Effective date: 2nd September 2025

BY VISITING OUR WEBSITE, SUBSCRIBING TO OUR PLATFORM, AND USING OUR WEB-BASED APP AND SERVICES, YOU AGREE TO BE BOUND BY THE FOLLOWING TERMS.

IF YOU DO NOT AGREE TO THESE TERMS, YOU SHALL STOP USING OUR SERVICES IMMEDIATELY.

BY AGREEING TO THESE TERMS, YOU ALSO AGREE TO BE BOUND BY THE DATA PROCESSING ADDENDUM, WHICH IS ANNEXED TO THESE TERMS AND CONDITIONS.

Organisation Name: Behaviour Help Pty Ltd

Business address: 5A Hartnett Close, Mulgrave, Victoria 3170, Australia

Contact email: team@behaviourhelp.com

“Account” shall mean an account enabling a User to access and use our Website and web-based app.

“App” / “Web-based App” shall mean the Behaviour Help App as described at: https://behaviourhelp.app/

“Agreement” / “Terms” / “Terms and Conditions” shall mean all Terms and Conditions contained in this document.

“Customer”/ “User”/ “You” shall mean the individual who accesses, uses our Website and web-based app, and subscribes to our Services.

“End-user” / “Supported Individuals” means individuals to whom the User provides his/her own services or for whose benefit the User uses the Services.

“Fees” shall mean the fees we charge for our Services.

"Service"/ “Services” / “Platform” shall mean all of the services, whether paid or free, that are made available to the Users through our Website, Web-based App, or Software.

“Subscription” / “Subscription Service” shall mean your access to and use of our Services through recurring payment of fees.

“Website” shall mean https://behaviourhelp.app/

“Us” / “We” / “Service Provider” / “Company” shall mean Behaviour Help Pty Ltd

These terms and conditions (the Terms) apply to your use of the Behaviour Help App, whether made available via our website or application (the Platform), and our website Behaviour Help App including all applications, tools, information, content, material,s and data made available to you time to time by Behaviour Help Pty Ltd.

Please read these Terms carefully before using or accessing the Platform. By using or accessing the Platform, our Website, or our Services, you agree to comply with these Terms and acknowledge that these Terms create a binding, legal agreement between us and you. If you do not agree to these Terms, immediately stop accessing, browsing, or using the Platform and our Website.

To the extent they are applicable, these Terms shall also apply to the individuals who visit and browse through our Website and to individuals who engage with Us outside the Website and Platform.

The Platform is a software solution designed to assist users (including educators, behaviour support practitioners, therapists, and mental health professionals) in collating and generating Functional Behaviour Assessments and Positive Behaviour Support Plans for the individuals they support (such as clients, students, or participants).

Our web-based app provides Users with a range of functionalities, features, and capabilities.

We do not make any warranties that a feature, functionality, or service on our web app will be available to you throughout the entirety of your access to and use of our app.

We reserve the right to update, alter, add, or remove any features, services, or tools on our website or app at our sole discretion and without prior notice.

We reserve the right to change the usage limits, such as the maximum number of files you can upload or create and the maximum number of end-users you can support, at our sole discretion at any time.

If such changes significantly reduce the overall functionality of our services, your only remedy will be the option to cancel your subscription, discontinue use of the services, or delete your account permanently.

5.1 User Responsibilities

You acknowledge and agree that in order for your employees, contractors, authorised representatives, and any other persons (Users) to access the Platform and/or Website and our services, you must procure and ensure that your Users agree to and comply with these Terms.

You shall comply with all applicable laws, regulations, and rules related to your use of the App.

In using the Platform and our Website, you must not, and you must procure that any Users do not:

• use the Platform or Website in any way that is unlawful or not permitted by these Terms;
• sell, market, license, sublicense, distribute, or otherwise grant to a third party any right to use the Platform or Website;
• copy, modify, enhance, reproduce, or create derivative works based on the Platform or Website in whole or in part;
• reverse-engineer, reverse-translate, disassemble, de-compile, or otherwise attempt to derive source code to the Platform or Website;
• incorporate, embed, combine, merge, or bundle the Platform or Website with any other hardware or software;
• distribute viruses, Trojans, or spyware, corrupt files, carry out denial of service attacks, or use any other similar software or programs that may interrupt the functionality of the Platform or Website or damage the operation of any computer hardware or software;
• use the Platform or Website to violate the security or integrity of any network, computer, or communications system, software application, or network or computing device;
• use any software or technologies to scrape information from the Platform or Website or collect or store personal information about any users of the Platform or Website;
• remove, erase, obsolete, or tamper with any copyright or any other product identification or proprietary rights notices, seal, or instructional label printed or stamped on, affixed to, or encoded or recorded in or on the Platform or Website;
• use the Platform or Website to infringe the intellectual property or proprietary rights, or rights of publicity or privacy, of any third party;
• provide us with inaccurate or incomplete information or impersonate any person or use a false email address;
• Upload or process through our app content that promotes illegal, obscene, defamatory, hateful, or unethical material, including but not limited to images depicting violence, harassment, exploitation, or any other harmful content deemed inappropriate by Us.
• directly or indirectly permit or assist any third party to do any of the above.

