the execution of outgoing Transfers, including to an External Account; and/or

(v) crediting an Account.

The Main User may delegate powers to a User by assigning such User a profile on the Platform. When assigning powers to a User, the Main User may be required to select one of the predefined profiles offered by Spendesk, without being able to choose the combination of delegated powers/authorisations, or the terminology assigned to each profile ("Administrator", "Requester", "Controller", etc.).

4. Payment Services

The provisions included in the various contractual documents in Annex 1 apply alternatively according to (i) the Customer’s country of registration or residence and (ii) the Payment Services that it requested during its registration.

5. Dematerialisation Service

5.1. Operation of the Dematerialisation Service

Spendesk proceeds on behalf of the Customer to the dematerialisation, in accordance with the regulations applicable in France, of scans or photographs of invoices, estimates, expense reports and other similar documents (the "Content") uploaded by the Users to the Platform.

The Customer accepts and acknowledges that the dematerialisation of the Content uploaded by the User is carried out by Spendesk on behalf of the Customer.

The Content uploaded to the Platform is converted if necessary to PDF format. Each PDF file is then sealed and time-stamped via an electronic seal with a unique number provided by a third-party service provider. The seal complies with the eIDAS regulation providing proof of integrity of each Content, which is kept on a secure server (ISO 27001 certified) based in the European Union. Each Content is stored securely during the retention period mentioned in Spendesk's Personal Data privacy policy.

5.2. Download of dematerialised Content

The Customer, subject to acting as the Main User or another User with corresponding rights, may download and export at any time the raw version of the Content uploaded to the Platform by its Users (i.e., the unconverted, unsealed, and non-timestamped version of the document).

The Customer may also at any time, during the term of the Contract and until its effective termination date, ask Spendesk to download and transmit to it the Content that has been subject to the Dematerialisation Service described in article 5.1 (i.e., the version of the document converted (if necessary), sealed and timestamped via an electronic seal).

The download is not instantaneous insofar as the Content subject to the Dematerialisation Service is stored on servers dedicated to long-term storage that imply a recovery period of several hours.

Notwithstanding the above provisions, Spendesk may retain a copy of the Customer’s Content, in particular for statistical and/or probative purposes, within the limits and periods permitted by law.

5.3. Liability for Contents

The Customer is solely liable for the Content it uploads to the Platform.

The timestamping service compliant with the eIDAS regulation does not constitute an electronic signature procedure. As such, the Dematerialisation Service does not have the objective or effect of certifying the authenticity of an invoice (within the meaning of the provisions of article 96 F bis of annex 3 and/or article 289, VII, 1° or 2° of the French General Tax Code), but only to guarantee the integrity of dematerialised Content. Spendesk cannot be held liable in this respect.

6. Customer's undertakings and guarantees

6.1. Supply and update of information

The Customer undertakes to supply Spendesk with all the information and/or documents necessary for the proper execution of the Contract and the provision of the Services and, more generally, to actively cooperate with Spendesk for the proper performance hereof. If the Customer does not comply with this obligation, Spendesk reserves the right to suspend the Services until the required information or documents are obtained.

The Customer guarantees to Spendesk that all information and documents it supplies to Spendesk, including those supplied on the Platform and those concerning each User, are accurate, up-to-date, and truthful on the day they are communicated to Spendesk, and are not vitiated by any information of a false or misleading nature.

If the information and/or documents supplied become inaccurate or obsolete during the term of the Contract, the Customer undertakes to update them and/or to transmit an updated version of the relevant documents on the Platform as soon as possible.

More generally, it is up to the Customer to formally notify Spendesk of any change in the relevant information. Spendesk will under no circumstances be liable for any damage suffered by the Customer resulting from any inaccuracy or change of which Spendesk has not been notified.

6.2. Compliance with regulations

The Customer undertakes, for itself and each of the Users, to (i) comply, in the context of its use of the Services, with the laws and regulations in force and not to infringe the rights of third parties or public order and (ii) carry out only activities that comply with applicable regulations.

The Customer will bear any fine, financial penalty or damages incurred by Spendesk resulting from an activity of the Customer that is illegal, unlawful, or contrary to common decency.

6.3. Use of the Platform and the Services

The Customer undertakes, for itself and for each of the Users:

(i) not to breach or attempt to breach, scan, or test the vulnerability of the security system and related systems of the Platform;

(ii) not to access or attempt to access any data that is not intended for the Customer;

(iii) to refrain from interfering with the normal operation of the Platform and from performing any action that could cause the interruption or degradation of one or more Service(s);

(iv) not to upload to the Services, display, send by email or otherwise transmit any material containing software viruses or other computer codes, files or programs designed to interrupt, destroy, or limit the operation of the Platform;

(v) not to attempt to interfere with the Services provided to any other customer, user, host, or network, including but not limited to exposing the Services to a virus, creating server overload, flooding the server, or flooding the messaging services; and

(vi) not to use the Services in a manner that: (a) violates or infringes the rights of a third party, including those relating to a contract, intellectual property, privacy, or advertising; or (b) makes or facilitates the storage or transmission of defamatory, tortious, or otherwise illegal content, including, but not limited to, harassing, threatening or obscene content.

The Customer acknowledges having read the characteristics and constraints, in particular technical, of all Services. The Customer is solely responsible for its use of the Services.

The Customer is informed and accepts that the use of the Services requires an Internet connection, and that the quality of the Services depends directly on this connection, as well as on computer equipment and/or third-party software, for which the Customer is solely responsible.

6.4. Security and confidentiality obligations

The Customer is solely responsible for Users maintaining the confidentiality of their Personalised Security Credentials, as well as any other data or information necessary to access the Platform and/or use the Services.

Users must not disclose to third parties their Personalised Security Credentials, as well as any other data or information necessary to access the Platform and/or use the Services. The Customer undertakes that the Users comply with this obligation of confidentiality.

6.5. Use of the Services solely for the account of the Customer

The Customer undertakes to use the Platform and the Services only for its own account, and not to allow any third party to use them in its place or on its behalf, without bearing full liability. Users may only use the Platform and the Services in the name and on behalf of the Customer.

6.6. Testing of new features

Spendesk may occasionally make new features available to some Customers prior to their official release date to all Customers (the "Beta Tests"). These features are referred to by Spendesk as "beta", "test" or another similar name.

The Customer is free to register to participate in the Beta Tests at its sole discretion. All restrictions on the use of the Services and Customer's undertakings under the Contract will apply to access and use of the Beta Tests. Spendesk may disable, modify, or discontinue the Beta Tests at any time, at its sole discretion and without notice. By participating in the Beta Tests, the Customer acknowledges and agrees that:

(i) Beta Tests must only be used for evaluation and testing purposes;

(ii) Spendesk provides the Beta Tests as is and without any guarantee;

(iii) Spendesk cannot be liable for any damages arising from or in connection with the Beta Tests, including those arising from the Customer's use of or inability to use the Beta Tests; and

(iv) Any Feedback of the Customer relating to the Beta Tests will be subject to the provisions of article 12.

7. Spendesk's undertakings and guarantees

Spendesk undertakes to provide the Services with diligence and according to best practices, it being specified that it is bound by an obligation of means, to the exclusion of any obligation of result, which the Customer expressly acknowledges and accepts.

Spendesk does not guarantee to the Customer that the Services will be completely free from errors, faults, or defects, or that they will be continuously available. In addition, the Services are standard and are therefore not offered for the sole purpose of a given Customer, according to its own individual constraints, nor to specifically meet its needs and expectations.

Spendesk undertakes to:

(i) make its best efforts to ensure the security of the Platform;

(ii) inform the Customer of any reasonably foreseeable difficulty, in particular regarding the provision of the Services or the proper operation of the Platform; and

(iii) carry out regular checks to verify the proper operation and accessibility of the Platform.

Spendesk reserves the right to modify at any time the technical arrangements for access to the Services and/or the Platform depending, in particular, on the evolution of the technology, the regulations, or its offer of Services, it being understood that such a modification cannot have the effect of reducing the general level of security of the Platform. It is the Customer's responsibility to ensure that the IT or telecommunications tools or equipment at its disposal are adapted to these evolutions.

8. Insurance subscription (option only available for Customers registered in France or Luxembourg)

As an option, the Customer has the possibility to provide all Card Users with group insurance taken out by Spendesk with a partner insurer.

8.1. Insurance Information

An information sheet on the various coverages, compensation ceilings and pricing terms is available here: https://www.spendesk.com/fr/product/insurance/.

The standardised insurance product information document is available here: https://spx-production.s3-eu-west-1.amazonaws.com/tos/2021_03_23-Fiche_IPID_Spendesk_03-03-2022.pdf.

