18. FORCE MAJEURE
18.1 If Yapily is prevented, hindered or delayed in or from performing any of its obligations under this Agreement by a Force Majeure Event, Yapily shall not be in breach of this Agreement or otherwise liable for any such failure or delay in the performance of such obligations. The time for performance of such obligations shall be extended accordingly.
18.2 Yapily shall:
18.2.1 as soon as reasonably practicable after the start of the Force Majeure Event, notify the Customer of the Force Majeure Event, the date on which it started, its likely or potential duration and the effect of the Force Majeure Event on its ability to perform any of its obligations under this Agreement; and
18.2.2 use all reasonable endeavours to mitigate the effect of the Force Majeure Event on the performance of its obligations.
18.3 If the Force Majeure Event prevents, hinders or delays Yapily’s performance of its obligations for a continuous period of more than thirty (30) days, either party may terminate the Agreement by giving thirty (30) days’ written notice to Yapily.
19. ASSIGNMENT
19.1 The Customer shall not assign, transfer, mortgage, charge, declare a trust of, or deal in any other manner with any or all of its rights and obligations under this Agreement without Yapily’s prior written consent.
19.2 Each party confirms it is acting on its own behalf in relation to the Agreement and not for the benefit of any other person.
20. ENTIRE AGREEMENT
20.1 This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous discussions, correspondence, negotiations, drafts, agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
20.2 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no rights or remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
20.3 Each party agrees that it shall not have any claim for innocent or negligent misrepresentation or negligent misstatement based on any statement or warranty in this Agreement.
20.4 Nothing in this clause 20 operates to limit or exclude any liability for fraud.
21. NOTICES
21.1 For the purposes of this clause 21, but subject to clause 21.6, notice includes any other communication.
21.2 A notice given to a party under or in connection with this Agreement:
21.2.1 shall be in writing and in English;
21.2.2 shall be sent to the relevant party for the attention of the contact and to the address, or email address specified in clause 21.3, or such other contact, address, email address as that party may notify in accordance with clause 21.4;
21.2.3 shall be:
21.2.3.1 delivered by hand;
21.2.3.2 sent by pre-paid first class post or another next working day delivery service if the sender and recipient are both based within the United Kingdom; 21.2.3.3 sent by pre-paid airmail or by reputable international overnight courier if one or more of the sender or recipient is based outside of the United Kingdom; or 21.2.3.4 by e-mail.
21.3 The addresses, email addresses and contacts for service of notices are: 21.3.1 Yapily:
21.3.1.1 the contact details, post address and email address as set out at https://www.yapily.com/legal-policies as may be updated from time to
time; and
21.3.2 Customer:
21.3.2.1 such address, contact and email address as provided in the application form submitted by the Customer on the Yapily website or, where you have entered into a Pricing Agreement with us, such details as provided in the Pricing Agreement.
21.4 A party may change its details for service of notices as specified in clause 21.3 by giving notice in writing to the other party. Any change notified pursuant to this clause shall take effect at 9.00 am on the later of:
21.4.1 the date (if any) specified in the notice as the effective date for the change; and 21.4.2 the date five Business Days after deemed receipt of the notice of change.
21.5 A notice is deemed to have been received (provided that all other requirements in this clause 21 have been satisfied):
21.5.1 if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the address;
21.5.2 if sent by pre-paid first class post or another next working day delivery service, providing proof of postage to the postal address of Yapily specified in clause 21.3, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service;
21.5.3 if sent by pre-paid airmail, providing proof of postage to the postal address of Yapily specified in clause 21.3, at 9.00 am on the fifth Business Days after posting or at the time recorded by the delivery service;
21.5.4 if sent by reputable international overnight courier to an address outside the country from which it is sent, on signature of a delivery receipt or at the time the notice is left at the address; or
21.5.5 if sent by email, at the time of transmission PROVIDED that if deemed receipt under the previous sub-clauses of this Clause 21.5 would occur outside the Usual Business Hours, the notice shall be deemed to have been received when Usual Business Hours next recommence. For the purposes of this clause, Usual Business Hours means 9.00 am to 5.30 pm local time on any day which is not a Saturday, Sunday or public holiday in the place of receipt of the notice (which, in the case of service of a notice by email shall be deemed to be the same place as is specified for service of notices on the relevant party by hand or post). For the purposes of this clause 21.5, all references to time are to local time in the place of deemed receipt.