The User must ensure that the Company's Services are protected at all times from misuse, damage, destruction, or any form of unauthorised use.

The User must keep accurate records of the use of the Company's Services and permit the Company to inspect such records during the Term.

You acknowledge and agree that you are responsible for the acts or omissions of your Users when using the Platform and/or Website by your Users. Any breach of these Terms by a User will be deemed to be a breach of these Terms by you.

5.2 User Warranties

You acknowledge and agree that:

The Platform or Website assists users in creating and managing behaviour support plans, and the Platform or Website is intended for educational purposes only.

Information or outputs provided or generated by the Platform or Website are not and are not intended to constitute clinical advice or professional advice.

You must not use or rely on the outputs or information provided or generated by the Platform or Website to diagnose or treat any medical condition or as a substitute for the advice of a health professional.

You are responsible for reviewing and validating any outputs or information provided or generated by the Platform or Website.

You are responsible for obtaining the required consent from individuals in accordance with the applicable data privacy laws and for providing appropriate privacy notice to such individuals.

You must review any information or outputs provided or generated by the Platform or Website prior to including such information or outputs in any professional reports.

You are solely responsible for ensuring that you comply with all applicable laws, regulatory requirements, and standards in preparing and generating any professional reports using the Platform or Website.

Behaviour Help does not make any decisions about a Supported Individual’s care or medical treatment, and any decisions about a Supported Individual’s care or medical treatment must be made by a health professional.

Where you use the Platform to generate information for inclusion in professional or medical reports, you must review such information and ensure that the information meets any applicable requirements and compliance obligations.

Nothing in these Terms excludes, restricts or modifies any guarantee, warranty, term or condition, right or remedy implied or imposed by any applicable law which cannot lawfully be excluded, restricted or modified.

Apart from the specific rights granted to the User under this Agreement, the Company and its licensors retain full ownership, rights, and interests in the Apps, Software, Services, and any related intellectual property, including but not limited to patents, trade secrets, copyrights, and other proprietary rights. No ownership or implied rights are transferred to the User.

We grant to you a non-exclusive, non-transferrable, revocable, limited licence to access and use the Platform and Website for the Term in accordance with these Terms.

The User shall not directly or indirectly cause any third party to, without limitation:

(i) Extract all or any part of the IP, or create any derivative work from all or part of the IP.

(ii) Remove, alter, or tamper with any proprietary notices or IP identifiers belonging to the Service Provider or its licensors.

(iii) Provide, distribute, sublicense, assign, share, sell, rent, lease, loan, use the IP for time sharing or service bureau purposes, or otherwise allow others to use the IP or the right to use the IP in any way for the benefit of itself or third parties.

(iv) Reverse engineer, decompile, or disassemble, adapt, modify, or transform in any way the IP and/or the object code of the App, Website, Software, and/or digital solution into source code or in any other way attempt to discover, copy, transfer or distribute source code or underlying ideas or algorithms of the App, Website, Software and/or digital solution.

(v) Incorporate, embed, or merge any part of the IP into another product, service, platform, or technological solution.

You may upload and provide certain information to the Platform in relation to Supported Individuals, including clinical notes, medical records, information relating to behavioural incidents, template reports, and related data and information (Your Content).

You own Your Content that you upload or provide to the Platform, as well as the reports, plans, and other outputs generated by the Platform based on Your Content (Outputs). You grant Behaviour Help a worldwide, royalty-free, perpetual, transferrable, sublicensable and non-exclusive licence to use, copy, reproduce, modify, adapt, create derivative works, distribute, publish, display information and content including the Outputs and Your Content that you upload or provide to the Platform in any and all media or distribution methods, for commercial and non-commercial purposes.

You are solely responsible for Your Content and all information or materials in any form or format that you upload, post, transmit, or otherwise disseminate using, or in connection with, the Platform, including ensuring that Your Content complies with all applicable laws and for obtaining any necessary consents or authorisations from third parties whose data or intellectual property is included in Your Content.

You must ensure that you regularly download and maintain a backup of Your Content and Outputs at all times. We do not guarantee that we will be able to provide you with a copy of Your Content and/or Outputs after termination, expiry, or suspension of your account or where you remove data associated with a Supported Individual on the Platform and/or Website.

