Online Terms of business

Data Processing Agreement

V1.2

Approval and Version Control

Document Author: Denver Hodgson    Approved By: Malcolm Jones
Previous Version: 1.1    Date Active: 21.04.2026
New Version: 1.2    Date Active: 28.04.2026
Date: 28.04.2026    Next Review Date: 31.12.2026

Data Processing Agreement

Between

  1. [NAME OF DATA CONTROLLER], incorporated in England and Wales with registered office at
    xxxxxxxxx (hereinafter referred to as “[CONTROLLER]”);
  2. [GIGACYCLE LTD] incorporated in England and Wales with registered office at Unit D2 Gilchrist
    Road, Irlam, Manchester, M44 5AY (hereinafter referred to as the “[PROCESSOR]”).

Whereas

  1. [CONTROLLER] wishes to appoint [PROCESSOR] to undertake the Services (as defined in
    Schedule 4) on its behalf.
  2. To perform the Services on [CONTROLLER]’s behalf, [PROCESSOR] will require to process
    certain Categories of Data (as defined in Schedule 5) on behalf of [CONTROLLER].
  3. The Parties now wish to enter into this Contract (as defined below) to regulate the processing of
    these Categories of Data by [PROCESSOR] on behalf of [CONTROLLER].

It is hereby agreed:

1. Definitions and Interpretation

1.1 The words and expressions below will have the meanings set
out next to them:

Applicable Laws
means any other law or regulation that may apply to the processing of
Personal Data;
Appointed Agent
means any auditor or third party, formally appointed by the Data Controller
to perform a range of tasks associated with the validation of the performance of the Data Processor.
Confidential Information
means all confidential information imparted by [CONTROLLER] to [PROCESSOR]
during the term of this Contract or coming into existence because of [PROCESSOR]’s obligations
hereunder which is either marked as confidential or which ought reasonably be regarded as
confidential;
Contract
means this Data Processing Contract;
Controller Data
means all data processed by the Data Processor on behalf of the Data
Controller under the terms of this data processing contract.
Data Controller
means “controller” as defined in Article 4 (7) of the GDPR;
Data Processor
means “processor” as defined in Article 4 (8) of the GDPR;
Data Subject
means “data subject” as defined in Article 4 (1) of the GDPR;
GDPR
means the UK General Data Protection Regulation Directive 2016/679;
Personal Data
means “personal data” as defined by Article 4 (1) of the GDPR and which is
processed by [PROCESSOR] on behalf of [CONTROLLER], as set out in Schedule 4 hereto;
Party or Parties
means a party or the parties to this Contract;
Services
means the provision of [DESCRIPTION OF DATA PROCESSING SERVICES] to
[CONTROLLER] deemed to be the subject matter as per Article 28 GDPR;
Data Subject Rights Request
means a request under Chapter 3 of GDPR which relates to the processing of
Personal Data by [PROCESSOR] on behalf of [CONTROLLER]; and
Third Party
means a party which is not [CONTROLLER], [PROCESSOR] or the Data Subject to
whom the Personal Data relates.

1.2 In this Contract unless otherwise expressly stated:

  1. references to Clauses are to clauses of this Contract;
  2. reference to the Schedules are to the schedules to this Contract which form part of this Contract and
    are incorporated herein;
  3. references to the singular include references to the plural and vice versa;
  4. headings are inserted for convenience only and shall not affect the construction or interpretation of
    this Contract;
  5. any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression are
    illustrative and do not limit the sense of the words preceding those terms and such terms shall be
    deemed to be followed by the words “without limitation”;
  6. references to a statute, or any section of any statute, include any statutory amendment, modification or
    re-enactment and instruments and regulations under it in force from time to time;
  7. references to regulatory rules include any amendments or revisions to such rules from time to time; and
  8. references to regulatory authorities refer to any successor regulatory authorities.

2. Subject and Scope of the Commissioned Processing of Personal Data

2.1 [PROCESSOR] processes the Controller Data exclusively on
behalf of and on the instruction of [CONTROLLER] in accordance with Article 28 (1) GDPR (Commissioned Data
Processing). [CONTROLLER] remains the controller for the purposes of data protection law.

2.2 Schedule 5 to this Contract contains an exhaustive list of
which types of Controller Data the Processor may process, the nature and purpose of processing, the
permitted duration of processing, and to which categories of data subjects the Controller Data relate as per
Article 28 (3).

