Mobile Connect Service Customer Proof of Concept Agreement
This Mobile Connect Service Customer Agreement (the “Agreement”) is an offer from GSMA MC LTD with an office at Floor 2, 25 Walbrook, London EC4N 8AF United Kingdom (“GSMA”) (the “Offer”).
If a person duly authorized by the entity identified below to accept this Agreement completes the form and clicks the “I Accept” button at the end of this Agreement, this Offer is accepted by the entity on whose behalf the form is completed and the “I Accept” button is clicked (“Customer”) and forms a binding contract (the “Agreement”), as of the date Customer clicks “I accept” (the “Effective Date”), for a period of 14 (Fourteen) days. This agreement is non-exclusive and either Party may terminate this Agreement for any reason immediately upon written notice to the other Party.
WHEREAS, GSMA wishes to provide and Customer wishes to use the Services for purposes of Customer conducting a Proof of Concept (“PoC”) on the terms and conditions specified herein. The Parties agree:
- Agreement. This Agreement is entered into by the Parties for the purpose of Customer testing the compatibility of the Application and the Services described and as defined at https://mobileconnect.io/in/attributes/
- Pricing and Fees. No Fees will be charged in connection with the PoC.
- Resale. Customer acknowledges and agrees that:
(i) the underlying services constituting the Services are provided to GSMA by one or more Operators in India
(ii) the Services are being resold to Customer by GSMA per agreements between these Operators and GSMA
(iii) the Resold Services will only work for End Users of the Operators with which GSMA has contractual arrangements to resell their underlying services, as set forth at https://mobileconnect.io/in/attributes/. The list of Operators, at https://developer.mobileconnect.io/operators, may be updated by GSMA from time to time.
- Access to the Services.
GSMA shall provide Customer with access to the Services, as set forth and described at https://mobileconnect.io/in/attributes/, as determined by GSMA from time to time. The POC shall be limited to 10 users, each of whom shall be employed by Customer. Customer shall be permitted 10,000 Transactions during the term and shall not exceed 2 TPS. GSMA shall be entitled, at any time and from time to time, in its sole discretion, to suspend or shut down Customer’s access to the Services. Customer shall not have the right to provide access to the Service to any third parties.
- Obligations of Customer. In addition to its other obligations under this Agreement, Customer will:
5.1 Utilize the Services pursuant to this Agreement; Not resell, sublicense, lease, or otherwise make the Services available to any third party; Not attempt to gain unauthorized access to, or disrupt the Services or the data therein; Not modify, copy or create derivative works based on the Services without written consent; Not reverse engineer the Services; Not Abuse the Services or allow others to do so for any purposes or in any manner that directly or indirectly or possibly violates the terms of this Agreement
5.2 Comply with all Applicable Laws, including those governing GSMA’s activities and ensure that Customer’s use of the Services is consistent with all such Applicable Laws, including, without limitation all licenses and authorizations held by GSMA; further the Customer shall, when required, assist GSMA in its dealings with law enforcement agencies and governmental authorities with regard to any investigation.
- General
6.1 Customer represents and warrants to GSMA that (i) it has all requisite power and authority to execute this Agreement and to perform its obligations hereunder, (ii) its use of the Services and any of the Applications or other Customer Services it provides through the Services do not and shall not infringe, or misappropriate the Intellectual Property Rights of any person or entity and (iii) complies and will continue to comply with all of GSMA’s guidelines, policies and business practices referenced in this Agreement. GSMA PROVIDES THE SERVICES “AS IS,” “WITH ALL FAULTS,” AND “AS AVAILABLE.” CUSTOMER BEARS THE RISK OF USING THE SERVICES IN ITS APPLICATION(S).
6.2 Any data, reports, specifications, equipment, technology, hardware, software (and related documentation), trade secrets, know-how, Confidential Information or processes or the like, and any other Intellectual Property Rights owned or controlled by any Party and either provided to another Party or developed solely by one Party under this Agreement, shall remain the property of that Party.
6.3 Each Party assumes full responsibility and agrees to be liable to the other Party for any violation (whether occurring before or after termination of this Agreement) of any obligation assumed hereunder and agrees to take all necessary steps to ensure understanding of and compliance with these provisions by all persons having access to the other Party’s Intellectual Property Rights.
6.4 Nothing herein shall be construed as granting any rights by license or otherwise in any Confidential Information except as provided herein. No license is granted in any Intellectual Property Rights relating to the Confidential Information. Any provision of this Agreement which by law or by its nature should survive, shall survive the termination or expiry of all or any part of this Agreement.