We, including our employees, agents, and contractors, may use, reproduce, distribute, and retain all data (including Outputs) generated by, submitted to, or evaluated utilising the Platform and all associated data residing on our systems for the purposes of:

• System and network maintenance, and the diagnosis, investigation, and correction of actual or suspected performance issues.
• Measurement or evaluation of software, services, or Platform usage and performance, and information security.
• Recommending, developing, or monitoring improvements, upgrades, or enhancements.
• Performing our obligations under these Terms.
• Analysing, modelling and auditing.
• Protecting against and/or preventing actual or potential fraud.
• Compliance with relevant laws.

To use the Platform, you must register and create an account on our Website. You acknowledge and agree that Behaviour Help may, in its sole discretion, accept or reject your account registration.

Where Behaviour Help accepts your account registration, we grant you the right to use the Platform during the Term in accordance with these Terms, unless your account is terminated or otherwise suspended.

You agree to maintain accurate, complete, and up-to-date information in your account. Your failure to maintain accurate, complete, and up-to-date account information may result in your inability to access and use the Platform or our termination of your account and these Terms.

If you change or deactivate your mobile telephone number, you must update your account information within 48 hours.

You acknowledge that the accessibility and functionality of the Platform require a connection to the internet.

You are responsible for all fees and charges associated with accessing the internet. These may include charges imposed by your mobile network in relation to data use.

When registering an Account, Users must create an account and provide a secure password.

Each user is responsible for maintaining the confidentiality of their account credentials.

Users are responsible for any activity conducted through their account. The Service Provider is not liable for any loss or damage arising from unauthorised use of a user’s account resulting from the user’s failure to safeguard their credentials. Users should select a password that is at least six characters in length. Users are encouraged to select a strong password that includes a combination of uppercase and lowercase letters, numbers, and special characters. Users are encouraged to update their passwords periodically for added security.

You must notify us immediately upon becoming aware of any breach of security or unauthorised use of your account. You may not use as a username the name of another person or entity or trademark that is not lawfully available for use, or a name or trademark that is subject to any rights of another person or entity other than you, without appropriate authorisation, or a name that is otherwise offensive, vulgar, or obscene. You expressly agree that we cannot be held liable for any loss or damage arising out of any misrepresentations you make in this regard.

The user acknowledges and agrees that when his/her subscription plan expires, but he/she does not delete the account registered with us, he/she will not be able to access the in-app data. If the User resubscribes, his/her data will be made accessible.

Your use of the Service is at your own risk. The Service is provided on an "AS IS" and "AS AVAILABLE" basis. To the maximum extent permitted under the applicable law, the Service is provided without warranties of any kind, whether express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, non-infringement, course of performance, suitability, reliability, availability, timeliness, security, accuracy, or completeness of the Services, Website, Content, Apps, and Services.

The Company makes no representations or warranties that the App, website, services, or content will satisfy your needs, function without errors or disruptions, or be free from harmful elements like viruses or malware. Although the Company strives to provide precise and up-to-date information within the App and Services, it does not ensure the accuracy, completeness, or reliability of such information.

The Company does not assure that the App will work seamlessly with all mobile devices, operating systems, or software versions.

The App, website, and services should not be interpreted as an endorsement or guarantee of any third-party products or services.

The Service Provider makes no representations or warranties, express or implied, that the use of the Services will result in the achievement of any specific outcome, objective, or result. The Services are provided on an "as is" and "as available" basis, and all warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement, are expressly disclaimed to the fullest extent permitted by law. The Client acknowledges that any reliance on the Services for a particular result is at the Client’s sole risk.

In no event shall the Service Provider, nor its directors, employees, partners, agents, suppliers, or affiliates, be liable to you for any indirect, incidental, special, consequential, or punitive damages, including without limitation, loss of profits, data, use, goodwill, or other intangible losses, personal injury, loss of data, business, markets, savings, income, profits, use, production, reputation or goodwill, anticipated or otherwise, or economic loss, under any theory of liability (whether in contract, tort, strict liability or any other theory or law or equity), regardless of any negligence or other fault or wrongdoing (including without limitation gross negligence and fundamental breach) by Service Provider or any person for whom Service Provider is responsible resulting from:

1. Your access to or use of or inability to access or use the Service.
2. Any conduct or content of any third party on the Service.
3. Any content obtained from the Service.
4. Unauthorised access, use, or alteration of your transmissions or content, whether based on warranty, contract, tort (including negligence), or any other legal theory, whether or not we have been informed of the possibility of such damage, and even if a remedy set forth herein is found to have failed of its essential purpose.

The Company's absolute and maximum total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution, or otherwise arising out of or in connection with the User's use of the Company's Services shall be capped to the aggregate Fees paid or payable by the User and duly received by the Company under the Agreement during the past twelve (12) months preceding the date when liability the claim arises. If the claim arises in the first twelve (12) months from the Effective Date, then the amount shall be an estimate of the Fees paid or payable by the User for a full twelve (12) months.

