Terms & Conditions

Introduction

This agreement (“Agreement”) sets out our and your legal rights and obligations in relation to our services. This Agreement (together with the documents referred to in it) tells you information about us and the legal terms and conditions on which we supply our services listed on our website katapult.io to you. Please read them carefully and make sure you understand them before ordering any Services (described below) from us

Agreeing to register for an account with us and agreeing to use the Services by clicking "Continue" constitutes your acceptance and agreement to be bound by the terms of this Agreement, and all other policies and procedures that may be published from time to time on katapult.io by us, each of which is incorporated by reference and each of which may be modified from time to time in accordance with this Agreement. You also acknowledge receipt of our Privacy Policy.

By entering into this Agreement with us you also confirm that you are over 18 years old or, if different, that you are of sufficient age to be entitled to enter into legal agreements in your jurisdiction.

We operate the website katapult.io. We are Krystal Hosting Ltd (trading as Katapult) a company incorporated in England and Wales whose registered number is 07571790 and whose registered office is at 124 City Road, London, EC1V 2NX (“Katapult”, “we”, “us”, “our”).

In this agreement we will refer to you, the person or organisation entering into a contract with us as “Customer”, “you”, “your”.

Each of Katapult and the Customer are a “party” and together Katapult and the Customer are the “parties”.

Background

1. Katapult hosts and manages various facilities and provides various services as more specifically described in this Agreement and which the Customer wishes to use for itself and its Authorised Users.
2. The Customer and its Authorised Users will be able to use these facilities and services by interacting with them remotely over the internet or by means of its own communications facilities.
3. Katapult wishes to provide these facilities and services and the Customer wishes to pay for the same on the terms of this Agreement

The Parties Agree:

1. Definitions

   1. In this Agreement:

      Authorised Users means those employees (including for this purpose only, individual third-party contractors used alongside its regular workforce) of the Customer as designated by the Customer in the Katapult Console on my.katapult.io as requiring access to the Cloud Services;

      Business Day means a day other than a Saturday, Sunday or bank or public holiday in England;

      Change Control Procedure means the procedure set out in Schedule 5;

      Cloud Services means those specific services being Rocks or Boulders with features as described on the site katapult.io selected by the Customer within the Katapult Console for provision by Katapult under this Agreement as they are more fully described in Schedule 2 and shall include all modifications, updates and extensions of those services made in accordance with the terms of this Agreement;

      Cloud Services Conditions means the technical and other conditions for Katapult’s supply of the Cloud Services and the conditions of the Customer’s access to, receipt of and use of them as more fully described in Schedule 3;

      Commencement Date is variously defined in Schedule 1 or, if there is no date that can be established with certainty, then the Commencement Date shall be the date on which the first Services are provided by Katapult to the Customer;

      Confidential Information means any and all confidential information (whether in oral, written or electronic form) including technical or other information imparted in confidence or disclosed by one party to the other or otherwise obtained by one party relating to the other’s business, finance or technology, know-how, Intellectual Property Rights, assets, strategy, products and customers, including without limitation information relating to management, financial, marketing, technical and other arrangements or operations of any person, firm or organisation associated with that party;

      Customer Data means all data and software, which are provided to Katapult or uploaded or hosted on any part of any Services by the Customer or by any Authorised User;

      Data Protection Losses has the meaning given in Schedule 6;

      Fees means those fees payable by the Customer under this Agreement calculated in accordance with their usage of the Services based on prices published on our site katapult.io which are calculated on the basis of complete minutes of Services used over the course of a Month as described in Schedule 2 and may comprise one-off charges or recurring charges;

      Force Majeure means an event or sequence of events beyond a party’s reasonable control (which could not reasonably have been anticipated and avoided by a party) preventing or delaying it from performing its obligations hereunder, including without limitation war, revolution, terrorism, riot or civil commotion, epidemic, pandemic, or reasonable precautions against any such; strikes, lock-outs or other industrial action, whether of the affected party’s own employees or others; blockage or embargo; action or inaction of a supplier of other third party (including but not limited to failure of an underlying third-party provider to process an application timely); acts of or restrictions imposed by government, military or public authority; explosion, fire, corrosion, flood, natural disaster, or adverse weather conditions; fibre or cable cut, subsea fibre damage, inability to secure materials, labour or transportation. Force Majeure does not include lack of funds;

      Intellectual Property Rights means any and all copyright, rights in inventions, patents, know-how, trade secrets, trademarks and trade names, service marks, design rights, rights in get-up, database rights and rights in data, semiconductor chip topography rights, utility models, domain names and all similar rights and, in each case:

      1. (a) whether registered or not;
      2. (b) including any applications to protect or register such rights;
      3. (c) including all renewals and extensions of such rights or applications;
      4. (d) whether vested, contingent or future; and
      5. (e) wherever existing;

      IP Claim has the meaning given in clause 12.5.1;

      Katapult’s Standard Pricing Terms means Katapult’s standard pricing terms for any service or activity, as amended by Katapult from time to time, and as at the date of this Agreement the latest version is available at katapult.io and any work that needs to be undertaken for a Customer that is outside the scope of the technical support provided within the Support Services shall be charged to the Customer at the rate of £500 per hour plus value added tax or the local equivalent tax together with any out of pocket expenses;

      Malware means any code or device intended to interfere with or having the effect of interfering adversely with, the operation of any hardware or software, including any bugs, worms, logic bombs, trojan horses or any other such programs;

      Month means a calendar month and Monthly shall be interpreted accordingly

      Operational Change means:

      1. (a) the application of any software fix or patch, update, upgrade and/or service pack generally released by the relevant software owner or licensor;
      2. (b) the application of any software fix or patch, update, upgrade and/or service pack necessary for the secure, lawful or otherwise proper functioning of the Services (or any part); and/or
      3. (c) any modification in Katapult’s operational, technical, security or other means of delivering the Services which, when implemented, will not cause any alteration in the Fees or have any directly adverse effect on the Customer’s receipt or use of the Services or conflict with Schedule 6;

      Policies means the Cloud Services Conditions, and the Security Procedures;

      Protected Data has the meaning given in Schedule 6;

      Security Procedures means those procedures set out in Schedule 4;

      Services means the Cloud Services and the Support Services;

      Supplier Indemnified Person means:

   1. (a) Katapult;
   2. (b) each direct and indirect sub-contractor of Katapult; and
   3. (c) the officers, directors, employees, agents, successors, and assignees of Katapult or any of Katapult’s direct or indirect subcontractors;

   Support Services means technical support provided by Katapult to the Customer in the use of the Cloud Services as selected by the Customer in the Katapult Console under this Agreement, and shall include all modifications, updates and extensions of such Support Services made in accordance with the terms of this Agreement; and

   Term means the period of one Month starting from the Commencement Date together with any period or periods of automatic renewal provided for in clause 3.

   VAT means United Kingdom value added tax and any other tax imposed in substitution for it and any equivalent or similar tax imposed outside the United Kingdom which is payable by the Customer at the rate and in the manner from time to time prescribed by law.

