RISKSCREEN CORE TERMS OF USE

These terms govern all use of RiskScreen Core and RiskScreen Pro which occurs after 00.01 UTC on Monday 15^th July 2019. These terms govern the use of the RiskScreen Core and RiskScreen Pro customer screening tools, and access to RiskScreen via the RiskScreen API and constitute Your User Agreement with Us.

Definitions

In these terms of use the words and expressions set out below will have the following meanings:

“Agreement” means the agreement formed between You and Us by Your acceptance of these Terms

“API” means the RiskScreen public Application Program Interface

“Assigned User” means a User of RiskScreen who has been granted access to RiskScreen by an Entitled User and who uses RiskScreen by spending valid Search Tokens granted to him or her by an Entitled User from the Entitled User’s stock of valid Search Tokens

“Completed Search” means a search request which has been sent to RiskScreen as a result of a User clicking the ‘SEARCH RISKSCREEN’ button and which has returned a valid result. A search becomes a “Completed Search” when RiskScreen delivers the results to the User, not when the User completes a report of their search.

“Dow Jones” means Factiva Limited, which is incorporated in England and Wales and whose registered place of business is The News Building, 1 London Bridge Street, London SE1 9GF, United Kingdom, trading as Dow Jones

“Dow Jones Information” means information supplied by Dow Jones and distributed to You via the RiskScreen Service. This information includes the records that are searched when You request a RiskScreen search in respect of a search subject’s sanction, PEP, Watch List or Black List status, and any resulting matches that are displayed to You.

“Entitled User” means a Registered User of RiskScreen in possession of at least one valid Search Token

“Licensors” means the parties which have licensed Us to display and make available to You their intellectual property in the course of the conduct of RiskScreen searches. Our Licensors include, but are not limited to, Dow Jones.

“Registered User” means a User who has provided Us with such identity and contact details as We may require

“RiskScreen” means the RiskScreen search engine versions 2.4 and above. These terms are expressly intended to cater for both RiskScreen Core and RiskScreen Pro, as well as access to the RiskScreen service via the RiskScreen API. References to “RiskScreen” shall be taken to expressly include reference to RiskScreen Core, RiskScreen Pro, and RiskScreen API unless the context clearly requires otherwise.

“RiskScreen API” means the RiskScreen search tool when accessed via the RiskScreen public API

“RiskScreen Core” means the RiskScreen search tool when accessed online via GUI

“RiskScreen Pro” means the RiskScreen Pro enhanced due diligence search tool (also referred to as ‘RiskScreen EDD’)

“RiskScreen Pro Search Token” means an electronic token which can be purchased by Entitled Users and exchanged for Completed Searches on the RiskScreen Pro enhanced due diligence search tool.

“Search Token” means an electronic token which can be purchased by Entitled Users and exchanged for Completed Searches on the RiskScreen search engine versions 2.0 and above.

“Terms” means the terms of use contained in this document and all of its schedules, to which You must agree prior to accessing or using the RiskScreen Service

“The Parties” means You and Us

“The RiskScreen Service” means RiskScreen Core and/or RiskScreen Pro and/or RiskScreen API as the context requires. The RiskScreen Service expressly includes the Dow Jones Information

“Third Party Content” means any text, files, images, photos, graphics, video, sounds, musical works, or any other materials published or posted on or through Our services produced by third parties (e.g. search results provided by RiskScreen but making use of underlying third party material).

“Trial User” means a Registered User of RiskScreen not in possession of at least one valid Search Token

“Us, Our, We” means KYC Global Technologies Ltd, trading as RiskScreen, whose registered office is at 95-97 Halkett Place, St Helier, Jersey, JE1 1BX

“Users” means Registered Users, Entitled Users, Assigned Users and Trial Users of RiskScreen Core and/or RiskScreen Pro as the context may require

“You, Your” means the party which has executed this Agreement by ticking the required box on our website when commencing access to the RiskScreen Service and/or by using the RiskScreen Service after 00.01 UTC on Monday 15^th July 2019

Accessing and Using RiskScreen

• Full access to RiskScreen is available only to Registered Users with valid Search Tokens (“Entitled Users”) and to other Users granted access by Entitled Users (“Assigned Users”) who have agreed to be bound by these Terms, including the Schedules hereto. We may from time to time make trial access available to Registered Users who do not hold valid Search Tokens (“Trial Users”) provided they also agree to these Terms. References made in these terms to “Users” are references to Registered Users, Entitled Users, Assigned Users, and Trial Users, unless the context clearly indicates otherwise.
• We may not offer or make available all of Our services or content to residents of certain countries. The terms in this document bind all Users of RiskScreen, whether they are Registered Users, Entitled Users, Assigned Users, or Trial Users, except where clearly otherwise indicated by these terms.
• These Terms constitute the sole basis on which You agree to access and use RiskScreen and supersede and extinguish all previous agreements, promises, assurances, warranties, representations and understandings, whether written or oral, relating to their subject matter.
• You acknowledge that in accessing and using RiskScreen You have not relied on any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in these Terms.
• You must not misuse RiskScreen by introducing viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful. You must not attempt to gain unauthorised access to RiskScreen, the servers on which RiskScreen is stored or any server, computer or database connected to RiskScreen.
• You may link to Our home page (www.riskscreen.com) on a website that You control, provided that You do so with Our prior permission in writing (which may impose additional terms on You in relation to the website on which You propose to link) and do not suggest any form of association, approval or endorsement on Our part unless that has been specifically agreed. We reserve the right to withdraw permission to link without notice. You may in no circumstances create a link to any part of RiskScreen other than the RiskScreen home page.
• Under no circumstances are You permitted to re-sell access to RiskScreen to any party.

