DEFINITIONS AND INTERPRETATION

In this Agreement the following definitions shall apply:

Active Customer means an End User who has made a purchase, transaction or becomes a subscriber or customer or continues to be a subscriber or customer with the Client and/or any of its Affiliates (to the extent such Affiliates are included in this Agreement) in the 12 months prior to the Effective Date, Renewal Date and/or any such review date.

Additional Functionality means (where purchased by the Client) additional features and/or additional services which may include professional services as identified in the Order Form.

Affiliate means, in relation to a party, any business entity from time to time directly or indirectly controlling, controlled by, or under common control with that party, where control means the beneficial ownership of more than 50% of the issued share capital of a company or the legal power to direct or cause the direction of the general management of the company and controlling and controlled will be interpreted accordingly.

Agreement means the Order Form, the Terms of Service, Product Terms and the Data Processing Agreement.

Annual Fee has the meaning given to it in the Order Form.

Authorised Users has the meaning given to it in clause 2.3 of this Agreement.

Client Content means the audio, visual or textual information, data, content (including any message and/or call-to-action which is intended to be displayed to End Users), illustrations, logos, documents, products and any other content or materials provided by the Client for Mention Me’s installation, customisation, performance or maintenance of the Platform and provision of the Services. For the purposes of this Agreement, Influencer Content shall be Client Content but the Client acknowledges that the Intellectual Property Rights in Influencer Content shall be agreed between the End User influencer and the Client.

Client Marks has the meaning given to it in clause 4.11 of the Terms of Service.

Client Website means each website and/or application with a separate domain or mobile application, owned and operated by the Client, in which the Platform is embedded or otherwise identified as part of the registration process for the Service(s), including, where applicable, any emails or other e-communications sent by the Client to End Users which are related to such domain, website and/or mobile application.

Confidential Information means any information disclosed by or on behalf of a party (the Disclosing Party) to the other party (the Receiving Party) or its representatives that would be regarded as confidential by a reasonable business person relating to the business, affairs, customers, clients, suppliers, plans, intentions, market opportunities, operations, processes, product information, know-how, designs, trade secrets or software of a party or any of its Affiliates (but not information that is publicly known through no fault of the Receiving Party). Information shall not constitute Confidential Information for the purposes of this Agreement to the extent that the information (a) is or becomes publicly available through no fault of the Receiving Party; (b) is already in the Receiving Party’s lawful possession prior to the Disclosing Party’s disclosure; or (c) is received by the Receiving Party from a third party without any restriction and without breach of any confidentiality obligation.

Configuration means the way in which the Client’s Service(s) is or are set up from time to time, specifically including: (a) the nature and amount of any Rewards and/or commission; (b) the design and copy contained in any End User facing materials; (c) the wording of the Offer Terms and Conditions; and (d) the settings of all other optional or configurable aspects of the Service(s) within the Platform.

Contract Year shall mean a consecutive period of 12 months. Each Contract Year shall commence on the Effective Date and on each anniversary of the Effective Date. It is acknowledged that the first Contract Year may be a different period of months as set out on the Order Form. In such an instance the first Contract Year shall be as set out on the Order Form.

Creative Insight Services shall mean access to the Creative Insight Sites (formerly known as In Situ).

Creative Insight Sites shall mean https://www.insitu.so, app.insitu.so or https://creative-insights.mention-me.com.

Data Processing Agreement or DPA means the agreement governing the processing of Protected Data entered into between the parties and set out in Schedule 1 of these Terms of Service.

Effective Date has the meaning given to it in the Order Form.

End User(s) means any person who uses or accesses a Service as made available on the Client Website or the Mention Me Website and, for the purposes of this Agreement, End Users shall include both those persons who have made Referrals and any Referred End Users.

Fees has the meaning given to it in and shall be payable to Mention Me in accordance with, clause 4 of the Terms of Service.

Good Industry Practice in relation to any undertaking and any circumstances, the exercise of that degree of professionalism, skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or company engaged in the same type of activity under the same or similar circumstances.

Group means, in relation to a party, that party and its Affiliates.

Influencer Content means content created by an influencer in connection with an Influencer Programme.

Influencer Programme means a structured setup that a Client can use to invite specific groups of influencers or ambassadors for collaborations aiming to achieve marketing goals such as brand awareness, engagement, or conversions (including the ability for End Users to become an influencer and receive a Reward or commission or any other payments for performing services for a Client as instructed through the Platform).

Influencer Services shall mean the provision of an influencer platform.

Integration Instructions means the documentation and instructions provided by Mention Me to the Client which describe the steps necessary to integrate the Platform with the Client Website or Client social media profile and related integration requirements.

Intellectual Property Rights means all intellectual property rights arising from or under all laws, directives, rules and regulations worldwide, including, but not limited to, rights to copyrights, trademarks, trade secrets, patents and any registrations or applications for registrations of any of the foregoing.

IP Claim has the meaning given to it in clause 4.4 of the Terms of Service.

Launch Date means the date on which the Platform and Service(s) are first available to be used and accessed by End Users through the Client Website.

Mention Me means Mention Me Limited, incorporated and registered in England and Wales with company number 08382730 whose registered office is at 20-22 Wenlock Road, London, N1 7GU, UK.

Mention Me Content means the audio and/or visual information, documents, software, products and services contained in or made available via the Platform or Software, Creative Insight Sites to the Client or End Users in the course of using or accessing a Service.

Mention Me Marks has the meaning given to it in clause 4.12 of the Terms of Service.

Mention Me Website means www.mention-me.com.

Minimum Period has the meaning given to it in the Order Form.

Offer Terms and Conditions means the specific Client terms that apply to a Service including the type of Reward, the amount of any commission (if relevant) and any time periods within which it must be claimed by an End User and any other conditions relating to the offer of the Reward and/or commission or participation in the Service(s).

Order Form means the key commercial terms relating to the Services entered into between Mention Me and the Client, which is either signed by or agreed to by the Client prior to the installation of Platform.

Platform means Mention Me’s proprietary technology (including any part of the Software embedded in the Client Website and any other software, hardware, products, processes, source code, object code, APIs, SDKs, algorithms, user interfaces, know-how, techniques, designs and other tangible or intangible technical material or information and/or the Creative Insight Sites) made available to the Client by Mention Me to enable Mention Me to provide the Services.

Product Terms has the meaning given to it in clause 1.9 of the Terms of Service.

Promoter Programme means any programme that may entitle End Users to a Reward that is made available to End Users through the Platform and/or utilising the Software whether through the Client Website, Mention Me Website or otherwise. The programme will also include such other features (e.g. NPS collection) as outlined on mention-me.com.

Promoter Services shall mean the provision of a refer-a-friend platform.

Protected Data has the meaning given to it in the Data Processing Agreement.

Referral means the referral to the Client of a new End User by another End User through a Mention Me Promoter Programme and Referred shall be interpreted accordingly.

Referred End Users means an End User who has been Referred when purchasing goods and/or services from the Client (or taken such other steps as are required in order to be eligible for a Reward in accordance with the Offer Terms and Conditions).