2.3 The processing of Controller Data will take place
exclusively in the territory of a Member State of the European Union or of a contracting party to the
Agreement on the European Economic Area (EEA). Data processing in other countries may only take place where
the [CONTROLLER] has provided their prior written consent and, where applicable, additionally the
requirements of Articles 44 to 47 GDPR are fulfilled, or there is an exception in accordance with Article
49 GDPR.

OR The processing of Controller Data will take place exclusively within the territory of
the United Kingdom. Data processing in other countries may only take place where the [CONTROLLER] has
provided their prior written consent and, where applicable, additionally the requirements of Articles 44
to 47 GDPR are fulfilled, or there is an exception in accordance with Article 49 GDPR. (UK)

3. Standards of Performance

3.1 [PROCESSOR] hereby undertakes to [CONTROLLER] that it will
undertake the Services on behalf of [CONTROLLER] in accordance with this Contract using all reasonable skill
and care.

3.2 [PROCESSOR] hereby provides sufficient guarantees to
implement appropriate technical and organisational measures in such a manner that processing meets the
requirements of Article 28 (1) of GDPR. These guarantees are listed in Schedule 6.

3.3 [CONTROLLER] and [PROCESSOR] hereby acknowledge that in
relation to the Personal Data and for the purposes of the Applicable Laws, [CONTROLLER] is the Data
Controller and [PROCESSOR] is the Data Processor.

4. The Term

4.1 This Contract shall continue in full force unless or until
terminated in pursuance of Clause 19.

5. Obligations of [CONTROLLER]

5.1 [CONTROLLER] shall provide such information as [PROCESSOR]
may reasonably require for [PROCESSOR] to provide the Services outlined in Schedule 4.

5.2 [CONTROLLER] shall instruct [PROCESSOR] generally in written
or text form which includes email communication. If required, [CONTROLLER] may also issue instructions
orally or via telephone. Instructions issued orally or via telephone require, however, immediate
confirmation by [CONTROLLER] in written or text form.

5.3 [CONTROLLER] shall have legal title on all goods being
collected and therefore can instruct [PROCESSOR] to process equipment in accordance with the service agreed
in the schedule laid out in this contract.

6. Obligations of [PROCESSOR]

6.1 [PROCESSOR] undertakes to [CONTROLLER] that it shall process
the Personal Data only on [CONTROLLER]’s instructions as given from time to time, and in accordance with the
terms of this Contract and all Applicable Laws.

6.2 Any instructions issued by [CONTROLLER] to [PROCESSOR] shall
be done so in accordance with 5.2 and shall be documented by [PROCESSOR] to be evidenced to [CONTROLLER] on
request.

6.3 If [PROCESSOR] is of the reasonable opinion that an
instruction by [CONTROLLER] breaches this Agreement, an earlier instruction, or applicable data protection
laws, [PROCESSOR] must inform [CONTROLLER] in writing of this immediately.

6.4 [PROCESSOR] shall ensure that only such of its employees who
may be required by [PROCESSOR] to assist it in meeting its obligations under this Contract shall have access
to the Personal Data. [PROCESSOR] shall ensure that all employees used by it to provide the Services (i)
have undergone training in the laws of data protection and in the care and handling of the Personal Data in
accordance with such laws, and (ii) have undergone vetting to an appropriate level.

6.5 In particular, [PROCESSOR] undertakes to [CONTROLLER] that
it will not disclose the Personal Data or any part thereof to any Third Party unless and only to the extent
instructed to do so in writing by [CONTROLLER].

6.6 [PROCESSOR] undertakes to [CONTROLLER] that it will not
export the Personal Data or any part thereof outside the European Economic Area in any circumstances other
than at the specific written request of [CONTROLLER]. If [PROCESSOR] intends to transfer Controller Data to
a third country or an international organisation without having been instructed to this end by [CONTROLLER],
[PROCESSOR] will inform [CONTROLLER] without undue delay and as soon as possible about the purpose, legal
ground and affected Controller Data, to such an extent and insofar as such notification is not legally
prohibited on the grounds of a substantial public interest.

6.7 For the mutual benefit of both Parties, and to ensure
compliance with this Contract and the Applicable Laws, [CONTROLLER] and [PROCESSOR] will liaise regularly,
and [PROCESSOR] will allow its data processing facilities, procedures and documentation to be reviewed by
[CONTROLLER] or its auditors.

6.8 If at any time [PROCESSOR] is unable to meet any of its
obligations under this Contract, it undertakes to inform [CONTROLLER] immediately by notice in writing.