Modifications

• We may, at Our discretion change, remove, suspend or discontinue any aspect of RiskScreen at any time including the availability of any Third Party Content (e.g. the searching of a particular sanctions list).

Our Technology

• RiskScreen’s technology, trademarks, copyright, patents, logos, domain names and other related intellectual property rights or other features of Our brand belong to Us or to Our Licensors. Your use of Our services does not grant You any rights in Our and/or Our Licensor’s intellectual property whether for commercial or non-commercial use save as expressly provided in these Terms.
• We grant Our Users a licence to access and use RiskScreen subject to the following specific usage restrictions:
• You may only use Our services for Your personal, private or internal commercial purposes subject to these Terms.
• You must not commercially exploit, or sell any content appearing on RiskScreen or on the services provided through it, or access to RiskScreen itself, without first obtaining a licence from Us or Our licensors (which We/They may grant in Our/Their sole discretion and subject to the agreement of terms with You).
• You may print off one copy, and may download extracts, of any page(s) from RiskScreen for Your personal use or for internal commercial use within Your business.
• You may refer others within Your organisation to content posted on RiskScreen or search results.
• You must not modify the paper or digital copies of any materials You have printed off or downloaded in any way.
• Our status as the providers of search results on RiskScreen must always be acknowledged.
• If You are in breach of these Terms, Your right to use RiskScreen will cease immediately and You must, at Our option, return or destroy any copies of the materials You have made.
• In consideration for the rights that We have granted You under these Terms, You permit Us to provide advertising and other information to You, including permitting Our third party affiliates to do the same.

Third Party Content

• Third Party Content included as part of Our services (e.g. in the form of search results), is licensed to You either under these Terms of use or through such third party terms and conditions as will be made known to You as and when they become relevant.
• We do not endorse any Third Party Content, nor do We guarantee the accuracy or authority of any Third Party Content.

Dow Jones Information

• RiskScreen’s sanctions, PEP and Watch List/Black List data is provided by Dow Jones (the “Dow Jones Information”). Save as expressly provided in these Terms, You will not acquire any rights in the products, services, or intellectual property rights pertaining to the Dow Jones Information. Infringement of the copyright in the Dow Jones Information will constitute a breach of these Terms.
• By agreeing to these Terms You represent and warrant to Us that:

• You further covenant that such representations and warranties will remain true and correct throughout the term of this Agreement. Except as provided herein, the Dow Jones Information is provided on an "as is", “as available” basis without warranties, conditions or representations of any kind and Dow Jones does not warrant the accuracy, timeliness, completeness, adequacy, merchantability or fitness for a particular purpose of the Dow Jones Information. Dow Jones shall not be liable to You or to any third party in respect of any actual or alleged inaccuracy, untimeliness, inadequacy, merchantability or unfitness of the Dow Jones Information. You shall not make any statement respecting Dow Jones or the Dow Jones Information that is contradictory or inconsistent with the foregoing statements or that has not been approved in writing and in advance by Dow Jones.
• You agree to indemnify RiskScreen, Dow Jones and members of the Dow Jones Group and each of its respective officers, directors and employees, agents and representatives (the “Dow Jones Parties”) against any and all loss or damage suffered by RiskScreen or the Dow Jones Parties arising out of any use of the Dow Jones Information by You beyond the rights expressly granted under this Agreement or in breach of the terms of this Agreement.
• You acknowledge that RiskScreen is not a “consumer reporting agency” and that the Dow Jones Information does not constitute a “consumer report” or “investigative consumer report” as such terms are defined in the Fair Credit Reporting Act, 15 U.S.C. §1681, et seq. (FCRA), or any applicable state fair credit reporting laws. Accordingly, You represent and warrant that You will not use the Dow Jones Information for any permissible purpose under FCRA or applicable state or national fair credit reporting laws. You shall indemnify, defend and hold harmless RiskScreen, Dow Jones or its Affiliates for any loss or damage suffered arising out of any breach by You of the representation and warranty given by You in this Section 6.5.
• Other than pursuant to section 8.1, neither Dow Jones nor RiskScreen shall be liable to You (jointly or severally) for any of the following types of loss: (a) any special, indirect or consequential loss; (b) any incidental, punitive and/or exemplary damages; (c) loss of profits (whether direct or indirect); (d) loss of business (whether direct or indirect); (e) loss of anticipated savings or loss of revenues (in either case, whether direct or indirect); and/or (f) loss of reputation or goodwill (in either case, whether direct or indirect) (collectively the “Excluded Damages”) howsoever arising, whether or not characterised in negligence, tort, breach of statutory duty, contract, or other basis of liability, even if any of the other party has been advised of the possibility of or could have foreseen any of the Excluded Damages and the protection of this clause shall also extend to Dow Jones.