Renewal Date has the meaning given to it in clause 9 of the Terms of Service.

Representatives has the meaning given to it in clause 7.2 of the Terms of Service.

Revenue(s) means the Client’s total amounts generated from the actual invoiced price of the products and/or services offered for sale on the Client Website(s). Revenue shall not include delivery charges or refunds and is exclusive of VAT and any other government taxes, duties or levies.

Reward means the reward to which an End User may be entitled in accordance with the terms of the Service.

Services means all services provided by Mention Me relating to the Client’s Promoter Programmes, Influencer Programme, Creative Insight Services and (where purchased by the Client) Additional Functionality (in each case as outlined in the Order Form) through the use of the Software and the Platform as such services are from time to time detailed at mention-me.com which shall include the Set Up Services and Additional Functionality (where purchased).

Set Up Services shall mean the services described in the Statement of Work entitled implementation work breakdown.

Software means Mention Me’s proprietary computer software and any related user documentation and other online or offline materials that may be used by the Platform or by Mention Me in the provision of the Services.

Terms of Service means these terms of service.

Term has the meaning given to it in clause 9.1 of this Agreement.

Third Party Voucher means any Reward in the form of a voucher which can be redeemed for the goods or services of a business other than the Client (e.g. Amazon).

Working Day means a day other than Saturday, Sunday or a bank holiday in England.

These Terms of Service set out the terms and conditions upon which you (the Client) and your Affiliates may use the Mention Me Services, by using the Services, you agree to accept these Terms of Service. These Terms of Service serve as the master agreement governing your relationship with Mention Me. Any Product Terms and the Data Processing Agreement are supplemental agreements that, together with these Terms of Service, constitute the entire agreement between you and Mention Me regarding your use of specific products or Services.

IF YOU DO NOT ACCEPT THESE TERMS OF SERVICE DO NOT USE THE MENTION ME SERVICES.

1. The Services

1.1 Mention Me shall provide the Services detailed in the Order Form with commercially reasonable skill and care on and subject to the terms of this Agreement.

1.2 The Client may allow its Affiliates to access the Platform and use the Services provided that:

1.2.1 where the context requires, references to the “Client” in this Agreement shall be construed as referring to the Client’s Group;

1.2.2 the Client ensures that its Affiliates comply with the terms and conditions of this Agreement

1.2.3 the Client remains responsible for Affiliate’s acts and omissions

1.2.4 any Active Customers of the Client’s Affiliates will count towards the Client’s total number of Active Customers; and

1.2.5 any claims will be brought against Mention Me by the Client on behalf of its Group.

1.3 Mention Me shall not be liable for any failure to provide the Services to the extent such failure is caused by a failure of the Client to comply with the Client Responsibilities in clause 2.

1.4 Either party may suspend visibility of any part of the Service where the suspension is necessary to enable Mention Me or the Client to address any issues that might impair the performance or function of a Service or the Client Website and/or which either party reasonably considers may be damaging to the Client, Mention Me or any End User. Both parties agree to use all reasonable efforts to notify the other party before suspending visibility of a Service. In the event that prior notification is not possible, notification will be provided as soon as it is reasonably practicable to do so.

1.5 Mention Me may temporarily suspend the Platform for repair or maintenance or upgrade work with or without notice.

1.6 The Platform and Software are provided 'as is'. Mention Me shall use commercially reasonable efforts to resolve any issues promptly.

1.7 Mention Me is not liable for Service failures caused by Client non-compliance with its responsibilities.

1.8 Mention Me will use reasonable efforts to implement Client-requested changes but does not guarantee support and may charge additional fees (such fees to be mutually agreed prior to any work bein undertaken) for material changes.

1.9 Certain products and services offered through the Platform may be subject to additional product-specific terms and conditions (“Product Terms”). Where Product Terms apply, they supplement and form part of this Agreement. You will be presented with the applicable Product Terms before accessing or using such products, and your use of the product constitutes acceptance of those Product Terms.

2. Client Responsibilities

2.1 The Client acknowledges that many elements of the Platform are configurable and customisable by the Client or by Mention Me at the Client's request.. The Client shall approve and accept responsibility for the Platform Configuration on the Launch Date and approve any subsequent material changes to that Configuration. Subject to clause 10, Mention Me shall not make changes to the agreed Configuration without express Client approval.

2.2 Client employees, agents, partners for independent contractors may be granted log-in access to the platform for administrative and customer service purposes (Authorised Users). The Client shall be solely responsible for:

2.2.1 which personnel are granted access, the level of access and/or nominating individual administrators who are responsible within their organisation for doing this;

2.2.2 revoking the access of any of its Authorised Users;

2.2.3 ensuring Authorised Users maintain the safety and security of their log-in details;

2.2.4 informing Mention Me immediately of any loss, theft or misuse of Authorised User log in details;

2.2.5 ensuring Authorised User accounts cannot be shared or used by more than one individual and (if relevant) ensuring the number of Authorised Users and their level of accesss not exceeded; and

2.2.6 informing Mention Me promptly of any breach of the above sub-clauses.

2.3 Mention Me shall not be responsible for and shall be held harmless by the Client in respect of any claims or losses which result from:

2.3.1 unauthorised access to the Platform made using the log-in details of an Authorised User of the Client following the loss or theft of those details; and

2.3.2 any misuse of the Platform made by an Authorised User of the Client.

2.4 Client agrees that it shall only use the Platform for its own business purposes as contemplated by this Agreement and in accordance with all applicable laws.

2.5 Client agrees to not (and shall ensure that End Users and Authorised Users do not) submit any sensitive personal data, including health information, biometric data or government identification numbers though the website, the Platform, the Services or support tools.

2.6 Client agrees to not (and shall ensure that End Users and Authorised Users do not) use the Services to upload, transmit or distribute any unlawful, abusive, infringing or harmful content.

2.7 Client is not permitted to:

2.7.1 Scrape content or store content of the Platform on a server or other storage device connected to a network or create an electronic database by systematically downloading and storing all of the content of the Platform; or

2.7.2 Attempt to circumvent security or interfere with the proper working of the Platform or the servers on which it is hosted.

3. Fees and Payment

3.1 Except where a free trial is being offered in accordance with clause 8, the Fees shall consist of an annual fee (Annual Fee) and any such other fees as set out in the Order Form.

3.2 Charging of an Annual Fee will commence on the Effective Date. The Annual Fee shall be invoiced on the Effective Date and thereafter on each Renewal Date (or within 30 days of the start of the period to which it relates).

3.3. Payment may be made by credit or debit card or may be invoiced by us in accordance with this section. Mention Me accepts payment by most major credit and debit cards. Online payment transactions are subject to validation checks by your card issuer and Mention Me is not responsible if Client's card issuer declines to authorise payment for any reason. Mention Me is not responsible for any associated costs, including online handling fees or processing fees with making payment via credit or debit card.

3.4 The Fee on each Renewal Date shall be determined in line with the Order Form. If the fee due on renewal is not set out on the Order Form then Mention Me reserves the right to increase the Fees at each Renewal Date by no more than 10% of the previous Contract Year value.