2. Interpretation

   1. In this Agreement:

      1. a reference to this Agreement includes its schedules, appendices and annexes (if any);
      2. a reference to a ‘party’ includes that party’s personal representatives, successors and permitted assigns;
      3. a reference to a ‘person’ includes a natural person, corporate or unincorporated body (in each case whether or not having separate legal personality) and that person’s personal representatives, successors and permitted assigns;
      4. a reference to a gender includes each other gender;
      5. words in the singular include the plural and vice versa;
      6. any words that follow ‘include’, ‘includes’, ‘including’, ‘in particular’ or any similar words and expressions shall be construed as illustrative only and shall not limit the sense of any word, phrase, term, definition or descripti preceding those words;
      7. the table of contents, background section and any clause, schedule or other headings in this Agreement are included for convenience only and shall have no effect on the interpretation of this Agreement; and
      8. a reference to legislation is a reference to that legislation as amended, extended, re-enacted or consolidated from time to time and a reference to legislation includes all subordinate legislation made from time to time under that legislation.

3. Commencement and Term

   1. This Agreement shall commence on the Commencement Date and shall continue throughout the Term unless before the end of the Term it is terminated in accordance with clause 15 or otherwise in accordance with this Agreement or is earlier terminated by agreement between the parties.
   2. At the end of the Term, this Agreement shall automatically renew without the requirement for notice by either party for successive periods of one Month each, unless either party serves a written notice on the other party requesting termination of the Agreement and giving at least 28 days notice, in which case this Agreement may continue until termination at the end of the said 28 day period.
   3. The terms of this Agreement shall also apply to any additional or changed Services agreed by the parties in the course of the Term, and shall apply to any renewal or extension of the Term.

4. Provision of the Services

   1. Katapult shall make available the Cloud Services and associated Support Services from the Commencement Date for the duration of the Term subject to the terms of this Agreement.
   2. The Customer may grant only the Authorised Users access to the Cloud Services. The Customer may at any time during the Term designate in the Katapult Console further individuals as Authorised Users. The Customer is responsible for ensuring compliance by the Authorised Users with the provisions of this Agreement.
   3. The Customer shall at all times during the Term comply with Policies.
   4. Katapult may, at any time and without notice, temporarily discontinue or modify the Cloud Services or any part of them where this is necessary in Katapult’s sole discretion for the purpose of making modifications to the design, specifications, network connectivity or method of operation of the Cloud Services in order to maintain their compliance with current security or other technical requirements or standards.
   5. In connection with any period of suspension or temporary discontinuance or modification of Katapult’s provision of the Services permitted by the terms of this Agreement:
      1. Katapult may delete or remove access to some or all of the Customer Data stored on the impacted Services;
      2. Katapult shall provide as much notice as is reasonably possible taking into account the urgency of the situation, its potential effect on Katapult’s ability to continue providing services to its customers generally and the need to maintain a safe and secure environment;
      3. Katapult shall not be liable for any loss or damage to the Customer including any liability it may incur to third parties; and
      4. Katapult shall be entitled to charge and be paid all Fees until the end of the period of suspension, discontinuance or modification.
   6. Without prejudice to the foregoing specific rights to suspend or temporarily modify or discontinue the Cloud Services, Katapult shall not be responsible or accept any liability for delays, failures or loss of or damage to data arising from the transfer of data over the internet or other communications networks or facilities other than those networks or facilities which are supplied by Katapult as part of the Cloud Services or which are under Katapult’s direct control or in its possession.
   7. The Customer acknowledges that the Cloud Services are subject to the limitations, delays and other technical issues which are inherent in the use of third-party networks or communications facilities including the internet.

5. Exclusions from the Services

   1. Katapult shall not be responsible for and the Customer shall accept sole responsibility for the following matters:
      1. supervision of the Authorised Users and ensuring compliance by each of them with the Policies;
      2. the inputting and maintenance of the Customer Data and (except as otherwise expressly agreed by the parties) its security and integrity;
      3. the taking of back ups of the Customer Data or any other data (and the Customer acknowledges that the Services do not include any dedicated data backup or disaster recovery facilities and that the Customer should ensure it at all times maintains backups of all Customer Data);
      4. the safety and integrity of any backups of the Customer Data; and
      5. except as otherwise agreed under this Agreement, extracting, transferring or recovering any data (including any Customer Data) whether during or after the Term (or providing any assistance with any such activities).
   2. The Customer acknowledges and agrees that it is responsible for maintaining safe backups and copies of any Customer Data, including as necessary to ensure the continuation of the Customer’s business(es). The Customer shall, without limitation, ensure that it backs up (or procures the back up of) all Customer Data regularly (in accordance with its and its Authorised User’s needs) and extracts all necessary Customer Data from all Services prior to the termination or expiry of this Agreement or the cessation or suspension of any of the Services.
   3. Katapult shall provide the Services in accordance with any laws applicable in the United Kingdom to the extent that they are general in nature or apply to a supply of services that are the same as or similar to the Services.
   4. The Customer shall be solely responsible for compliance with all laws applicable to it in its access to, receipt of and use made of the Services and shall further be solely responsible for compliance with all published policies, guidelines or industry codes of practice applicable to it but not having the force of law.
   5. Except to the extent Katapult has direct obligations under applicable laws, the Customer acknowledges that Katapult has no control over any Customer Data hosted as part of the provision of the Services and might not actively monitor or have access to the content of the Customer Data. The Customer shall ensure (and is exclusively responsible for) the accuracy, quality, integrity and legality of the Customer Data and that its use (including use in connection with the Services) complies with all applicable laws and Intellectual Property Rights.
   6. Katapult routinely undertakes regular backups of the Services (which may include Customer Data) for its own business continuity purposes. The Customer acknowledges that such steps do not in any way make Katapult responsible for ensuring the Customer Data does not become inaccessible, damaged or corrupted. To the maximum extent permitted by applicable law, Katapult shall not be responsible (under any legal theory, including in negligence) for any loss of availability of, or corruption or damage to, any Customer Data.
   7. Katapult is not responsible for the provision of any software, middleware or other platform whatsoever, the provision of which is entirely the Customer’s responsibility. In conjunction with the Services, you may be allowed to use certain software developed and owned by other organisations or its licensors. You agree to abide by any additional terms they may apply to your use of their software. Any such licence is deemed to exist between the Customer and the software provider directly, and not with Katapult. Katapult provides no warranties that the operating system software or other software used by the Customer is appropriate for the Customer’s needs.