Reliance on Information and Services

• We will always aim to provide You with the best service We can and will use Our reasonable endeavours to update the information on RiskScreen. However, we make no representations, warranties or guarantees, whether express or implied, that the content on RiskScreen is accurate, complete or up-to-date.
• The information provided by RiskScreen is for information purposes only and does not constitute advice on which You should rely.
• All of the information provided by RiskScreen is supplied by third parties. We have no control over Third Party Content and We are unable to guarantee the accuracy of such Third Party Content. You agree that You access any content at Your own risk. Before relying on any information, whether it is from Us or from Our Third Party partners, We advise You to verify the accuracy of such information.
• RiskScreen provides a facility by which names of individuals or legal entities may be entered in the characters of their original language. While We believe that entering such names in the characters of their original language will produce a robust and relevant search result, We cannot guarantee that entering a name in the characters of its original language will produce the same result as if it were entered transliterated into the characters of the Latin alphabet.
• RiskScreen enables the simultaneous searching of sanctions lists, PEP lists, Watch Lists, Black Lists, web sources, and certain deep web sources. However, We cannot guarantee that any particular combination of such sources will be available at the time when You conduct Your search.
• Sanctions lists, PEP lists, Watch Lists and Black Lists searched by RiskScreen may be updated by their authors without notice. Whilst We will make reasonable efforts to ensure that changes to all such lists are reflected within RiskScreen’s search results as soon as possible after they occur, We cannot guarantee that this will always take place within a set period of time.
• Original entries on certain sanctions lists, PEP lists, Watch Lists and black lists may be published in the alphabet of a primary language which does not use the Latin alphabet. Where this is the case Our Third Party content providers will make reasonable efforts to translate or transliterate the information on those lists using characters of the Latin alphabet, but for reasons of the structure and grammar of the primary language it may not always be possible to provide an exact transliteration of names in the characters of one alphabet into those of another.
• The compilation of lists of Politically Exposed Persons is an inherently uncertain exercise. Certain jurisdictions may choose not to make the necessary information publically available; others may do so after a period of delay. The definition of a Politically Exposed Person is also variable in some jurisdictions and territories. The providers of RiskScreen’s PEP lists make all reasonable efforts to keep the information therein current, accurate and complete, but no guarantee is made that it is so. RiskScreen’s PEP lists are assembled using the definition of PEP status adopted by the Wolfsberg Group. For further information, visit https://www.wolfsberg-principles.com/

Site Availability

Whilst We will do Our best to ensure that RiskScreen is fully operational at all times, We are not responsible for and shall not be liable to You for any problems or temporary interruptions in using RiskScreen arising from factors outside of Our control (e.g. technical problems from traffic congestion on the internet) or for any problems arising from participating in or from downloading Third Party Content.

Limitation of Our Liability to You

• Nothing in these terms of use excludes or limits Our liability for death or personal injury arising from Our negligence, or for fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by the law of Jersey.
• To the extent permitted by law, We exclude all conditions, warranties, representations or other terms which may apply to RiskScreen or any content on it, whether express or implied.
• We will not be liable to You for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with:
• use of, or inability to use, RiskScreen; or
• use of or reliance placed on any content displayed on RiskScreen, or on the absence of content displayed on RiskScreen (e.g. nil returns to search queries).

In particular, We will not be liable to You for:

• any indirect or consequential loss or damage.
• loss of profits, sales, business, or revenue;
• business interruption;
• loss of anticipated savings;
• loss of business opportunity, goodwill or reputation; or
• any regulatory, legal or other penalty, sanction or other determination to which You are subject as a result, in whole or in part, of Your usage of RiskScreen.
• In so far as We may be liable to You Our total liability to You in contract, tort (including without limitation negligence or breach of statutory duty howsoever arising and including the acts or omissions of its employees, agents and sub-contractors), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in in connection with the RiskScreen service shall be limited to £5,000 GBP or the total amount that You have paid to us in licence fees for RiskScreen over the preceding twelve months, whichever is lower.
• You are responsible for the computer hardware and software that You use to access RiskScreen. You should use Your own virus protection software. We will take reasonable steps to put in place and maintain firewalls, virus protection and other technical security measures but We will not be liable for any loss or damage caused by:
• a virus;
• denial-of-service attack,
• or any material that may infect Your computer equipment, computer programs, data or other material as a result of Your use of RiskScreen or downloading content on it, or on any website linked to it.
• We assume no responsibility for the content of any websites linked to RiskScreen. We do not endorse those linked websites. We will not be liable for any loss or damage that may arise from Your use of them.

Assignment

• You may not, without Our prior written consent, charge, sub-contract or deal in any other manner with all or any of Your rights or obligations as a User except in accordance with the ‘Entitled Usage Terms’ at Schedule 2 to these Terms.
• We may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of Our rights or obligations in relation to the provision of the RiskScreen Service.

Partnership and Agency

The provision by Us of the RiskScreen Service shall not operate to create a partnership between Us, or to authorise You or Us to act as agent for each other.

Third Party Rights

No one other than You or Us, or Our successors and permitted assignees, shall have any right to enforce any of these terms.

Changes to Our terms

We reserve the right to amend these terms of use at any time to ensure that We remain compliant with relevant laws and regulations or for any other purpose whatsoever. By continuing to use Our services after You have been notified of any changes being made, You accept those changes and will be bound by them. Any variations to these terms sought by You must be agreed in writing between Us and You.

Notices

• Any notice or other communication given to Us in connection with the RiskScreen service in accordance with these terms shall be in writing and shall be delivered by hand or by pre-paid first-class post or other next working day delivery service at Our registered office.
• Any notice or communication shall be deemed to have been received:
• if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; or
• if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service.
• This provision does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
• For the purposes of the giving of notice in accordance with these terms, “writing” shall not include email unless specifically stated.

Waiver

No failure or delay by You or Us to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

Termination

• We may terminate Your usage of RiskScreen if You fail to make payment in accordance with the terms set out at Schedule 2. We may also terminate Your usage of RiskScreen if You commit a material breach of any these terms where that breach is irremediable or (if such breach is remediable) You fail to remedy that breach within a period of 14 days after being notified by email to do so.
• We reserve the right to terminate Your usage of RiskScreen immediately and without notice in the event that You become subject to sanctions measures issued by one or more of the United Nations, the European Union, the United Kingdom or the United States of America.

The Effect of Termination

• Any of these terms that expressly or by implication are intended to come into or continue in force on or after termination or cancellation shall remain in full force and effect.
• Termination of Your access to the RiskScreen service shall not affect any rights, remedies, obligations or liabilities that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination.

Force Majeure

We shall not in any circumstances have any liability to You if We are prevented from, or delayed in providing the RiskScreen service by omissions or accidents beyond Our reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes, failure of a utility service or transport network, act of God, war, riot, civil commotion, act of terrorism, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors.

The Law that Governs Our Services

These website terms of use and any dispute or claim arising out of or in connection with them (including non-contractual disputes or claims) are governed by and construed in accordance with the laws of the Bailiwick of Jersey and will be subject to the exclusive jurisdiction of the Jersey courts. If any of these terms should be determined to be illegal, invalid or otherwise unenforceable by reason of the laws of any state or country in which these terms are intended to be effective, then to the extent and within the jurisdiction which that term is illegal, invalid or unenforceable, it shall be severed and deleted and the remaining terms of use shall survive, remain in full force and effect and continue to be binding and enforceable.

Agreement to be Bound by these Terms

• You agree that You will indicate Your complete understanding of, and agreement to be bound by, these Terms by checking a box with wording to that effect on an electronic form which will be provided to You by Us. The date and time from which these Terms shall have effect with regard to You shall be the date and time at which You check the box. No wet ink signature or other form of electronic signature shall be required of You to make these Terms effective, however we may additionally require You to provide a wet ink or electronic signature at our discretion. Should we so require, You will be bound by Your wet ink or electronic signature just as You would be by checking a box on an electronic form as outlined above in this paragraph
• You further warrant and represent that You have sufficient authority to bind Your organisation in respect of the requirements of these Terms.
• Notwithstanding the provisions at clauses 19.1 and 19.2 above, Your usage of RiskScreen on or after 00.01 UTC on Monday 15^th July 2019 shall constitute full, final and irrevocable acceptance of these Terms in their entirety on Your part and that of Your organisation.

SCHEDULE 1 – THE RISKSCREEN SERVICE

The following description of what RiskScreen is, and is not, is important. Please read it carefully to ensure that You fully understand the capabilities and limitations of the service which RiskScreen offers.

What RiskScreen is

RiskScreen is an advanced and specialised form of search engine with access to a significant number of open sources, including the general web, certain parts of the deep web, and national sanctions databases. It also maintains access to regularly updated databases of Politically Exposed Persons, national Watch Lists and Black Lists, provided by Dow Jones. The main categories of Politically Exposed Persons maintained on the Dow Jones database utilised by RiskScreen are as follows:

• Heads of State, National and Regional Government;
• National and Regional Government Ministers and Senior Civil Servants;
• Embassy and Consular Staff;
• Senior Members of the Armed Forces;
• Senior Members of the Judiciary;
• Political Party Officials;
• Members of the National Legislature;
• Senior Members of the Police Force;
• Senior Secret Service Officials;
• State Corporation Executives;
• Local public officials;
• Religious Leaders;
• City Mayors;
• International Organisation Officials;
• National NGO officials;
• Political pressure and labour group officials;
• State agency officials;
• Family Members and associates of the persons described above;
• Individuals and entities within jurisdictions which are subject to sanctions or trade embargoes issued by the UN, OFAC or other similar institutions along with jurisdiction risk ratings. (The risk ratings applied against the jurisdictions are provided by the UN, OFAC or other similar institutions. Dow Jones does not impose any risk rating itself nor make any value judgment on this data.)

A full list of the countries and territories for which Politically Exposed Persons data is maintained can be viewed here /pep-coverage/. Note that the countries and territories for which PEP data is supplied by RiskScreen are liable to change without notice, and that RiskScreen cannot guarantee that all the above categories of PEP will be held for all countries for which PEP data is maintained. To see the lists currently searched, visit the hyperlink/URL above. A full list of the Watch Lists and Black Lists searched by RiskScreen can be viewed here https://search.riskscreen.com/help/watch-list-coverage. Note that the Watch Lists and Black Lists searched by RiskScreen are liable to change without notice. Whilst RiskScreen’s suppliers make all reasonable efforts to maintain PEP, Watch List and Black List data which is current, accurate and comprehensive, RiskScreen makes no warranties or representations regarding the accuracy, currency or completeness of its PEP, Watch List, Black List or Sanctions List data. The onus remains on You at all times to satisfy Yourself as to the accuracy, currency or completeness of any results – including nil returns – which may be produced by searches of RiskScreen. RiskScreen is owned and operated by KYC Global Technologies Limited, trading as RiskScreen.

What RiskScreen is not

RiskScreen has very powerful search capabilities but the information which it searches is limited to that provided by third parties. No research, analysis or other such work is carried out by KYC Global Technologies or its affiliates in connection with the individuals and entities submitted to RiskScreen as search queries. Search results are presented in order of relevance as determined by algorithms utilised by RiskScreen but there is no human intervention in this process. KYC Global Technologies cannot guarantee that, from a User’s perspective, the most relevant results in respect of a search query will be displayed first, or will be visible on the first page of search results. Nor can it guarantee the accuracy, currency or completeness of the content identified in search results drawn from third parties. The onus remains at all times on You as a User to critically interrogate and analyse the results which RiskScreen produces as You would the results of any other search engine.

SCHEDULE 2 – ACCESS, USERS, PAYMENT AND CANCELLATION

Please read the terms in this Schedule carefully as they set out the terms for Your Entitled Usage of RiskScreen. If You access RiskScreen as an Assigned User as a result of being granted access by an Entitled User, these Terms will apply to Your usage as far as they are relevant. The duration of Your access is determined by the Entitled User. Any person over the age of 18 can become an Entitled User but We reserve the right to exclude certain territories from time to time and limit the entitlements on offer in any country. You must be 18 or older and have the power to enter into a contract with Us and not be prevented from doing so under any local laws. Access to RiskScreen Core is by way of a rolling twelve month subscription which, once commenced, automatically renews every twelve months unless cancelled in accordance with the procedure set out under ‘How can I cancel?’ below. Unless You change the volume of searches purchased, You will receive the same Search Bundle every twelve months as that which You first purchased from us. By registering to become an Entitled User, You agree that You have given Us accurate registration details, including payment information and will ensure that We always have up to date contact information. When You become an Entitled User, We will provide You with a username and password to enable You to access RiskScreen. You agree that You will ensure that Your username and password will only be used by You and will be kept secure and confidential. Access to and use of password protected or secure areas of RiskScreen is restricted to authorised Users only. You may not share Your password, account information, or access to RiskScreen, but You may grant access to Assigned Users, provided that You do not levy any charge or receive any reward from Assigned Users or their employers, employees or associates for granting them access to RiskScreen. You are responsible for all activities that occur under Your password or account or as a result of Your having granted Assigned Users access to RiskScreen. You agree to notify Us immediately of any unauthorised use of Your password or account. We reserve the right to refuse any application for access to RiskScreen or to revoke Your access to RiskScreen for any reason and We are under no obligation to divulge that reason to You or any applicant.

What is the duration of my access to RiskScreen?

Entitled User access to RiskScreen is granted to Registered Users who purchase one or more ‘bundles’ of RiskScreen Search Tokens. Your access as an Entitled User will start immediately once You have paid the required set up fee and Your first monthly payment/annual payment in advance, and will continue for as long as You continue to pay the required fee as follows:

• If paying annually in advance, until the expiry of the period lasting one calendar year since Your last full payment was received, or, until Your RiskScreen Search Tokens are exhausted, whichever comes first.
• If paying monthly in advance, until the expiry of the period lasting one calendar year since Your last bundle of RiskScreen Search Tokens was received by You, provided that You have made all required monthly payments in full since that date, or¸ until Your RiskScreen Search Tokens are exhausted, whichever comes first. If, paying monthly, You fail to make any required monthly payment within such time period as we may reasonably nominate, Your access to RiskScreen Core may be terminated at Our option. If Your access to RiskScreen Core is terminated in this manner, all unused RiskScreen Search Tokens on Your account will automatically expire.

All unused RiskScreen Search Tokens expire one year after purchase. Purchasing a new bundle of RiskScreen Search Tokens before the expiry of the remaining Search Tokens bought as part of a prior bundle will not extend the life of those other tokens. If at the end of a period lasting one calendar year from the date on which You received a bundle of RiskScreen Search Tokens You still have any unused Search Tokens from that bundle, those tokens will expire, and it will no longer be possible to redeem or exchange them for any RiskScreen searches, nor will they have any residual value whatsoever. For example, if at noon on 1 January 2018 You had purchased a bundle of 1,000 Search Tokens, and at 11.59am on 1 January 2019 You had 25 Search Tokens remaining, those tokens would expire at noon on 1 January 2019 and could not be used for any further searches. Unless You cancel Your subscription in accordance with the ‘How can I cancel?’ section below, it will automatically renew on the anniversary of the date on which Your access first commenced and You will be granted a new bundle of RiskScreen Search Tokens of the same size as that which You first purchased. You can amend the size of the bundle which You would like to receive on renewal by contacting us at least thirty days in advance of Your renewal date.

What does my access to RiskScreen cost?

To become an Entitled User of RiskScreen You must purchase at least one bundle of RiskScreen Search Tokens and pay the required set up fee. If not used, RiskScreen Search Tokens expire one year after purchase. Unexpired RiskScreen Search Tokens may be exchanged for searches conducted on the RiskScreen tool versions 2.4 and above (not including RiskScreen Pro) at a ratio of one Search Token to one Completed Search. Unexpired RiskScreen Search Tokens may be exchanged for searches conducted on the RiskScreen Pro tool at a ratio of ten RiskScreen Search Tokens to one RiskScreen Pro Completed Search. KYC Global Technologies may also sell bundles of RiskScreen Pro Search Tokens. Each RiskScreen Pro Search Token may be exchanged for a RiskScreen Pro search at a ratio of one RiskScreen Pro token to one completed RiskScreen Pro search. RiskScreen Pro Search Tokens cannot be exchanged for RiskScreen Search Tokens or used to pay for searches conducted on the RiskScreen tool versions 2.4 and above. The cost of Your bundle of RiskScreen Search Tokens will be made clear to You on Our sign-up pages and in Your welcome email and may vary from time to time or by country. You agree to pay the fees at the rates notified to You at the time You purchase Your bundle, together with a one off set up fee prior to Your access commencing. We may in Our discretion vary the fees required to purchase a RiskScreen Search bundle from time to time. If the cost of Your next bundle is due to increase by more than 5% since Your last purchase of a bundle of Search Tokens, we will notify You of the same at least 60 days in advance of the renewal of Your annual subscription. Payment can be made using all major credit or debit cards and by direct debit. Where relevant, currency conversion values may fluctuate and conversion fees may be charged by Your bank. By submitting payment details to Us, You promise that You are entitled to purchase access to RiskScreen using those payment details. We reserve the right to change fundamental details of the service which We provide with 30 days’ notice and affected Users may terminate their access to RiskScreen within this notice period.

Can I grant access to other Users?