3.5 If requested by Mention Me, the Client shall promptly provide to Mention Me information on its: number of Active Customers; Revenue; average order values; and such other information to enable Mention Me to calculate its Fees for the next Contract Year or validate that its Fees are accurate for that current Contract Year. The Client shall ensure such information is accurate, complete and not misleading.

3.6 All invoices must be paid within 30 days of the invoice date unless otherwise stated in the Order Form. Mention Me may, in its sole discretion, suspend provision of the Services if any undisputed sums owed by the Client are overdue for more than 14 days after being provided with a suspension notice by or on behalf of Mention Me.

3.7 All fees are quoted and payable in the currency set out on the Order Form.

3.8 The Fees do not include any direct or indirect taxes, levies, duties or similar governmental assessments of any nature, including value-added, sales, use or withholding taxes which shall (if applicable) be added to Mention Me’s invoice as required.

3.9 Mention Me shall have the right to charge interest on overdue invoices at the rate of 3% per annum above the base rate of Barclays Bank Plc, calculated from the date when payment of the invoice becomes due for payment up to and including the date of actual payment whether before or after judgment.

3.10 Invoices shall be paid without set off or deduction or counterclaim save for amounts disputed by the Client, acting reasonably and in good faith.

3.11 If the Client requires a purchase order number on its invoice, the Client hereby agrees to promptly provide Mention Me with the purchase order or purchase order number upon request. If the Client fails to provide Mention Me with a purchase order or purchase order number, Mention Me will invoice the Client without a purchase order number and the Client hereby agrees to pay such invoice. The parties agree that none of the terms and conditions in any purchase order issued by the Client will apply to or modify this Agreement.

4. Intellectual Property

4.1 Client acknowledges that Mention Me and/or its licensors own all Intellectual Property Rights and any other rights in or arising out of or in connection with the Platform, the Software and the Services, including any modifications, amendments, developments or updates made to the Platform, Software and/or Services after the date of this Agreement. Except as expressly stated in this Agreement, this Agreement does not grant the Client any Intellectual Property Rights or any other rights or licences in respect of the Platform, the Software or the Services.

4.2 The Client agrees that all features and functionality in or which form part of the Platform are proprietary to Mention Me and/or its licensors and contains valuable confidential information and the Client warrants that it will not nor will it enable others to, copy, port, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of the software or any services provided by Mention Me, or any part thereof.

4.3 Subject to the terms and conditions of this Agreement, Mention Me hereby grants the Client, solely during the Term, a limited, non-exclusive, non-sublicensable, royalty free, fully revocable licence to use the Platform and any Intellectual Property Rights owned by Mention Me that are contained within the Platform solely in connection with the Client’s (and its employees’ and End Users’) use of the Services as contemplated by this Agreement. Any rights not expressly granted to the Client under this clause in connection with the Platform or Mention Me’s Intellectual Property Rights are reserved by Mention Me and its licensors.

4.4.Subject to clause 4.5, Mention Me shall:

4.4.1 defend and indemnify the Client from and against any claim brought against the Client by any third party alleging that the Client’s use of the Services in accordance with this Agreement infringes any copyright, database right or registered trade mark, registered design right or registered patent in the United Kingdom (each an IP Claim); and

4.4.2 pay, subject to clause 4.5, all reasonable costs and damages awarded or agreed in settlement or final judgment of an IP Claim.

4.5 The provisions of clause 4.4 shall not apply unless the Client:

4.5.1 promptly (and in any event within 5 Working Days) notifies Mention Me upon becoming aware of any actual or threatened IP Claim and provides full written particulars;

4.5.2 makes no comment or admission and takes no action that may adversely affect Mention Me’s ability to defend or settle the IP Claim;

4.5.3 provides all assistance reasonably required by Mention Me subject to Mention Me paying the Client’s reasonable costs; and

4.5.4 gives Mention Me sole authority to defend or settle the IP Claim as Mention Me considers appropriate.

4.6 The provisions of clause 6 shall apply to any payment of costs and damages awarded or agreed in settlement or final judgment of an IP Claim under clause 4.4.

4.7 In the event of any IP Claim Mention Me may elect to:

4.7.1 procure for the Client the right to continue using the relevant Service (or any part thereof);

4.7.2 modify or replace the infringing part of the Services (or any part thereof) to avoid the infringement or alleged infringement; or

4.7.3 terminate the Agreement immediately by written notice and promptly refund to the Client on a pro- rata basis for any unused proportion of Fees paid in advance.

This clause 4.7 is without prejudice to the Client’s rights and remedies under clause 4.4.

4.8 Mention Me shall have no liability or obligation under this clause 4 in respect of (and shall not be obliged to defend) any IP Claim which arises in whole or in part from:

4.8.1 any modification of the Services (or any part) without Mention Me’s express written approval;

4.8.2 any Client Content;

4.8.3 any breach of the Agreement by the Client;

4.8.4 Client’s use of any external sites or applications in relation to any of the Services; and

4.8.5 any user generated content.

4.9 Subject to clause 6, the provisions of this clause 4 set out the Customer’s sole and exclusive remedy (howsoever arising, including in contract, tort, negligence or otherwise) for any IP Claim.

4.10 Save as expressly permitted in accordance with this Agreement, the Client shall not, and shall not authorise any third party to, modify, merge, sell, network, rent, lease, assign, or create derivative works based upon, the Platform or the Software in whole or in part, transfer or redistribute in any manner the Platform or the Software, or reverse engineer, decompile or otherwise derive the source code form of any components provided by Mention Me in object code form.

4.11 Mention Me acknowledges that the Client and/or its licensors own all Intellectual Property Rights in the Client Content and Client Marks. The Client hereby grants to Mention Me, solely during the Term, a limited, non- exclusive, non-sublicensable, royalty free, fully revocable licence to use, reproduce and display the Client Content (including any related registered and unregistered trademarks (Client Marks)) solely for the purposes of providing the Services as contemplated by this Agreement. Such licence shall be subject to any further written guidance with regard to the use of the Client Marks or Client Content that the Client provides to Mention Me. Any rights not expressly granted to Mention Me under this Agreement in connection with the Client Marks are reserved by the Client and its licensors.

4.12 Mention Me hereby grants to the Client, solely during the Term, a limited, non-exclusive, non-sublicensable, royalty free, fully revocable licence to use, reproduce and display Mention Me’s registered and unregistered trademarks and associated logos (Mention Me Marks) solely in connection with Client’s Service(s). Such license shall be subject to any further written guidance with regard to the use of the Mention Me Marks that Mention Me Client provides to the Client. Any rights not expressly granted to the Client under this Agreement in connection with the Mention Me Marks are reserved by the Mention Me and its licensors.

5. Data Protection

5.1 To the extent Mention Me processes Protected Data (as defined in the Data Processing Agreement), as a Data Processor, Mention Me shall process this data in accordance with the Data Processing Agreement.

5.2 To the extent Mention Me processes Protected Data (as defined in the Data Processing Agreement), as a Data Controller, Mention Me shall process this data in accordance with the Data Protection Policy which can be found here.