6.9 [PROCESSOR] is not permitted to make any copies or
duplicates of the Controller Data without prior written approval by [CONTROLLER]. This excludes copies which
are necessary for the orderly performance of this agreement as well as copies which are necessary for
compliance with statutory retention obligations.

6.10 Should [CONTROLLER] be required to provide information to a
public authority or a person relating to the processing of Controller Data, or to otherwise cooperate with a
public authority, [PROCESSOR] shall support [CONTROLLER] at the first request with the provision of such
information or the fulfilment of other obligations to cooperate. This applies to immediate provision of all
information and documents relating to technical and organisational measures taken in line with Article 32
GDPR relating to the technical procedure for the processing of Controller Data, the sites at which
Controller Data are processed, and relating to the employees involved in processing the Controller Data.

6.11 [PROCESSOR] will support [CONTROLLER] in any activity,
relevant to services being carried out by [PROCESSOR], which [CONTROLLER] or appointed agents must undertake
to comply with GDPR such as Data Privacy Impact Assessment and Register of Processing Activities.

6.12 [PROCESSOR] must have a Data Protection Officer throughout
the term of this contract and inform [CONTROLLER] of the contact details of this appointment. Should the
[PROCESSOR] make any changes to the Data Protection Officer this information must be passed onto
[CONTROLLER] without undue delay. Should [PROCESSOR] believe they do not have to appoint a Data Protection
Officer this information should be passed onto [CONTROLLER] prior to the enactment of this contract.

7. Assignment & Subcontracting

7.1 [PROCESSOR] shall not be entitled to assign this Contract
nor all or any of its rights or obligations hereunder, without the prior written consent of [CONTROLLER].

7.2 The [CONTROLLER] hereby consents to the use by the
[PROCESSOR] of the services of the subcontractors set out in Schedule 3 of this Agreement for the purposes
set out therein.

7.3 [PROCESSOR] shall not be entitled to sub-contract
performance of its obligations hereunder without [CONTROLLER]’s prior written consent and [PROCESSOR] shall,
at all times, be responsible as between itself and [CONTROLLER] for the observance by its assignees of the
obligations contained in this Contract as if such sub-contractors were [PROCESSOR].

7.4 In the event that [PROCESSOR] requires [CONTROLLER]’s prior
written consent in pursuance of Clause 7, [CONTROLLER] shall be entitled, at its discretion, to withhold
such consent and prior to issuing such consent [CONTROLLER] may require the party that [PROCESSOR] proposes
to sub-contract the performance (or any part thereof) of its obligations hereunder, to enter into a direct
contractual relationship with [CONTROLLER] in respect of the processing of any Personal Data by such party.

7.5 For the assessment of such approval, [PROCESSOR] must
provide [CONTROLLER] with a copy of the intended commissioned data processing agreement between [PROCESSOR]
and the further commissioned data processor. [PROCESSOR] must obligate the further commissioned data
processor in that written agreement in exactly the same manner as the former is obligated on the basis of
this Agreement and include the requirements set out in Clause 14.

7.6 [PROCESSOR] is obligated to only select – and, should
[CONTROLLER] approve, to make use of – those further commissioned data processors which offer sufficient
guarantees that the appropriate technical and organisational measures will be implemented in such a manner
that the processing of Controller Data takes place in accordance with the requirements of the GDPR.
[PROCESSOR] must satisfy itself prior to the commencement of the processing of compliance with the technical
and organisational measures by the further commissioned data processor and will confirm by means of a
request for approval by [CONTROLLER]. Upon request, [PROCESSOR] will provide evidence to [CONTROLLER] to
this end.

7.7 There is no right or claim to the granting of approval. The
statutory liability of [PROCESSOR] in their capacity as commissioned data processor remains unaffected by
any approval granted.

7.5 [CONTROLLER] must also be granted audit and examination
rights in relation to subcontractors in accordance with Clause 6 of this Contract. [CONTROLLER] may request
from [PROCESSOR] information about the essential terms and conditions of the subcontract and the
implementation of the subcontractor’s obligations relating to data protection, if necessary, also by
inspection of the relevant contractual documentation.