If the Customer considers the product adapted to its needs and relevant to its activity and that of the Card Users, with Spendesk being available to assist the Customer in its choice, it is invited to read carefully the information notice of the group insurance contract no 4 091 933 available here: https://spx-production.s3-eu-west-1.amazonaws.com/tos/2021_03_10-notice_dinformation_des_assurances_spendesk.pdf.

This notice, for which Spendesk waives all responsibility, precisely defines the conditions of coverages, the applicable exclusions, the duration of cover and the formalities in the event of a claim. Adherence to the insurance policy requires the Customer to accept without reservation all the terms of the information notice. The Customer also undertakes to bring the information notice to the attention of all Card Users.

8.2. Management of claims

An insurance claim and its follow-up will be processed directly and exclusively with the partner insurer according to the instructions available here: https://helpcenter.spendesk.com/fr/articles/4967565-comment-faire-pour-contacter-l-assurance-ou-l-assistance, which the Customer will communicate to Card Users. Spendesk undertakes to assist Customers and Card Users to enable them to assert their rights effectively with the partner insurer.

8.3. Modifications of the insurance policy and insurance pricing terms

Spendesk draws the Customer's attention to the possibility that, after adherence, the partner insurer may make changes to its rights and obligations, as well as to those of the Card Users. Spendesk disclaims all liability in connection with the contractual and pricing changes, which are the sole decision of the partner insurer.

Any changes will be sent by Spendesk to the Customer, on the Platform and/or by email, no later than three (3) months before the date proposed for their entry into force. The Customer will be deemed to have accepted the proposed changes if it has not notified Spendesk of its refusal before the effective date indicated. The Customer will inform the Card Users of the changes made. If the Customer refuses the changes, it can withdraw from its insurance contract, without charge, by notification sent to Spendesk before the effective date of the changes, in the manner provided for in article 10. Its adherence will end upon the expiry of a period of two (2) months from the date of notification. The Customer will inform the Card Users of the termination of the insurance.

8.4. Termination of the insurance

Group insurance can be terminated by Spendesk or the partner insurer. No later than two (2) months before the proposed termination date, Spendesk will inform the Customer of this on the Platform and/or by email. The Customer will inform the Card Users. Termination is enforceable against the Customer and Card Users.

The Customer may terminate the insurance cover, after informing the Card Users by giving two (2) months' notice, notifying Spendesk in the manner provided for in article 10. The termination of the insurance by the Customer implies termination of the insurance cover for all Cards provided under the Contract.

Spendesk recalls that the insurance cover, inseparably linked to the Card, cannot continue after expiry or withdrawal of the Card. Non-payment for insurance services will also terminate the adherence.

8.5. Personal Data

By taking out insurance, the Customer expressly authorises Spendesk to transmit to the partner insurer all the information necessary for the subscription to said insurance, including Personal Data relating to the Card Users. The partner insurer will process this Personal Data as a data controller in accordance with the conditions and purposes defined in the information notice of the group insurance contract, referred to in article 8.1. The Customer is informed that the partner insurer, in its capacity as data controller, may, at the subscription stage and during the term of the insurance policy, request any additional information from it as well as from the relevant Users, including, where applicable, Personal Data.

9. Financial conditions

9.1. Pricing Terms

The prices of the Services are indicated in the Pricing Terms. The Pricing Terms may be provided free of charge to the Customer, upon request, on a durable medium.

9.2. Provision of invoices

Invoices are provided to the Customer on the Platform.

If the Customer wishes to dispute an invoice, it must inform Spendesk within sixty (60) days after the date of the invoice. After this period, the invoice can no longer be disputed.

9.3. Fees payment terms

The Fees due by the Customer to Spendesk in return for the provision of the Services are debited directly from the Account.

If the Customer has several Accounts and its debt is not inherent to a particular Account, Spendesk may decide at its sole discretion to debit all or part of the Fees from one of the Customer's Accounts.

The Customer expressly authorises Spendesk to debit from the Customer's Account(s) the Fees payable under the Contract.

In the event that the credit balance of an Account proves insufficient to allow the debiting of all Fees, the Customer undertakes to immediately credit the Account up to the amount due.

In case of insufficient balance of the Account, Spendesk reserves the right to block the Account, any Payment Transaction in progress, any use of Cards already issued, as well as the issuance of new Cards.

9.4. Fees payment frequency

Fees relating to the use of the Platform are invoiced and debited:

(i) monthly, if the Contract is for an indefinite term; or

(ii) according to the frequency provided for in the Pricing Terms, if the Contract is for a fixed term (as agreed between the Parties if applicable, under the conditions provided for in article 16).

The amount of the first invoice relating to the use of the Platform is debited by Spendesk one (1) month after the date of subscription to the Services by the Customer.

The Fees relating to the Payment Services provided for in Annex 1 are also debited directly from the Account by SFS SAS or TPL on the date of the relevant Payment Transaction and in the manner provided for in the Partners' Documents.

10. Processing of complaints

Any complaint related to the provision of the Services must be addressed by the Customer to Spendesk customer service:

  • by email to the following address: support@spendesk.com;

  • by using the "chat" function available on the Platform; or

  • by post to the customer service address, at the registered office of Spendesk: 51 rue de Londres, 75008 Paris – France.

In the event of a complaint relating to the Payment Services, the time limits for processing complaints are specified in the Partners' Documents.

11. Amendment of the Contract

Spendesk reserves the right to amend, at any time, all or part of the Contract between Spendesk and the Customer. Any proposed amendment of the Contract will be sent by Spendesk to the Customer, on the Platform and/or by email, no later than two (2) months before the date proposed for its entry into force. The Customer will be deemed to have accepted the proposed amendments if it has not notified Spendesk, before the proposed effective date of these amendments, that it does not accept them. If the Customer refuses the amendments, it may terminate the Contract, without charge, before the proposed effective date of the amendments, under the conditions provided for in article 17.

As an exception under a fixed-term Contract, if the Customer refuses the amendments, the previous version of the Contract will continue to apply (excluding technical modifications related to the evolution of the Platform or modifications necessary under the applicable regulations, which will apply in any case), and the termination will be effective at the end of the current contractual term, as defined in the Pricing Terms.

The Partners' Documents may be amended at any time under the conditions and according to the time periods provided for in the Partners' Documents.

Spendesk cannot under any circumstances be held liable for any damage, in any capacity whatsoever, in connection with the amendment of the Contract, if the Customer refrains from terminating the Contract and continues to use the Services after the effective date of the amendments.

12. Intellectual property

The Parties expressly agree that no intellectual property rights are transferred to the Customer over any of the elements of the Services and the Platform made available to it under the Contract, including software, structures, infrastructures, source codes, databases, know-how, user interfaces, photos, brands, interactive elements or any content of any kind (texts, images, visuals, music, logos, brands, database, etc.) operated by Spendesk, and any technical documentation that may be provided by Spendesk to the Customer.

Subject to the payment of the Fees due to Spendesk and the provisions and limitations specified in the Contract, Spendesk grants the Customer a personal, non-exclusive, and non-transferable licence to use the Platform and the Services for its own purposes only. This right is granted for the term of the Contract.

The Customer is prohibited from carrying out:

  • any adaptation, modification, duplication, decompilation, disassembly, reverse engineering or reproduction of the Services and the Platform, regardless of their nature, any total or partial extraction (including the source code or other trade secrets) and, in general, any act that may violate the rights of Spendesk and/or its suppliers;

  • any reproduction, by any means and on any medium whatsoever, of the Platform;

  • any form of use of the Platform and associated documentation in any manner whatsoever for the purpose of designing, producing, distributing, or marketing similar, equivalent or substitute software;

  • any adaptation, modification, transformation, translation, arrangement of the Platform for any reason whatsoever, in particular for the creation of derivative or entirely new software, including to correct errors;

  • any direct or indirect transcription, or translation into other languages of the Platform;

  • any modification or circumvention of the protection code such as, in particular, Personalised Security Credentials; and/or

  • any deletion, partial or total modification of the existing notices relating to copyright, trademarks and, more generally, to intellectual property rights, attached to the Platform.

Spendesk encourages the Customer to provide suggestions, proposals, ideas, recommendations, or other feedback to improve the Services and the Platform (the "Feedback"). To the extent that the provided Feedback does not identify the Customer, its Affiliates or Users and does not include any confidential data specific to the Customer, the Customer grants Spendesk a royalty-free, fully-paid, sub-licensable, transferable, non-exclusive, irrevocable, worldwide licence to produce, use, sell, offer for sale, import and otherwise exploit the Feedback (including by integrating the Feedback into the Services) without restriction, for the duration of the intellectual property rights applicable to such Feedback.