6. Liability

6.1 Clause 6 sets out the entire financial liability of each party to the other party:

6.1.1 arising under or in connection with this Agreement;

6.1.2 in respect of any use made by the Client of the Services, the Software, the Platform or any part of them; and

6.1.3 in respect of any representation, statement or tortious act or omission (including negligence) arising under or in connection with this Agreement.

6.2 Except as expressly and specifically provided in this Agreement all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement.

6.3 Nothing in this Agreement excludes the liability of a party for (i) death or personal injury; (ii) fraud or fraudulent misrepresentation; or (iii) any other liability that may not be lawfully excluded.

6.4 Subject to clause 6.3 and without prejudice to any specified liability provisions contained in the Data Processing Agreement:

6.4.1 neither party shall be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and

6.4.2 each party’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement (with the exception of sums payable in accordance with clause 3 and the recovery of the same) shall be limited to the total Fees paid for the Services during the 6 months immediately preceding the date on which the claim arose.

7. Confidentiality

7.1 The Receiving Party shall hold all Confidential Information in confidence and, except as required by law or permitted herein, shall not disclose it to third parties or use it other than for performing obligations or exercising rights under this Agreement, unless requested or agreed by the disclosing party.

7.2 Without prejudice to clause 7.1, the Receiving Party may disclose Confidential Information to itsAffiliates, employees, agents and advisors (Representatives) who need to know such Confidential Information solely for implementing this Agreement, provided the Receiving Party remains responsible for its Representatives’ compliance Each party shall ensure that its Representatives are bound by confidentiality agreements on terms no less onerous than this clause 7.

7.3 Where the Client is the Disclosing Party, Mention Me may disclose Confidential Information to:

7.3.1 third party partners and agencies (Partners) with the Client’s prior written consent. Mention Me’s obligations with respect to Confidential Information shared with its Partners ends when when the Client enters into its own agreement with the Partner; and

7.3.2 potential investors, disclosing only such Confidential Information as is reasonably necessary in connection with a merger, acquisition or equity investment by a third party,

Provided Mention Me ensures such Partners or investors are bound by confidentiality agreements on terms no less onerous than this clause 7 and remains responsible to the Client for their compliance.

7.4 The Disclosing Party represents and warrants that it has the authority to disclose the Confidential Information to the Receiving Party (or its Representatives).

7.5 Confidential Information remains the Disclosing Party’s exclusive property. The Receiving Party acquires no rights, title, interest or licence in Confidential Information or to any embodied Intellectual Property Rights. The Receiving Party acknowledges breach may cause irreparable harm for which damages are inadequate. The Disclosing Party may seek injunctive relief or specific performance for any threatened or actual breach by the Receiving Party, its Representatives or others receiving Confidential Information under this Agreement.

8. Free Trials

8.1 Mention Me may, at its sole discretion, offer a free trial of the Services. The duration of the trial and the specific features included shall be detailed in the applicable Order Form. On the expiry of the free trial, the Agreement may convert into a paid for service governed by the terms of this Agreement, and any Order Form. Mention Me reserves the right to modify, suspend, or terminate free trial offers at any time, without prior notice.

9. Term and Termination

9.1 Except where a free trial is being offered in accordance with clause 8, this Agreement commences on the Effective Date and continues for the Minimum Period. Unless terminated under this clause 9, the Agreement automatically renews for 12 months upon the expiry of the Minimum Period (first Renewal Date) and thereafter for twelve months on each anniversary of the first Renewal Date (each of the first Renewal Date and each such anniversary being a Renewal Date). The Minimum Period and each renewal period shall constitute the Term.

9.2 Either party may terminate the Agreement and/or any part of the Services on a Renewal Date by giving at least 30 days prior notice. Without such notice, the Agreement automatically renews.

9.3 Either party may terminate this Agreement without liability to the other if:

9.3.1 the other party commits a material breach of any of the terms of this Agreement and (if remediable) fails to remedy that breach within 30 days of written notice; or

9.3.2 an order is made or a resolution is passed for the winding up of the other party, or circumstances arise which entitle a court to make a winding-up order in relation to the other party; or

9.3.3 an order is made for the appointment of an administrator to manage the affairs, business and property of the other party, or documents are filed with a court of competent jurisdiction for the appointment of an administrator of the other party, or notice of intention to appoint an administrator is given by the other party or its directors or by a qualifying floating charge holder (as defined in paragraph 14 of Schedule B1 to the Insolvency Act 1986); or

9.3.4 a receiver is appointed over any of the other party’s assets or undertaking, or if circumstances arise which entitle a court of competent jurisdiction or a creditor to appoint a receiver or manager of the other party, or if any other person takes possession of or sells the other party’s assets; or

9.3.5 the other party makes an arrangement or composition with its creditors, or makes an application to a court of competent jurisdiction for the protection of its creditors in any way; or

9.3.6 the other party ceases, or threatens to cease, to trade; or

9.3.7 the other party takes or suffers any similar or analogous action in any jurisdiction in consequence of debt or insolvency.

References to “the other party” regarding the Client, includes the Client’s Group to the extent Group members access Services under this Agreement.

9.4 Mention Me may terminate immediately, without notice, if it believes in its sole discretion, that the Platform is being used inappropriately, illegally, harmfully, dangerously, in violation of third party right or otherwise in breach of this Agreement Either party may terminate immediately without notice if either party has become or believes, in its sole discretion but acting reasonably, that it is likely to become subject to a third party claim.

9.5 On termination or any reason:

9.5.1 all licences granted under this Agreement immediately terminate;

9.5.2 accrued rights and surviving provisions remain unaffected ;

9.5.3 Mention Me shall: (i) suspend the processing of the Protected Data as soon as possible; (ii) make Protected Data available to the Client in a reasonably requested mannor and format for up to 30 days post-termination and (iii) upon Client request, permanently remove all Protected Data and/ or Confidential Information from its systems where technically possible and legally permissible, and promptly confirm compliance in writing except as set out otherwise in this Agreement, the Client is not be entitled to any refund of Fees paid for the period during which the Services cease to be provided; and

9.5.4 Client shall: (i) promptly cease sharing any Personal Data with Mention Me; and (ii) remove any Mention Me javascript tags from the Client Website(s) and any other system integrations with the Platform.

9.5.5 Mention Me shall delete Client Protected Data in line with the Data Protection Agreement. If a non-renewing Client requests in writing that Protected Data be retained for a limited period, Mention Me may agree at its discretion and invoice monthly at 12.5% of the Annual Fee. Invoices are sent monthly in advance and payable per clause 3.

10. General

10.1 Mention Me reserves the right to modify, amend, or update these Terms of Service at any time and at its sole discretion. Mention Me will provide notice of any material changes by:

10.1.1. posting the updated Terms of Service on its website; and

10.1.2 indicating the date of the last revision at the top of the Terms of Service.

Your continued use of the services following the posting of any changes constitutes your acceptance of such changes. If you do not agree to any modification of these Terms of Service, you must immediately cease using the services.