8. Security of Processing (As per Article 32 GDPR)

7.5 [PROCESSOR] warrants that it undertakes appropriate
technical and organisational measures to ensure a suitable level of protection for the Controller Data
corresponding to the risk. This must be in consideration of the state of the art, implementation costs and
the type, scope, circumstances, and aims of the processing as well as the varying likelihood of occurrence
and severity of the risk to the rights and freedoms of data subjects. These measures include, inter alia,
the following:

  1. the pseudonymisation and encryption of Controller Data;
  2. the ability to permanently ensure the confidentiality, integrity and availability of the systems,
    services and Controller Data in connection with the processing;
  3. the ability to rapidly recover the availability of the Controller Data and access to them, should a
    physical or technical disruption occur;
  4. a process for the regular review, assessment, evaluation and evidence of the effectiveness of the
    technical and organisational measures for the purposes of ensuring the security of the processing.

8.5 [PROCESSOR] guarantees that it has, prior to the
commencement of the processing of the Controller Data, provided evidence to [CONTROLLER] that it has taken
the appropriate technical and organisational measures to protect the data which is being processed. This
evidence could be the accreditation of its Data Processing Service by an industry recognised accreditation
scheme. (Article 28 (5) GDPR) [PROCESSOR] guarantees that it will maintain these during the term of the
Agreement.

8.6 [PROCESSOR] guarantees that it adheres to an approved code
of conduct [Article 28 (5)] prior to the commencement of the contract.

8.7 [PROCESSOR] guarantees that as technology and threats
evolve, by means of continual assessment, the technical and organisational measures in place are assessed
for appropriateness. Because of this assessment [PROCESSOR] is permitted to implement alternative, adequate
measures, if they do not fall below the security level of the measures agreed at the start of this
Agreement. Any alternative measures are subject to the prior clauses of this contract and evidenced to
[CONTROLLER] as per 8.1 and 8.2.

9. Transfer of Personal Data

9.1 Before transferring any Personal Data to [CONTROLLER],
[PROCESSOR] will establish with [CONTROLLER] the appropriate method of transfer or transmission and will
securely transfer or transmit the Personal Data to [CONTROLLER] in line with [CONTROLLER]’s requirements.

10. Data Subject Requests

10.1 [CONTROLLER] shall be responsible for responding to all
Data Subject Requests in accordance with Article 12 GDPR (“data subject rights”) which may be received from
Data Subjects to which the Personal Data relates.

10.2 [PROCESSOR] hereby agrees to assist [CONTROLLER] with all
applicable Data Subject Requests which may be received from the Data Subjects to which the Personal Data
relates as per Schedule 1.

10.3 If [PROCESSOR] receives a Data Subject Request from a Data
Subject relating to the Personal Data processed on behalf of the [CONTROLLER] it shall immediately and
without undue delay, forward it to the person nominated by [CONTROLLER] under clause 20 of this Contract.

10.4 Where [CONTROLLER] considers that it is necessary for
copies of the Personal Data to be transferred to it to respond to a Data Subject Request, [CONTROLLER] will
inform [PROCESSOR] that it requires copies to be transferred. Before transferring the copies, [PROCESSOR]
will establish with [CONTROLLER] the appropriate method of transfer and will securely transfer the copies of
the Personal Data to [CONTROLLER] in line with [CONTROLLER]’s requirements, to arrive no more than 10
working days from the date of [CONTROLLER]’s request to [PROCESSOR].

11. Complaints Relating to Processing of Personal Data under this Contract

11.1 [CONTROLLER] shall be responsible for the handling of and
responding to processing any complaints or expressions of dissatisfaction which may be received from the
Data Subjects to which the Personal Data relates or others, in relation to the processing of the Personal
Data under this Contract.

11.2 [PROCESSOR] hereby agrees to assist [CONTROLLER] with any
applicable complaints or expressions of dissatisfaction which may be received from the Data Subjects to
which the Personal Data relates or others, in relation to the processing of the Personal Data under this
Contract as per Schedule 1.

11.3 If [PROCESSOR] receives any complaints or expressions of
dissatisfaction, relating to the Personal Data processed on behalf of the [CONTROLLER] it shall immediately
and without undue delay, forward it to the person nominated by [CONTROLLER] under clause 20 of this
Contract.

11.4 Where [CONTROLLER] considers that it is necessary for
copies of the Personal Data to be transferred to it to allow it to respond to a complaint or expression of
dissatisfaction, [CONTROLLER] will inform [PROCESSOR] that it requires copies to be transferred. Before
transferring the copies, [PROCESSOR] will establish with [CONTROLLER] the appropriate method of transfer and
will securely transfer the copies of the Personal Data to [CONTROLLER] in line with [CONTROLLER]’s
requirements, to arrive no more than 5 working days from the date of [CONTROLLER]’s request to [PROCESSOR].