13. Processing of Personal Data

13.1. Spendesk as the Customer's data processor

As part of the processing carried out for (i) the provision of the Platform, (ii) the provision of Payment Services to the Customer and Users and (iii) the provision of anonymised data on industry trends in business expenses according to predetermined criteria depending on the Customer's area of work, Spendesk acts as a data processor in accordance with the terms of Annex 3 (Data Processing Agreement).

13.2. Spendesk as data controller

In addition, Spendesk carries out the following processing operations in its capacity as a data controller:

  • commercial and contractual management with the Customer;

  • research and development concerning the Platform;

  • video and audio recording of calls for the purpose of improving the Services and training Spendesk personnel; and

  • supervision of Users' accounts on the Platform for the provision of technical support to the Customer, and for training purposes of Spendesk personnel authorised to process the Customer’s information.

For these purposes, Spendesk undertakes to comply with the obligations related to its capacity as a data controller, in accordance with the applicable regulations.

13.3. Spendesk and SFS SAS as joint data controllers

For the provision of Payment Services and in accordance with applicable regulations, Spendesk and SFS SAS also process Personal Data as joint data controllers. The respective roles of each of the joint data controllers are defined in a joint controllership agreement in accordance with the applicable regulations; the information from that agreement that is useful for the Customer is made available in the information note in Annex 4.

14. Professional secrecy and confidentiality

14.1. Professional secrecy

In accordance with the regulations, Spendesk (as PSP agent), SFS SAS and TPL (as PSP) as well as their officers and employees are bound by professional secrecy regarding their Customers' data.

However, professional secrecy may not be held against the competent regulator(s) or against the judicial authority acting in the context of criminal proceedings.

In addition, Spendesk, SFS SAS and TPL may disclose information covered by professional secrecy to third parties, either when permitted by law or, on a case-by-case basis, with the express authorisation of the Customer.

14.2. Confidentiality

In addition, each of the Parties undertakes to keep strictly confidential all documents and information of a legal, commercial, industrial, strategic, technical, or financial nature relating to the other Party of which it may become aware in the context of the Contract acceptance and performance, and not to disclose them without the prior written consent of the other Party.

This obligation does not extend to documents and information for which it can be demonstrated:

(i) that they were already known by the receiving Party;

(ii) that they were already public at the time of their disclosure, or have become public without breach of the Contract;

(iii) that they have been lawfully received from a third party; or

(iv) that their disclosure is required by the judicial authorities, pursuant to applicable laws and regulations, or with a view to establishing the rights of a Party under the Contract.

This obligation of confidentiality extends to all employees, contractors, interns, officers, and directors of the Parties, as well as their advisers and Affiliates, to whom confidential documents or information may only be transmitted if they are bound by the same obligation of confidentiality as that provided for herein.

This obligation will continue to have effect for three (3) years following the end of the Contract, or any longer period provided for by the applicable law or regulation.

Each Party will, at its own expense, at the end of the Contract or at any other time, upon receipt of a written request from the other Party, (i) return or destroy all written confidential information provided to it directly or to its advisers and which is in the possession of that Party or in its custody and control, without retaining copies thereof; and (ii) provide a certificate signed by a legal representative confirming that, to its knowledge, and after conducting all appropriate investigations, the requirements of this article have been fully complied with.

However, the receiving Party may retain the confidential information to the extent that it is required to do so by applicable law or regulation, or if such confidential information has been created in accordance with automatic electronic archiving procedures. Any confidential information that is retained by the receiving Party in accordance with the above will continue to be subject to the confidentiality obligations of the Contract until such confidential information is returned or destroyed.

15. Right of withdrawal in case of solicitation

If the Customer has been solicited by Spendesk within the meaning of article L. 341-1 of the CMF, and subject to the exceptions provided for by the regulations, the Customer has, in accordance with article L. 341-16 of the CMF, a right of withdrawal that it can exercise within a maximum period of fourteen (14) full calendar days from the date of acceptance of the Contract, without having to justify reasons or incur any penalties.

The exercise of the right of withdrawal within the period referred to above entails the automatic termination of the Contract.

The Customer may exercise its right of withdrawal by using the form in Annex 2 of the General Terms and Conditions, or by any other notification of its choice. In the latter case, its statement must be unambiguous and clearly express the Customer's desire to withdraw.

If the Customer exercises its right of withdrawal, it is only required to pay the price corresponding to the use of the Services actually provided between the Effective Date of the Contract and that on which the right of withdrawal is exercised, excluding any penalty.

The Customer expressly consents to Spendesk providing the Services (including Payment Services) to the Customer before the end of the withdrawal period.

16. Effective Date and duration of the Contract

Unless otherwise stated in the Pricing Terms, the Contract takes effect for an indefinite period from its Effective Date until its termination under the conditions provided for in article 17.

By way of exception, the Parties can agree in the Pricing Terms specific to the Customer that the Contract is entered into for a fixed term, and from a specific Effective Date. The Contract is then tacitly renewed at its end, for new successive periods whose duration is defined in the Pricing Terms, unless one of the Parties refuses the renewal at the end of the initial term or the renewed term, by written notification with a prior notice period of one (1) month (or any other notice period specifically defined in the Pricing Terms, which will prevail where applicable).

17. Termination or term of the Contract

17.1. Termination at the Customer’s initiative

Notwithstanding any provision to the contrary contained in the Partners' Documents, and in the case of an indefinite term Contract, the Customer may terminate the Contract at any time by giving two (2) months' notice, notifying Spendesk in the manner provided for in article 10.

Only in the case of an indefinite term Contract, no fee will be charged to the Customer for the termination notice period if the request for termination is notified by the Customer within ninety (90) days following the Effective Date of the Contract.

17.2. Termination at Spendesk’s initiative

Notwithstanding any provision to the contrary contained in the Partners' Documents, and in the case of an indefinite term Contract, Spendesk may terminate the Contract at any time by giving two (2) months' notice by notifying the Customer by any written means, and in particular by email or by message on the Platform.

By way of exception, and regardless of the Contract duration, Spendesk reserves the right to stop providing the Services to the Customer and to terminate the Contract as of right and without notice:

(i) in the event of a serious breach by the Customer and/or a User of the obligations provided for in the Contract, including, but not limited to, in case of communication of false information, exercise by the Customer of an activity that is illegal or contrary to common decency, threats against Spendesk employees or a failure to pay;

(ii) in the event of fraudulent or abusive use of the Services by the Customer and/or a User;

(iii) in the event of a change in the applicable regulations and/or the interpretation thereof by the competent authorities which would affect the ability of Spendesk, SFS SAS, TPL or their service providers to provide the Services; or

(iv) in the event of termination by SFS SAS and/or TPL of one of the Partners' Documents.

In the event of immediate termination of the Contract, Spendesk will inform the Customer by any written means, and in particular by email.

17.3. Early termination of a fixed-term Contract

This article applies only to the case of a fixed-term Contract.

A fixed-term Contract may be terminated prior to its term only (a) by Spendesk in the cases provided for in article 17.2, or (b) in case of a material breach or non-performance by either Party of any of its obligations under the Contract, after written notice of the breach or non-performance by the non-defaulting Party, and in the absence of remedy by the defaulting Party within thirty (30) days of receipt of the written notice.

In case of notice of early termination of the Contract (a) by the Customer without fault from Spendesk or (b) by Spendesk for fault of the Customer under the conditions of this article, the Customer will be immediately liable for all the monthly payments remaining due until the term of the Contract, and the Customer authorises Spendesk to debit its Account for the Fees due in this respect, under the conditions provided for in article 9.3.

In case of notice of early termination of the Contract (a) by the Customer for Spendesk's fault under the terms of this clause or (b) by Spendesk pursuant to clause 17.2 (iii) or 17.2 (iv), Spendesk will promptly provide a refund proportional to the remaining contractual period of any Fees prepaid by the Customer for the Services.

17.4. Effects of termination or term

The non-renewal or termination of the Contract by the Customer or by Spendesk will result in the termination of all Services provided under the Contract, including termination of all Payment Services described in the Partners' Documents, in accordance with the termination conditions set forth therein.

Likewise, the termination by the Customer or by SFS SAS and/or TPL of all Payment Services will entail termination of the Contract on the effective termination date of the last Payment Service provided to the Customer.

The end of the Services, regardless of the cause, will automatically and as of right result in the deactivation of all Users' access to the Platform. It is the Customer’s responsibility, prior to this deactivation, to retrieve the documents, elements, data, and information that it has stored on the Platform as part of its use of the Services.