10.2 No term of this Agreement will be enforceable by virtue of the Contract (Rights of Third Parties) Act 1999 by any person that is not a party to it.

10.3 Each of the parties warrants that it has full authority and power to enter into this Agreement and that it has obtained all necessary approvals to do so.

10.4 Except for payment obligations, if a party is prevented or delayed in performing its obligations due to circumstances beyond its reasonable control, including, acts of war, terrorism, hurricanes, earthquakes, acts of God or of nature, strikes or other labour disputes, riots, or embargoes, such failure or delay will not be deemed to constitute a breach of this Agreement. The obligations remains in effect and must be performed as soon as reasonably practicable after the circumstances end, provided that if performance is prevented or delayed for more than ninety (90) days, the other party may terminate this Agreement with thirty (30) days’ written notice.

10.5 The Client agrees that Mention Me may change or update the Platform and/or Services without notice provided that such changes: (i) do not materially adversely affect the nature or quality of the Services; or (ii) are required to be made for legal or regulatory reasons.Any changes or updates are proprietary to Mention Me.

10.6 Each party acknowledges that this Agreement (including the Data Processing Agreement) contains the whole agreement between the parties and shall supersede and terminate all prior agreements, undertakings and arrangements (both written and oral) between the parties relating to the subject matter of this Agreement. Furthermore, each party acknowledges that it has not relied upon any oral or written representations made to it by the other or its employees or agents and has made its own independent investigations into all matters relevant to it.

10.7 If Mention Me requests and the Client agrees then the Client shall: (i) assist Mention Me to create a case study and participate in blogs, testimonials, social media and other marketing activities which refer to the Client; and (ii) participate in beta testing, a joint presentation at an industry event and a presentation at a Mention Me event.

10.8 Neither party will assign, subcontract, transfer or encumber any right or obligation under this Agreement, in whole or in part, without the other party’s prior written consent (not to be unreasonably withheld or delayed) or except as expressly permitted in this Agreement. Mention Me may at any time:

10.8.1 assign or transfer all or any of its rights or obligations under this Agreement to another member of its Group; and

10.8.2 subcontract its obligations under this Agreement to a third party, provided that Mention Me will remain liable to the Client for performance of the relevant obligations.

10.9 Any notice to be served on either party by the other shall be sent by pre-paid recorded delivery, registered post or email to the address of the relevant party shown on the Order Form or such other physical or electronic address as may be notified by one party to the other from time to time.

10.10 If any provision of this Agreement is, or is found to be, illegal, invalid or unenforceable, the remaining provisions shall continue in full force and effect and shall not be affected by such illegality, invalidity or unenforceability.

10.11 Failure by a party to enforce at any time or for any period any one or more of the terms or conditions of this Agreement shall not be a waiver by that party of the right at any time subsequently to enforce all terms and conditions of this Agreement.

10.12 This Agreement shall be governed by and construed in accordance with English law.

10.13 The parties hereby submit to the exclusive jurisdiction of the courts of England in respect of any dispute arising out of or in connection with this Agreement.

Data Processing Agreement

Definitions

Applicable Law means as applicable and binding on the Client, Mention Me and/or the Services:

any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of;
the common law and laws of equity as applicable to the parties from time to time;
any binding court order, judgment or decree; or
any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Business, Business Purpose, Consumer and Service Provider shall have the same meaning as in the CCPA;

CCPA means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq;

Client Agreement means the Terms of Service and Order Form entered into between Mention Me and the Client on or about the date of this agreement pursuant to which Mention Me has agreed to provide Services to the Client;

Data Controller has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws. For the purpose of clarity, the term Data Controller shall also mean “Business”;

Data Processor has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws. For the purpose of clarity, the term Data Processor shall also mean “Service Provider”;

Data Protection Laws means as applicable and binding on the Client, Mention Me and/or the Services:

the UK GDPR, as defined under Section 3(10), amended by Section 205(4), of the Data Protection Act 2018;
the Data Protection Act 2018;
the GDPR; the Privacy and Electronic Communications Regulations;
any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time; and
the CCPA if it is binding on the Client, Mention Me and/or the Services.

Data Protection Losses means all liabilities, including all:

1. costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non- material damage); and

2. to the extent permitted by Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and (iii) the reasonable costs of compliance with investigations by a Supervisory Authority;

Data Subject has the meaning given to that term in Data Protection Laws;

Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects or consumers under Data Protection Laws;

GDPR means the General Data Protection Regulation (EU) 2016/679;

International Organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

International Recipient means: (a) any country, territory or location outside the United Kingdom and European Economic Area; and/or (b) any International Organisation;

Personal Data has the meaning given to that term in Data Protection Laws;

Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

Processing has the meaning given to that term in Data Protection Laws (and related terms such as Process have corresponding meanings);

Processing Instructions has the meaning given to that term in clause 2.1.1;

Protected Data means Personal Data received from the Client in connection with the performance of Mention Me’s obligations under the Client Agreement;

Services means the Services to be provided by Mention Me to the Client pursuant to the Client Agreement;

Sub- Processor means another Data Processor engaged by Mention Me for carrying out Processing activities in respect of the Protected Data on behalf of the Client; and

Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

Specific Interpretive Provisions

In this Agreement:

a) capitalised terms not defined herein shall have the meanings ascribed to them in the Client Agreement;
b) references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable; and

c) a reference to a law includes all subordinate legislation made under that law.

Data Processing Provisions

1. Data Processor and Data Controller

1.1 Excluding Section 1.2, this Data Processing Agreement applies to the Processing of Protected Data by Mention Me as the Data Processor on behalf of Client as the Data Controller for the limited purposes identified in Appendix 1. For the purposes of the CCPA (and to the extent applicable), the Client shall be the “Business” and Mention Me shall be the “Service Provider” (as such terms are defined in the CCPA).

1.2 Notwithstanding Section 1.1, Client acknowledges that Mention Me is a Controller when it (a) uses Personal Data collected from or about a Data Subject for purposes other than those set out in Appendix 1, including (but not limited to) the administration of referrals and management of the influencer program; and (b) Processes or aggregates Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, feedback, product development, and compliance with laws.

1.3 Each of the parties shall comply with:

1.3.1 their obligations under all Data Protection Laws in connection with the Processing of Protected Data, the Services and the exercise and performance of their respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

1.3.2 the terms of this Agreement.

1.4 The Client warrants, represents and undertakes, that:

1.4.1 all data sourced by the Client for use in connection with the Services, prior to such data being provided to or accessed by Mention Me for the performance of the Services under this Agreement, shall comply in all respects, including in terms of its collection, storage and Processing, with Data Protection Laws;
1.4.2 all instructions given by it to Mention Me in respect of Personal Data shall at all times be in accordance with Data Protection Laws including (to the extent applicable) the pursuit of Business Purposes as under the CCPA; and

1.4.3 it is satisfied that Mention Me’s Processing operations are suitable for the purposes for which the Client proposes to use the Services and engage Mention Me to Process the Protected Data.