6. Changes to Services

   1. Katapult may by notice in writing make any changes to the Services which are necessary to comply with any law applicable anywhere in the United Kingdom or with any published policies, guidelines or codes of practice not having the force of law but which represent good practice.
   2. Where Katapult would be required to make a change to the Services consequent on a change in law which comes into force at any time after the Commencement Date (including those laws referred to in Schedule 6), then Katapult may instead terminate this Agreement by notice in writing of not less than 30 days, in which case this Agreement shall terminate at the end of that 30 day period.
   3. Katapult may at any time change the Policies or any part of them where this is desirable in Katapult’s sole discretion to comply with good practice and shall provide as much notice as reasonably practicable to the Customer save in the case of changes to the Security Procedures, where in cases of urgency, Katapult may introduce modifications or additional procedures where this is required to maintain a secure environment for the provision of the Services.
   4. Katapult may at any time and without prior notice to the Customer and without complying with the Change Control Procedure implement any Operational Change provided that neither the work of implementing the Operational Change nor the consequences of the Operational Change will have a directly adverse effect on the Customer’s access to, receipt of or use of the Services. Katapult may make any consequential alterations it considers necessary in its sole discretion following any Operational Change and shall give the Customer written notice of such alterations as soon as reasonably practicable.
   5. Katapult may at any time and without prior notice improve the Services or release new features within the Customer’s chosen Services without complying with the Change Control Procedure. If a Customer believes a change under this clause 6.5 to have a significant negative impact on the Customer’s rights and obligations, the Customer will raise the issue with Katapult as soon as possible and at least within 14 days with a view to it being dealt with as a dispute under clause 17. Any such improvements that have not been raised with Katapult 14 days after the change has been applied are deemed to be accepted by the Customer.
   6. Subject to clause 4.5 and clauses 6.1 to 6.5 (inclusive) and Schedule 6, any:
      1. modifications to the terms of this Agreement; and
      2. material modifications in the Services that will have the effect of significantly downgrading the Services that a large portion of Customers receive from Katapult; shall require compliance with the Change Control Procedure. All other changes, including those made pursuant to clause 4.5 and clauses 6.1 to 6.5 (inclusive) and/or paragraph 12 of Schedule 6 shall not require compliance with the Change Control Procedure.
   7. Nothing in this clause shall prevent either party terminating this Agreement in accordance with clause 3.2, 15, 21 or Schedule 6 .

7. Misuse of the Cloud Services

   1. The Customer is responsible for ensuring compliance by the Authorised Users with the terms of this Agreement (including the Policies) and shall be fully liable for the acts or omissions of the Authorised Users as if they were its own.
   2. The Customer shall be responsible for any acts of unauthorised access to the Services where such access is gained by unauthorised use of an Authorised User’s account. The Customer shall inform Katapult immediately on becoming aware of any unauthorised access, whether through an Authorised User’s account or otherwise.
   3. The Customer shall comply with any law applicable to it in its access to, receipt of or use of the Services.
   4. The Customer may not perform any security testing of the Services or of any infrastructure or facilities whatsoever used to provide the Services, including network discovery, port/service identification, vulnerability scanning, password cracking, remote access testing or penetration testing.
   5. If the Customer or any Authorised User fails at any time to comply with any of the Policies or clauses 7.3 and 7.4 in any, including a trivial respect, Katapult reserves the right without prior notice to suspend the Customer’s (and Authorised Users’) access to or use of the Services either completely or to the extent Katapult in its sole discretion deems necessary to ensure a safe and secure manner of providing its services to its customers in general. Katapult shall be entitled to maintain the suspension until the Customer is able to remedy its non-compliance with the Policies and clauses 7.3 to 7.4 and to demonstrate its future ability to comply with the Policies and such clauses to Katapult’s reasonable satisfaction.
   6. The Customer shall not use the Services, or allow any Authorised User to use the Services, to create, store, access, transfer to any third party or otherwise distribute any Malware or any other material which:
      1. is unlawful;
      2. fails to comply with any Policy;
      3. is in breach of any of Katapult’s obligations under Schedule 6;
      4. is or contains material which is harmful, obscene, defamatory, infringes any third party’s rights including any third party’s Intellectual Property Rights;
      5. is or contains material which is of a harassing or offensive nature;
      6. promotes the use of unlawful violence against a person or property; or
      7. is or contains material which is discriminatory based on race, origin, belief, sexual orientation, physical or mental disability, age or any other illegal category.
   7. In the event of any breach (or alleged breach) of clause 7.6, Katapult may without prior notice:
      1. disable or suspend access to or use of the Services or to any part of them that allows access to or use of any material which is causing (or is alleged to cause) a breach of clause 7.6; and/or
      2. delete any Customer Data that is causing (or is alleged to cause) a breach of clause 7.6, clause 4.6 shall apply to such disabling of access as it applies in the case of any suspension or temporary discontinuance or modification of the Services under clause 4.6.
   8. It is the Customer’s responsibility to understand if software within the Customer Data includes programs (including third party programs) that might access the Services or Customer Data. Katapult has no responsibility (howsoever arising, including in negligence) to prevent any such access nor for the consequences of such access (including the deletion or disclosure of Customer Data, whether or not intended or authorised).
   9. The Customer shall indemnify Katapult against all claims, losses, costs or expenses (including all Data Protection Losses) incurred by Katapult in consequence of any non-compliance by the Customer with the provisions in this clause 7, any of the provisions of Schedule 6 or with the Policies.

8. Fees

   1. Katapult shall invoice the Customer for the Fees Monthly in arrears. Katapult shall raise its invoices within two days of one complete Month’s usage of the chargeable Services to which the invoice relates. For illustrative purposes only the process is described in more detail in Schedule 1.
   2. On rare occasions, the Customer may be invoiced an amount up to the Customer’s current balance part way through a Month in an effort to verify the authenticity of the Customer’s account information. This process ensures that Customers without a payment history are not subjected to additional scrutiny. Payment terms for this type of invoice are the same as for the invoices you will receive on a Monthly basis.
   3. The Customer shall pay all invoices in full and in cleared funds upon receipt of each invoice from Katpault. Fees detailed in invoices are due on the day they are presented to the Customer.
   4. Unless stated to the contrary, all Fees are exclusive of VAT or other charges imposed by law from time to time, and the Customer shall in addition pay such VAT and other charges at the rate and in the manner prescribed by law from time to time. The Customer is responsible for any duties, customs fees, taxes and relates penalties, fines, audits, interest and back-payments relating to the Customer’s purchase of the Services, including any local sales taxes, national sales taxes or other charges similar in nature to VAT. Where Katapult is obliged to pay such taxes on behalf of the Customer, the Customer agrees to indemnify Katapult in full.
   5. Katapult may increase the Standard Pricing Terms from time to time provided it has given the Customer at least 31 days’ written notice of the increase coming into effect. This has the consequence that no Customer will have an increase in Standard Pricing Terms within the first Term after the Commencement Date.
   6. If, acting in good faith, the Customer disputes any item within an invoice, it shall raise such dispute by written notice to Katapult within three days of receipt of the invoice and the parties shall negotiate in good faith to attempt to resolve the dispute promptly. If the dispute is not resolved within 14 days of the said notice being given, the dispute shall be resolved in accordance with clause 17. Any amounts not disputed in accordance with this clause 8.6 shall be deemed accepted and must be paid by the Customer in accordance with clause 8.3. In relation to payments disputed in good faith, interest under clause 8.9 is payable after the dispute is resolved, on sums found or agreed to be due, from the due date until payment is made
   7. For Katapult accounts with a billing country set as the UK or any of the British Crown Dependencies or any British Overseas Territories, invoices will be raised in pounds sterling and the Customer shall make full payment in pounds sterling without set-off or deduction. For Katapult accounts with a billing country set as any country within the European Union, invoices will be raised in euros and the Customer shall make full payment in euros without set-off or deduction. For Katapult accounts with a billing country set as anywhere outside the UK (and its Crown Dependencies and British Overseas Territories) or the EU, invoices will be raised in US dollars and the Customer shall make full payment in US dollars without set-off or deduction.
   8. Timely payment shall be of the essence and in addition to its other rights and remedies under the terms of this Agreement or at law, Katapult may suspend any or all Services after 7 days of the due date pending full payment. Clause 4.6 shall apply to such suspension as it applies in the case of any suspension or temporary discontinuance or modification of the Services under clause 4.6.
   9. If any sum is not paid by the due date for payment as set out above, Katapult may charge interest on any outstanding balance at the rate of 5% per annum above the base rate of the Bank of England such interest to accrue on a daily basis 7 days after payment of the invoice falls due and to be compounded quarterly.

9. Warranties

   1. Each of the parties warrants to the other that it has full power and authority to enter into and perform its obligations under this Agreement.
   2. Katapult warrants to the Customer that:
      1. it has the right, power and authority to grant the Customer the rights set out in this Agreement and provide the Services;
      2. it will provide the Services using reasonable care and skill; and
      3. the access to, receipt of and use of the Services will not infringe the Intellectual Property Rights of any third party.
   3. Katapult does not warrant that the Customer’s use of the Services will be uninterrupted or error-free or that it will meet the Customer’s specific requirements. Katapult does not warrant that the Services are or will be interoperable with or capable of working in conjunction with any other software or hardware, for which the Customer takes full responsibility.
   4. The Customer warrants and represents to Katapult that it has done such reasonable due diligence of the Services prior to the Commencement Date and takes sole responsibility for their suitability for its own intended purposes. The Customer acknowledges that Katapult is making available to it a general service made available to its customers generally and that it is not making a bespoke service available specifically for the Customer’s individual requirements.
   5. The Customer warrants that the Customer and all the Authorised Users will behave at all times in a polite and professional manner towards all Katapult staff.
   6. Other than as set out in this Agreement all warranties, conditions, terms, undertakings or obligations whether express or implied and including any implied terms relating to quality, fitness for any particular purpose or ability to achieve a particular result are excluded to the fullest extent allowed by applicable law.

10. Data protection

    Each party shall comply with its respective obligations, and may exercise its respective rights and remedies, under Schedule 6.

11. Systems monitoring

    Katapult may monitor, collect, store and use information on the use and performance of the Services (including Customer Data) to detect threats or errors to the Services and/or Katapult’s operations and for the purposes of the further development and improvement of Katapult’s services, provided that such activities at all times comply with Schedule 6 and the Privacy Policy referred to therein.

12. Intellectual Property Rights

    1. Katapult or its licensors shall retain ownership of all Intellectual Property Rights in the Services and in any materials created by Katapult (or anyone acting on its behalf) in the course of providing the Services, whether those materials are provided to the Customer or not. The Customer shall execute all such documents and do such things as Katapult may consider necessary to give effect to this clause 12.1.
    2. The Customer shall retain ownership of all Intellectual Property Rights in the Customer Data.
    3. The Customer hereby grants Katapult a non-exclusive, sub-licensable (including by multi-tier), worldwide, royalty-free licence to use, transmit, copy, install and otherwise utilise:
       1. the Customer Data; and
       2. any software, materials and data made available to Katapult (or those acting on its behalf) by or on behalf of the Customer or any Authorised User, to the extent necessary to enable Katapult to provide the Services and exercise its rights and perform its obligations under this Agreement.
    4. Subject to clauses 12.7 and 14, Katapult shall:
       1. defend at its own expense any claim brought against the Customer by any third party alleging that the Customer’s use of the Services in accordance with this Agreement infringes any copyright, database right or registered trademark, registered design right or registered patent in the United Kingdom (an “IP Claim”); and
       2. pay all costs and damages awarded or agreed in settlement or final judgment of an IP Claim
    5. The provisions of clause 12.6 shall be the Customer’s sole and exclusive remedy (howsoever arising, including in contract, tort, negligence or otherwise) for any IP Claim.
    6. The provisions of clause 12.6 shall not apply unless the Customer:
       1. promptly notifies Katapult upon becoming aware of any actual or threatened IP Claim and provides full written particulars;
       2. makes no comment or admission and takes no action that may adversely affect Katapult’s ability to defend or settle the IP Claim;
       3. provides all assistance reasonably required by Katapult subject to Katapult paying the Customer’s reasonable costs; and
       4. gives Katapult sole authority to defend or settle the IP Claim as Katapult considers appropriate.
    7. The Customer shall indemnify, keep indemnified and hold harmless Katapult (on Katapult’s own behalf on behalf of each Supplier Indemnified Person) from and against any losses, claims, damages, liability, costs (including legal and other professional fees) and expenses incurred by it or by any Supplier Indemnified Person as a result of or in connection with any action, demand or claim that the transmission, receipt, copying, installation, use, possession or other utilisation of the Customer Data in accordance with this Agreement infringes the Intellectual Property Rights of any third party.

13. Confidentiality

    1. Each party agrees that it may use the other party’s Confidential Information only in the exercise of its rights and performance of its obligations under this Agreement and that it shall not disclose the other party’s Confidential Information including all knowhow, trade secrets, financial, commercial, technical, tactical or strategic information of any kind except in accordance with this clause 13.
    2. Subject to clause 13.5, each party may disclose the other party’s Confidential Information to those of its employees, officers, advisers, agents or representatives who need to know the other party’s Confidential Information in order to exercise the disclosing party’s rights or perform its obligations under this Agreement provided that the disclosing party shall ensure that each of its employees, officers, advisers, agents or representatives to whom Confidential Information is disclosed is aware of its confidential nature and complies with this clause 13 as if it were a party.
    3. Subject to clause 13.5, each party may disclose any Confidential Information required by law, any court, any governmental, regulatory or supervisory authority (including any regulated investment exchange) or any other authority of competent jurisdiction.
    4. Each party shall indemnify the other from and against any losses, damages, liability, costs (including legal fees) and expenses which the other party may incur or suffer as a result of or arising from any breach of its obligations under this clause 13.
    5. To the extent any Confidential Information is Protected Data, such Confidential Information may be disclosed or used only to the extent such disclosure or use does not conflict with any provision of Schedule 6.