12. Breach Identification and Notification

12.1 Under the context of this contract a Data Breach is defined
as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

12.2 [PROCESSOR] will ensure that there are sufficient checks
being made on processing activities to ensure that data is being protected at all times as per clause 8.

12.3 [PROCESSOR] will without undue delay inform [CONTROLLER] if
the former becomes aware of an incident which under the definition of 12.1, constitutes a data breach. This
communication will be made to the contact as designated in Clause 20 and be classed as “Initial
Notification”.

12.4 [CONTROLLER] will be responsible for informing the Local
Supervisory Authority as denoted in Clause 20. This notification will be made no later than 72 hours from
the “Initial Notification” as per Article 33 GDPR.

12.5 [PROCESSOR] must inform [CONTROLLER] within 24 hours of
Initial Notification the following details where possible: nature of the personal data breach including categories
and approximate number of data subjects concerned, names and contact details of the Data Protection Officer
or other contact point, likely consequences of personal data breach and any measures taken or proposed to be
taken to mitigate the adverse effects of the data breach. Where it is not possible to provide this
information in full within 24 hours, a clearly articulated plan of activities and timelines for obtaining
any missing information should be submitted to [CONTROLLER] within the 24-hour window.

12.6 [PROCESSOR] will support the [CONTROLLER] or [CONTROLLER]’s
appointed agent, in the investigation of any data breach incident unless such activities contravene legal or
contractual obligations already in place. In such situations, a written explanation supporting the
[PROCESSOR]’s position is required.

13. Retention and Disposal of Personal Data

13.1 [PROCESSOR] undertakes to retain and dispose of the
Personal Data in line with the Retention and Disposal Guidelines, as contained in Schedule 7 to this
Contract.

14. Evidence and Inspections

14.1 [PROCESSOR] shall provide [CONTROLLER] with all necessary
information to prove compliance with [CONTROLLER]’s obligations under this Agreement upon request. Upon
request of [CONTROLLER], [PROCESSOR] shall provide [CONTROLLER] immediately with all relevant certificates
and audit reports.

14.2 [CONTROLLER] is entitled to receive information from the
Data Protection Officer of [PROCESSOR] relating to all aspects regarding the processing of Controller Data,
including the technical and organisational measures taken in accordance with Clause 8.

14.3 [CONTROLLER] or appointed agent is entitled, with
reasonable notice, to enter the business premises of [PROCESSOR] during normal business hours (Mondays to
Fridays from 09:00 until 18:00) and inspect the technical and organisational measures as well as the
processes of [PROCESSOR], to satisfy themselves of the compliance with the provisions of this Agreement as
well as the relevant statutory data protection provisions by [PROCESSOR].

14.4 [PROCESSOR] guarantees [CONTROLLER], or appointed agent,
the access rights, information rights, and inspection rights necessary for this purpose. [PROCESSOR] will
guarantee access to the data processing facilities, files, and other documents to allow for monitoring and
auditing of the relevant data processing facilities, files and other documentation relating to the
processing of the Controller Data. [PROCESSOR] will provide [CONTROLLER], or an agent appointed by the same,
with all information necessary for the inspection.

14.5 [CONTROLLER] and [PROCESSOR] are subject to public audits
by the competent data protection authorities. Upon request of [CONTROLLER], [PROCESSOR] will provide the
requested information to the supervisory authorities and will also grant the latter the opportunity to
audit; this includes inspections of [PROCESSOR] by the supervisory authorities and persons appointed by
them. [PROCESSOR] guarantees to the competent authorities in this context the necessary access rights,
information rights, and inspection rights.

14.6 [PROCESSOR] shall hold relevant industry accreditations to
evidence capabilities in their field. These are to be maintained throughout the duration of this contract
and are listed in Schedule 8.

15. Indemnity

15.1 [PROCESSOR] hereby agrees to indemnify [CONTROLLER] up to a
maximum of £5 million per incident against all losses, costs, expenses, damages, liabilities, demands,
claims, fines, penalties, actions or proceedings which [CONTROLLER] may incur arising out of any failure by
[PROCESSOR] or its employees to comply with any of its obligations under this Contract.