1.5 Mention Me warrants and undertakes that it has, and will continue to have, sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

1.6 Nothing in this clause 1 shall exclude the liability of either party to the other for breach of any Data Protection Laws in relation to Protected Data as a result of negligence or lack of Appropriate Safeguards.

2. Instructions and details of Processing

2.1 Insofar as Mention Me Processes Protected Data on behalf of the Client, Mention Me:

2.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) Process the Protected Data only on and in accordance with the Client’s documented instructions as set out in this clause 2 and Appendix 1 (Data Processing details), as updated from time to time in accordance with the Client’s written instructions;

2.1.2 if Applicable Law requires it to Process Protected Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before Processing the Protected Data (unless Applicable Law prohibits such notification); and

2.1.3 shall promptly inform the Client if Mention Me becomes aware of a Processing Instruction that, in Mention Me’s opinion, infringes Data Protection Laws, provided that:

(a) this shall be without prejudice to clauses 1.3; and

(b) to the maximum extent permitted by mandatory law, Mention Me shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any Processing in accordance with the Client’s Processing Instructions following the Client’s receipt of that information.

2.2 The Processing of Protected Data to be carried out by Mention Me under this Agreement shall comprise the Processing set out in Appendix 1 (Data processing details), as may be updated from time to time by written agreement between the parties.

3. Technical and organisational measures

3.1 Mention Me shall implement and maintain, at its cost and expense, the technical and organisational measures:
3.1.1 in relation to the Processing of Protected Data by Mention Me, as set out in Appendix 2 (Technical and organisational measures); and

3.1.2 taking into account the nature of the Processing, to assist the Client insofar as is possible in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to Protected Data.

4. Using staff and other Processors

4.1 Mention Me shall not engage any Sub-Processor for carrying out any Processing activities except those listed in Appendix 1. If there is any addition, removal and/or change in a Sub-Processor Mention Me will give the Client 30 days’ written notice to object to any addition, removal and/or change in Sub-Processor, after which time if Mention Me has not received any objection from the Client in writing then the Client will be deemed to have accepted the addition, removal and/or change. If the Client objects Mention Me has, at its discretion, the option to maintain the status quo, work with the Client for a solution or, at the discretion of Mention Me terminate the Agreement on 60 days’ notice.

4.2 Mention Me shall:

4.2.1 prior to the relevant Sub-Processor carrying out any Processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing obligations which are at least as onerous as under clauses 1 to 11 (inclusive) that is enforceable by Mention Me;

4.2.2 ensure each such Sub-Processor complies with all such obligations; and

4.2.3 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

4.3 Mention Me shall ensure that all persons authorised by it (or by any Sub-Processor) to Process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Mention Me shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).

4.4 In the event that the Client makes a request for Mention Me to send any data to another supplier of the Client (Third Party Processor), the Client acknowledges and agrees that the Third Party Processor shall be a Data Processor directly for the Client and shall not be a Mention Me Sub-Processor. Mention Me shall not be liable to the Client for any breaches of Data Protection Laws by a Third Party Processor. The Client warrants that any such instructions to send data to the Third Party Processor shall comply with Data Protection Laws.

5. Assistance with the Client’s compliance and Data Subject rights

5.1 Mention Me shall refer all Data Subject Requests it receives to the Client without undue delay following receipt of the request.

5.2 Mention Me shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of Processing and the information available to Mention Me) to the Client in ensuring compliance with the Client’s obligations under Data Protection Laws with respect to:

5.2.1 security of Processing;
5.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
5.2.3 prior consultation with a Supervisory Authority regarding high risk Processing; and
5.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach.

6. International data transfers

6.1 Any transfer by Mention Me of Protected Data to an International Recipient shall be effected by way of Appropriate Safeguards as described in Articles 45-49 of the UK GDPR and in accordance with Data Protection Laws.

7. Records, information and audit

7.1 Mention Me shall maintain, in accordance with Data Protection Laws binding on Mention Me, written records of all categories of Processing activities carried out on behalf of the Client.

7.2 Mention Me shall, in accordance with Data Protection Laws, make available to the Client such information as is reasonably necessary to demonstrate Mention Me's compliance with its obligations under Article 28 of the UK GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose, subject to the Client:

7.2.1 giving Mention Me reasonable prior notice of such information request, audit and/or inspection being required by the Client;

7.2.2 ensuring that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);

7.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Mention Me's business.

7.3 The Client’s right to audit under this clause 7 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if the Client (acting reasonably) believes Mention Me is in breach of this Data Processing Agreement.

8. Breach notification

8.1 In respect of any Personal Data Breach involving Protected Data, Mention Me shall, as soon as practicable (and in any event within 24 hours of becoming aware of the Personal Data Breach):

8.1.1 notify the Client of the Personal Data Breach; and

8.1.2 provide the Client with details of the Personal Data Breach and all reasonable assistance which the Client may require.

9. Deletion or return of Protected Data and copies

9.1 Mention Me shall, at the Client’s written request, either delete or return all the Protected Data to the Client in such form as the Client reasonably requests within a reasonable time after the earlier of:

9.1.1 the end of the provision of the relevant Services related to Processing; or

9.1.2 once Processing by Mention Me of any Protected Data is no longer required for the purpose of Mention Me’s performance of its relevant obligations under this Agreement,

and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Mention Me shall inform the Client of any such requirement).

10. Liability, indemnities and compensation claims

10. Mention Me shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Agreement:

10.1.1 only to the extent caused by the Processing of Protected Data under this Agreement and directly resulting from Mention Me’s breach of this Agreement;

10.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Agreement by the Client (including in accordance with clause 2.1.3(b)); and

10.1.3 subject to any limits on its liability contained in the Client Agreement.

10.2 The Client shall indemnify and keep indemnified Mention Me in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Mention Me and any Sub-Processor arising from or in connection with any:

10.2.1 non-compliance by the Client with the Data Protection Laws; or

10.2.2 breach by the Client of any of its obligations under this Data Processing Agreement, except to the extent Mention Me is liable under clause 10.1.

10.3 If a party receives a compensation claim from a person relating to Processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

10.3.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

10.3.2 consult fully with the other party in relation to any such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under this Agreement for paying the compensation.

10.4 This clause 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

10.4.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and

10.4.2 that it does not affect the liability of either party to any Data Subject.

11. Survival of data protection provisions

11. Notwithstanding the termination (for any reason) or expiry of this Agreement:

11.1 clauses 9 to 11 (inclusive) shall survive and continue indefinitely; and

11.2 clauses 1 to 8 (inclusive) shall survive and continue until 12 months following the earlier of the termination or expiry (as applicable),

provided always that any termination or expiry of clauses 1 to 8 (inclusive) shall be without prejudice to any accrued rights or remedies of either party under any such clauses at the time of such termination or expiry.

APPENDIX 1

Data processing details

Capitalised Terms used in this Appendix 1 have the meanings given to them in the Client Agreement

Subject-matter of Processing:

Processing Personal Data for the purposes of storing and validating end-user contact information to provide Services to the Client

Duration of the Processing:

For the term of the Client Agreement

Type of Personal Data, Nature and purpose of the Processing and Categories of Data Subject

The level of Processing may be more limited than as set out in the below table depending on the Services being procured as set out in the Order Form.