21.6 This Clause 21 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
22. WAIVERS
22.1 No variation of this Agreement shall be effective unless it is in writing and signed by Yapily and the Customer (or their authorised representatives).
22.2 A waiver of any right or remedy under this Agreement or by law is only effective if it is given in writing and signed by the person waiving such right or remedy. Any such waiver shall apply only to the circumstances for which it is given and shall not be deemed a waiver of any subsequent breach or default.
22.3 A failure or delay by any person to exercise any right or remedy provided under this Agreement or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under this Agreement or by law shall prevent or restrict the further exercise of that or any other right or remedy.
22.4 A party that waives a right or remedy provided under this Agreement or by law in relation to one party, or takes or fails to take any action against that party, does not affect its rights in relation to any other party.
23. SEVERANCE
If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part provision shall be deemed deleted. Any modification to or deletion of a provision or part provision under this clause 23 shall not affect the validity and enforceability of the rest of this Agreement.
24. PARTNERSHIP
Nothing in this Agreement and no action taken by Customer or Yapily under this Agreement shall constitute a partnership, association, joint venture or other co-operative entity between Customer and Yapily.
25. RIGHTS AND REMEDIES
Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
26. THIRD PARTY RIGHTS
This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement. The rights of the parties to rescind or vary this Agreement are not subject to the consent of any other person.
27. GOVERNING LAW AND JURISDICTION
27.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.
27.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
28. MISCELLANEOUS
Yapily is allowed to identify the Customer as a customer only with written consent of the Customer. Yapily is allowed to make press releases announcing the Service, to promote and identify Company as a customer, to use the logo of Company and/or involve Company in case studies only with prior consultation and written consent of Company.
SCHEDULE 1 – PSP ACCOUNT INFORMATION
PSP Account Information shall include, but not be limited to, the following financial and personal information:
• Personal information: name, date of birth, full address(es), email address, phone number, gender;
• PSP Account Information: o account type (e.g. current, saving, investment, credit card); o account contract (e.g. interest rate, product reference); o account name; o IBAN/Account number/Sort code/SWIFT; o currency;
• Account balance information: o current balance; o available balance (credit cards);
• Transactions: o time; o description; o amount; o meta data (arbitrary data that banks associate with a transaction e.g. category); and/or • Additional data which Yapily may collect in the future (as confirmed in writing from time to time): o loans data; o insurance data; and/or o investments data.
SCHEDULE 2 – SERVICE LEVEL OBJECTIVE
1.1 Where you have entered into a Pricing Agreement with Yapily, Yapily’s service level commitments shall be those which are set out in the Pricing Agreement and paragraphs 1.2 to 1.4 below shall not be applicable. In all other cases, paragraphs 1.2 to 1.4 below shall apply in respect of the Service.
1.2 Yapily shall use reasonable endeavours, but shall not be under an obligation, to commit to up time of 99% for the Service, except for Permitted Down Time, and unless a reduction in service level percentage occurs as a result of a third party’s negligence or a Force Majeure event. Up time refers to services being available online.
1.3 Permitted Down Time shall be limited to the suspension of the Service necessary:
(a) to enable us or our Agents to comply with an order or request from the Government, any competent regulatory body or other competent administrative authority; or
(b) to enable us or our Agents to carry out work relating to the maintenance or upgrade of the Service.
1.4 We will use reasonable endeavours to ensure that all Permitted Down Time takes place during hours of low usage of the Service (including a standard internet maintenance window on Saturdays and Sundays between 0500 and 0900).
SCHEDULE 3 – DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) sets out the additional terms, requirements and conditions on which Yapily will process Personal Data when providing the Service.