Entitled Users are permitted to grant access to RiskScreen to as many Assigned Users as they wish, subject to the conditions below. Assigned Users are permitted to conduct searches in RiskScreen provided they first agree to all of the Terms set out in this Agreement. Payment to RiskScreen for the Assigned User’s searches is made by using Search Tokens owned by the Entitled User who granted access to the Assigned User concerned. The cost of performing searches in RiskScreen is the same for an Assigned User as for an Entitled User. Under no circumstances may an Entitled User resell access to RiskScreen to an Assigned User or otherwise charge an Assigned User for granting access to RiskScreen, or profit from that access. Nor may an Assigned User sell access to or the results of RiskScreen searches, or profit from that access. Assigned Users must be bona fide directors, employees, contractors or associates of the same legal entity as employs, contracts with or is directed by the Entitled User. The provision of Assigned User access to RiskScreen to clients or prospective clients of the Entitled User or of the legal entity of which the Entitled User is a director, employee or associate is strictly prohibited.

How can I cancel?

You cancel Your access and the renewal of Your subscription by sending a notice to Us via email addressed to accountmanagement@kyc360.com from Your registered email address on a date which is at least 30 days before Your next annual renewal date. Notifications of Your desire to cancel received by Us after this date will not have effect. When cancelling Your access to RiskScreen, please state the following information in Your email:

• That You would like to cancel Your access to RiskScreen and stating that this is a notice of cancellation;
• When You last purchased a bundle of RiskScreen Search Tokens; and
• Your name and address.

On receipt of a valid notification from You, We will contact You via email to confirm the cancellation of Your Service, which will have effect from the date when Your next annual renewal was due to take place.

Can I get a refund if I cancel?

If You cancel Your access to RiskScreen within 14 days of the first day on which You received access, and You have not used any Search Tokens, We will refund any payments received from You using the same method of payment that You used to purchase Your bundle of Search Tokens. You will not be entitled to a refund of Your initial payment if You cancel after the first 14 days of the start of Your access to RiskScreen, or if You have used any Search Tokens.

How can We change these Terms?

We may amend these Terms at any time to ensure that We remain compliant with relevant laws and regulations or for any other reason whatsoever. If We make any important changes to these Terms We will notify You by email or by notice on the RiskScreen website.

What happens if I default on a payment?

If You default on any payment, We may:

• terminate Your access to RiskScreen;
• charge You for any Search Tokens which You have used for which You have not paid;
• send Your details to third party debt collectors; and/or
• take any action which is necessary in Our opinion to recover Our losses.

If Your access to RiskScreen has been terminated and You would like to regain access, We have the right to require payment in full of any outstanding amount owed to Us before granting You access.

How do I make a complaint?

If You would like to get in touch with Us to make a complaint, please use one of the following options:

• by email, please email Us on info@riskscreen.com;
• by post to RiskScreen User Services at 95-97 Halkett Place, St Helier, Jersey, JE1 1BX, GB.

Is there anything else I should know?

We may at any time and at Our sole discretion, terminate Your access to RiskScreen upon reasonable notice, and upon no notice where We believe that We have serious grounds to terminate (for example, for non-payment or breach of these terms). We may screen Your name and address against credit reference and fraud prevention databases when We decide whether or not to accept Your application for access to RiskScreen.  By providing Us with Your details, You confirm that We may carry out these checks. If We do not accept Your application for access to RiskScreen, We will terminate Your access and reimburse any payment that You have made. In addition to these standard access terms, You will also be subject to any specific terms relating to the offers made available to Our Users from time to time. If You are found to be abusing the terms of any of Our offers, We have the right to suspend and/or terminate Your access to RiskScreen and/or offer agreement with Us.

SCHEDULE 3 – PRIVACY AND DATA PROTECTION

Privacy

By becoming an Entitled User of RiskScreen, You agree that We may in Our discretion publicise the fact of Your usage of RiskScreen in marketing or advertising communications made by or on behalf of the KYC Global Technologies, including by use of Your logos, names, trademarks and brand imagery, provided that We do not attribute any endorsement to You other than the bare fact of Your usage of Our services, without Your prior written consent. For other details of how We will process Your personal information, please see Our Privacy Policy, which may be viewed at /riskscreen-privacy-policy/.

Data Protection

This Schedule 3 replaces the Schedule 3 which formed part of the Agreement between You and Us signed on or before 23 May 2018

Definitions

In this Schedule 3 the following terms shall have the following meanings:

“clause”: a clause in this Schedule 3.

“EEA”: European Economic Area.

“EU Data Protection Law”: EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

“GDPR”: EU General Data Protection Regulation 2016/679.

“Third Country”: a country that is not in the European Economic Area.

“Your personal data”: all personal data processed by Us or a sub-processor on behalf of You, including special personal data.

1.1 The terms “controller”, “data subject”, “special personal data”, “supervisory authority”, “personal data”, “personal data breach”, “processor” and “processing” shall have the same meaning as in the GDPR.

General

2.1 The Parties will comply with all applicable requirements under EU Data Protection Law. This Schedule 3 is in addition to, and does not relieve, remove or replace, Your or Our obligations under EU Data Protection Law.

2.2 For the purposes of this Schedule 3 We are a data processor within the meaning of the GDPR and You are a data controller within the meaning of the GDPR.

2.3 Under this Schedule 3 the personal data that We agree to process on Your behalf when You access and use Riskscreen for the purposes described in Schedule 1 of this Agreement is the following:

1. Names of individuals
2. Countries of association
3. Dates of birth
4. Gender
5. Personal Identification Document Number

2.4 Under this Schedule 3 the personal data that We agree to process on Your behalf when You access and use Riskscreen for the purposes described in Schedule 1 of this Agreement pertains to Your clients and customers (who are, for the avoidance of doubt, the data subjects for the purposes of this Agreement).