18. Third-party claims

18.1. Indemnification by Spendesk

Spendesk undertakes to indemnify, defend, and hold harmless the Customer and its officers, directors, employees, Affiliates and Users against any claim, action or proceeding of third parties, insofar as it is caused by the Services breaching the intellectual property rights of a third party.

Notwithstanding the terms contained in this article and article 18.4, Spendesk will not be liable for third-party claims if the alleged infringement is based on or arises from (a) the combination or use of the Services with software or other materials not provided or approved for use by Spendesk, (b) the modification of the Services by any person other than Spendesk or its employees, or (c) use of the Services that does not comply with the documentation provided or the Contract.

18.2. Indemnification by the Customer

The Customer undertakes to indemnify, defend, and hold harmless Spendesk and its officers, directors, employees and Affiliates against any claim, action or proceeding of third parties, insofar as it is caused by a breach by the Customer of its obligations under the Contract. The Customer undertakes to indemnify Spendesk for any damage that the latter may suffer, and to pay it all fees, charges and/or penalties that it may incur as a result.

18.3. Indemnification procedure

Any Party entitled to indemnification under this article (the "Indemnified Party") will comply with the following conditions in order to benefit from said indemnification:

(i) a prompt written notice by the Indemnified Party to the indemnifying Party (the "Indemnifying Party") of any third-party claim for which indemnification may be requested under this article (provided, however, that any failure or delay in providing such notice will not relieve the Indemnifying Party of its obligations, except to the extent that the failure or delay prejudices the defence of the Indemnifying Party);

(ii) a transfer to the Indemnifying Party of full control of the defence and settlement of the claim; and

(iii) a reasonable cooperation of the Indemnified Party, at the expense of the Indemnifying Party, to facilitate such defence or settlement.

Notwithstanding the above, the Indemnifying Party will not consent to the recording of a judgment or enter into any compromise or settlement agreement with respect to any third-party claim for which it defends the Indemnified Party under this article without the prior written consent of said Indemnified Party, unless such judgment, compromise, or settlement agreement:

(i) provides for the payment by the Indemnifying Party of money as sole remedy for the third party making a claim;

(ii) results in the Indemnified Party's full and general release from all liability arising from, relating to, or in connection with, the third-party claim; and

(iii) does not imply any finding or admission of a breach of law, regulation, or the rights of a third party by the Indemnified Party, and has no effect on other claims.

18.4. Other remedies of the Customer in the event of a claim from third parties

If the Services are, or, according to Spendesk, are likely to be, the subject of a third-party claim for infringement preventing the Customer's use of the Services, Spendesk may, at its sole discretion: (i) obtain for the Customer the right to continue to use the Services, (ii) replace or modify the relevant Services so that they are no longer in breach while providing substantially equivalent features, or (iii) if such solutions are not achievable on commercially reasonable terms, as determined by Spendesk, terminate the licence to use the relevant part of the Services, and promptly provide a pro rata refund of any Fees prepaid by Customer for the relevant part of the Services.

Without limiting Spendesk's obligation to indemnify the Customer in accordance with the provisions of article 18.1, the remedies provided for in this article will be the Customer's exclusive remedies with respect to third-party claims for any actual or alleged infringement by Spendesk of any third-party intellectual property right.

19. Liability

19.1. Liability limited to direct damages

Each Party’s liability under the Contract is limited to the direct damages suffered by the other Party, excluding any indirect damages.

19.2. Liability of the Customer

The Customer, acknowledging having read the characteristics and constraints, in particular technical, of all Services, is solely liable for the use of the Services by the Users.

The Customer is solely liable for the acts performed by the Users in connection with the use of the Services, including in the event of non-compliance with regulations, fraud, negligence, or abusive use of the Services. Spendesk cannot be held liable to the Customer or any third party for any fraudulent or abusive use of the Services by one or more User(s).

19.3. Liability of Spendesk

Spendesk cannot be held liable in the event of:

(i) misappropriation of Personalised Security Credentials and, more generally, any information of a sensitive nature for the Customer of which, for example, a third party might make a fraudulent use, if this misappropriation results from an action or omission of the Customer;

(ii) litigation related to the underlying relationship existing between (a) the Customer and (b) as the case may be, the Payer, the Beneficiary and/or the Acceptor, in particular in the event of breach by the Customer of its obligations towards the persons referred to in (b); or

(iii) damage suffered by the Customer resulting from an act or omission of a third party, including in the event of suspension of the Services or termination of the Contract at the request of a supervisory authority such as the ACPR.

In addition, the liability of Spendesk is limited, for all damages, to the amount of the Fees paid by the Customer during the twelve (12) calendar months preceding the event giving rise to the liability of Spendesk; it being specified that this limitation of liability does not apply (a) in the event of gross negligence or fraudulent conduct by Spendesk and (b) in the context of the indemnification procedure provided for in article 18.1.

19.4. Force majeure

The Parties will not be liable for any damage, delay, non-performance, or partial performance of their respective obligations under the Contract resulting from a Force Majeure Event.

The obligations of the Party affected by the Force Majeure Event will be suspended without incurring any liability whatsoever.

If a Force Majeure Event prevents either Party from performing an essential obligation under the Contract for a period of more than five (5) consecutive Business Days, the Parties will consult with a view to reaching a satisfactory solution. In the absence of agreement on such a solution within fifteen (15) Business Days following the expiry of the period of five (5) Business Days, either Party may terminate the Contract without compensation for the other Party in accordance with the provisions of article 17.

19.5. Liability of SFS SAS

The liability of SFS SAS as part of the provision of the Payment Services is provided for in the SFS SAS GTC.

19.6. Liability of TPL

The liability of TPL as part of the provision of the Payment Services is provided for in the TPL GTC.

19.7. Third-Party Services

The Customer may choose at its discretion to integrate the Services provided by Spendesk with third-party products and services (the "Third-Party Services"). Any acquisition by the Customer of Third-Party Services is solely between the Customer and the relevant Third-Party Service provider, and Spendesk does not guarantee, support, or assume any liability or other obligation with respect to such Third-Party Services unless expressly provided otherwise in the Contract.

In the event that the Customer elects to integrate or interoperate Third-Party Services with the Services provided by Spendesk in a manner that requires Spendesk or the Platform to exchange Customer’s data with such Third-Party Services or Third-Party Service provider, the Customer: (a) grants Spendesk permission to allow the Third-Party Services and Third-Party Service provider to access Customer’s data and information relating to the Customer’s use of the Services in an appropriate and necessary manner to enable the interoperability of such Third-Party Services with the Services provided by Spendesk; (b) acknowledges that any exchange of data between the Customer and any Third-Party Services is solely between the Customer and the Third-Party Service provider and is subject to the Third-Party Service provider's terms and conditions governing the use and provision of such Third-Party Services; and (c) releases Spendesk from any liability for any disclosure, modification or deletion of the Customer’s data resulting from access to such data by the Third-Party Services and the Third-Party Service provider.

20. Assignment

The Customer may not assign or transfer all or part of its rights or obligations under the Contract to a third party, in any manner whatsoever.

Notwithstanding any contrary provision contained in the Partners' Documents, the Customer expressly authorises Spendesk, SFS SAS and TPL to assign to a third party all or part of their obligations under the Contract, subject to informing the Customer in advance.

21. Miscellaneous

21.1. Severability

If one or more provision(s) of the Contract are considered invalid or declared as such pursuant to a law, a regulation or following a final decision of a competent court, the other provisions will remain in full force and effect.

21.2. No waiver

Neither Party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under the Contract.

21.3. Electronic communication

The Parties acknowledge that, under the conditions provided for in article 1366 of the French Civil Code, emails have the same probative force as written documents on paper. Consequently, emails and messages received electronically, including via the Platform, must be kept by the Parties under conditions that prevent any alteration of their form or content so as to constitute reliable copies.

21.4. Notifications

All notifications made by email in the context of executing the Contract will be sent:

  • with respect to the Customer: to the address of the Main User or the User concerned, as registered on the Platform; and

  • with respect to Spendesk: to the address support@spendesk.com.

21.5. Languages of the Contract

The Customer acknowledges and agrees that:

  • the language used in its pre-contractual and contractual relationship with Spendesk may be either English or French, or both, depending on the Partners' Documents applicable to the Services; and

  • to the extent permitted by law, (i) the French version of the General Terms and Conditions is deemed authentic for Customers registered or resident in France and (ii) the English version of the General Terms and Conditions is deemed authentic for Customers registered or resident outside of France; any other available translation of the General Terms and Conditions exists for information purposes only.

The Customer is informed that it can obtain at any time and free of charge from Spendesk a copy of the Contract on a durable medium.