For Promoter Services:

Data Subject/ Data Collected	How and When	Processing and Purpose
Historic customer ● Email addresses	Email addresses of existing customers are sent by you via secure transfer during set up. Mention Me keeps these emails in hashed format.	Historic customer’s email addresses are used as an unique identifier for referral. Referees are checked against this existing customer list to ensure they are genuine new customers. We use this information to: 1) check new customers against our list of potential Referees to confirm the referral purchase. 2) maintain the list of existing customers. 3) protect against gaming and selfreferral.
Historic customer order details ● Email addresses	Data transferred by the Client during set-up or otherwise provided by the Client during the Term. Mention Me keeps emails in hashed format as well as raw format if the customers are enrolled into the PromoterProgramme. In addition, there may be instances where Mention Me has Processed the Client’s data under a separate and/or prior agreement and in such an instance Mention Me shall continue Processing such data for the purposes set out in this Agreement and the Client agrees and confirms that they have all necessary permissions to allow Mention Me to continue Processing data.	Historic customer’s email addresses are used as an unique identifier for referral. Referees are checked against this existing customer list to ensure they are genuine new customers. We use this information to: 1) check new customers against our list of potential Referees to confirm the referral purchase. 2) maintain the list of existing customers. 3) protect against gaming and selfreferral.
Customer in your order or sign-up confirmation page • Email address	Data is collected via javascript tags placed on your order confirmation page.	Mention Me will use such data to: 1) check new customers against our list of potential Referees to confirm the referral purchase. 2) maintain the list of existing customers. 3) enroll End Users without requiring them to re-enter their details. 4) protect against gaming and selfreferral.
Customer in your order or sign-up confirmation page • IP Address/Cookie	As above	To protect against gaming and self referral.
Customer in your order or sign-up confirmation page • Coupon Code (if used)	As above	Required to enhance matching of referral conversion and order tracking if a different email address is used at checkout than at registration
Referee • Email address • IP Address/ Cookie • Full name (depending on client setup) • Phone number (depending on client set up)	A Referee enters their details after following a sharing link and the data is collected via a javascript tag placed in the checkout process	1) Referee data is checked against post-purchase tag feed to ensure a new purchase has been made 2) We pass Referee data to you if they have consented to receive marking communications from you
Full name, order details, IP address, customer IDs and email address and such other information shared by a Client, End User or Authorised User.	If Client, End User or Authorised User requires support services. This data will be Processed by Mention Me’s subprocessor, Crescendo AI.	To provide the Client, Authorised Users and End Users with an AI customer support platform and agent services.

Approved Sub-Processors

Entity	Function	Location	Further Details
Amazon Web Services, Inc. 1200 12^th Avenue South, Suite 1200, Seattle, WA 98144, United States	The PlatformMention Me platform is hosted by AWS.	EEA (and using AWS Cloudfront’s edge networking in Amazon’s European and North American network).	Please see: Amazon Data Protection Compliance. With respect to the non-EEA processing, AWS processes data in line with the EU model standard contractual clauses.
Mailjet SAAS Ltd 23 Copenhagen Street, London, England, N1 0JB	Mention Me uses Mailjet for the purposes of sending emails to participants in the Service	EEA and UK	Please see: Mailjet Data Protection Compliance
Google Cloud, Ireland Ltd Gordon House, Barrow Street Dublin 4 Ireland	Mention Me uses services within the Google Cloud platform alongside Amazon Web Services to build, run and extend the PlatformMention Me Platform.	EEA	Please see: Google Cloud Privacy and Compliance
Tray.io, Inc 25 Stillman Street, San Francisco CA 94107	(only relevant if client integrations and/or smart platforms) Mention Me uses Tray.io’s platform in order to send and receive data to and from third party companies (at the Client’s request).	EEA and USA	Please see: Tray.io security measures With respect to transfers to the U.S., Tray.io Processes data in line with the EU model standard contractual clauses.
Lacework Inc 391 San Antonio Road, Floor 3, Mountain View CA 94040	Mention Me works with a security partner to assist in threat monitoring and security intelligence to support Mention Me in its own information security.	EEA and USA	Please see: Lacework’s security standard With respect to transfers to the U.S., Lacework Processes data in line with the EU model standard contractual clauses.
OpenAI, LLC 3180 18th St., San Francisco, CA 94110	Mention Me uses OpenAI to power its AI functionality.	USA	Please see: OpenAI’s data protection compliance. With respect to its processing, OpenAI processes data in line with the appropriate model standard contractual clauses.
Tipalti Tipalti Europe Ltd, St Martins Court, 10 Paternoster Row, London, EC4M 7HP, United Kingdom.	Mention Me uses Tipalti to facilitate payouts to individuals for commission or any other payments earned.	EEA	Please see: Tipalti's data protection compliance
Crescendo AI Inc. 201 Spear Street, San Francisco, CA 94105, USA	Customer support platform and AI-guided agent services.	USA (with Processing also in the Phillippines by Partner Hero, a Crescendo affiliate)	Please see: Crescendo’s security compliance. Crescendo Processes data in line with the appropriate model standard contractual clauses.

APPENDIX 2

Technical and organisational measures

We take the following technical and organisational measures to protect the confidential and customer data which we Process on behalf of our clients.

Mention Me is ISO27001 certified.

The following is a summary of the policies specified by our ISO27001 certification.

1. Measures taken to ensure confidentiality

1.1 Physical access control

Measures to prevent unauthorised individuals from gaining physical access to IT and data processing systems for processing personal data and confidential files and storage media:

Confidential data is stored in either (a) the PlatformMention Me platform which is hosted with AWS or (b) the Mention Me data warehouse which is hosted with GCP (Google) in a Tier 1 data centre in various locations in Europe or (c) where they are represented by documents or emails in Google Workspace GSuite (email, Google docs) hosted by Google in a Tier 1 data centre with data storage in Europe.
These Tier 1 data centres have industry best practice physical security and Mention Me has no physical access to the computing resources it uses. Full details of the security measures in place are available here: https://aws.amazon.com/security and https://cloud.google.com/security
Our office has CCTV, alarms, key fob access for employees only and a controlled visitor policy.
We operate a paper-free office and clear desk policy in all office locations.
All workstations or laptops and any password manager applications are configured to automatically lock out users with a password after 15 minutes of inactivity. All laptop hard drives are encrypted using Mac OS X FileVault.
We do not permit the printing or storage of this data on flash drives or removable media or on non- approved laptops or mobile devices.