15.2

16. Ownership

16.1 All right, title and interest in the Confidential
Information shall vest solely with [CONTROLLER] or its licensees.

17. Confidentiality

17.1 [PROCESSOR] shall procure that all Confidential Information
disclosed to it by [CONTROLLER] under this Contract or which at any time during the term of the Contract
come into [PROCESSOR]’s knowledge, possession or control, shall be kept secret and confidential and shall
not be used for any purposes other than those required or permitted by this Contract and shall not be
disclosed to any third party except insofar as this may be required for the proper operation of this
Contract and then only under appropriate confidentiality provisions approved in writing by [CONTROLLER].

17.2 [PROCESSOR] will ensure, pursuant to Article 29 GDPR, that
all persons under their authority process the Controller Data exclusively in accordance with this Agreement,
as well as the instructions of [CONTROLLER].

17.3 The obligations of confidence contained in this Clause 17
shall not prevent [PROCESSOR] from disclosing information to the extent required by law or for any
regulatory purposes, provided that prior written notice is given to [CONTROLLER] of such disclosure.

17.4 The obligations of confidence contained in this Clause 7
shall not apply to any information which:

  1. is or becomes generally available to the public through no act or default of [PROCESSOR] or its
    directors, employees or agents; or
  2. [PROCESSOR] can demonstrate from its written records, prior to its receipt from [CONTROLLER] was in its
    possession and at its free lawful disposal; or
  3. [PROCESSOR] can demonstrate from its written records, is after its receipt from [CONTROLLER], generated
    by employees of [PROCESSOR] independently of, and without knowledge of, the Confidential Information; or
  4. [PROCESSOR] can demonstrate from its written records, is subsequently disclosed to it without any
    obligation of confidence by a third party who has not derived it directly or indirectly from
    [CONTROLLER].

17.5 The obligations of confidence contained in this Clause 17
shall survive the termination of this Contract for whatever reason for a period of: (i) three (3) years
following the final disclosure of the Confidential Information by [CONTROLLER] to [PROCESSOR]; or (ii) if
longer, but only to the extent reasonably required, for as long as the ongoing confidentiality of the
Confidential Information, or any part thereof, remains of value to [CONTROLLER] and/or its interests.

18. Termination

18.1 This Contract may be terminated by [CONTROLLER] giving not
less than 3 months written notice to [PROCESSOR].

18.2 This Contract may be terminated by the [PROCESSOR] giving
not less than 3 months written notice to [CONTROLLER].

19. Consequences of Termination

19.1 On termination of this Contract for whatever reason,
[PROCESSOR] shall cease to process the Personal Data and Confidential Information and shall arrange for the
prompt and safe return of all of the Personal Data and Confidential Information, processed under the terms
of this Contract to Controller, together with all copies of the Personal Data in its possession or control
or that of its agents or contractors, within such time and by such secure means as [CONTROLLER] shall
provide for in writing at the time of termination of the Contract.

19.2 On termination of this Contract, should [CONTROLLER]
require the deletion of Controller Data still held by [PROCESSOR] then [PROCESSOR] should provide written
evidence to support the deletion activity.

19.3 Termination of this Contract shall not affect any rights or
obligations of either Party which have accrued prior to the date of termination and all provisions which are
expressed to, or do by implication, survive the termination of this Contract shall remain in full force and
effect.

20. Notices

20.1 Any notice under or in connection with this Contract shall
be in writing (but not by fax, e-mail or similar means) and shall be delivered personally, or sent by
courier or by recorded or registered mail to the following addresses:

Notices to [PROCESSOR] GIGACYCLE LTD
Address: Unit D2 Gilchrist Road, Irlam, Manchester, M44 5AY
Marked for the attention of: Denver Hodgson – Data Protection Officer
Notices to [CONTROLLER] As outlined in section (1)
Address: As outlined in section (1)
Marked for the attention of: Chief Executive

A notice shall become effective on the date it is delivered to the address of the recipient Party shown
above. A Party may notify the other of a change to its notice details.

20.2 Local Supervisory Authority for the purposes of this
contract is agreed to be the UK Information Commissioner’s Office.

21. Severability

21.1 Should any provision of this Contract be held to be
illegal, invalid or unenforceable in any respect by any judicial or other competent authority under the law
of any jurisdiction:

21.2 If by substituting a shorter time period or more restricted
application of the provision, it would be valid and enforceable, such shorter time period or more restricted
application shall be substituted.

21.3 If Clause 18.1 is not applicable:

  1. such provision shall, so far as it is illegal, invalid or unenforceable in any jurisdiction, be given no
    effect by the Parties and shall be deemed not to be included in this Contract in that jurisdiction;
  2. the other provisions of this Contract shall be binding on the Parties in that jurisdiction as if such
    provision were not included herein;
  3. the legality, validity and enforceability of the provision in any other jurisdiction shall not be
    affected or impaired; and
  4. the Parties shall negotiate in good faith to agree an alternative provision in terms which as closely as
    possible achieve the intention of the Parties in the original provision, do not substantially impair the
    Parties’ original interests and do not render such provisions invalid or unenforceable.

22. Variation

22.1 No variation or amendment to this Contract shall bind
either Party unless made in writing and signed by duly authorised officers of both Parties.

23. Waiver and Remedies

23.1 A failure to exercise or any delay in exercising any right
or remedy provided by this Contract or by law does not constitute a waiver of that right or remedy or a
waiver of any other rights or remedies.

24. Entire Contract

24.1 This Contract constitutes the entire Contract and
understanding of the Parties relating to its subject matter and supersedes all prior proposals, Contracts
and understandings between the Parties or their advisors relating to such subject matter.

24.2 Each of the Parties hereby acknowledges and agrees that in
entering into this Contract, it does not rely on any statement, representation, warranty, undertaking,
Contract or understanding of any nature whatsoever made by any person other than as expressly included in
this Contract as a warranty (a “Prior Representation”) and to the extent that it is so included that Party’s
only remedy shall be a contractual one for breach of warranty under the terms of this Contract for damages.
To the extent that, notwithstanding the foregoing a Prior Representation has been made and relied upon by
either Party, the relevant party unconditionally and irrevocably waives any claims, rights or remedies it
may have in relation thereto.

24.3 Nothing in this Clause 4 or in this Contract shall operate
to limit or exclude any liability of either Party, or the remedies available to either Party for fraud,
including fraudulent acts and/or fraudulent misrepresentations.

25. Further Assurance

25.1 The Parties shall execute all further documents as may be
reasonably necessary or desirable to give full effect to the terms of this Contract and to protect the
rights of the Parties under it.

26. Governing Law

26.1 This Contract shall be governed in all respects by the laws
of England and Wales, and each Party hereby irrevocably submits for all purposes in connection with this
Contract to the exclusive jurisdiction of the Courts of England and Wales.

Schedule 1. Data Subject Rights Request Process

In addition to Clause 10 of this contract, the PROCESSOR agrees to follow the following process when required
to do so by the CONTROLLER.

  1. Receipt of Request
    • Any Data Subject Rights Request (DSAR) received directly by the PROCESSOR must be identified
      immediately.
    • Requests include (but are not limited to): access, rectification, erasure, restriction,
      portability, objection.
  2. Immediate Notification
    • The PROCESSOR must notify the CONTROLLER without undue delay and within 24 hours of receipt.
    • The request must be forwarded in full, including identity of requester (if known), nature of
      request, and any supporting documentation.
  3. No Direct Response
    The PROCESSOR shall not respond directly to the Data Subject unless explicitly authorised in writing by
    the CONTROLLER.
  4. Verification Support
    Assist the CONTROLLER in verifying identity where required.
  5. Data Identification & Retrieval
    • Identify and securely retrieve all relevant Personal Data held on behalf of the CONTROLLER.
    • Provide data in a structured, commonly used, secure format.
  6. Timescales
    Provide requested data to the CONTROLLER within 5–10 working days or sooner if required.
  7. Record Keeping
    Maintain a log of: Date received, Data reported to Controller and Actions taken.

Schedule 2. Breach Notification Process

In addition to Clause 12.0 of this contract, the PROCESSOR agrees to follow the following process when
required to do so by the CONTROLLER.

  1. Identification
    • All staff must report suspected or actual breaches immediately.
    • Includes loss, unauthorised access, corruption, or disclosure of data.
  2. Initial Containment
    • Take immediate steps to isolate affected systems.
    • Prevent further data loss.
    • Secure physical assets if applicable.
  3. Internal Escalation
    Escalate to Data Protection Officer (DPO) immediately.
  4. Notification to CONTROLLER
    • Notify within 24 hours of awareness.
    • Provide: nature of breach, categories and approximate number of data subjects, type of data
      affected, likely consequences, and immediate mitigation steps.
  5. Investigation
    Conduct root cause analysis and document findings and timeline.
  6. Ongoing Updates
    Provide updates every 24–48 hours until resolved.
  7. Mitigation
    Implement corrective actions including technical fixes, process improvements, and staff retraining (if
    required).
  8. Support to CONTROLLER
    Assist with ICO reporting (within 72 hours), data subject notifications, and evidence provision.
  9. Post-Incident Review
    Produce formal incident report including lessons learned.