21.6. Prior agreements

This Contract supersedes any prior oral or written agreement, and any other communications between the Customer and Spendesk relating to the subject matter of this Contract, including any confidentiality or non-disclosure agreements.

21.7. Commercial reference

The Parties are not authorised, except for any obligation imposed by applicable law or regulation, to publish or release any announcement, statement, press release or other publicity or marketing material relating to this Contract, or use the other Party's trademarks or logos without the other Party's prior written consent.

As an exception to the foregoing, Spendesk may include the Customer's name and logo as a commercial reference, including during events, in its commercial documents and on its website, in any form whatsoever, during the term of the Contract and beyond, for a period of six (6) months.

Spendesk agrees to cease such use of the Customer's name and logo as soon as possible upon receipt of a request from the Customer to logos@spendesk.com.

22. Applicable law and competent jurisdictions

22.1. Applicable law

The General Terms and Conditions are subject to French law.

The Partners' Documents are subject to the law specified in the Partners' Documents.

22.2. Competent jurisdictions

Any dispute relating in particular to the validity, interpretation, or execution of the General Terms and Conditions will be subject to the exclusive jurisdiction of the Commercial Court of Paris.

Any dispute relating in particular to the validity, interpretation, or execution of the Partners' Documents will be subject to the jurisdiction of the court(s) indicated in the Partners' Documents.

Annex 1

Contractual documentation applicable to Payment Services

Contractual documentation applicable to Payment Services provided by SFS SAS:

Euro SFS SAS Accounts and Euro SFS SAS Cards

EEA Customers 🇪🇺

SFS SAS Payment Services framework contract: Link

Fee information document for SFS SAS Payment Services: Link

Contractual documentation applicable to Payment Services provided by TPL:

Supplement to the General Terms and Conditions of Spendesk SAS relating to the use of Payment Services provided by TPL: Link

GBP Accounts and GBP Cards

EEA Customers 🇪🇺 or United Kingdom Customers 🇬🇧

General terms and conditions GBP Account (EEA Customer 🇪🇺): Link

General terms and conditions GBP Account (UK Customer 🇬🇧): Link

Pricing terms GBP Account: Link

General terms and conditions GBP Cards (EEA Customer 🇪🇺): Link

General terms and conditions GBP Cards (UK Customer 🇬🇧): Link

Pricing terms GBP Cards: Link

Euro TPL Accounts and Euro TPL Cards

United Kingdom Customers 🇬🇧

General terms and conditions Euro TPL Account: Link

Pricing terms Euro TPL Account: Link

General terms and conditions Euro TPL Cards: Link

Pricing terms Euro TPL Cards: Link

Prepaid Cards

EEA Customers 🇪🇺 or United Kingdom Customers 🇬🇧

General terms and conditions Prepaid Cards (EEA Customer 🇪🇺): Link

General terms and conditions Prepaid Cards (UK Customer 🇬🇧): Link

Pricing terms GBP virtual Prepaid Cards: Link

Pricing terms GBP physical Prepaid Cards: Link

Pricing terms GBP virtual Prepaid Cards with high limits: Link

Pricing terms USD virtual Prepaid Cards: Link

Pricing terms USD physical Prepaid Cards: Link

Pricing terms USD virtual Prepaid Cards with high limits: Link

Pricing terms DKK virtual Prepaid Cards: Link

Pricing terms DKK physical Prepaid Cards: Link

Pricing terms DKK virtual Prepaid Cards with high limits: Link

Pricing terms NOK virtual Prepaid Cards: Link

Pricing terms NOK physical Prepaid Cards: Link

Pricing terms NOK virtual Prepaid Cards with high limits: Link

Pricing terms SEK virtual Prepaid Cards: Link

Pricing terms SEK physical Prepaid Cards: Link

Pricing terms SEK virtual Prepaid Cards with high limits: Link

Pricing terms EUR virtual Prepaid Cards: Link

Pricing terms EUR physical Prepaid Cards: Link

Pricing terms EUR virtual Prepaid Cards with high limits: Link

Annex 2

Withdrawal form in case of banking or financial solicitation

FORM RELATING TO THE WITHDRAWAL PERIOD PROVIDED FOR IN ARTICLE L. 341-16 OF THE CMF

Form to be returned no later than fourteen (14) calendar days after the date of entering into the Contract (as defined below), by registered letter with acknowledgement of receipt, to:

Spendesk SAS

51 rue de Londres

75008 Paris

Contract name: general terms and conditions of use of Spendesk services (the "Contract").

In accordance with article L. 341-16 of the French Monetary and Financial Code, the right of withdrawal may be exercised within fourteen (14) calendar days from entering into the Contract, or from the receipt of the contractual conditions, if the latter date falls later.

This withdrawal will only be valid if it is sent, by registered letter with acknowledgement of receipt, legibly and duly completed, before the expiry of the period of 14 calendar days provided for in article L. 341-16 of the French Monetary and Financial Code.

I, the undersigned ________________________________, [duly authorised to represent the company __________________________________] (hereinafter the "Professional Customer"), declare that I exercise the Professional Customer's right of withdrawal, and waive the entire Contract entered into on ________________ with Spendesk SAS for the provision (in particular) of payment services.

Signing location: ______________

Date: ______________

Signature of the Customer ______________

Annex 3

Data Processing Agreement

This Data Processing Agreement (the "Agreement") forms part of the general terms and conditions of use of Spendesk Services (the "General Terms and Conditions") entered into between the Customer (the "Data Controller") and Spendesk (the "Data Processor"), as respectively defined in the General Terms and Conditions (together, the "Parties").

Spendesk provides Services to the Customer, which imply the Processing of Personal Data. As such, the Parties wish to implement this Agreement, in accordance with the Data Protection Legislation, and in particular article 28 of the GDPR, to define their respective rights and obligations.

1. Definitions

In this Agreement, capitalised terms not specifically defined in the body of the Agreement have the meaning attributed to them (a) below, (b) failing that, in the body of the General Terms and Conditions or (c) failing that, in the GDPR:

| Term | Definition |
| --- | --- |
| Authorised Recipient | means an officer, director, employee, partner payment service provider or adviser of the Data Processor who has a legitimate need to receive and review the Personal Data for the purposes of the Data Processor's exercise of its rights and/or performance of its obligations under this Agreement, and/or any authorised sub-processor used by the Data Processor as part of the provision of the Services; |
| Contract | means the contractual framework governing the use of the Services, as defined in the body of the General Terms and Conditions; |
| Data Protection Legislation | means the laws and regulations applicable to the Processing of Personal Data including (but not limited to): (i) The GDPR and the legislation implemented by each EEA Member State in relation to the GDPR; (ii) Any specific legislation that may impact the Processing carried out under this Agreement (including legislation applicable in the United Kingdom, such as the Data Protection Act 2018, if the Customer is registered in that country); (iii) Any recommendation or directive issued by a Supervisory Authority; |
| GDPR | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; |
| Permitted Purposes | means the Processing of Personal Data implemented within the context of the Contract and described in Annex A; |
| Personal Data | means personal data within the meaning of the GDPR; |
| Services | means the services provided by the Data Processor under the Contract; |
| Third Country | means any country which is not an EEA Member State. |

2. Designation and role of the Parties

As part of the Processing carried out for (i) the provision of the Platform to the Users and (ii) the collection of Personal Data for the provision of Payment Services to the Customer and the Users:

2.1. The Customer acts as a Data Controller; and

2.2. Spendesk acts as a Data Processor.

3. Obligations of the Data Processor

The Data Processor:

3.1. Will process Personal Data only to the extent, and in the manner, necessary for the Permitted Purposes, and in accordance with the Data Controller's written instructions (including the instructions set out in this Contract and in the body of the General Terms and Conditions), with the following consequences:

(i) The Data Processor will not process Personal Data for any other purpose, unless the Processing is required by laws applicable to the Data Processor, in which case the Data Processor will, to the extent permitted by applicable laws, promptly notify the Data Controller of such legal requirement when the Data Processor becomes aware of it, and in any event prior to the Processing of such Personal Data;

(ii) The Data Controller is solely responsible for the Personal Data that it communicates to the Data Processor, and must refund the Data Processor for any costs and expenses incurred resulting from an individual instruction that goes beyond (a) what is defined by the Data Protection Legislation and/or (b) the Processing activities provided for in the Contract or in this Agreement;

(iii) If the Data Processor considers that an instruction from the Data Controller constitutes an infringement of the Data Protection Legislation, it must inform the Data Controller without delay; in addition, the Data Processor has the right to suspend the execution of the instruction until it is confirmed by the Data Controller;

3.2. Will comply, and ensure that any Authorised Recipient complies, with the Data Protection Legislation and, where applicable, with the policies and directives of the Data Controller previously communicated to the Data Processor;

3.3. Will comply, and ensure that all systems, Services, and products provided by the Data Processor to the Data Controller comply, with all laws, decrees, regulations, orders, standards, and other similar instruments (including the Data Protection Legislation) applicable in connection with the Processing of Personal Data;

3.4. Will cooperate and comply with the instructions or decisions of any Supervisory Authority, and in each case within a period allowing the Data Controller to comply with any deadline imposed by the Supervisory Authority. In the event that such a requirement or the deadlines imposed by a Supervisory Authority would place an unreasonable burden on the Data Processor, the Parties will cooperate to approach the Supervisory Authority in order to modify these requirements and/or adjust some deadlines.

4. Cooperation and assistance

The Data Processor undertakes:

4.1. To the extent legally permitted, and to the extent that the Data Controller does not have access to such Personal Data as part of its use of the Services, to promptly modify, transfer, change and/or delete any Personal Data held on behalf of the Data Controller in accordance with any written instruction of the Data Controller. The Data Controller will assume all additional costs resulting from such actions that go beyond (a) what is defined by the Data Protection Legislation and/or (b) the Processing activities provided for in the Contract or in this Agreement, following approval of the quotation;

4.2. To notify the Data Controller without undue delay:

(i) If the Data Processor considers that an instruction from the Data Controller relating to the Processing of Personal Data infringes Data Protection Legislation;

(ii) Of any breach of the Data Protection Legislation by the Data Processor or any of its sub-processors;

(iii) If the Data Processor or any of its sub-processors suffers a Personal Data Breach;

(iv) Of the results of investigations related to the breaches referred to in article 4.2 (ii) or to the Personal Data Breaches referred to in article 4.2 (iii);

(v) If the Data Processor or any of its sub-processors receives any complaint, notice or communication from a Supervisory Authority or governmental authority that relates directly to a requirement relating to the above Processing of Personal Data;

and, with respect to article 4.2 (iii), to comply with the provisions of article 4.3, and with respect to articles 4.2 (i) to (v), to provide the Data Controller with full cooperation, information and assistance in connection with any such complaint, notice or communication or any Personal Data Breach, and not to make any public statement or announcement to any third party, including (without limitation) any governmental authority or Supervisory Authority, without first having, where reasonably possible and unless prohibited by applicable laws, consulted with the Data Controller concerning the content of such public statements or announcements;

4.3. With respect to article 4.2 (iii), to:

(i) Take all reasonable steps necessary to remedy or protect the Data Processor's systems against the Personal Data Breach;

(ii) Implement measures to restore any lost, corrupted, or unusable Personal Data;

(iii) Provide reports to the Data Controller that are sufficient to enable it to notify the Personal Data Breach to the relevant Supervisory Authorities and, if necessary, to the Data Subjects in accordance with Data Protection Legislation;

(iv) Take measures to mitigate the adverse effects arising from the Personal Data Breach as directed by the Data Controller, or in any event as a prudent operator would; and

(v) Take steps to prevent a similar Personal Data Breach in the future.

4.4. To assist the Data Controller in ensuring compliance with the obligations provided for in articles 32 to 36 (included) of the GDPR, taking into account the nature of the Processing carried out by the Data Processor and the information available to the Data Processor. This assistance includes, to the appropriate and necessary extent, the provision of information and assistance to the Data Controller in carrying out impact assessments on the protection of Personal Data in connection with the Processing carried out by the Data Processor as part of the Services.

5. Obligations of the Data Controller

The Customer, as Data Controller, is solely liable for compliance with all obligations attached to this status arising from the Data Protection Legislation, and in particular:

5.1. To ensure the lawfulness, the accuracy of Data Subjects’ Personal Data, and to have the authorisation from Users to the Processing of their Personal Data by the Data Processor as part of the Services provided;

5.2. Information provided to Users regarding the Processing of their Personal Data by the Data Processor under the conditions described in this Agreement, and how Users may exercise their rights with the Data Processor;

5.3. Information provided to the Main User, legal representatives and beneficial owners concerning the Processing and transfer of their Personal Data by the Data Processor to partner payment service providers, required to carry out the Processing related to AML-CFT procedures in accordance with their legal and regulatory obligations, in the manner described in the article "AML-CFT checks" of the General Terms and Conditions;

5.4. To inform the Data Processor without delay if a User no longer acts in the name and on behalf of or with the authorisation of the Data Controller.

6. Technical and organisational measures - Security

The Data Processor undertakes to implement appropriate technical and organisational measures compliant with the Data Protection Legislation.

The Data Processor undertakes:

(i) To ensure that it has appropriate technical and organisational measures in place against the destruction, loss, alteration (accidental or unlawful), unauthorised disclosure or access to the Personal Data it processes;

(ii) To ensure that the Authorised Recipients comply with all reasonable requests of the Data Controller with regard to the security and the Processing of Personal Data.

The Data Processor must carry out an annual review of its technical and organisational measures and update them regularly to reflect:

(i) Major technological developments and best standard practices;

(ii) Any change or proposed change to the Data Processor's procedures, sites and systems, Services and/or associated operating modes;

(iii) Any new threat identified or modified with regard to the Data Processor's procedures, sites, and systems.

7. Authorised Recipients and confidentiality

The Data Processor undertakes to:

7.1. Restrict access to Personal Data to Authorised Recipients who need to obtain access for Permitted Purposes;

7.2. Ensure that all Authorised Recipients are made aware of the data protection;

7.3. Impose on Authorised Recipients legally binding confidentiality and security obligations equivalent to those contained in this Agreement.

8. Records of Processing

The Data Processor undertakes to the Data Controller to keep a record of any Processing of Personal Data carried out on behalf of the Data Controller, including the record of Processing activities required in accordance with article 30 (2) of the GDPR.

9. Rights of Data Subjects

The Data Processor will:

9.1. Notify the Data Controller promptly, and in any event no later than fifteen (15) days, of any request from a Data Subject wishing to exercise their rights under the Data Protection Legislation;

9.2. Provide the Data Controller with reasonable cooperation and assistance to enable the Data Controller to respond to requests from Data Subjects who wish to exercise their rights under the Data Protection Legislation (whether such requests are received by the Data Processor or the Data Controller), to the extent that this is legally permitted, and to the extent that the Data Controller does not have access to such Personal Data as part of its use of the Services; and

9.3. Not disclose or communicate any Personal Data in response to a Data Subject or not respond to any other request for disclosure of Personal Data without first consulting and obtaining the written consent of the Data Controller.

10. Collection of Personal Data

If the Data Processor is required to collect Personal Data on behalf of the Data Controller requiring the consent of the Data Subjects, the Data Processor will collect the Personal Data in the format agreed in writing with the Data Controller, and will provide the Data Subjects at the time of collection with a privacy policy (including, if necessary, a consent form) according to the format authorised by the Data Controller and depending on the type of collection (direct or indirect).

11. Sub-processors

The Data Controller authorises the Data Processor to subcontract part of the Processing to its current sub-processors as mentioned in the sub-processors list available on the Data Processor’s website. This list includes the identities of each current sub-processor, the categories of Personal Data they process, their country location, and information about their compliance with Data Protection Legislation.

The Data Processor can update the sub-processors list and will inform the Data Controller of the recruitment of a new sub-processor.

The Data Controller may oppose the use of a new sub-processor by the Data Processor by promptly notifying the Data Processor in the form provided for in the General Terms and Conditions. In the event that the Data Controller objects to the appointment of a new sub-processor, the Data Controller may terminate the applicable Contract by sending the Data Processor a written notification in the form provided for in the General Terms and Conditions.

Any sub-processing of Personal Data will not release the Data Processor from its duties, responsibilities and obligations to the Data Controller under this Agreement, and the Data Processor will remain fully liable for the acts and omissions of its sub-processors.

12. Transfers to Third Countries

Any transfer of Personal Data to a Third Country or an international organisation by the Data Processor in the context of the Services will only be carried out on the basis of documented instructions from the Data Controller, or in order to fulfil a specific requirement of the law or regulation to which the Data Processor is subject, and will be carried out in accordance with Chapter V of the GDPR.

The Data Controller agrees that, where the Data Processor recruits a sub-processor in accordance with article 11 to carry out specific Processing activities (on behalf of the Data Controller), and such Processing activities involve a transfer of Personal Data within the meaning of Chapter V of the GDPR, the Data Processor and the sub-processor will comply with Chapter V of the GDPR by using the appropriate transfer mechanisms (in particular the standard contractual clauses published by the European Commission (the "Standard Contractual Clauses")).

In the event that the Data Processor is under an obligation to transfer Personal Data, under applicable law, to a Third Country or an international organisation, the Data Processor must inform the Data Controller without delay, and in any event before the performance of said mandatory transfer, unless applicable law prohibits such information for grounds of public interest.

13. Liability

Each Party is and will remain liable for any breach of Data Protection Legislation and will indemnify the other Party against the possible consequences of such breach.

The Data Processor’s liability will be limited to (i) its own Processing activities under this Agreement, and (ii) only the damages and maximum amounts specified in the General Terms and Conditions.

14. Entry into force and termination

This Agreement will take effect on the Effective Date defined in the General Terms and Conditions and will remain in force until the Data Processor ceases to Process the Personal Data on behalf of the Data Controller.

15. Consequences of Termination

Upon expiry or termination of the Contract (for any reason whatsoever), the Data Processor must cease the Processing on behalf of the Data Controller and, depending on the applicable retention periods set out in Annex A, and upon written request of the Data Controller, promptly return all Personal Data to it via a secured means (regardless of its form, and whether the Personal Data is electronic or physical).

16. Information and audit

The Data Processor will make available to the Data Controller all information necessary to demonstrate compliance with the obligations provided for in this Agreement and to allow audits to be carried out.

The Data Controller may carry out, at its own expense, any check it deems useful to verify compliance with the Data Processor’s obligations, under the conditions of the Data Processor's external audit policy.

The Data Processor will allow and contribute to the audits that the Data Controller or an auditor of its choice, subject to an obligation of confidentiality, will conduct for the purpose of reviewing the Data Processor's compliance with the obligations set out in this Agreement, subject to at least sixty (60) Business Days' written notice.

The Data Controller may request, carry out or have an audit carried out once every twelve (12) months. The Data Processor may object to the choice of an independent auditor made by the Data Controller within ten (10) days of notification by the Data Controller.

The audit may relate only to the Data Processor's obligations under this Agreement and cannot, in particular, relate to:

(i) Data or information from other customers or prospects of the Data Processor;

(ii) Any internal data belonging to the Data Processor that is not directly and strictly relevant to the authorised audit objectives;

(iii) Any information the disclosure of which could affect the security of the Data Processor's systems and data (i.e., create a risk to the confidentiality of the information); and

(iv) The source code of the computer programs used for the provision of the Services.

The auditor may neither copy a document, file, data, or information, in whole or in part, nor take photos, scan, or make an audio, video or computer program without first informing the Data Processor.

The audit will take place on Business Days during working hours, and will be conducted in such a way as not to disrupt the activities of the Data Processor and the provision of the Services by the Data Processor to the benefit of its other customers. The audit duration may not exceed three (3) Business Days of involvement of the Data Processor's personnel, which may be spread over one (1) calendar month.

The Data Controller will bear the full costs of the audit, and the Data Processor will be entitled to invoice the Data Controller for any additional costs and expenses relating to the audit. The audit will be carried out jointly, and a copy of the audit report must be provided to the Data Processor.

17. Entire Agreement

This Agreement constitutes the entirety of the commitments entered into by the Parties with respect to its subject matter, and the terms of the Agreement will prevail over all other agreements.

Each Party acknowledges and agrees that by entering into this Agreement, it waives, and will have no recourse with respect to, any statement, representation, guarantee or understanding of any person (whether or not a Party to this Agreement) other than as expressly set forth in this Agreement.

18. Interpretation

In case of a conflict between the provisions of this Agreement and those of the body of the General Terms and Conditions, the provisions of this Agreement will prevail.

19. Applicable law and jurisdiction

This Agreement will be governed by and construed in accordance with French law, and any dispute arising out of or in connection with this Agreement will be subject to the exclusive jurisdiction of the courts of Paris (France), to which each of the Parties irrevocably submits.

20. Miscellaneous

Each Party must occasionally (both during the term of this Agreement and after its termination) carry out all acts and sign all documents as may be reasonably necessary to give effect to the provisions of this Agreement.

Annex A. Description of the Personal Data Processing

1. Data governance of the Data Processor

Data protection officer (DPO): François-Xavier Boulin (privacy@spendesk.com)

2. Details of the Personal Data Processing

2.1 Categories of Data Subjects:

(i) The Users designated by the Customer;

(ii) The Customer's legal representatives and beneficial owners;

(iii) The Main User designated by the Customer.

2.2 Purposes of the Personal Data Processing:

(i) Provision of a SaaS Platform for the management of payments, invoices and authorisation flows of Users' business expenses;

(ii) Provision of Payment Services to the Customer and Users, including:

  • opening an Account in the name of the Customer

  • issuance of Cards for each User at the request of the Customer

  • management of Payment Transactions (including by Card and Transfers)

  • management of requests and complaints from the Customer or one or more User(s)

(iii) Provision of anonymised data on industry trends in business expenses according to predetermined criteria depending on the Customer's area of work. 

2.3 Type of Personal Data and nature of the Processing:

(i) KYC Information relating to the Customer’s legal representatives and beneficial owners and to the Main User (first name, surname, postal address, date of birth, nationality, professional email address (only for the Main User), nature of the relationship with the Customer (only for the beneficial owners), identity document and any other proof necessary for the validation of the Customer's compliance for entering into a business relationship)

Nature of the Processing: collecting of Personal Data as part of the opening of the Customer’s Account and collecting of information as part of the checks imposed by AML-CFT regulations on Spendesk's partner payment service provider(s).

(ii) Information relating to the Users (first name, surname, professional email address and phone number, postal address (only for the delivery of the Card), photo (with the User’s consent))

Nature of the Processing: to guarantee the sending of information relating to the status, collecting of information as part of the sending of the Card, the security code, and instructions as part of the authorisation process for Payment Transactions; creation of an account on the Spendesk Platform; management of requests and legal complaints; use of the Platform and the Services subscribed to by the Customer.

(iii) User login data (username, password, IP address)

Nature of the Processing: to ensure the connection of Users for identification purposes and access to the Spendesk Platform.

(iv) User professional position details

Nature of the Processing: to define the scope of the rights and authorisations of the User, and to limit the functions or access to the Spendesk Platform.

(v) User payment information (IBAN only)

Nature of the Processing: to ensure the payment (refund) of the User's professional expenses.

(vi) Invoices and receipts for professional expenses

Nature of the Processing: analysis and retention of invoices and receipts in order to preserve evidence and accounting information relating to payments and refunds.

2.4 Retention period:

(i) Data relating to the User(s): duration of the contractual relationship with the Customer and twenty-four (24) months from the deletion of the User (subject to another retention period defined in a specific regulation).

(ii) Data relating to the Main User, legal representatives, and beneficial owners of the Customer: duration of the contractual relationship with the Customer (subject to another retention period defined in a specific regulation).

(iii) Invoices and receipts for Users’ professional expenses: ten (10) years from the end of the calendar year in which they were received.

Annex 4

Information Note on the Processing of Personal Data carried out by SFS SAS and Spendesk

As part of the performance of the Contract, Spendesk and SFS SAS (respectively defined in the General Terms and Conditions) are required to process together, as joint Data Controllers, specific Customer Personal Data, namely the one relating to its beneficial owners, its legal representatives, its Main User, and the Users designated by the Customer (the "Data Subjects").

To protect this Personal Data, and in accordance with the Data Protection Legislation, Spendesk and SFS SAS have entered into a joint controllership agreement that specifies their respective roles and obligations towards the Customer and Data Subjects whose Personal Data is processed in order to provide the Payment Services.

In addition, SFS SAS may act as an independent Data Controller when processing the Personal Data of Data Subjects in its capacity as a payment institution, to comply with its legal and regulatory obligations, and to meet its legitimate interest.

This information note (the "Note") includes (1) the main points of the joint controllership agreement between Spendesk and SFS SAS, (2) the information relating to the Processing carried out by SFS SAS acting as an independent Data Controller and (3) the technical and operational measures put in place, including the security measures and the distribution of responsibility between Spendesk and SFS SAS to ensure the protection of Personal Data and the management of the Data Subjects’ rights.

The Customer undertakes to inform the Data Subjects of the Processing described in the Note, and to provide them with information on how they can exercise their rights with Spendesk and SFS SAS.

This Note may be updated, in particular in the event of modification of the Data Protection Legislation, or in the event that the Services are modified.

In this Note, capitalised terms not specifically defined have the meaning attributed to them (a) in the Data Processing Agreement annexed to the General Terms and Conditions, (b) failing that, in the body of the General Terms and Conditions or, (c) failing that, in the GDPR.