We disclaim all liability concerning third-party products and services that you use.

If any guarantee, condition, warranty or term is implied or imposed by any applicable law and cannot be excluded (a non-excludable provision), and we are able to limit your remedy for a breach of the non-excludable provision, then our liability for breach of the non-excludable provision is limited exclusively (to the maximum extent permitted by law) at our option to the supplying of the Platform again, or the payment of the cost of having the Platform supplied again.

Our liability to you is reduced to the extent that your acts or omissions (or those of a third party) contribute to or cause the loss or liability.

You agree to defend, indemnify, and hold harmless the Service Provider and its licensees and licensors, and their employees, contractors, agents, officers, and directors, from and against any claims, damages, obligations, losses, liabilities, costs, or expenses (including but not limited to reasonable legal and professional fees), resulting from or arising out of:

• Any breach by the User of any of its representations, warranties, covenants, or obligations under this Agreement.
• Any negligence, wilful misconduct, or unlawful act or omission by the User or its employees, agents, or contractors in connection with the performance of this Agreement.
• Any third-party claim, suit, or action resulting from the User’s breach of any applicable law or regulation, including but not limited to violations of intellectual property rights, data protection laws, or contractual obligations.

In the event that the Indemnified Party becomes aware of any claim or loss that may give rise to an indemnification obligation under this clause, the Indemnified Party shall notify the Indemnifying Party in writing promptly upon becoming aware of such claim or loss.

Upon receiving notice of a claim, the Indemnifying Party shall have the right to assume and control the defence of such claim at its own cost and expense, provided that the Indemnified Party may participate in the defence at its own expense with legal representatives of its own choosing.

Each party (referred to as the "Receiving Party") acknowledges that the other party (the "Disclosing Party") has shared or may share business, technical, or financial information connected to the Disclosing Party's operations (collectively, "Proprietary Information"). For the Company, Proprietary Information includes confidential details about the features, functionality, and performance of the Service. For the User, Proprietary Information encompasses non-public data provided to the Company to facilitate the delivery of the Services ("User Data").

The Receiving Party agrees not to disclose any of the Disclosing Party's Proprietary Information to third parties without obtaining the Disclosing Party's prior written approval.

The receiving party agrees that it shall implement appropriate technical, organisational, and contractual measures to ensure the ongoing confidentiality of data.

The term commences on the day on which you pay the then-current applicable annual subscription fee, and we confirm your Subscription via email.

Your Subscription shall not commence unless all fees are paid and your Subscription is confirmed via email.

Your Subscription shall last for a continuous period of 12 months (the Term) and shall not automatically renew on an annual basis.

You must pay the then-current applicable annual subscription fee in respect of your use of the Platform and Services (Subscription Fee) as set out at https://www.behaviourhelp.app/pricing.

The Subscription Fee is an upfront fee to access the Platform for the Term and, to the extent permitted by applicable law, it is a non-refundable fee.

Except as specifically provided for in these Terms, you may not cancel your Subscription prior to the end of your Current Term, and we will not provide any refunds of prepaid fees or unused Subscription Fees through the end of your Current Term.

We reserve the right to change the subscription Fees at any time. Any changes made shall take effect following the next billing period.

The Subscription Fee will not increase during the Current Term of your subscription unless (i) you exceed your Maximum number of Supported Individuals or other applicable limits, (ii) you subscribe to additional features or services, as otherwise agreed to in your Subscription.

Once your account registration is accepted, you may select a plan by choosing the number of individuals you wish to enter information in relation to on the Platform (Supported Individuals). You must pay the relevant Subscription Fee in accordance with this Clause and Clause 14.

Your account permits you to enter information for the number of Supported Individuals specified in the plan you select. You may increase the number of Supported Individuals (provided that this does not exceed 100 Supported Individuals) at any time through your account settings on our Website. Additional fees per Supported Individual will apply in accordance with the pricing provided on our Website.

All amounts on the Website are quoted in the currency stated on the Website and must be paid to Behaviour Help in the quoted currency. You are solely responsible for the impact of current currency exchange rates on any payments and for ensuring payment to Behaviour Help in cleared funds. All amounts are inclusive of GST.

Payment of the Subscription Fee is processed through our third-party payment processor, Stripe. By providing your payment details and confirming payment, you authorise Behaviour Help (and Stripe, acting on our behalf) to charge the applicable Subscription Fee to your nominated payment method. In the event of a failed attempt to charge your Authorised Payment Method (for example, if your Authorised Payment Method has expired or is no longer valid), we reserve the right, and you authorise us, to retry billing your Authorised Payment Method.