14. Liabilities

    1. Notwithstanding any provision in this Agreement, neither party excludes or limits any liability for:
    1. personal injury or death to the extent that results from the negligence of a party or any person for whom it is responsible at law;
    2. fraud or fraudulent misrepresentation;
    3. any breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
    4. any other liability to the extent the same cannot be excluded or limited by law.
    1. Subject to clause 14.1, Katapult shall not be liable to the Customer in respect of:
       1. any loss of profit, business, contracts, opportunity, goodwill, revenues, anticipated savings or similar loss, or any loss of use, destruction or corruption of software or data (including Customer Data), or any claims or losses by third parties (and in each case, whether these losses are direct, indirect, special or consequential); and/or
       2. any indirect, special or consequential loss or damage (whether for loss of profit or otherwise), of whatever nature and whether based on contract, tort (including negligence), breach of statutory duty or otherwise arising out of or in connection with this Agreement or any activities related to this Agreement.
    2. Subject to clauses 14.1 and 14.2, Katapult’s maximum liability to the Customer for all and any claims of whatever nature and whether based on contract, tort (including negligence), breach of statutory duty or otherwise arising out of or in connection with this Agreement or any activities related to this Agreement shall be limited in any twelve month period starting with the Commencement Date to a sum equal to the Fees paid or payable by the Customer to Katapult in that twelve month period.
    3. The Customer takes full responsibility and shall accept all liability in respect of the use it makes of the Services and the results it achieves from them.

15. Termination

    1. Either party may terminate this Agreement at any time by giving notice in writing to the other party if:
       1. the other party commits a material breach of this Agreement and such breach is not remediable;
       2. the other party commits a material breach of this Agreement which is not remedied within 14 days of receiving written notice of such breach; or
       3. the other party has failed to pay any amount due under this Agreement on the due date and such amount remains unpaid within 7 days after the other party has received notification that the payment is overdue.
    2. Either party may terminate this Agreement at any time by giving notice in writing to the other party if that other party:
       1. stops carrying on all or a significant part of its business, or indicates in any way that it intends to do so;
       2. is unable to pay its debts either within the meaning of section 123 of the Insolvency Act 1986 or if the non-defaulting party reasonably believes that to be the case;
       3. becomes the subject of a company voluntary arrangement under the Insolvency Act 1986;
       4. has a receiver, manager, administrator or administrative receiver appointed over all or any part of its undertaking, assets or income;
       5. has a resolution passed for its winding-up;
       6. has a petition presented to any court for its winding-up or an application is made for an administration order, or any winding-up or administration order is made against it;
       7. is subject to any procedure for the taking control of its goods that is not withdrawn or discharged within seven days of that procedure being commenced;
       8. has a freezing order made against it;
       9. is subject to any recovery or attempted recovery of items supplied to it by a supplier retaining title in those items;
       10. is subject to any events or circumstances analogous to those in clauses 15.2.1 to 15.2.9 in any jurisdiction; or
       11. takes any steps in anticipation of, or has no realistic prospect of avoiding, any of the events or procedures described in clauses 15.2.1 to 15.2.10 including for the avoidance of doubt, but not limited to, giving notice for the convening of any meeting of creditors, issuing an application at court or filing any notice at court, receiving any demand for repayment of lending facilities, or passing any board resolution authorising any steps to be taken to enter into an insolvency process
    3. The right of a party to terminate this Agreement pursuant to clause 15.2 shall not apply to the extent that the relevant procedure is entered into for the purpose of amalgamation, reconstruction or merger (where applicable) where the amalgamated, reconstructed or merged party agrees to adhere to this Agreement.
    4. Termination or expiry of this Agreement shall not affect any accrued rights and liabilities of either party at any time up to the date of termination.

16. Consequences of termination

    1. Upon termination or expiry of this Agreement for any reason:
       1. the obligation on Katapult to provide any Services and any rights and licences granted by Katapult under this Agreement shall immediately terminate (including, for the avoidance of doubt, any rights granted to Authorised Users to access the Cloud Services);
       2. the Customer shall immediately pay all sums outstanding to Katapult; and
       3. each party shall return to the other party and make no further use of any materials, software or other items (excluding Customer Data, which is addressed in clause 16.4) whatsoever (or of any copies of them) belonging to the other party and/or provided by it pursuant to this Agreement.
    2. Termination or expiry of this Agreement for any reason is without prejudice to any rights or liabilities which have accrued prior to the date of termination.
    3. Termination or expiry of this Agreement will not affect those provisions which expressly or by necessary implication are intended to survive termination of this Agreement including clause 7 and clauses 10 to 14 (inclusive).
    4. Unless otherwise agreed in writing by the parties, the Customer hereby instructs that within 90 days of the earlier of the end of the Term or the end of the provision of the Services (or any part) relating to the processing of the Customer Data, Katapult shall securely dispose of all Customer Data in Katapult’s possession or control processed in relation to the Services (or any part) which have ended (and all existing copies of it) except to the extent that any Applicable Law (as defined in Schedule 6) requires Katapult to store such Customer Data. Katapult shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Customer Data undertaken in accordance with this Agreement.

17. Dispute resolution

    1. If any dispute arises between the parties out of, or in connection with, this Agreement, the matter shall be referred to directors, business owners or managers of an equivalent level of each party who shall use their reasonable endeavours to resolve it.
    2. If the dispute is not resolved within 14 of the referral being made under clause 1.1, the parties shall resolve the matter through mediation in accordance with the London Court of International Arbitration Mediation Rules.
    3. Until the parties have completed the steps referred to in clauses 17.1 and 17.2, and have failed to resolve the dispute, neither party shall commence formal legal proceedings or arbitration except that either party may at any time seek urgent interim relief from the courts or emergency arbitrator relief.

18. Entire agreement

    1. The parties agree that this Agreement and any documents entered into pursuant to it constitutes the entire agreement between them and supersedes all previous agreements, understandings and arrangements between them, whether in writing or oral in respect of its subject matter.
    2. Each party acknowledges that it has not entered into this Agreement or any documents entered into pursuant to it in reliance on, and shall have no remedies in respect of, any representation or warranty that is not expressly set out in this Agreement or any documents entered into pursuant to it. No party shall have any claim for innocent or negligent misrepresentation on the basis of any statement in this Agreement.

19. Notices

    1. Notices under this Agreement shall be in writing and sent to a party’s address as set out on the first page of this Agreement (or to the email address set out below). Notices may be given, and shall be deemed received:
       1. by first-class post: two Business Days after posting;
       2. by airmail: seven Business Days after posting;
       3. by hand: on delivery; and
       4. by email to team@katapult.io in the case of Katapult and the address registered on the account in the case of the Customer: on receipt of a delivery return email.
    2. This clause does not apply to notices given in legal proceedings or arbitration.

20. Announcements

    No announcement or other public disclosure concerning this Agreement or any of the matters contained in it shall be made by, or on behalf of, a party without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed), except as required by law, any court, any governmental, regulatory or supervisory authority (including any recognised investment exchange) or any other authority of competent jurisdiction.

21. Force Majeure

    Neither party shall have any liability under or be deemed to be in breach of this Agreement for any delays or failures in performance of this Agreement which result from any event beyond the reasonable control of that party. The party affected by such an event shall promptly notify the other party in writing when such an event causes a delay or failure in performance and when it ceases to do so. If such an event continues for a continuous period of more than three months, either party may terminate this Agreement by written notice to the other party.

22. Assignment

    1. Neither party shall have any liability under or be deemed to be in breach of this Agreement for any delays or failures in performance of this Agreement which result from any event beyond the reasonable control of that party. The party affected by such an event shall promptly notify the other party in writing when such an event causes a delay or failure in performance and when it ceases to do so. If such an event continues for a continuous period of more than three months, either party may terminate this Agreement by written notice to the other party.
       1. The Customer shall not assign, subcontract or encumber any right or obligation under this Agreement, in whole or in part, without the prior written consent of Katapult.
       2. Katapult may assign, transfer, charge, sub-contract or deal in any other manner with any of our rights or obligations under this Agreement.

23. No partnership or agency

    The parties are independent businesses and are not partners, principal and agent or employer and employee and this Agreement does not establish any joint venture, trust, fiduciary or other relationship between them, other than the contractual relationship expressly provided for in it. None of the parties shall have, nor shall represent that they have, any authority to make any commitments on the other party’s behalf.

24. Severability

    1. Each provision of this Agreement is severable and distinct from the others. If any provision in this Agreement (or part thereof) is or becomes illegal, invalid or unenforceable under applicable law, but would be legal, valid and enforceable if the provision or some part of it was deleted or modified (or the duration of the relevant provision reduced):
       1. the relevant provision (or part thereof) will apply with such deletion or modification as may be required to make it legal, valid and enforceable; and
       2. without limiting the foregoing, in such circumstances the parties will promptly and in good faith seek to negotiate a replacement provision consistent with the original intent of this Agreement as soon as possible.

25. Waiver

    No failure, delay or omission by either party in exercising any right, power or remedy provided by law or under this Agreement shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right or remedy. No single or partial exercise of any right, power or remedy provided by law or under this Agreement shall prevent any future exercise of it or the exercise of any other right, power or remedy.

26. Third party rights

    Except as expressly provided for in this Agreement, a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 (C(RTP)A 1999) to enforce any of the provisions of this Agreement.

27. Conflicts

    1. In the event of any conflict or inconsistency between different parts of this Agreement, the following descending order of priority applies:
       1. the terms and conditions in the main body of this Agreement and Schedule 6 (including its Appendix 1 and the Privacy Policy referenced in Schedule 6);
       2. the other Schedules
    2. Subject to the above order of priority between documents, later versions of documents shall prevail over earlier ones if there is any conflict or inconsistency between them.

28. Governing law

    This Agreement and any dispute or claim arising out of, or in connection with it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England and Wales.

29. Jurisdiction

    The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of, or in connection with, this Agreement, its subject matter or formation (including non-contractual disputes or claims).

1. Once you have registered as a Customer, your Customer area can be found at my.katapult.io and is known as your “Katapult Console”.
2. If you create an account for a business it will be known as an organisation. If you create an account in your personal capacity it will be known as a personal organisation
3. Within the Katapult Console you may create organisations for each business account you require. Authorised Users may be added to each organisation within the Katapult Console.
4. If you registered initially as a business you may also create a personal account in your name, a personal organisation. A personal organisation is personal to the Customer and therefore you may not add Authorised Users to a personal organisation.
5. When you wish to start using the Services that are subject to Fees (even if you are not due to pay as a result of an applied account credit) you will need to login to your Katapult Console to order the Services. Within the Katapult Console you will need to choose (which will either be for you as an organisation or for you as a personal organisation) what level of Services you require to launch your virtual machine. When you confirm your choice of virtual machine you also confirm we may charge you the Fees as published on our site katapult.io, which is also referenced in Schedule 2.
6. The Commencement Date for your account will be the date you registered as a Katapult Customer. When you create an organisation or a personal organisation within your Katapult Console, the Commencement Date for that organisation or personal organisation will be the date you created it.
7. When you wish to change the Services you are receiving you need to login to your Katapult Console and choose the appropriate organisation or personal organisation and make the changes you want.

All up to date Services and associated prices can be found at katapult.io. This Schedule is for reference only. If there is a discrepancy between the figures quoted here and at katapult.io then the prices published on our site from time to time shall prevail.

1. This acceptable use policy sets out the terms between you and Katapult under which you may use our Services and is supplementary to the conditions set out in clause 7 above. We may revise these conditions at any time by providing you with at least 30 days notice in writing by email.
2. The Customer may use the Services only for lawful purposes. The Services may not be used:
   1. In any way that breaches any applicable local, national or international law or regulation, including copyright or other intellectual property law;
   2. In any way that is unlawful or fraudulent, or has any unlawful or fraudulent purpose or effect;
   3. For the purpose of harming or attempting to harm minors in any way;
   4. For using the Services in a way intended to harm our network, its reputation, or the reputation of Katapult;
   5. For misusing the Services and Katapult’s system resources in a way that employs programs that consume excessive network capacity, CPU cycles or disk IO;
   6. To transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam);
   7. To transmit knowingly any data, send or upload any material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.

3. The Services may not be accessed in order to damage or disrupt

   1. any part of our network; or
   2. any equipment used by our network; or
   3. any software used in the provision of our Services; or
   4. any equipment or network or software owned or used by any third party

Commercially reasonable efforts to keep Services and all data for which we are responsible secure. We adhere to industry best practice standards and work to certification standards internally to secure our service.

See our site katapult.io for details of security certifications

1. If either party wishes to make a change (“Change”) to this Agreement at any time, the Customer may request, and Katapult may recommend, any such change (“Change Request”) under the procedure set out in this Schedule
2. Subject to Changes that are excluded from this process according to the terms of this Agreement and its Schedules, all material modifications in the Services themselves that will impact significantly the Services that a large portion of Customers receive from Katapult shall be managed using this Change Control Procedure together with any modification to the terms of this Agreement.
3. Each Change Request shall contain the following information in order to enable the parties to assess the impact of the proposed change:
   1. Details of the party initiating the Change Request including name of individual/contact person, name of organisation (if applicable), contact email addresses or telephone numbers;
   2. Details of proposed Change;
   3. Details of the anticipated impact on the other party;
   4. Reasons the party wishes to make the proposed Change;
   5. Date proposed Change will come into effect.
4. When a party wishes to issue a Change Request they shall do so by email. For these purposes Katapult’s email address is team@katapult.io.
5. Where one party issues a Change Request, the other party shall reply to the Change Request within 10 Business Days of receipt, or such period as it otherwise agreed between the parties, either agreeing to the Change Request or refusing the Change Request and outlining the reasons for refusal.
6. A Change Request shall only become binding on the parties once the Change Request has been accepted by an authorised representative of both parties. No variation of this Agreement for issues covered by this Change Request Procedure shall be valid unless the provisions of this Schedule are complied with.
7. Until a Change Request has been made in accordance with this Schedule and has been accepted by an authorised representative of both parties, the Customer and Katapult shall continue to perform this Agreement in compliance with its terms prior to the written agreement of the Change Request.
8. Any services provided or goods supplies by Katapult which have not been agreed in accordance with the provisions of this Schedule shall be undertaken entirely at the expense and liability of Katapult.
9. Nothing in this Schedule shall prevent either party from terminating the Agreement in accordance with clause 3.2, 6.2, 15, 21 or Schedule 6.

This Schedule incorporates the body of this Schedule together with its Appendix 1.

1. Definitions

   1. In this Schedule defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of this Agreement. In addition in this Schedule the following definitions have the meanings given below:

      Applicable Law means applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states from time to time together with applicable laws in the United Kingdom from time to time;

      Appropriate Safeguards means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

      Certification Policy means Katapult’s policy relating to routine third party certifications and audits arranged by it in relation to the Services and its policies on disclosure of the same to customers (as Updated from time to time), which as at the Commencement Date is the latest version available at katapult.io;

      Controller has the meaning given to that term in Data Protection Laws;

      Data Protection Laws means all Applicable Laws relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances:

      1. (a) the GDPR;
      2. (b) the Data Protection Act 2018;
      3. (c) any laws which implement any such laws; and
      4. (d) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time);

      Data Protection Losses means all liabilities, including all:

      1. (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
      2. (b) to the extent permitted by Applicable Law:
      3. (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
      4. (ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
      5. (iii) the reasonable costs of compliance with investigations by a Supervisory Authority;

      Data Subject has the meaning given to that term in Data Protection Laws;

      Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

      GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679;

      International Recipient means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer’s prior written authorisation;

      List of Sub-Processors means the latest version of the list of Sub-Processors used by Katapult, as Updated from time to time, which as at the date of this Agreement is detailed in our Privacy Policy;

      Onward Transfer means a Transfer from one International Recipient to another International Recipient;

      Personal Data has the meaning given to that term in Data Protection Laws;

      Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

      Privacy Policy Katapult’s privacy policy in relation to the Services (as Updated from time to time), which as at the Commencement Date is the latest version available at katapult.io;

      processing has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);

      Processing Instructions has the meaning given to that term in paragraph 3.1.1;

      Processor has the meaning given to that term in Data Protection Laws;

      Protected Data means Personal Data in the Customer Data;

      Sub-Processor means another Processor engaged by Katapult for carrying out processing activities in respect of the Protected Data on behalf of the Customer;

      Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;

      Transfer bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (or to the extent wider the definition of ‘transfer’ in equivalent provisions of UK Data Protection Laws). Without prejudice to the foregoing, this term also includes all Onward Transfers. Related expressions such as Transfers,Transferred and Transferring shall be construed accordingly;

      UK Data Protection Laws means Data Protection Laws that form part of the law of England and Wales, Scotland and/or Northern Ireland from time to time;

      Update has the meaning given in paragraph 12.2, and Updated shall be construed accordingly; and

      Update Notification has the meaning given in paragraph 12.1.

2. Processor and Controller

   1. The Parties agree that, for the Protected Data, the Customer shall be the Controller and Katapult shall be the Processor. Nothing in this Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
   2. To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct Katapult to process the Protected Data in accordance with this Agreement.
   3. Katapult shall process Protected Data in compliance with:
      1. the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under this Agreement; and
      2. the terms of this Agreement.
   4. The Customer shall ensure that it and each Authorised User shall at all times comply with:
      1. all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
      2. the terms of this Agreement.
   5. The Customer warrants, represents and undertakes, that at all times:
      1. all Protected Data (if processed in accordance with this Agreement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws;
      2. it shall ensure (and is exclusively responsible for) the accuracy, quality, integrity and legality of the Protected Data and that its use (including use in connection with the Service) complies with all Applicable Laws and Intellectual Property Rights;
      3. fair processing and all other appropriate information notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by Katapult and its Sub-Processors in accordance with this Agreement;
      4. the Protected Data is accurate and up to date;
      5. it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to Katapult (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Katapult or any other person;
      6. all instructions given by it to Katapult in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
      7. without prejudice to the generality of clause 9.4, it has undertaken due diligence in relation to Katapult’s processing operations and commitments and it is satisfied (and all times it continues to use the Services remains satisfied) that:
         1. Katapult’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Katapult to process the Protected Data;
         2. the technical and organisational measures set out in Schedule 4 (as Updated from time to time) shall (if Katapult complies with such obligations) ensure a level of security appropriate to the risk in regards to the Protected Data; and 2.5.7.2 Katapult has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

3. Instructions and details of processing

   1. Insofar as Katapult processes Protected Data on behalf of the Customer, Katapult:
      1. unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this paragraph 3.1 and paragraphs 3.3 and 3.4 (including when making a Transfer of Protected Data to any International Recipient), as Updated from time to time and as otherwise set out in this Agreement (“Processing Instructions”);
      2. if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
      3. shall promptly inform the Customer if Katapult becomes aware of a Processing Instruction that, in Katapult’s opinion, infringes Data Protection Laws, provided that:
         1. this shall be without prejudice to paragraphs 2.4 and 2.5; and
         2. to the maximum extent permitted by applicable law, Katapult shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of the information required by this paragraph 3.1.3.
   2. The Customer shall be responsible for ensuring all Authorised User’s read and understand the Privacy Policy (as Updated from time to time).
   3. The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command Katapult is under no obligation to seek to restore it.
   4. The processing of the Protected Data by Katapult under this Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Appendix 1.

4. Technical and organisational measures

   Taking into account the nature of the processing, Katapult shall implement and maintain technical and organisational measures in relation to the processing of Protected Data by Katapult, as set out in Schedule 4 and the Privacy Policy; and subject to paragraph 6.1, to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with Katapult’s Standard Pricing Terms.

5. Using staff and other Processors

   Taking into account the nature of the processing, Katapult shall implement and maintain technical and organisational measures in relation to the processing of Protected Data by Katapult, as set out in Schedule 4 and the Privacy Policy; and subject to paragraph 6.1, to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with Katapult’s Standard Pricing Terms.

   1. Katapult shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data (except in accordance with this Agreement) without the Customer’s written authorisation of that specific Sub-Processor (such authorisation not to be unreasonably withheld, conditioned or delayed).
   2. The Customer authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as Updated from time to time.
   3. Katapult shall:
      1. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 2 to 13 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures); and
      2. remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
   4. Katapult shall ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Katapult shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).

6. Assistance with compliance and Data Subject rights

   1. Katapult shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay Katapult for all work, time, costs and expenses incurred in connection with such activity, calculated on a time and materials basis at Katapult’s rates set out in the Katapult’s Standard Pricing Terms.
   2. Katapult shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Katapult) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
      1. security of processing;
      2. data protection impact assessments (as such term is defined in Data Protection Laws);
      3. prior consultation with a Supervisory Authority regarding high risk processing; and
      4. notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach, provided the Customer shall pay Katapult for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at Katapult’s rates set out in Katapult’s Standard Pricing Terms.

7. International data TransfersInternational data Transfers

   1. Subject to paragraphs 7.2 and 7.5, Katapult shall not Transfer any Protected Data:
      1. from any country to any other country; and/or
      2. to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries, without the Customer’s prior written authorisation except where Katapult is required to Transfer the Protected Data by Applicable Law (and shall inform the Customer of that legal requirement before the Transfer, unless those laws prevent it doing so).
   2. The Customer hereby authorises Katapult to Transfer any Protected Data for the purposes referred to in paragraph 3.4 to any International Recipient(s), provided all Transfers by Katapult of Protected Data to an International Recipient (and any Onward Transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws and this Agreement. The provisions of this Agreement shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1.1.
   3. Katapult (or its Sub-Processors) may only process Protected Data in the following locations: the United Kingdom, the European Economic Area, and other countries approved by the European Commission as providing an adequate level of protection which include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework).
   4. The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that Katapult does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Appropriate Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.

8. Information and audit

   1. Katapult shall maintain, in accordance with Data Protection Laws binding on Katapult, written records of all categories of processing activities carried out on behalf of the Customer.
   2. On request, Katapult shall provide the Customer (or auditors mandated by the Customer) with a copy of the third party certifications and audits to the extent made generally available to its customers. Such information shall be confidential to Katapult and shall be Katapult’s Confidential Information as defined in this Agreement, and shall be treated in accordance with applicable terms.
   3. In the event that the Customer, acting reasonably, deems the information provided in accordance with paragraph 8.2 insufficient to satisfy its obligations under Data Protection Laws, Katapult shall, on request by the Customer make available to the Customer such information as is reasonably necessary to demonstrate Katapult’s compliance with its obligations under this Schedule and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose provided:
      1. such audit, inspection or information request is reasonable, limited to information in Katapult’s possession or control and is subject to the Customer giving Katapult reasonable (and in any event at least 60 days’) prior notice of such audit, inspection or information request;
      2. the parties (each acting reasonably, and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Customer or third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure Katapult is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3);
      3. the Customer shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of Katapult;
      4. the duration of any audit or inspection shall be limited to one Business Day;
      5. all costs of such audit or inspection or responding to such information request shall be borne by the Customer, and Katapult’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Customer on a time and materials basis in accordance with Katapult’s Standard Pricing Terms;
      6. the Customer’s rights under this paragraph 8.3 may only be exercised once in any consecutive twelve month period, unless otherwise required by a Supervisory Authority or if the Customer (acting reasonably) believes Katapult is in breach of this Schedule;
      7. the Customer shall promptly (and in any event within one Business Day) report any non-compliance identified by the audit, inspection or release of information to Katapult;
      8. the Customer agrees that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits shall be Katapult’s Confidential Information, and shall be treated in accordance with applicable terms;
      9. the Customer shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of Katapult while conducting any such audit or inspection; and
      10. this paragraph 8.3 is subject to paragraph 8.4.
   4. The Customer acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that Katapult or the Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 8.3 and:
      1. the Customer’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s);
      2. to the extent any information request, audit or inspection of any Sub-Processor are permitted in accordance with this paragraph 8.4, equivalent restrictions and obligations on the Customer to those in paragraphs 8.3.1 to 8.3.10 (inclusive) shall apply together with any additional or more extensive restrictions and obligations applicable in the circumstances; and
      3. paragraphs 5.3.1 and 8.3 shall be construed accordingly.
   5. Notwithstanding paragraph 8.4, Katapult shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws. The Customer accepts that the provisions of paragraph 8.4 shall satisfy Katapult’s obligations in that regard.

9. Breach notification

   1. In respect of any Personal Data Breach involving Protected Data, Katapult shall, without undue delay (and in any event within 72 hours):
      1. notify the Customer of the Personal Data Breach; and
      2. provide the Customer with details of the Personal Data Breach.

10. Deletion of Protected Data and copies

    Following the end of the provision of the Services (or any part) relating to the processing of Protected Data Katapult shall dispose of Protected Data in accordance with its obligations under this Agreement. Katapult shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with this Agreement.

11. Compensation and claims

    1. Katapult shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Agreement:
       1. only to the extent caused by the processing of Protected Data under this Agreement and directly resulting from Katapult’s breach of this Agreement; and
       2. in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Agreement by the Customer (including in accordance with paragraph 3.1.3(b)).
    2. If a party receives a compensation claim from a person relating to processing of Protected Data in connection with this Agreement or Katapult, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
       1. make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
       2. consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under this Agreement for paying the compensation.
    3. The parties agree that the Customer shall not be entitled to claim back from Katapult any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate Katapult in accordance with this Agreement.
    4. This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
       1. to the extent not permitted by Applicable Law (including Data Protection Laws); and
       2. that it does not affect the liability of either party to any Data Subject.

12. Updates

    1. Without prejudice to clauses 6.1 to 6.4 (inclusive), Katapult may at its absolute discretion make, and notify the Customer of, updated versions of this Schedule 6 (including Appendix 1), the List of Sub-Processors, the Certification Policy and/or the Privacy Policy from time to time by notifying the Customer of such update by e-mail (together with a copy of the update or a link to a copy of the update), by publishing an updated version of the Privacy Policy on the Katapult website or by any other reasonable means which Katapult elects (“Update Notification”). Katapult will comply with its related obligations in this Schedule 6.
    2. The document(s) subject to such Update Notification shall replace the preceding version of the same document(s) for the purposes of this Agreement from the date 20 Business Days’ after Update Notification of such revised document(s) (the “Update”) (or at such later date as Katapult may specify).
    3. In the event that the Customer reasonably believes that any Update materially impacts it negatively in any manner it may by notice elect to terminate this Agreement in respect of all impacted Services provided it exercises such right prior to such Update taking effect pursuant to paragraph 12.2 on not less than 10 Business Days prior written notice and notifies Katapult at the time of exercising such right of the negative impact which has caused it to exercise this right. In the event of such termination if the Customer has pre-paid any Fees the Customer shall receive a refund in respect of such terminated Services.

13. Survival

    This Schedule (as Updated from time to time) shall survive termination (for any reason) or expiry of this Agreement and continue until no Protected Data remains in the possession or control of Katapult or any Sub-Processor, except that paragraphs 10 to 13 (inclusive) shall continue indefinitely.

14. Data protection contact

    Katapult’s Data Protection Officer is Dave Kimberley who may be contacted at dave@katapult.io

Subject-matter of processing: performance of respective rights and obligations under this Agreement and delivery and receipt of the Services under this Agreement

Duration of the processing: : From the Commencement Date until the earlier of final termination or final expiry of this Agreement, except as otherwise expressly stated in this Agreement