1. INTERPRETATION
1.1 Terms such as “process/processing”, “data subject”, “data processor”, “personal data” and “data protection impact assessment” shall have the same meaning ascribed to them in the Data Protection Legislation;
1.2 “Controller” means the Customer;
1.3 “Data Protection Legislation” has the meaning given to it in the main body of this Agreement; 1.4 “EEA” means the European Economic Area;
1.5 “Personal Data” means the personal data described in Schedule 1 of the Agreement and any other personal data processed by the Processor on behalf of the Controller pursuant to or in connection with the Agreement;
1.6 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
1.7 “Processor” means Yapily;
1.8 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these standard contractual clauses;
1.9 “Sub-processor” means any data processor (including any affiliate of the Processor) appointed by the Processor to process personal data on behalf of the Controller;
1.10 The Annexes form part of this DPA and will have effect as if set out in full in the body of the Agreement. Any reference to this DPA includes the Annexes.
1.11 In the case of conflict or ambiguity between:
1.11.1 any provision contained in this DPA and any provision contained in the Annexes, the provision in the DPA will prevail;
1.11.2 any of the provisions of this DPA and the provisions of the main body of the Agreement, the provisions of this DPA will prevail;
1.11.3 where the parties have entered into a Pricing Agreement, any of the provisions of this DPA and the provisions of the Pricing Agreement, the provisions of the Pricing Agreement will prevail; and
1.11.4 any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.
1.12 Unless otherwise specified, any terms which are defined in the main body of the Agreement shall have the same meaning given to them in this DPA.
2. PROCESSING OF THE PERSONAL DATA
2.1 Each party confirms that it will comply with the Data Protection Legislation.
2.2 Annex A describes the subject matter, duration, nature and purpose of processing, the Personal Data types and data subject categories in respect of which the Processor may process in accordance with this DPA.
2.3 The Processor shall only process the Personal Data in accordance with the Controller’s documented instructions (including any processing instructions set out in the main body of the Agreement) unless the processing is required by Applicable Law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data.
3. CONFIDENTIALITY
3.1 The Processor shall ensure that all such persons authorised in the processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. SECURITY
4.1 Each party shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 of the GDPR.
5. SUBPROCESSING
5.1 Subject to clause 5.3, the Processor shall not engage any Sub-processor to process Personal Data other than with the prior specific or general written authorisation of the Controller.
5.2 With respect to each Sub-processor, the Processor shall:
5.2.1 include terms in the contract between the Processor and the Sub-processor which are substantially similar to those set out in this Agreement;
5.2.2 insofar as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses into the contract between the Processor and the Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Processor may reasonably determine as providing an adequate protection in respect of the processing of Personal Data in such third country(or countries); and
5.2.3 remain fully liable to the Controller for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
5.3 As at the Commencement Date or (if later) implementation of this DPA, the Controller hereby authorises the Processor to engage those Sub-processors set out in Annex B of this Agreement.
5.4 The Processor shall subsequently inform the Controller of any intended changes concerning the addition or replacement of its appointed Sub-processors. The Processor shall allow the Controller (within 5 Business Days from notification by the Processor of the intended change) to object to the appointment of the new Sub-processor. If no such objection is received within 5 Business Days, the appointment shall be deemed approved. If the Controller notifies the Processor with an objection within the 5 Business-Day period, the parties shall enter into good faith discussions to agree a workaround which is suitable for both parties. If, in the Processor’s reasonable opinion, the parties fail to agree such a workaround within 15 Business Days of the original notification by the Processor of the intended change, the Processor reserves the right to terminate the Agreement (and this DPA) immediately on written notice.
6. DATA SUBJECT RIGHTS
6.1 The Processor shall without undue delay notify the Controller if it receives a request from a data subject under any Data Protection Legislation in respect of Personal Data, particularly requests by a data subject to exercise his or her rights under Chapter III of the GDPR.
6.2 The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
7. INCIDENT MANAGEMENT
7.1 In the case of a Personal Data Breach, the Processor shall, without undue delay, notify the Personal Data Breach to the Controller providing the Controller with sufficient information which allows the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Legislation.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
8.1 The Processor shall, at the Controller’s written request, provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 of the GDPR and with any prior consultations to the ICO which are required under Article 36 of the GDPR, in each case in relation to processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the processing and information available to the Processor.
9. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
9.1 The Processor shall, as soon as reasonably practicable after the earlier of: (i) cessation of processing of Personal Data by the Processor; or (ii) termination of the Agreement, at the choice of the Controller, either:
9.1.1 return a complete copy of all Personal Data processed by the Processor to the Controller; or
9.1.2 delete all copies of Personal Data processed by the Processor unless any applicable law requires storage of the Personal Data by the Processor.
10. AUDIT RIGHTS
10.1 The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections (at all times subject to clause 10.2) conducted by the Controller or another auditor mandated and professionally appointed by the Controller provided such audit is of any premises where the processing of Personal Data takes place.
10.2 The Processor shall permit the Controller or another auditor mandated and professionally appointed by the Controller during normal working hours and on reasonable prior written notice to inspect, audit and copy any relevant records necessarily required in order that the Controller may reasonably satisfy itself that the provisions of this DPA are being complied with provided that:
10.2.1 such audits shall be limited to once per calendar year; and
10.2.2 any such audits will be carried out with professionalism and with as little disruption to the Processor’s business as possible.
10.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this DPA infringes any of the Data Protection Legislation.
- INTERNATIONAL TRANSFERS
11.1 The Processor shall not transfer Personal Data outside the EEA unless it has provided the appropriate safeguards (which include the Processor and Controller or (where applicable) the Processor and Sub-Processor entering into the Standard Contractual Clauses).
12. LIABILITY
12.1 The Processor’s liability under this DPA shall be excluded and limited in accordance with the terms of the main body of the Agreement and such limitation and exclusion of liability provisions in the main body of the Agreement shall apply to this DPA.
12.2 Where the parties are involved in the same processing and one party has, in accordance with paragraph 4 of Article 82 of the GDPR, paid compensation for any damage caused by that processing, then that party shall be entitled to claim back from the other party such part of the compensation as corresponds to the other party’s share of responsibility for the damage.
13. COSTS
13.1 The Controller shall pay any reasonable costs and expenses incurred by the Processor in meeting the Controller’s requests made under clauses 6.2 or 8 of this DPA.
14. TERM AND TERMINATION
14.1 Without prejudice to either party’s right or remedy available to it (including in the main body of this Agreement), this DPA will remain in full force and effect for so long as:
14.1.1 the Agreement remains in effect; or
14.1.2 the Processor retains any Personal Data related to the Agreement in its possession or control.
ANNEX A
This Annex A includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Personal Data The subject matter is the provision of Services as described in the main body of the Agreement. The duration of the processing is equal to the duration of the term of the Agreement.
The nature and purpose of the processing of Personal Data Yapily offers an API service for the Customer which involves obtaining the Personal Data, using the Personal Data to access Open Banking account information, normalising the data fields and sending the Personal Data it has obtained, together with the normalised data, to the Customer.
- In the event of the Customer trying to retrieve financial data of an
End Client the data flow is summarised as follows:
• the Customer sends Yapily the type (or scope of data) requested and details of the bank. At this stage, no Personal Data is provided;
• the End Client is redirected to his or her bank website or app;
• the bank sends to Yapily the requested Personal Data relating to the End Client; • Yapily normalises the Personal Data and forwards the normalised data to the Customer;
• Yapily does not store the Personal Data but it does store the token of authorisation to facilitate the TPP API calls;
• Yapily derives anonymous data from the Normalised Data and uses such anonymous data to train and optimise Yapily’s categorisation engine which is used to provide the Services. 2. In the event of a payment being made by the End Client the data flow is as follows:
• the Customer sends Yapily the types of payment, the bank involved and details of the recipient party;
• Yapily may, in some cases, process the payment receiver’s personal details together with their account number and sort code. Yapily does not store this data;
• the End Client is redirected to his or her bank website or app;
• the bank confirms the payment was successful.
The types of Personal Data to be processed
The Personal Data described in Schedule 1 of the Agreement.
The categories of data subject to whom the Personal Data relates The End Clients and recipients of payments.
ANNEX B
Authorised Sub-processors
Google Cloud Platform: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland