Master Services Agreement

Terms & Conditions
These Terms & Conditions form part of the Order Form agreed between PepTalk and the Customer.

This Master Services Agreement (“Agreement”) sets out the terms and conditions under which PepTalk (as identified in the Order Form) provides services to the customer identified in the Order Form (“Customer”). This Agreement is incorporated into and forms part of the Order Form and is effective from the Commencement Date set out therein.

The applicable PepTalk entity (“PepTalk”) is the contracting and invoicing party and is determined by the Order Form as follows:

- For customers based in Europe, the United Kingdom, and all other territories outside the United States: Langley Resources Limited, trading as PepTalk, a company incorporated in Ireland, with registered office at Block 1, Ground Floor, Millbank Business Park, Lower Lucan Road, Lucan, Co. Dublin, Ireland.

- For customers based in the United States: PepTalk USA Inc., a company incorporated in New York, with offices at 575 5th Avenue, WeWork, 14th Floor, New York, NY 10017.

References to “PepTalk”, “we”, “us”, and “our” throughout this Agreement mean the applicable entity above. Where no entity is specified in the Order Form, Langley Resources Limited trading as PepTalk applies by default.

1. Definitions

The following definitions apply throughout this Agreement:

- Additional Services: Any services provided by PepTalk to the Customer beyond the core Services, as agreed in writing from time to time.

- Affiliate: Any subsidiary or holding company of the Customer.

- Authorised Users: Customer Admins and Managers aged 18 or over who have been issued named accounts on the Platform by the Customer. Field workers, contractors, and trade partners who access the Platform anonymously via Kiosk, QR code, or hyperlink are not Authorised Users for the purposes of this Agreement.

- Business Day: Any day other than a Saturday, Sunday, or public holiday in Ireland.

- Commencement Date: The date set out in the Order Form.

- Confidential Information: All information obtained by one party from the other that is marked confidential, confirmed in writing as confidential within 7 days of disclosure, or is manifestly confidential in nature, including the terms of this Agreement.

- Content: All text, graphics, images, audio, video, data, and other materials made available to the Customer through the Platform.

- Customer Content: Data and content inputted by the Customer or its Authorised Users for the purpose of using the Services.

- Customer Personal Data: Any personal data relating to the Customer or its employees processed by PepTalk in connection with the Services.

- Data Protection Legislation: The GDPR (EU) 2016/679, the Data Protection Acts 1988–2018, and all related applicable laws, as amended from time to time.

- Initial Subscription Term: The initial term of this Agreement as set out in the Order Form.

- Intellectual Property Rights: All intellectual property rights worldwide, including patents, trade marks, copyright, database rights, design rights, trade secrets, and know-how.

- Admin User: A Customer employee or manager who has been issued a named account on the Platform by the Customer, with access to the Customer Dashboard, analytics, and workforce engagement data. Admin Users are Authorised Users for the purposes of this Agreement.

- Customer Dashboard: The web-based management interface and analytics tools made available by PepTalk to Admin Users under this Agreement.

- Kiosk: Any hardware device supplied by PepTalk to the Customer under this Agreement for the purpose of accessing the Platform and Services. Each Kiosk remains the property of PepTalk and is leased to the Customer for the duration of the Subscription Term. Where Kiosks are supplied, the detailed terms in Schedule 3 apply.

- Kiosk Terms: The terms governing the supply, use, and return of Kiosk hardware, as set out in Schedule 3.

- Normal Business Hours: For EU customers: 09:00 to 17:00 Irish Standard Time (IST/GMT) on each Business Day. For US customers: 09:00 to 17:00 Central Time (CT) on each Business Day. Where the Order Form designates a Customer as a US customer, US Normal Business Hours apply for all support and notice purposes under this Agreement.

- Order Form: The PepTalk subscription order form agreed between the parties, to which these Terms & Conditions are attached or linked.

- Platform: The online software platform made available by PepTalk to the Customer.

- Renewal Period: Each successive 12-month period following the Initial Subscription Term under an Annual Term, or each successive monthly period following the expiry of a Project Term, as described in Clause 12.1.

- Services: The services provided by PepTalk under this Agreement via the Platform, as described in the Order Form.

- Sub-processor: Any third party engaged by PepTalk to process Customer Personal Data.

- Subscription Fees: The fees payable by the Customer for the Services, as set out in the Order Form.

- Subscription Term: The Initial Subscription Term and any subsequent Renewal Periods.

- Support Policy: PepTalk’s support terms as set out in Schedule 1.

2. Subscription and Licence

2.1 Subject to the terms of this Agreement and payment of the Subscription Fees, PepTalk grants the Customer a non-exclusive, non-transferable licence to use the Services during the Subscription Term solely for the Customer’s internal business purposes.

2.2 The Customer must ensure that:

- each Authorised User keeps their access credentials secure and confidential;

- the Customer maintains an up-to-date list of Authorised Users and provides it to PepTalk within 5 Business Days of a written request;

- PepTalk may audit usage of the Services once per quarter, on reasonable notice, to verify compliance; and

- if any audit reveals underpayment of Subscription Fees, the Customer shall pay the shortfall within 10 Business Days.

2.3 On or after the Commencement Date, PepTalk will provide the Customer with access credentials.

2.4 The Customer is responsible for all use of its access credentials and must prevent unauthorized access to the Services. Any suspected unauthorized access must be reported to PepTalk promptly.

2.5 The licence granted under this Clause 2 is to the Customer only. Affiliates require separate written consent from PepTalk.

2.6 The Services and Content are provided on an “as is” basis. PepTalk does not warrant that the Services will be uninterrupted, error-free, or meet the Customer’s specific requirements.

2.7 Where PepTalk supplies one or more Kiosks to the Customer, the Kiosk Terms in Schedule 3 apply and are incorporated into this Agreement by reference. Title to all Kiosks remains with PepTalk at all times. Risk in each Kiosk pass

2.8 Dashboard and Admin User Access.

Where PepTalk provisions named accounts for Admin Users, the following terms apply:

- PepTalk will provide Admin Users with access to the Customer Dashboard, including workforce engagement analytics and reporting tools, during the Subscription Term.

- The Customer is responsible for ensuring that Admin Users access the Customer Dashboard only for the Customer’s internal workforce management purposes. Admin Users must not share, export, or disclose Dashboard data or analytics insights to any third party without PepTalk’s prior written consent.

- The Customer must ensure Admin Users keep their login credentials confidential and must notify PepTalk immediately of any suspected unauthorised access. The Customer is liable for all activity carried out under its Admin Users’ accounts.

- Admin Users must not attempt to reverse engineer, extract, or replicate any underlying data model, algorithm, or benchmarking methodology used by the Platform.

- Dashboard analytics and insights are derived from anonymised and aggregated data. The Customer must not attempt to identify any individual from Dashboard outputs.

- On termination or expiry of this Agreement, all Admin User accounts will be deactivated and access to the Customer Dashboard will cease. PepTalk will retain Dashboard data in accordance with Schedule 2.

2.9 AI-Assisted Insights.

The Customer Dashboard uses AI-assisted analysis to generate workforce engagement insights from anonymised and aggregated platform data. These insights are designed to support management decision-making and are informational in nature. They should be considered alongside the Customer’s own operational knowledge and judgement. PepTalk does not warrant the accuracy or completeness of AI-generated insights and is not liable for decisions made by the Customer or its Admin Users in reliance on them. PepTalk is committed to transparency in its use of automated tools and complies with applicable obligations under the EU AI Act and any other relevant legislation as they come into force.

3. Acceptable Use

3.1 The Customer must not use the Services to access, store, distribute, or transmit any material that is unlawful, harmful, threatening, defamatory, obscene, harassing, or discriminatory, or that infringes any third-party rights. PepTalk may suspend access to any such material without liability.

3.2 The Customer must not (and must ensure its Authorised Users do not):

- copy, modify, reverse engineer, or create derivative works of the Services or Platform;

- use the Services to build a competing product or provide services to third parties;

- licence, sell, assign, or transfer access to the Services without PepTalk’s written consent; or

- permit access to the Services to anyone under the age of 18.

3.3 The Customer must not attempt to gain unauthorised access to the Platform, its underlying systems, or any connected databases.

4. Services

4.1 PepTalk will provide the Services during the Subscription Term in accordance with this Agreement.

4.2 PepTalk will use commercially reasonable efforts to ensure the Platform is available in accordance with Schedule 1, except during scheduled or emergency maintenance.

4.3 PepTalk will provide customer support during Normal Business Hours in accordance with the Support Policy in Schedule 1.

4.4 If the Customer requires Additional Services, these will be provided at PepTalk’s discretion at agreed rates. PepTalk has no obligation to provide Additional Services.

5. Customer Content

5.1 The Customer owns all Customer Content and is solely responsible for its legality, accuracy, and quality.

5.2 The Customer grants PepTalk a non-exclusive, royalty-free licence to use Customer Content during the Subscription Term solely to provide the Services.

5.3 PepTalk will follow its standard backup and archiving procedures. In the event of loss or damage to Customer Content, PepTalk’s sole obligation is to use reasonable efforts to restore from its most recent backup. PepTalk is not responsible for loss caused by third parties, except those contracted by PepTalk for data maintenance purposes.

5.4 Anonymised and Aggregated Data. PepTalk may collect, derive, and use anonymised and aggregated data generated through the Customer’s use of the Services (“Aggregated Data”) for the purposes of:

- benchmarking platform performance and service quality;

- improving and developing PepTalk’s products and services; and

- generating internal analytics and insights.

Aggregated Data will not identify the Customer or any individual Authorised User. PepTalk’s right to use Aggregated Data survives termination of this Agreement. Nothing in this Clause grants PepTalk any right to disclose raw Customer Content or Customer Personal Data to third parties

6. Third-Party Providers

6.1 The Services may provide access to third-party content or platforms. The Customer accesses these at its own risk. PepTalk is not responsible for third-party content, transactions, or services, and does not endorse any third-party website or platform accessible through the Services.

7. PepTalk's Obligations

7.1 PepTalk will provide the Services with reasonable skill and care.

7.2 If the Services fail to meet this standard, PepTalk will use reasonable efforts to correct the issue or provide an alternative solution. This is the Customer’s sole remedy for any breach of Clause 7.1.

7.3 PepTalk warrants that it holds all licences and consents required to perform its obligations under this Agreement.

8. Customer's Obligations

8.1 The Customer must:

- cooperate with PepTalk and provide all information reasonably required to deliver the Services;

- comply with all applicable laws in connection with its use of the Services;

- ensure Authorised Users use the Services in accordance with this Agreement;

- maintain all licences and consents required on its side for PepTalk to perform its obligations; and

- maintain network connections and systems that meet PepTalk’s specifications, and bear responsibility for any failures in its own network or telecommunications infrastructure.

9. Charges and Payment

9.1 The Customer agrees to pay the Subscription Fees as set out in the Order Form. All fees are exclusive of VAT and applicable taxes.

9.2 PepTalk is not obliged to provide the Services until Subscription Fees have been paid. No refunds are due on termination resulting from the Customer’s default, unless otherwise specified in this Agreement.

9.3 If payment is overdue, PepTalk may:

- charge interest at 4% per annum on the overdue amount, accruing daily from the due date until payment; and

- suspend the Services until all outstanding amounts are paid in full.

9.4 All amounts are payable in full without set-off, counterclaim, or deduction, except any withholding required by law.

9.5 PepTalk may increase the Subscription Fees on written notice. If the increase is not acceptable to the Customer, the Customer may notify PepTalk within 5 Business Days, and PepTalk may then terminate this Agreement on 30 Business Days’ written notice.

10. Intellectual Property

10.1 PepTalk and its licensors own all Intellectual Property Rights in the Services, Platform, and Additional Services. This Agreement does not transfer any such rights to the Customer.

10.2 The Customer must preserve all proprietary notices, logos, and trade marks applied by PepTalk to the Services or related materials.

10.3 PepTalk will defend the Customer against any third-party claim that the Services, as provided by PepTalk, infringe that third party’s Intellectual Property Rights, and will indemnify the Customer against damages finally awarded or agreed in settlement of such claim, provided that:

- the Customer notifies PepTalk promptly in writing of any such claim;

- the Customer gives PepTalk sole authority to defend or settle the claim; and

- the Customer provides reasonable cooperation at PepTalk’s expense.

PepTalk’s total liability under this IP indemnity shall not exceed the total Subscription Fees paid by the Customer in the 12 months immediately preceding the claim. PepTalk has no obligation under this Clause where the alleged infringement arises from: (a) the Customer’s modification or misuse of the Services; (b) use of the Services in combination with products not approved by PepTalk; or (c) continued use after PepTalk has notified the Customer of the alleged infringement.

11. Liability and Indemnity

11.1 Nothing in this Agreement limits liability for: (a) matters that cannot lawfully be excluded; (b) Subscription Fees due and payable; (c) infringement of either party’s Intellectual Property Rights; or (d) either party’s liability for death or personal injury caused by its negligence or for fraud or fraudulent misrepresentation.

11.2 Subject to Clause 11.1, PepTalk’s total liability under or in connection with this Agreement is limited to the Subscription Fees paid by the Customer in the 6-month period immediately before the relevant claim arose.

11.3 Neither party is liable for: loss of profits, loss of business, loss of goodwill, loss of anticipated savings, loss or corruption of data (subject to PepTalk meeting its security obligations), or any indirect, special, or consequential loss.

11.4 The Customer shall indemnify PepTalk against claims, losses, costs, and expenses arising from: (a) Customer Content; or (b) the Customer’s or its Authorised Users’ gross negligence or wilful misconduct in connection with the Services. The Customer’s total liability under this indemnity shall not exceed the amount set out in Clause 11.2. PepTalk will give the Customer prompt notice of any such claim, provide reasonable cooperation in its defence, and not settle any claim without the Customer’s prior written consent (not to be unreasonably withheld).

12. Term and Termination

12.1 This Agreement begins on the Commencement Date and continues for the Subscription Term specified in the Order Form, which will be one of the following:

- Project Term: The Agreement expires on the project end date specified in the Order Form. There is no automatic renewal. If the project end date passes without either party terminating, the Agreement automatically continues on a month-to-month basis until either party gives at least 30 days’ written notice to terminate.

- Annual Term: the Agreement continues for an initial 12-month period and then automatically renews for successive 12-month Renewal Periods unless either party gives at least 30 days’ written notice before the end of the then-current term.

Where the Order Form does not specify a term type, an Annual Term applies by default.

12.2 Either party may terminate this Agreement immediately on written notice if the other party:

- commits a material breach that is not remedied within 30 days of written notice;

- becomes insolvent, goes into administration, receivership, or liquidation; or

- ceases or threatens to cease carrying on its business.

12.3 PepTalk may terminate this Agreement immediately if the Customer fails to pay any amount due and does not remedy that failure within 30 days of written notice, or if there is a change of control of the Customer.

12.4 On termination or expiry:

- all outstanding Subscription Fees become immediately due and payable;

- all licences granted under this Agreement terminate immediately;

- PepTalk will arrange collection of all Kiosks at PepTalk2019s cost within 14 Business Days, and the Customer must make all Kiosks available for collection; and

- any provisions that by their nature should survive termination will continue in force.

12.5 Termination does not affect any rights or remedies that have accrued prior to the date of termination.

13. General

13.1 Dispute Resolution If a dispute arises, the parties’ CEOs (or nominated senior representatives) will attempt to resolve it within 5 Business Days. If unresolved, the parties will attempt mediation for up to 15 Business Days, with a mediator nominated by the President of the Law Society of Ireland. If mediation fails, either party may refer the dispute to the courts of Ireland.

13.2 Force Majeure Neither party is in breach for any delay or failure caused by events outside its reasonable control. If such delay or failure continues for more than 90 days, the unaffected party may terminate on 30 days’ written notice.

13.3 Assignment The Customer may not assign or transfer its rights or obligations under this Agreement without PepTalk’s prior written consent. PepTalk may assign its rights freely.

13.4 Confidentiality Each party will keep the other’s confidential Information strictly confidential and will not use itexcept as necessary to perform this Agreement. This obligation survives termination. On termination, each party will promptly return or destroy the other’s confidential information.

13.5 Data Protection Each party will comply with applicable Data Protection Legislation. Where PepTalk processes Customer Personal Data as a processor on the Customer’s behalf, the obligations in Schedule 2 apply.

13.6 Entire Agreement This Agreement, together with the Order Form and Schedules, constitutes the entire agreement between the parties and supersedes all prior agreements, representations, and understandings relating to its subject matter.

13.7 Variation PepTalk may amend this Agreement on written notice to reflect changes in law or updates to the Services. If the Customer (acting reasonably) considers a material amendment detrimental, it may terminate on written notice within 30 days of receiving notification.

13.8 Waiver A waiver of any right or remedy is only effective in writing. Failure to exercise a right does not constitute a waiver of that right.

13.9 Severance If any provision of this Agreement is found to be invalid or unenforceable, it will be modified to the minimum extent necessary to make it valid. If modification is not possible, the provision will be severed. The remaining provisions continue in full force.

13.10 Notices All notices under this Agreement must be in writing and sent by email to the nominated address in the Order Form, by personal delivery, or by pre-paid recorded post. Notices sent by post are deemed received 48 hours after posting. PepTalk’s address for notices is:

  • PepTalk EU: Langley Resources Limited t/a PepTalk, Block 1, Ground Floor, Millbank Business Park, Lower Lucan Road, Lucan, Co. Dublin, Ireland.
  • PepTalk US: PepTalk USA Inc., 575 5th Avenue, WeWork, 14th Floor, New York, NY 10017.

13.11 No Partnership or Agency Nothing in this Agreement creates a partnership between the parties or authorises either party to act as agent for the other.

13.12 Third Parties No third party has any right to enforce any term of this Agreement.

13.13 Governing Law and Jurisdiction This Agreement is governed by and construed in accordance with the laws of Ireland. The parties irrevocably submit to the exclusive jurisdiction of the courts of Ireland for all disputes arising out of or in connection with this Agreement.

13.14 US Customers — Governing Law Carve-Out. Where the Order Form identifies the Customer as a US-based entity, the parties may agree in writing (in the Order Form or a signed addendum) to substitute the governing law and jurisdiction provisions of Clause

13.13 with the laws of the state of Delaware (or such other US state as agreed), with disputes submitted to the exclusive jurisdiction of the courts of that state. In the absence of such written agreement, Clause 13.13 applies in full.

SCHEDULE 1 — SUPPORT POLICY

Platform Availability

The Platform will be available throughout the Subscription Term, subject to scheduled and emergency maintenance. PepTalk targets 95% or above availability (excluding maintenance windows) and will provide reasonable advance notice of any scheduled maintenance. In the event of unplanned outages, PepTalk will use best efforts to restore access as quickly as possible.

Customer Support

Our support team is available during Normal Business Hours via the Customer’s nominated Account Manager. PepTalk will acknowledge support queries within 24 hours of receipt (or within 24 hours of Normal Business Hours resuming if received outside hours) and will provide regular updates until resolution.

Kiosk Support

PepTalk proactively monitors each Kiosk’s uptime, connectivity, and performance. Where PepTalk detects a fault or offline status, it will notify the Customer’s nominated contact without undue delay and initiate remediation. The Customer may also report Kiosk issues during Normal Business Hours. Where a fault is due to hardware failure not caused by the Customer, PepTalk will use reasonable efforts to provide a replacement Kiosk within 5 Business Days.

SCHEDULE 2 — DATA PROTECTION OBLIGATIONS

This Schedule applies to all processing of personal data by PepTalk as processor or sub-processor on behalf of the Customer under this Agreement. It covers obligations under EU GDPR (Regulation 2016/679), UK GDPR (as retained in UK law), and applicable US state privacy laws including CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and equivalents.

Part 1 — EU/UK Processing Obligations

1.1 Status of the Parties The parties acknowledge that, in relation to Customer Personal Data processed in connection with the Services:

- Where the Customer determines the purposes and means of processing, the Customer acts as Controller and PepTalk acts as Processor.

- Where PepTalk independently determines the purposes and means of processing (including for platform security, fraud prevention, and service improvement), PepTalk acts as an independent Controller.

- The parties are not Joint Controllers within the meaning of Article 26 GDPR unless separately agreed in writing.

- For UK customers, references to GDPR in this Schedule are to be read as references to UK GDPR and the UK Data Protection Act 2018.

- For US customers, the additional obligations in Part 3 of this Schedule apply alongside Part 1.

1.2 Processor Obligations

To the extent PepTalk processes Customer Personal Data as Processor, PepTalk shall:

- process Customer Personal Data only on documented instructions from the Customer, unless required to do so by EU, Member State, UK, or applicable US law, in which case PepTalk shall notify the Customer before processing (unless prohibited by law);

- ensure that all persons authorised to process Customer Personal Data are subject to binding confidentiality obligations;

- implement and maintain the technical and organisational security measures set out in Section 1.5 below;

- not engage any Sub-processor without the Customer’s prior written authorisation, in accordance with Section 1.8 below;

- assist the Customer to respond to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection;

- assist the Customer in ensuring compliance with obligations relating to security, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities;

- at the Customer’s election, delete or return all Customer Personal Data on termination or expiry of the Agreement, and delete all existing copies unless retention is required by applicable law;

- make available all information reasonably necessary to demonstrate compliance with this Schedule, and co-operate with and contribute to audits and inspections in accordance with Section 1.7; and

- notify the Customer promptly if, in PepTalk’s opinion, any instruction from the Customer would infringe applicable data protection law.

1.3 Customer Warranties and Obligations

The Customer warrants and undertakes that:

- it has obtained and will maintain all necessary consents, permissions, and authorisations required for PepTalk to process Customer Personal Data under this Agreement;

- it will provide data subjects with all required privacy notices under applicable law before or at the time of data collection;

- its instructions to PepTalk regarding the processing of Customer Personal Data will at all times comply with applicable data protection law;

- it is solely responsible for the accuracy, integrity, and legality of the Customer Personal Data it submits for processing; and

- for US deployments: the Customer shall ensure it has a lawful basis under applicable state privacy law (including where required, a valid employee privacy notice or consent) before providing employee data to PepTalk.

1.4 Personal Data Breach Notification

PepTalk shall notify the Customer without undue delay upon becoming aware of any personal data breach involving Customer Personal Data. Notification timelines are as follows:

- EU/EEA (GDPR): within 48 hours — to allow the Customer to meet the 72-hour supervisory authority deadline.

- UK (UK GDPR): within 48 hours — to allow the Customer to meet the 72-hour ICO deadline.

- California (CCPA/CPRA): within 72 hours — to allow the Customer to notify affected individuals per Cal. Civ. Code §1798.82.

- Other US states: without undue delay — no later than required to allow the Customer to comply with applicable state law.

The breach notification shall include, to the extent available: the nature of the breach; categories and approximate number of data subjects and records concerned; the name and contact details of the relevant PepTalk privacy contact; the likely consequences of the breach; and measures taken or proposed to address the breach.

1.5 Security Measures

PepTalk shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data, including as a minimum:

- Access Control: role-based access controls; principle of least privilege; multi-factor authentication for all administrative access to systems containing Customer Personal Data.

- Encryption: encryption of Customer Personal Data at rest (AES-256 or equivalent) and in transit (TLS 1.2 minimum).

- Pseudonymisation: where technically feasible, pseudonymisation applied to reduce risk of re-identification in processing activities.

- Resilience: systems and services designed to maintain ongoing confidentiality, integrity, availability, and resilience; regular backup procedures and disaster recovery testing.

- Testing and Review: regular testing, assessment, and evaluation of technical and organisational security measures; annual penetration testing by qualified third parties.

- Personnel: privacy and security training mandatory for all staff with access to Customer Personal Data; background checks conducted in accordance with applicable law.

- Incident Response: documented incident response plan, reviewed at least annually, covering detection, containment, eradication, recovery, and notification procedures.

1.6 Data Protection Impact Assessments

PepTalk shall provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) under Article 35 GDPR and equivalent obligations under applicable law, where the nature of the processing is likely to result in a high risk to the rights and freedoms of data subjects. PepTalk shall also assist the Customer with any required prior consultations with supervisory authorities under Article 36 GDPR. The costs of such assistance shall be borne by the Customer.

1.7 Audits and Inspections

PepTalk shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Schedule and shall permit and contribute to audits and inspections subject to the following conditions:

- the Customer shall provide at least 30 days’ prior written notice of any audit or inspection;

- audits shall be conducted during Normal Business Hours and in a manner that minimises disruption to PepTalk’s operations;

- no more than one audit per 12-month period, unless a personal data breach has occurred;

- the Customer shall bear all costs of any audit unless the audit reveals material non-compliance by PepTalk with this Schedule, in which case PepTalk shall bear its own reasonable costs;

- PepTalk may satisfy audit obligations by providing current third-party audit reports (e.g. ISO 27001 certification, SOC 2 Type II report) in lieu of a Customer-conducted audit, provided such reports adequately address the scope of the Customer’s audit requirements; and

- audits shall not require PepTalk to disclose information about its other customers, internal pricing, or commercially sensitive non-public information.

1.8 Sub-processors

The Customer grants general written authorisation for PepTalk to engage Sub-processors, subject to the following conditions:

- PepTalk maintains an up-to-date list of current Sub-processors at www.peptalkhq.com/legal/subprocessors.

- PepTalk shall notify the Customer at least 14 days in advance of adding or replacing any Sub-processor by updating the Sub-processor list and notifying the Customer’s nominated contact by email.

- the Customer may object to a proposed new or replacement Sub-processor on reasonable grounds by notifying PepTalk in writing within 14 days. In the event of a reasonable objection that cannot be resolved, either party may terminate the relevantServices on 30 days’ written notice without liability for early termination fees.

- PepTalk shall impose on each Sub-processor data protection obligations equivalent to those set out in this Schedule, by way of written contract; and

- PepTalk remains fully liable to the Customer for the performance of any Sub-processor’s obligations under this Schedule.

1.9 International Data Transfers

PepTalk shall not transfer Customer Personal Data outside the EEA, the United Kingdom, or (for US customers) outside the United States, without ensuring an appropriate transfer mechanism is in place, including:

- EU/EEA to third country: EU-US Data Privacy Framework (where applicable); 2021 EU Standard Contractual Clauses (SCCs) — Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) as appropriate; or European Commission adequacy decision.

- UK to third country: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs as approved by the UK ICO; or UK adequacy regulations.

- US to EEA/UK: EU-US Data Privacy Framework certification (where applicable) or SCCs/IDTA as above.

- Other transfers: any other appropriate safeguard approved by the relevant supervisory authority.

Where SCCs apply, the parties agree that the SCCs are incorporated into this Schedule by reference and shall prevail over any conflicting terms of this Schedule or the Agreement to the extent of any conflict relating to the transfer.

1.10 Data Retention and Deletion

Customer Personal Data shall be retained for the duration of the Subscription Term and for a period of 30 days thereafter (the “Retention Period”), during which the Customer may request return or export of its data. Following expiry of the Retention Period, PepTalk shall securely delete or destroy all Customer Personal Data unless: (a) retention is required by applicable law, in which case PepTalk shall notify the Customer of the nature and duration of the retention obligation; or (b) the Customer has made a written request for return or deletion that is pending at the time of expiry, in which case the Retention Period is extended until completion of that request. Deletion shall be confirmed to the Customer in writing within 10 Business Days of completion.

Part 2 — Details of Processing

The following sets out the subject matter, duration, nature, purpose, types of personal data, and categories of data subjects in respect of Customer Personal Data processed by PepTalk as Processor under this Agreement.

Subject matter: Provision of the PepTalk workforce engagement platform and associated services to the Customer.

Duration: For the duration of the Subscription Term and the Retention Period of 30 days following expiry or termination of the Agreement.

Nature of processing: Collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, and deletion/destruction of personal data, for the purposes of providing the Services.

Purposes of processing: To onboard and authenticate Admin Users; to provide Admin Users with access to the Platform and Customer Dashboard; to provide team and manager-related features; to enable the Customer to manage user access and usage via the Customer Dashboard; to offboard Admin Users; and to provide customer support.

Categories of personal data: Name and professional email address of Admin Users (Customer Admins and Managers holding named accounts on the Platform). No personal data is collected from individuals accessing the Platform anonymously via Kiosk, QR code, or hyperlink.

Special category data: None collected by default. If the Customer or Admin Users submit special category data as Customer Content, the Customer acts as Controller and is responsible for ensuring a valid legal basis under Article 9 GDPR or equivalent.

Categories of data subjects: Admin Users (Customer Admins and Managers holding named accounts on the Platform, as defined in this Agreement).

Recipients: PepTalk personnel (on a need-to-know basis); Sub-processors listed at www.peptalkhq.com/legal/subprocessors; supervisory authorities and law enforcement where required by law.

Part 3 — US-Specific Data Privacy Obligations

3.1 Service Provider / Processor Status

For the purposes of applicable US state privacy laws, PepTalk acts as a “Service Provider” (under CCPA/CPRA), “Processor” (under VCDPA, CPA, CTDPA and equivalents), or equivalent role as defined under applicable law. PepTalk shall:

- process Customer Personal Data only for the purposes set out in Part 2 of this Schedule and as directed by the Customer, and not for PepTalk’s own commercial purposes;

- not sell Customer Personal Data or share it for cross-context behavioural advertising;

- not retain, use, or disclose Customer Personal Data outside the direct business relationship with the Customer, except as required by law;

- not combine Customer Personal Data with personal data received from other sources except as permitted under applicable law;

- provide the same level of privacy protection as required of the Customer under applicable law;

- notify the Customer if PepTalk determines it can no longer meet its obligations under applicable US privacy law; and

- grant the Customer the right, on reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorised use of Customer Personal Data.

3.2 Data Subject Rights — US

PepTalk shall assist the Customer in responding to data subject rights requests under applicable US state privacy law, including:

- Right to Know/Access (CCPA/CPRA, VCDPA, CPA, CTDPA): provide Customers with details of personal data held; support data portability export within 10 Business Days.

- Right to Delete (all applicable state laws): delete specified personal data on Customer instruction within 10 Business Days; confirm deletion in writing.

- Right to Correct (CPRA, VCDPA, CPA, CTDPA): correct inaccurate personal data on Customer instruction within 10 Business Days.

- Right to Opt-Out of Sale/Sharing (CCPA/CPRA): not applicable — PepTalk does not sell or share Customer Personal Data for advertising or commercial purposes.

3.3 Non-Discrimination

PepTalk shall not discriminate against data subjects for exercising their rights under applicable US privacy law. PepTalk shall not deny goods or services, charge different prices, or provide a different level of service quality on the basis that a data subject has exercised a privacy right.

3.4 Sensitive Personal Information (US)

PepTalk does not by default collect or process sensitive personal information as defined under CCPA/CPRA or equivalent state law (including Social Security numbers, financial account information, health data, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, or biometric data). Where the Customer or Admin Users submit such data as Customer Content, the Customer is responsible for ensuring a valid basis for that processing and for complying with any applicable use limitations or consent requirements.

3.5 Privacy Contacts and Supervisory Authorities

PepTalk Privacy Contact: privacy@peptalk.com / Langley Resources Limited t/a PepTalk, Block 1, Ground Floor, Millbank Business Park, Lower Lucan Road, Lucan, Co. Dublin, Ireland.

EU/EEA Supervisory Authority: Data Protection Commission (Ireland) www.dataprotection.ie.

UK Supervisory Authority: Information Commissioner’s Office (ICO) www.ico.org.uk.

California Privacy Rights: submit requests to privacy@peptalk.com with subject line: CCPA Rights Request.

SCHEDULE 3 — KIOSK TERMS

Part 1 General

These Kiosk Terms govern the supply, rental, use, maintenance, and return of Kiosk hardware provided by PepTalk to the Customer. They form part of this Agreement and apply where the Order Form includes Kiosks. In the event of conflict between these Kiosk Terms and the main body of the Agreement, these Kiosk Terms prevail in respect of Kiosk hardware.

Part 2 Ownership and Risk

All Kiosks remain the sole property of PepTalk at all times. These terms constitute a rental arrangement only and confer no ownership, title, or equity interest in any Kiosk on the Customer. The Customer must not represent to any third party that it owns any Kiosk, and must not encumber, pledge, or grant any lien or security interest in any Kiosk.

PepTalk will deliver each Kiosk to the Customer’s site at PepTalk’s cost. Risk in each Kiosk passes to the Customer on delivery and returns to PepTalk on collection. The Customer is responsible for the cost of returning Kiosks to PepTalk at the end of the Subscription Term or on earlier termination.

Part 3 —Permitted Use and Site Obligations

The Customer must:

- use each Kiosk only for the purpose of accessing the Platform and Services, in compliance with all applicable law;

- not sub-let, transfer, assign, or grant any third-party rights over any Kiosk without PepTalk’s prior written consent;

- not modify, reverse-engineer, tamper with, or attempt to access the software or firmware of any Kiosk;

- keep each Kiosk at the site specified in the Order Form — relocation requires PepTalk’s prior written approval;

- secure Kiosks in locations that minimise exposure to environmental damage, tampering, or theft;

- ensure the installation environment meets PepTalk’s minimum technical requirements; and

For US customers: the Customer is responsible for ensuring that the deployment and operation of each Kiosk at its site complies with all applicable accessibility requirements, including the Americans with Disabilities Act (ADA).

Part 4 Damage, Loss, and Misuse

PepTalk will not cover repair or replacement costs where damage arises from misuse or negligent operation, neglect, vandalism or deliberate damage, inappropriate placement or environmental exposure, or unauthorised modification or repair.

The Customer must notify PepTalk promptly of any loss, theft, or damage to a Kiosk. The Customer is liable for the replacement cost of any lost, stolen, or damaged Kiosk (beyond fair wear and tear) as stated in the Order Form, or if not stated, at PepTalk’s then-current list price for the equivalent unit. PepTalk will invoice any damage or replacement costs following assessment on return. The Customer may dispute any such invoice within 10 Business Days of receipt, and unresolved disputes will be referred to the dispute resolution process in Clause 13.1.

Part 5 Maintenance and Support

PepTalk will provide remote technical support and troubleshooting during Normal Business Hours, and will repair or replace hardware faults arising from normal wear and tear at no additional cost. PepTalk will use commercially reasonable efforts to respond to reported faults promptly and resolve issues as quickly as practicable.

PepTalk will proactively monitor each Kiosk’s uptime, connectivity, and performance and will notify the Customer’s nominated contact promptly upon detecting any fault or offline status. The Customer must not attempt self-repair or engage third parties to repair any Kiosk. PepTalk may push software and firmware updates to Kiosks remotely. All intellectual property rights in Kiosk software remain exclusively with PepTalk.

Part 6 Return of Kiosks

At the end of the Subscription Term or on earlier termination, the Customer must return all Kiosks to PepTalk in good condition (fair wear and tear excepted) within 14 Business Days, at the Customer’s cost. PepTalk will confirm a return address on request.

PepTalk will assess the condition of returned Kiosks and invoice any damage charges in accordance with Part 4 above. Failure to return Kiosks within the required timeframe will result in additional rental charges accruing at the pro-rated contract rate until return is completed.

Part 7 Early Termination

If the Customer terminates this Agreement early other than for PepTalk’s material breach, PepTalk may invoice the Customer for all remaining Subscription Fees for the unexpired term as liquidated damages, representing a genuine pre-estimate of loss.

These Terms & Conditions are incorporated into the Order Form by reference. By signing the Order Form, the Customer agrees to be bound by this Agreement.

PepTalk.

Workforce insights for a safer,
more productive site.

Connect
Irish Construction Industry Awards 2024 logo with Innovation in Construction category and FINALIST banner.
Blue rounded badge with a green and blue checkmark and white text reading 'Cyber Essentials Certified'.
Deloitte Technology Fast 50 2022 Ireland winner logo with green and black text.
G2 badge indicating High Performer in Europe for Summer 2022.
Platform
why
Customers
industries
resources
about
Contact
© Peptalk. All rights reserved.
MSAPrivacy Policy