2.5 Without prejudice to the generality of clause 2.1 of this Schedule 3, You will ensure that You have all necessary consents and notices in place to enable lawful transfer of personal data to Us for the duration and purposes of this Agreement.

2.6 The Parties may from time to time agree to make such reasonable adjustments to the personal data in clause 2.3 and the categories of data subject in clause 2.4 as they consider necessary to comply with their obligations under Art.28 of the GDPR.

2.7 The duration of Our processing of Your personal data will be for the period necessary for Us to fulfil Our obligations to You under this Agreement.

Processing by Us

3.1 We shall:

• comply with all applicable EU Data Protection Law in the processing of Your personal data;
• not process Your personal data other than on Your documented instructions unless processing is required by Union or Member State law to which We are subject, in which case We shall to the extent permitted by the applicable law inform You of that legal requirement before the relevant processing of that personal data.

3.2 We shall take reasonable steps:

• to ensure the reliability of any employee or agent of Ours or any sub-processor who may have access to Your personal data, ensuring in each case that access is strictly limited to those individuals who need to know or access Your personal data as strictly necessary for the purposes of Our processing of Your personal data, and
• to comply with EU Data Protection Law in the context of those individuals’ duties to Us, ensuring that each of those individuals is subject to a confidentiality agreement or professional or statutory obligations of confidentiality.

3.3 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing to be undertaken by Us, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, We shall in relation to Your personal data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, We shall take account in particular of the risks that are presented by the processing, in particular from a personal data breach.

3.4 Taking into account the nature of the processing to be undertaken, We shall assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Your obligation to respond to requests for exercising the data subject’s rights under EU Data Protection Law.

3.5 We shall:

• promptly notify You if We receive a request from a data subject under EU Data Protection Law in respect of Your personal data;
• not respond to such request except on Your documented instructions or as required by any applicable law to which We are subject, in which case We shall, to the extent permitted by such applicable law, inform You of that legal requirement before We respond to the request.

3.6 We shall:

• notify You without any undue delay upon Us becoming aware of a personal data breach affecting Your personal data, providing You with sufficient information to enable You to meet any obligations to report or inform data subjects of the personal data breach under EU Data Protection Law;
• co-operate with You and take such reasonable commercial steps as are directed by You to assist in the investigation, mitigation and remediation of each personal data breach.

3.7 You agree that We may transfer personal data outside of the EEA under the Agreement (hereinafter ‘Permitted Transfers’) where:

• the transfer of any such personal data is being made to a third party which is located in a jurisdiction which the European Commission has decided pursuant to Art.45(3) of the GDPR that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organisation in question ensures an adequate level of protection (hereinafter ‘Adequate Jurisdictions’ or an ‘Adequate Jurisdiction’); or
• the transfer of any such personal data is being made to a third party where we have approved transfer mechanisms in place to protect Your personal data – i.e., by entering into the European Commission’s Standard Contractual Clauses (hereinafter ‘Approved Contracts).

3.8 In the case of Us transferring Your personal data under the Agreement to those processors (hereinafter ‘sub-processors’) listed below at clause 4.1, since this will (i) involve the transfer of personal data outside of the EEA and (ii) not to an Adequate Jurisdiction or (iii) not subject to an Approved Contract, You hereby warrant that: 3.8.1 You have obtained the explicit consent of the data subject for such a transfer, as described by clause 3.8, to take place; and 3.8.2 before obtaining the explicit consent of the data subject in accordance with clause 3.8.1, You informed the data subject of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. 3.9 You agree that We can make any necessary consequential amendments to clause 3.8 in order to reflect whether or not a transfer of Your personal data to those sub-processors contained in clause 4.1 will involve (i) the transfer of personal data outside of the EEA and (ii) not to an Adequate Jurisdiction or (iii) not subject to an Approved Contract. 3.10 Where the European Commission has made no adequacy decision pursuant to Art.45(3) of the GDPR in relation to a Third Country, territory or specified sector within that Third Country, or international organisation, You agree that We may also transfer Your personal data where one of the other derogations in Art.49 of the GDPR applies to the transfer.

Sub-Processing

4.1 You agree that We can use the following sub-processors at the date of the Agreement, subject to Us in each case as soon as practicable meeting the obligations set out in clause 4.5. You acknowledge that usage of each of these sub-processors is confined to searches conducted in the RiskScreen Pro tool, where You have expressly requested to search the database of the sub-processor concerned by selecting it as a source for Your Search. We warrant that no data is passed to any of these sub-processors at any time or for any purpose in the course of a RiskScreen Core search or a RiskScreen API search:

Sub-processor	Sub-processor Location
Investigative Dashboard	Operated by the Organised Crime and Corruption Reporting Project (OCCRP), a registered name of the Journalism Development Network, a charity based in Maryland, USA
OpenCorporates	Operated by OpenCorporates Ltd, a UK limited company, but servers hosted globally
Wikileaks	Sweden (a country within the EEA) but servers hosted globally

• You agree that We can use the following sub-processors in the course of searches conducted in the RiskScreen Core and RiskScreen Pro tools, subject to Us in each case as soon as practicable meeting the obligations set out in clause 4.5. The use of these sub-processors is confined to searches where You have expressly requested to search ‘Adverse Media’ sources.

Sub-processor	Sub-processor Location
Google LLC	Headquartered in the US with servers hosted globally
Bing (Microsoft Corporation)	Headquartered in the US with servers hosted globally

4.2 We shall not engage another sub-processor (other than: (i) sub-processors located in the EEA; (ii) sub-processors located in an Adequate Jurisdiction; or (iii) subject to an Approved Contract) to process Your personal data without Your prior written authorisation.