6.5 Customer assumes all risks and liability inherent in all uses of the Services. Customer shall take all necessary measures to avoid any damage to GSMA. Customer shall indemnify, hold harmless and defend GSMA and Operators (including their respective successors and assigns, Affiliates, officers, directors, employees, representatives, contractors and agents), from and against all claims, resulting from Customer’s use of the Services or any breach of this Agreement.
6.6 Except for actions, proceedings, claims or demands under Clause 6.4 (Confidential Information) and Clause 6.5 (Indemnification) neither Party shall in any event be liable for incidental, indirect, special or consequential damages of any kind or in connection with, this Agreement. For all other claims: i) in no event shall GSMA’s aggregate liability arising out of this Agreement, whether in contract, tort or under any other theory of liability, exceed One Hundred US Dollars ($100.00); and ii) in no event shall Customer’s aggregate liability arising out of this agreement, whether in contract, tort or under any other theory of liability, exceed Five Thousand US Dollars ($5,000.00).
6.7 The Parties agree that for purposes of any applicable Data Protection Laws: (a) each Operator is the “data controller” with respect to all “personal data” involved in the provision and resale of the Services by such Operator, (b) that Customer is a “data processor” and (c) GSMA is neither a data controller, data processor, nor a data sub-processor. Customer shall comply with the data protection/information security exhibit as set forth in the attached Exhibit 1, incorporated by reference (the “DP/IS Exhibit”).
6.8 Neither Party shall, without the other Party’s prior written approval, make any public announcement nor any disclosure as to the existence of or matters set forth in this Agreement.
6.9 This Agreement shall be governed exclusively by the internal laws of England and Wales, without regard to its conflicts of laws rules. The Parties hereby consent to the exclusive venue and jurisdiction of English courts for resolution of any disputes arising out of this Agreement.
6.10 For purposes of this Agreement: “Abuse” means, without limitation, any use of the Services, that in GSMA’s reasonable opinion is for, or is reasonably likely to or results in (i) any illegal, abusive, annoying or offensive activities, including the commission or encouragement of any action that may reasonably constitute a criminal offence (including stalking or harassment), (ii) disrupting or interfering with any network computers or other devices (including the transmission of a virus or other harmful component), (iii) defamation or intellectual property infringement, (iv) interference with service provided by others, (v) consumption of excessive network capacity, and (vi) use of any GSMA or Operator systems in any manner that seeks to avoid payment of any fees otherwise payable to a Party under this Agreement; “Applicable Laws” means all laws, regulations, license conditions and orders, rules and decisions of the municipal, local, state, provincial and federal governments or other authorities that are applicable to GSMA or Customer; “Application” means a software application or service of the Customer; “Confidential Information” means all information of each Party or a third party, including without limitation, that Party’s own know how and Information of any kind whatsoever, which is disclosed by one Party directly or indirectly to the other Party hereunder whether in writing (physically or electronically), visually or orally and which is designated as proprietary or confidential or which, under the circumstances, should reasonably be considered confidential; “Data Protection Laws” shall mean any data protection laws applicable to Processing of Personal Data contemplated by the Agreement; “Transaction” means the Customer has received either a successful or unsuccessful response when accessing the Service. A Transaction could be made up of one or several technical API calls; and “TPS” means the number of Transaction attempts per second.
END
EXHIBIT 1
Data Protection and Information Security Exhibit (“DP/IS Exhibit”)
1 Definitions
- For the purposes of this DP/IS Exhibit: (i) “Data Processor” means the entity which Processes Personal Data on behalf of the Controller; (ii) “Sub-processor” means any Data Processor engaged by the Customer; (iii) “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data; (iv) “Data Subject” means the identified or identifiable person to whom Personal Data relates; (v) “Personal Data” means any Information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person; (vi) “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (vii) “Services” shall have the meaning as set out in the Agreement; (viii) “Data Protection Laws” shall mean any data protection laws applicable to Processing of Personal Data contemplated by the Agreement; (ix) “Information Security” is the practice of preventing unauthorized access, use, disclosure, disruption, denial of access, modification, inspection, recording or destruction of information, regardless of the form e.g. electronic or physical; (x) “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data from the European Union/European Economic Area to Data Processors established in third countries (Data Controller-to-Data Processor transfers); (xi) “Top 10 Risks” means those risks to Information Security set out in the Open Web Application Security Project (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project); (xii) “IT System” means any IT system involved in the provision of services and deliverables to the GSMA; and (xiii) “Data Protection Impact Assessment” means an assessment of the impact of the envisaged Processing operations on the protection of Personal Data. Capitalized terms not otherwise defined in this Exhibit shall have the meanings set forth in the Agreement.