1. Processing carried out by SFS SAS and Spendesk as joint Controllers

A. Characteristics of the Processing

To provide the Payment Services and comply with their legal and contractual obligations, Spendesk and SFS SAS jointly process Personal Data collected from Data Subjects, as set out below:

| Personal Data Processing purposes | Categories of Data Subjects | Categories of Personal Data processed | Legal basis for the Processing of Personal Data |
| --- | --- | --- | --- |
| Opening and provision of the Account in the name of the Customer | Main User // Beneficial owners and legal representatives of the Customer | Identification data: surname(s), first name(s), date of birth, nationality // Contact data: postal address, professional email address (only for the Main User) // Other data: nature of the relationship with the Customer (only for beneficial owners) // Identity document and any other proof necessary for the validation of the Customer's compliance for entering into a business relationship | Compliance with a legal obligation // Performance of the Contract |
| Issuance of Cards | Users designated by the Customer | Identification data: surname(s), first name(s) // Contact data: phone number, professional email address, postal address (only for the delivery of the physical Card) | Performance of the Contract |
| Management of Payment Transactions | Users designated by the Customer | Identification data: surname(s), first name(s) // Contact data: phone number // Connection data: IP address // Financial data: IBAN, transactional data of Payment Transactions relating to business expenses | Performance of the Contract |
| Management of requests | Users designated by the Customer | Identification data: surname(s), first name(s) // Content of the request | Performance of the Contract |
| Management of complaints related to Payment Services | Users designated by the Customer | Identification data: surname(s), first name(s) // Financial data: transactional data of Payment Transactions relating to business expenses // Content of the complaint | Compliance with a legal obligation |

The Processing of the aforementioned Personal Data is mandatory. Failing that, the Customer will not be able to benefit from the Payment Services.

B. Personal Data retention periods

Spendesk and SFS SAS undertake to retain Personal Data only for the periods necessary to achieve the purposes described above.

Certain Personal Data may be kept for an additional period of five (5) years, in accordance with the ordinary limitation period in civil and commercial law matters, to allow Spendesk and SFS SAS to defend their rights and interests in the event of litigation.

For Processing carried out under a legal obligation, Spendesk and SFS SAS comply with the retention periods imposed by the applicable regulations.

C. Recipients of Personal Data

Spendesk and SFS SAS may need to share certain Personal Data with their sub-processors and partner payment service providers when necessary for the provision of the Payment Services, and to disclose it to the competent authorities insofar as they are required to do so by the applicable regulations.

2. Processing carried out by SFS SAS as an independent Controller

A. Characteristics of the Processing

SFS SAS, as an independent Data Controller, processes Personal Data collected indirectly from Data Subjects, through Spendesk or third parties (and in particular from publicly available information sources, administrative bodies, and public authorities), as set out below:

| Personal Data Processing purposes | Categories of Data Subjects | Categories of Personal Data processed | Legal basis for the Processing of Personal Data |
| --- | --- | --- | --- |
| Ensuring the security and continuity of the Payment Services | Users designated by the Customer | Identification data: User ID // Connection data: logs, IP address | Legitimate interest |
| Optimisation of the Payment Services | Users designated by the Customer | Identification data: User ID // Connection data: logs, IP address | Legitimate interest |
| Compliance with accounting and tax standards | Users designated by the Customer | Identification data: surname(s), first name(s) // Financial data: transactional data of Payment Transactions relating to business expenses | Compliance with a legal obligation |
| Follow-up management of complaints related to Payment Services | Users designated by the Customer | Identification data: surname(s), first name(s) // Financial data: transactional data of Payment Transactions relating to business expenses // Content of the complaint | Compliance with a legal obligation |
| Anti-money laundering and countering the financing of terrorism (AML-CFT) | Main User // Beneficial owners and legal representatives of the Customer | Identification data: surname(s), first name(s), date of birth, nationality // Contact data: postal address, professional email address (only for the Main User) // Other data: nature of the relationship with the Customer (only for beneficial owners) // Identity document and any other proof necessary to meet the AML-CFT framework requirements based on the identified risk // Any publicly available information to meet the AML-CFT framework requirements based on the identified risk | Compliance with a legal obligation |
| Anti-money laundering and countering the financing of terrorism (AML-CFT) | Users designated by the Customer | Identification data: surname(s), first name(s) // Connection data: IP address // Financial data: IBAN, transactional data of Payment Transactions relating to business expenses | Compliance with a legal obligation |

The Processing of the aforementioned Personal Data is mandatory. Failing that, the Customer will not be able to benefit from the Payment Services.

B. Personal Data retention periods

SFS SAS undertakes to retain Personal Data only for the period necessary to achieve the purposes described above.

Certain Personal Data may be kept for an additional period of five (5) years, in accordance with the ordinary limitation period in civil and commercial law matters, to allow SFS to defend its rights and interests in the event of litigation.

For Processing carried out under a legal obligation, SFS SAS complies with the retention periods imposed by the applicable regulations.

For the Processing necessary for anti-money laundering and countering the financing of terrorism, the documents and information relating to the identity of the beneficial owners, legal representatives and Main User of the Customer are kept for a period of five (5) years from the termination of the business relationship with the Customer, and the documents and information relating to the Payment Transactions carried out by the Users are kept for a period of five (5) years from their execution.

C. Recipients of Personal Data

SFS SAS may need to share certain Personal Data with its sub-processors and certain regulated professions, as well as to disclose it to the competent authorities, in particular to respond to any demand or request issued within the framework of the applicable regulations.

3. Technical and organisational measures to ensure the protection of Personal Data

A. Security measures

Spendesk and SFS SAS place the utmost importance on the security and integrity of the Personal Data entrusted to them. SFS SAS and Spendesk undertake to take all necessary measures to preserve the security of Personal Data and, in particular, to protect Personal Data against any destruction, loss, alteration (accidental or unlawful), unauthorised disclosure or access, as well as against any other form of unlawful Processing or disclosure to unauthorised persons.

To this end, SFS SAS and Spendesk implement industry-standard security measures to protect Personal Data from unauthorised disclosure. In order to prevent in particular unauthorised access and to ensure the accuracy and proper use of Personal Data, SFS SAS and Spendesk have implemented the appropriate electronic, physical and management procedures to safeguard and preserve the Personal Data collected through the Services.

These commitments are valid regardless of the Processing controllership defined in paragraphs 1 and 2 of this Note.

B. Transfers of Personal Data

The Personal Data processed by Spendesk and SFS SAS are hosted within the territory of the European Union.

To provide Payment Services to Users, for example, to enable Card Payment Transactions or refunds of business expenses, certain Personal Data may be transmitted to sub-processors located outside of the European Union.

Spendesk and SFS SAS undertake to put in place an adequate transfer mechanism in accordance with the applicable regulations, in particular the Standard Contractual Clauses. They also require each of their sub-processors to comply with Data Protection Legislation, and to provide contractual guarantees regarding the security and confidentiality of Personal Data Processing.

C. Rights of Data Subjects

In accordance with the Data Protection Legislation, Data Subjects have a right of access, rectification, limitation, and erasure of Personal Data concerning them, as well as a right to object, a right to portability and a right to submit instructions concerning the handling of Personal Data after their death.

In accordance with the joint controllership agreement between Spendesk and SFS SAS, Spendesk is responsible for managing requests from Data Subjects exercising their rights under the GDPR.

Thus, Spendesk and SFS SAS have determined that the preferred point of contact for exercising the rights of Data Subjects is Spendesk's data protection officer (DPO). Requests for information and requests to exercise rights should therefore be addressed preferably:

  • by email: privacy@spendesk.com; or

  • by post: Spendesk SAS - Data protection officer (DPO) - 51 rue de Londres, 75008 Paris, France.

However, Data Subjects may exercise their rights with any Data Controller.

SFS SAS has also appointed a data protection officer (DPO), who can be contacted by email at: privacy@spendesk-sfs.com.

In any event, the Data Subject is informed that there are exceptions to the aforementioned rights. In particular, SFS SAS and/or Spendesk may refuse to comply with the request if:

  • There are legitimate and compelling reasons to process the Personal Data, or the Processing is necessary for the establishment, exercise, or defence of legal rights;

  • The relevant Processing is necessary for the performance of the General Terms and Conditions; or

  • There is a legal obligation to process the Personal Data of the Data Subject.

For example, SFS SAS cannot respond to a request for right of access to the Personal Data of the Data Subject processed for AML-CFT purposes, in accordance with article L. 561-45 of the CMF. The right of access request relating to AML-CFT must be addressed indirectly to the French Supervisory Authority, Commission Nationale de l’Informatique et des Libertés (CNIL) at: www.cnil.fr.

Finally, the Data Subject has the right to notify the CNIL via its website (www.cnil.fr) or by post (CNIL, Service des Plaintes, 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07).