You acknowledge and agree that:

• All payments are subject to Stripe’s terms and conditions and privacy policy, which are available on Stripe’s website.
• Behaviour Help is not responsible for any errors or issues arising from Stripe’s services.
• You are responsible for ensuring that your payment information remains current, complete, and accurate at all times.

All fees are exclusive of any applicable foreign taxes (e.g., VAT). Customers outside Australia are responsible for paying any applicable taxes in their jurisdiction.

You may not transfer to any third party any of your rights or obligations under these Terms without our written consent.

A failure or delay by us to exercise any right or remedy under these Terms or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under these Terms or by law shall prevent or restrict the further exercise of that or any other right or remedy.

If the Company is prevented from carrying out its services and/or obligations due to an act of God or force majeure (which shall include war, riot, civil commotion, explosion, fire, radiation, accident, government action, interruption in the supply of power, labor dispute, epidemic or other circumstances which are both beyond the Company’s control and which the application of due diligence and foresight could not have prevented) the Services shall be suspended until the circumstances have ceased.

This clause also applies to unforeseen technical issues, including but not limited to server outages, third-party service provider disruptions, or failures in internet connectivity that are beyond the Company's control.

If the suspension continues for a period greater than one month, the Company may terminate the Contract upon service of one month's written notice.

We may suspend or terminate your account or access to the Platform immediately and without notice:

• In the case of system failure, maintenance or repair, or any reason beyond our control.
• If we reasonably believe that you are or are likely to be involved in using the Platform in breach of these Terms or inappropriately.
• Where you fail to pay the Subscription Fee.

We do not guarantee that the Platform will be available 24/7 and reserve the right, without prior notice to you, to suspend the Platform pending maintenance, repair, diagnosis, analysis, or upgrade of the Platform or to modify the Platform, or discontinue the Platform at any time, in any event, without liability to you.

At our discretion, we may at any time without prior notice restrict, block, or disable access, edit, and/or remove some parts of or the entire Platform or any content, including any material which in our reasonable opinion may give rise to a breach, or be in violation of these Terms, or is otherwise harmful.

If your account is terminated (either by us or by you) or your access to the Platform expires or is suspended, you must stop all activities authorised by these Terms, including your use of any of the Platform.

Where your account is terminated or suspended by us, we may provide you with a copy of your Content and Outputs held on the Platform to the extent that we are able to do so and provided that you make a request to us within 24 hours of such termination or suspension.

If any part of these Terms is held to be unenforceable, the unenforceable part is to be given effect to the greatest extent possible, and the remainder will remain in full force and effect.

These Terms are governed by the laws of Victoria, Australia, and each party irrevocably submits to the exclusive jurisdiction of the courts of Victoria and the Commonwealth of Australia.

These Terms are the entire agreement between you and Behaviour Help relating to the Platform and Website and supersede all prior or contemporaneous oral or written communications, proposals, and representations with respect to the Platform and/or Website or any other subject matter covered by these Terms.

Each party agrees that the other may communicate with it electronically for all aspects of any product purchase, including by sending electronic notices.

The provisions of these Terms, which by their nature survive termination or expiry, will survive termination or expiry of these Terms.

Sometimes our Platform or Website may contain links to other websites and/or advertisements that contain embedded links. We are not responsible for the content or accuracy of any linked websites and we do not endorse the content of any linked website or the subject matter of the advertisement. You should review the terms of use and privacy policies of each website you visit, as you do so at your own risk.

Where we make the Platform available for download as an application:

• You acknowledge and agree that you must comply with all relevant App Store and Google Play user terms and conditions (as appropriate and as may be amended from time to time).
• You must also download the most recent version of the App available on the Google Play Store or Apple iTunes Store and maintain current software on your smartphone (or other device), as updated from time to time.

The term “including” when used in these Terms is not a term of limitation.

A person who is not a party to this Agreement shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement. This clause does not affect any right or remedy of a third party that exists or is available independently of that Act.

We may update these Terms from time to time. Amendments become effective when we post the updated terms on our Website. Your continued access to or use of the Platform or Website after these Terms are updated constitutes your consent and agreement to be bound by the updated Terms. If you do not agree to our updated Terms, you may request deletion of your account at any time and must stop accessing, browsing, or using the Platform and Website.

Last updated: 2nd September 2025

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Agreement“/ “Addendum” / “DPA”) forms part of the Agreement between “Customer” and “Company”/”Service Provider”, as specified in the Terms and Conditions (“Terms”/”Agreement”) signed between the Parties.