1.2 Logical access control

Measures to prevent protected data from being processed or used by unauthorised persons:

All access to all systems used and provided by Mention Me is done using individually identified user accounts.
All passwords conform to the following policy:
- Contain a minimum 10 characters
- Contain at least 1 number
- Contain at least one special (non-alphanumeric) character
- Not be the same as any previously used password
- Not contain some commonly used password fragments e.g. “password”
Optionally, clients can request that their employees’ passwords must be changed by the User at least every 90 days.
2FA authentication for all Client employee logins to the PlatformMention Me platform and for all logins to critical services used by Mention Me in the delivery of its services to Clients and Consumers. Access for administrators is secured via Amazon and Google’s IAM policy frameworks.
Clients can choose to provide an IP whitelist for their own employee access.
Brute force login prevention with timeouts of 1 minute after 5 failed attempts and 20 minutes after 15 failed attempts.
Our platform is penetration tested by an external third party each year and executive summaries are available for clients. Clients can PEN test our platform with prior agreement by Mention Me.

1.3 Data access control

Measures which guarantee that the person authorised to use the data processing processes can exclusively access personal data subject to their access authorisation so that data cannot be read, copied, changed, stored or removed during the processing without authorization:

We use roles and permissions for controlling who has access to what feature using the principle of least privilege.
Administrative users are either Employees of the Client or of Mention Me.
Mention Me grants access to one or more nominated Employees of the Client during the setup phase. These Employees are given Administrator access which allows them to set up, remove and adjust the privileges of other users within the Client Organisation.
Employees of the Client with Administrative access are responsible for managing the access levels and deactivation of Employees they grant access to in accordance with clause 2.3 of the Terms of Service.
When a new account is set up, the new user is emailed to the registered email address with a pre- generated password. They must change the password at first login.
Password resets are performed only by the Employee User themselves - this is requested via the forgotten password link whereupon an email is sent to the user containing a secure link. The link is valid for 24 hours. When the link is clicked the user can enter a new password and regain access to their account.
Clients can optionally add 2FA for their Employee Users.
Clients can optionally add Single Sign On (SSO) for their Employee Users
Administrative access by Mention Me employees to the platform infrastructure is managed using accounts which have different permissions - least privilege for day to day access and full administrative access strictly limited when required.
All confidential data is stored using Encryption at Rest using AWS AES256 encryption.

1.4 Data separation

Measures that ensure that data collected for different clients and/or different purposes is processed separately:

We operate a multi-tenanted platform with strong application and business logic which separates individual client data sets. We use manual and automated techniques to QA this.
We use only anonymised data in our test and development environments.
Developers and administrators have segregated access to different environments.

1.5 Pseudonymization

We store personal data about your customers in three ways – to maintain a list of historical customers for the purpose of excluding existing customers from being rewarded as an advocate, to store customers who enrol in any of our programmes and to store potential customers who have been introduced who may go on to become the Clients’ customers when they first purchase and to keep track of purchase history and frequency to allow Mention Me to segment each Customer as appropriate and to store potential customers who have been introduced who may go on to become the Clients’ customers when they first purchase. The historical customer data is hashed using SHA256 with a shared secret salt so that it can be used only for the purpose of checking whether a potential customer is an existing one or not.

Where the Client chooses to send us this data in bulk, they can choose to pre-hash it using the same secret salt or in plaintext after which we will hash it and discard the original. The other data sets are stored encrypted at rest using AES256.

1.6 Data fidelity

You can provide us with feeds of data to keep our customer records in sync with your own, if you choose – for example to tell us about changes to customer personal data (e.g. email or name), to tell us about lapsed customers or to update customer identifiers.

1.7 Data retention

By default we keep personal data on your customers for the length of our contract together for the purpose of keeping track of referral and purchasing and (where applicable) retain performance and allowing your customer service team to view and act on the history of activity.

We apply different retention policies to different classes of data - we automatically expunge enrolled referrers who haven’t shared after 48 months and registered referees or other customers who haven’t spent a reward they were given after 24 months. We can vary the retention policies upon your request.

At the end of our contract we have measures in place to securely anonymize all the data on your customers expunging it from our systems.

At the end of their life any storage (e.g. laptop hard drives) are destroyed securely using a reputable industrial shredding company.

2. Measures to ensure integrity

2.1 Data transfer control

Measures which guarantee that confidential data cannot be read, copied, changed or removed during the electronic transmission or during their transport except by authorised users:

Data is always encrypted in transit using best practice https (TLS)
We receive data via https from tags on the client site or via SFTP (SSH) batch files
Where an ad-hoc transfer of confidential data is required (for example lists of reward vouchers or customer details for promotion) secure data is transferred from the client to Mention Me and vice versa via the secure document transfer mechanism within the PlatformMention Me platform which transfers the data via TLS.

2.2 Input control

Measures which guarantee that it can be subsequently checked and determined whether and by whom personal data have been entered, changed in or removed from the data processing systems:

Where a significant activity takes place (for example approving or declining a reward for a customer, unsubscribing a customer), a sensitive action audit log is kept detailing the change and the user who took the action. We keep these audit logs indefinitely and they are available for Clients’ to download and review.
We have logs of all system activity stored for 60 days and other subsets of activity stored for the duration of our contract.

3. Measures to ensure availability and capacity

3.1 Change control

New software, including changes to the existing software is tested thoroughly prior to release, including a review for security risks. Most new customer-facing features are developed as options that Clients can choose to add into their programmes or not.
Release notes for changes made are kept for reference.
Approval for such changes to be released is made by the Mention Me CTO or a member of the senior engineering team.
Changes made to the configuration of the platform and/or network are documented in a change management system and peer reviewed prior to deployment.
Patches to operating systems are applied on a weekly schedule. Emergency patches which are required because of zero-day exploits are reviewed and applied as quickly as possible. Our platform infrastructure is mostly ephemeral and built from the latest baselines, pre-hardened for our use-case each time we do a deployment (via Docker and ECS). This means that our platform is always up to date with the best practice AWS infrastructure baselines - and doesn’t need explicit patching. Where necessary elsewhere patches are applied on a weekly basis and critical patches as quickly as possible.

3.2 Availability control

We use AWS’s multi-zone capabilities to ensure that the loss of equipment in one physical location does not impact availability – equipment is spread over 3 physically separated locations in Ireland.
We monitor our systems for capacity and regularly load test a replica platform to ensure we can meet future demand. Our use of AWS and GCE allows us to scale horizontally to support large scale traffic spikes.
Our availability target is less than 2 hours of downtime per month.
Our recent availability scores are visible here: https://status.mention-me.com/
Logs are reviewed on an ad-hoc basis in the case of a discrepancy.
We have Business Continuity and Disaster Recovery plans which are tested annually

3.3 Fast recoverability

In most disaster scenarios our multi-zone configuration means we can recover fast from a failure. Our RTO is 12 hours.
We have point-in-time restores from the last 30 days available to recover so our RPO is 1 hour.
We have Business Continuity and Disaster Recovery plans which are tested annually

4. Measures for the regular evaluation of the security of data processing

We operate our ISMS according to ISO27001 including monthly audits, 6 monthly reviews and regular management oversight.
We report on security matters to our Board of Directors.
We have a formal security breach process which includes notifying affected clients within a 24 hour window of us identifying a breach. Logs of security incidents, including root cause analysis are kept and used to take preventative action in future.
Clients have the right to audit us and our processes.