4.3 We shall give You prior written notice of the appointment of any new sub-processor (other than: (i) sub-processors located in the EEA; (ii) sub-processors located in an Adequate Jurisdiction; or (iii) subject to an Approved Contract), including full details of the processing to be undertaken by the sub-processor. If within 14 days of the receipt of that notice You notify Us in writing of any objections (on reasonable grounds) to the proposed appointment, We shall not appoint the proposed sub-processor nor disclose any of Your personal data to the proposed sub-processor.

4.4 With respect to each sub-processor appointed pursuant to this clause 4 (and for the avoidance of doubt excluding: (i) sub-processors located in the EEA; (ii) sub-processors located in an Adequate Jurisdiction; and (iii) subject to an Approved Contract), We shall:

• 4.4.1 before the sub-processor first processes Your personal data carry out adequate due diligence to ensure that the sub-processor is capable of providing the level of protection for Your personal data required by EU Data Protection Law;
• 4.4.2 ensure that the arrangement between Us and the sub-processor is governed by a written contract including terms which offer at least the same level of protection for Your personal data as those set out in this Schedule and meet the requirements of Art.28(3) of the GDPR;
• 4.4.3 provide to You for review such copies of Our agreements with sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Schedule) as You may request from time to time.
• 4.4.4 We shall ensure that each sub-processor performs the obligations under clauses 3.1, 3.2, 3.3, 5.1, 6.2, 7.1 and 9.1, as they apply to processing of Your personal data carried out by that sub-processor, as if it were party to this Agreement in place of Us.

4.5 Where a sub-processor fails to fulfil its data protection obligations under EU Data Protection Law, We shall remain liable to You for the performance of that other processor’s obligations.

Data Subject Rights

5.1 Taking into account the nature of the Processing, We shall assist You by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Your obligations, as reasonably understood by Us, to respond to requests to exercise data subject rights under EU Data Protection Law.

5.2 We shall:

• promptly notify You if We or any sub-processor receives a request from a Data Subject under any EU Data Protection Law in respect of Your personal data; and
• ensure that neither We nor any sub-processor responds to that request except on the documented instructions of You or as required by applicable laws to which We or the sub-processor is subject, in which case We shall to the extent permitted by EU Data Protection Law inform You of that legal requirement before either We or the sub-processor (as the case may be) responds to the request.

Personal Data Breach

6.1 We shall notify You without undue delay upon Us or any sub-processor’s becoming aware of a personal data breach affecting Your personal data, providing You with sufficient information for You to meet any obligations to report or inform data subjects or other supervisory authorities (within the meaning of Art.51 of the GDPR) of the personal data breach under EU Data Protection Law. Such notification shall as a minimum:

• describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned;
• communicate the name and contact details of Our relevant contact from whom more information may be obtained;
• describe the likely consequences of the personal data breach; and
• describe the measures taken or proposed to be taken to address the personal data breach.

6.2 We shall co-operate with You and take such reasonable commercial steps as are directed by You to assist in the investigation, mitigation and remediation of each such personal data breach.

Data Protection Impact Assessments and Prior Consultation

7.1 We shall provide reasonable assistance to You with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which You reasonably consider to be required by Arts.35 or 36 of the GDPR or equivalent provisions of any other EU Data Protection Law, in each case solely in relation to processing of Your personal data by, and taking into account the nature of the processing and information available to, Us or a sub-processor.

Deletion or return of Your personal data

• 8.1 Subject to clauses 8.2 and 8.3 We shall promptly and in any event within 7 days of the date of cessation of any services involving the processing of Your personal data as determined by Schedule 2 (the ‘Cessation Date’), delete and procure the deletion of all copies of Your personal data.
• 8.2 Subject to clause 8.3, You may in Your absolute discretion by written notice to Us within 14 days of the Cessation Date require Us to (a) return a complete copy of all Your personal data to You by secure file transfer in such format as is reasonably notified by You to Us; and (b) delete and procure the deletion of all other copies of Your personal data processed by any sub-processor. We shall comply with any such written request within 14 days of the Cessation Date.
• 8.3 We and each sub-processor may retain Your personal data to the extent required by EU Data Protection Law and only to the extent and for such period as required by EU Data Protection Law and always provided that We shall ensure the confidentiality of all of Your personal data and shall ensure that Your personal data is only processed as necessary for the purposes specified in the EU Data Protection Law requiring its storage and for no other purpose.
• 8.4 We shall provide written certification to You that We and each sub-processor has fully complied with this clause 8 within 30 days of the Cessation Date.

Audit rights

• 9.1 Subject to clauses 9.2 to 9.4 We shall make available to You on request all information necessary to demonstrate compliance with this Schedule 3, and shall allow for and contribute to audits, including inspections, by You or an auditor mandated by You in relation to the processing of Your personal data by Us or Our sub-processors.
• 9.2 You shall give Us reasonable notice of any audit or inspection to be conducted under clause 9.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Our premises, equipment, personnel and business while Your personnel are on those premises in the course of such an audit or inspection.
• 9.3 We need not give access to Our premises for the purposes of such an audit or inspection:
  • to any individual unless he or she produces reasonable evidence of identity and authority;
  • outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and You have given notice to Us that this is the case before attendance outside those hours begins; or
  • for the purposes of more than one audit or inspection in any calendar year, except for any additional audits or inspections which:
• 9.4 You reasonably consider necessary because of genuine concerns as to Our compliance with this Schedule; or
• 9.5 You are required or requested to carry out by EU Data Protection Law, a supervisory authority or any similar regulatory authority responsible for the enforcement of EU Data Protection Law in any country or territory,

where You have identified Your concerns or the relevant requirement or request in Your notice to Us of the audit or inspection.