WHEREAS:

1. The Customer acts as a ‘Data Controller’. The Company acts as a ‘Data Processor’.
2. The Customer wishes to subcontract Company Services, which implies the ‘Processing’ of ‘Personal Data’ by the Company.
3. The Parties seek to implement a DPA that complies with the requirements of the current legal framework in relation to data processing and with the UK GDPR, UK Data Protection Act 2018, EU GDPR, and the EU data protection law regime.
4. In the event of a conflict between the terms of this DPA and the Terms and Conditions, the DPA terms shall prevail with respect to the Processing of Customer Personal Data.
5. Annex I, II, and III are integral to this DPA and provide details about the Processing activities.

DEFINITIONS

Addendum: means this Data Processing Addendum and all Annexes attached thereto.

Customer Personal Data: means any Personal Data Processed by the Company on behalf of the Customer in delivering the Services outlined in the Main Service Agreement.

Confidential Information / Proprietary Information: means all information (in any form) that concerns a Party's business operations and which any reasonable person would consider to be confidential, including trade secrets, methods, strategies, client lists, pricing, business processes and Customer Data.

Contracted Processor: means a Subprocessor of data.

Applicable Data Protection Law: covers any applicable legislative or regulatory regime enacted by a recognised government, or governmental or administrative entity with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons.

EEA: means the European Economic Area.

EU Data Protection Laws: means the EU GDPR, national implementations of the E-Privacy Directive, and all other applicable EU data privacy laws.

GDPR: means EU General Data Protection Regulation 2016/679 and the UK GDPR.

Services: means Company Services provided under the Main Service Agreement.

Main Service Agreement: means the Terms and Conditions signed between the Parties.

Subprocessor: means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Customer.

Data Controller / Controller: shall mean the Customer that makes Personal Data available to the Company.

Company / Processor: shall mean the entity providing the Services to the Customer.

The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

1. COMPANY RESTRICTIONS AND RESPONSIBILITIES

1. The Company shall:
   • Comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;
   • Not Process Customer Personal Data other than as required to provide Company Services or on the Customer’s documented instructions.
2. In the event the Company reasonably believes that an instruction issued by the Customer would violate any Applicable Data Protection Law, the Company shall promptly notify the Customer.
3. If the Company cannot comply with the terms of this DPA for whatever reason, then the Company shall promptly inform the Customer of the inability to comply.
4. The Company hereby undertakes that, upon the Customer's request, it will cooperate with the Customer to enable the Customer to:
   • Comply with reasonable requests of access, rectification, and/or deletion of Personal Data arising from a Data Subject;
   • Enforce rights of Data Subjects under the Applicable Data Protection Law;
   • Comply with all requests from a supervisory authority, including but not limited to in the event of an investigation.

2. CUSTOMER RESTRICTIONS AND RESPONSIBILITIES

1. The Customer undertakes that it will ensure that its instructions, its use, and any other processing of Personal Data provided by the Company will comply with all Applicable Data Protection Laws.
2. The Customer will be solely responsible for:
   • The accuracy, quality, and legality of Customer Data and the means by which the Customer acquired Personal Data;
   • Complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data;
   • Ensuring the Customer has the right to transfer, or provide access to, the Personal Data to the Company for Processing in accordance with the Agreement;
   • Ensuring that instructions to the Company regarding the processing of Personal Data comply with applicable laws;
   • Informing the Company without undue delay if the Customer is not able to comply with its responsibilities under this section or applicable Data Protection Laws.
3. The Customer is solely responsible for independently determining whether the data security provided in the Company Service adequately meets its obligations under applicable Data Protection Laws.
4. The Customer will also ensure that the processing of Personal Data in accordance with its instructions will not cause or result in the Company or Customer breaching any laws, rules, or regulations.
5. The Customer undertakes that it will use the Company’s services in compliance with the applicable laws and regulations, including obtaining lawful consent as required by the applicable laws. The Customer assumes full liability for collecting and processing Personal Data in compliance with the applicable laws.
6. The Customer instructs the Company to process the Customer's Personal Data.
7. The Customer warrants that it has legal grounds under the Data Protection Legislation to process Personal Data for all Data Subjects whose Personal Data is processed by Company as part of the Services.
8. The Customer will promptly notify Company where it becomes aware that any Personal Data which is processed as part of the Services is inaccurate, out-of-date, or incomplete, and will promptly provide Company with correct and up-to-date Personal Data.
9. The Parties each acknowledge that the subject matter, duration of processing, nature, and purpose of processing, categories of Data Subjects, and the types of Personal Data being processed are as detailed in Annexes I, II, and III.