- In case of any conflict between the terms and conditions of this DP/IS Exhibit and the Agreement, this DP/IS Exhibit shall take precedence over the Agreement.
2 General Terms
2.1 When Personal Data are processed under the Agreement, neither GSMA nor its affiliates are a Data Processor or Data Controller. For the purpose of this Agreement, the network operator, signing up end-users for the Services, will remain at all times the Data Controller.
3 Security of Data
3.1 Implementation of IT Systems
The Customer will implement appropriate technical and organizational measures to ensure against unauthorized or unlawful access, use, disclosure, Processing or modification and accidental loss, destruction or damage (e.g. Data Controller Data ‘in flight’ or at rest will be encrypted and interfaces between IT Systems will use strong credentials and authentication). Security information will never be sent in the clear and administrative privileges will only be shared on a “need-to-know” basis. Logical and physical security of servers and other computer resources will be assured. Personal Data not needed at present will not be retained and will be retained for the shortest possible time. Data storage must be identified geographically. Any IT System shall protect against the Top 10 Risks.
3.2 Operation of IT Systems
The Customer will implement current industry standard protections for Information Security against any virus and internet attacks, not compromise security by functionality changes, patch IT Systems to industry good practice and keep code libraries up-to-date. It will achieve satisfactory test status by the Data Controller for all releases to the production environments, use a deployment process that ensures authority and efficacy of any release (including rollback and failed release planning) and maintain skilled staff or contractors to ensure IT Systems are appropriately supported at all times.
3.3 Upon written notice at reasonable intervals, and subject to the confidentiality obligations in the Agreement, the Customer shall make available a copy of the most recent audits or certifications.
4 The Customer’s Obligations
4.1 The Customer must at all times Process any Personal Data held in connection with the Agreement in accordance with all applicable Data Protection Laws and only for the purposes of fulfilling its obligations under the Agreement, and shall not Process Personal Data for any other purpose.
4.2 The Customer shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. The Customer shall ensure that access to Personal Data is limited to those personnel performing Services as per the Agreement.
4.3 If Customer becomes aware of: (a) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data which it Processes; or (b) any breach of any of the Data Protection Laws that apply directly to Customer, the Customer must take appropriate actions to contain, investigate, mitigate, recover, restore, and notify the GSMA without undue delay. The notification to the GSMA must contain sufficient information required to allow GSMA to identify the Data Controller.
4.4 In the event that the Customer receives any request or notice from a Supervisory Authority or Data Subject, the Customer will notify the Data Controller without undue delay and make all reasonable efforts to assist the Data Controller promptly with such requests.
4.5 In the event the Customer determines there is any event or condition for which notice must be provided by a Data Processor to a Data Controller under any applicable Data Protection Laws, Customer will provide such notice without delay to all appropriate Data Controllers.
4.6 The Customer agrees it may engage third-party Sub-processors in connection with the provision of the Services. The written contractual agreement between Customer and each Sub-processor shall contain data protection obligations not less protective than those in this DP/IS Exhibit with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. At the request of GSMA or the Data Controller, the Customer shall make available to the Data Controller the current list of Sub-processors for the Services identified in the Agreement.
4.7 Transfers of Personal Data from the European Economic Area, Switzerland, and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Article 45 of the GDPR (which includes the Privacy Shield Scheme) are only permitted where the country or organization offers appropriate safeguards such as the Standard Contractual Clauses.
4.8 Immediately on termination, expiry of the Agreement, or upon request by the Data Controller, the Customer must delete all Personal Data. If the relevant law binding on the Customer prevents it from doing as requested, the Customer hereby agrees that it will continue to observe the terms of this DP/IS Exhibit for as long as required to retain the Personal Data. Once no longer required to retain the Personal Data, the Customer will delete all Personal Data.
5 Data Protection Impact Assessments
5.1 Upon written request, the Customer will assist the Data Controller and GSMA in ensuring compliance with the Data Controller’s obligations to carry out a Data Protection Impact Assessment related to the Data Controller’s use of Services to the extent the Data Controller cannot access relevant information.