3. Company Personnel

Company shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Company Security

Taking into account industry best practices, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall in relation to the Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

In assessing the appropriate level of security, the Company shall take into account in particular the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Company Sub-Processing

1. 5.1 The Customer hereby provides the Company with general written authorisation to engage Sub-Processors to access and process Personal Data.
2. 5.2 The Company will impose contractual obligations on its Sub-Processors, and contractually obligate its Sub-Processors to impose contractual obligations on any further subcontractors that they engage to process Personal Data, which provide the same level of data protection for Personal Data in all material respects as the contractual obligations imposed in this DPA.
3. 5.3 The Company will notify the Customer at least seven (7) days in advance (by email and by notice in the Service) of any changes to the list of Sub-Processors in place.
4. 5.4 Customer may reasonably object to the Company’s use of a new Sub-Processor (e.g., if making Personal Data available to the Sub-Processor may violate applicable Data Protection Law or weaken the protections for such Personal Data) by notifying the Company promptly in writing within seven (7) business days after receipt of the Company’s notice.
5. 5.5 Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-Processor, Company will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening Customer. If Company is unable to make available such change within a reasonable period of time, not to exceed thirty (30) days, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services that cannot be provided by Company without the use of the objected-to new Sub-Processor by providing written notice to Company. The Company will not refund the Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services.

6. Company Data Subject Rights

1. 6.1 Taking into account the nature of the Processing, Company shall assist the Customer by implementing appropriate technical and organisational measures, for the fulfilment of the Customer's obligations, as reasonably understood by the Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
2. 6.2 Company shall:
   • Promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data;
   • Ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Company is subject, in which case Company shall, to the extent permitted by Applicable Law, inform Customer of that legal requirement before Company responds to the request.

7. Company Personal Data Breach

In the event of a Personal Data Breach arising during the provision of the Services by the Company, the Company shall:

• Notify the Customer about the Breach without undue delay, but in no event less than seventy-two (72) hours, after becoming aware of the Personal Data Breach; as part of the notification under Section of this DPA, to the extent reasonably available at the time of notice;
• Provide a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of data records affected, the likely consequences of the Breach, and the risks to affected Data Subjects; promptly update the Customer as additional relevant information becomes available;
• Take all actions as may be required by Applicable Data Protection Law;
• Maintain records of all information relating to the Breach, including the results of its own investigations and authorities’ investigations, as well as remedial actions taken.

8. Company Data Protection Impact Assessment and Prior Consultation

Company shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

Company Deletion or Return of Customer Personal Data

Subject to this section, the Company shall promptly and in any event within one-hundred-and-twenty (120) business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and/or procure the deletion of all copies of Customer Personal Data except as required by Company to satisfy its business and legal obligations.

This section does not affect the Company’s rights to use non-personal customer data for its own purposes as specified in the Main Service Agreement.

9. Company Audit Rights

1. Subject to this section, the Company shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Personal Data by the Sub-Processors. Information and audit rights of the Customer only arise under this section to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
2. The Customer shall give the Company reasonable prior written notice, not fewer than twenty-eight (28) business days in advance, of any audit or inspection to be conducted under this Section and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing any damage, injury, or disruption to the Company.
3. The Customer and the Company shall mutually agree upon the scope, timing, and duration of the audit or inspection and any reimbursement of expenses for which the Customer shall be responsible.
4. The scope of audit rights does not extend to physical premises where the Personal Data is processed.

10. Company Data Transfers

The Customer provides the Company with general written authorisation to transfer Personal Data outside of the UK or to a jurisdiction that does not have adequacy status, provided that the Company complies with the UK GDPR’s international transfer rules and relies on an appropriate mechanism under article 46 of the UK GDPR.

11. General Terms

Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Proprietary Information”) confidential and must not use or disclose that Proprietary Information without the prior written consent of the other Party, except to the extent that:

• Disclosure is required by law;
• The relevant information is already in the public domain.

All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this DPA at such other address as notified from time to time by the Parties changing address.

12. Governing Law and Jurisdiction

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be subject to the governing law and jurisdiction clause specified in the Main Service Agreement.

13. Liability

The liability of each party under this Agreement is subject to the exclusions and limitations of liability set out in the Main Service Agreement signed between the Parties.

The Data Controller warrants that it indemnifies, and shall keep indemnified, Data Processor against any liability, costs, expenses, losses, claims, or proceedings whatsoever arising under any statute, law, regulation, or at common law or for breach of contract arising out of, in connection with any act, omission or default of the Data Controller, its staff, agents or sub-contractors in relation to the Data, except in so far as such damages or injury shall be due to any wilful misconduct of the Data Processor.

14. International Data Transfers

The Customer hereby authorises the Data Processor to make international data transfers of Personal Data in accordance with this DPA so long as Applicable Privacy Laws for such transfers are respected.

Transfers out of the UK

The UK Data Transfer Addendum issued by the UK ICO applies to a transfer from the United Kingdom of Personal Data Processed under this DPA between you and us and is incorporated into this DPA.

You agree that the UK Data Transfer Addendum is completed and supplemented as follows:

1. You are the data exporter and we are the data importer;
2. Table 1 of the UK Data Transfer Addendum is deemed to be populated with the information set out in Annex IA of Exhibit 2 of this DPA;
3. For Table 2 of the UK Data Transfer Addendum, the version of the “Approved EU SCCs” (including the appendix information, modules, and selected clauses) appended to the UK Data Transfer Addendum is the EEA SCCs:
4. The optional docking clause under Clause 7 of the EEA SCCs will not apply;
5. Option 2 under Clause 9 of the EEA SCCs applies, and you generally authorise us to engage Sub-processors according to Section 11 of this DPA;
6. The optional redress language under Clause 11(a) of the EEA SCCs will not apply;
7. Table 3 of the UK Data Transfer Addendum is deemed to be populated with the information set out in Annexes 1 and 2 of this DPA;
8. The “importer” and “exporter” option applies to Table 4 of the UK Data Transfer Addendum;
9. Under Part 2, the mandatory clauses of the UK Data Transfer Addendum will apply; and
10. By registering for and using our services, you will be deemed to have signed the UK Data Transfer Addendum.

Transfers out of Switzerland

Concerning Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of the supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.

Transfers out of the EEA

Concerning Personal Data transferred from the European Economic Area, the New EU SCCs issued by the EU Commission on 04.06.2021 are hereby incorporated by reference and shall apply, and take precedence over the rest of this DPA as set forth in the New EU SCCs.

Module Two of the New EU SCCs, populated with Annex I, II, and III below, shall apply:

1. In Clause 7, the optional docking clause will not apply;
2. Option 2 under Clause 9 of the EEA SCCs applies, and we generally authorise you to engage Sub-processors according to Section 11 of this DPA;
3. In Clause 11, the optional language is deleted;
4. In Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined by the 'Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles);
5. The Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and
6. If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

Annex I

A. List of Parties

Data exporter:

• Name: Name of Customer / Data Controller who enters into the Main Service Agreement with Us.
• Address: Business address of the Customer
• Contact person’s name, position, and contact details: Contact details are provided when the Customer registers on our platform.
• Activities: Provision of Data Processor’s Services.
• Signature and date: The data exporter will be deemed to have signed this Annex I on the transfer of Personal Data in connection with the Services.

Data importer:

• Name: Data Processor as specified in this DPA.
• Address: As specified in this DPA.
• Contact person’s name, position, and contact details: Contact details are specified in this DPA.
• Activities: The data importer provides the Services to the data exporter following this DPA.
• Signature and date: The data importer will be deemed to have signed Annex I on the transfer of Personal Data in connection with the Services.

B. Description of Transfer

Categories of data subjects

Data subjects are individuals whose personal data are processed in the context of the provision of the Data Processor’s Services.

Categories of personal data transferred

• Individual’s contact details, including name, date of birth, postal and home addresses, email address, and phone number;
• Any details or information that are included on Functional Behaviour Assessments (FBAs) or Positive Behaviour Support Plans (PBSPs) and any data provided to us when you create FBAs or PBSPs via our Platform;
• Opinions and information about individuals’ preferences, strengths, and opinions.

Sensitive data transferred

• Health and medical information such as information in relation to an individual’s behaviour, general health and wellbeing, medical conditions, medications, vision and hearing, sleeping and other behaviour patterns, sensory needs and additional support requirements;
• Sensitive information such as race or ethnic origin, religious beliefs, sexual orientation, and criminal history;
• Behavioural data, including any details or information contained in incident reports such as frequency, duration, and intensity of behaviours of concern;

Frequency of transfer

Customer Personal Data may be transferred on a continuous basis until it is deleted in accordance with the DPA.

Nature of the processing

Collection, processing, storage, and transfer of personal data.

Purpose of the transfer

Provision of Services as specified in the Main Service Agreement.

Retention period

For the duration of the Agreement until deletion in accordance with the provisions of the DPA.

Sub-processors

As above.

C. Competent Supervisory Authority

The Irish Supervisory Authority - The Data Protection Commission, unless the data exporter notifies the data importer of an alternative competent supervisory authority.

Annex II

Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

• SSL Encryption
• Two-factor authentication
• Access control policy
• Access logs
• Confidentiality agreement with all staff
• Data retention policy
• Robust backup systems
• Firewall

Annex III

List of Sub-Processors

[ ]

Signatures

Data Controller

Data Processor

• Business Name: As specified above.
• Authorised individual: As specified above.
• Business Address: As specified above.

• Business Name: As specified above.
• Authorised individual: As specified above.
• Business Address: As specified above.

The Data Controller agrees to the execution of this Agreement in its entirety.

The Data Processor agrees to the execution of this Agreement in its entirety.