Schedule 3. Sub-processors Approved by the Controller

For the purposes of this contract:

The PROCESSOR confirms that no sub-processors are currently used in the delivery of services under this
Agreement.

Should this change:

  • Written approval from the CONTROLLER is required in advance
  • Full due diligence and contractual flow-down obligations will apply

Schedule 4. Data Processing Services

The CONTROLLER has agreed for the PROCESSOR to perform the following services to achieve the objective of this
contract.

1. Scope of Services

The PROCESSOR shall provide IT Asset Disposal (ITAD) services including:

  • Collection and transportation of IT equipment from CONTROLLER premises
  • Secure logistics and handling of assets
  • Receipt, tracking, and auditing of all equipment
  • Data sanitisation and/or physical destruction of data-bearing media
  • Refurbishment and remarketing of suitable equipment
  • Recycling of non-reusable assets in accordance with environmental legislation

2. Logistics & Collection Services

  • The PROCESSOR is authorised to provide logistical services, including:
    • On-site collections from CONTROLLER premises
    • Use of own secure transport and approved personnel
    • Transfer of assets to PROCESSOR’s secure facility (Gigacycle Ltd)
  • The CONTROLLER grants permission for multi-point collections, where required for operational efficiency.
  • All collections will be documented via collection notes / transfer documentation and asset tracking
    records.
  • As part of the logistics services, the PROCESSOR shall not use storage hubs.

3. Transfer of Custody and Liability

Custody and liability for IT assets transfer from the CONTROLLER to the PROCESSOR at the point where:

  • Assets are physically collected and signed for by an authorised representative of the PROCESSOR; or
  • Assets are delivered to and formally accepted at the PROCESSOR’s facility.

From this point, the PROCESSOR assumes responsibility for secure handling, storage, processing, and data
destruction. A documented chain of custody will be maintained at all times.

4. Asset Auditing & Tracking

The PROCESSOR shall provide a full audit trail including:

  • Unique asset identification (where possible)
  • Logging of asset type, serial numbers / identifiers, quantity and condition
  • Tracking throughout the lifecycle: Collection → Receipt → Processing → Final disposition
  • The CONTROLLER will be provided with asset reports, data destruction certification, and final
    disposition reporting (reuse, recycle, destroy)

5. Data Sanitisation & Destruction (Data Capability Statement)

The PROCESSOR shall apply approved data sanitisation methods appropriate to each media type, including:

a. Magnetic Media (HDDs, Servers, Laptops, Desktops)

  • Software-based data erasure using certified tools
  • Erasure aligned to recognised and tested methods such as
    • ADISA Product Claims Test Certification (PCT)
    • Product Claims Test (PCT) Certification
  • Verification reporting produced for each device

b. Solid State Media (SSDs, Flash Storage)

  • Software erasure where supported and verified
  • Physical destruction where erasure is not possible or fails verification

c. Removable Media (USBs, Tapes, Optical Media)

  • Physical shredding of USB and optical media.
  • Degaussing and shredding for tapes and storage tape media.

d. Failed or Non-Functional Media

  • Physical destruction via shredding

6. Verification & Certification

  • All data sanitisation activities are
    • verified to ensure complete data removal
    • logged and auditable.
  • The CONTROLLER will receive
    • Certificates of Data Destruction / Erasure
    • full audit reports linked to processed assets.

7. Compliance & Standards

All services are delivered in accordance with:

  • UK GDPR requirements
  • ADISA ITAD standards and best practice
  • Environmental regulations (WEEE Directive)
  • Industry-recognised data sanitisation standards

8. Security Controls

Throughout service delivery, the PROCESSOR shall ensure:

  • Secure facilities with access controls, CCTV, and alarm systems
  • Vetted and trained personnel
  • Secure transport and handling procedures
  • Protection against unauthorised access, loss, or damage

9. Final Disposition

Assets will be:

  • Remarketed where data has been securely removed and reuse is appropriate
  • Recycled in accordance with environmental regulations

10. Sanitisation Requirements by Media Type

| Storage Type | Re-Use: Dial 1 | Re-Use: Dial 2 | Re-Use: Dial 3 | Destroy: All |
|---|---|---|---|---|
| Magnetic Hard Disk Drives | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge / NIST 800-88 Clear | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge / NIST 800-88 Clear | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge; 100% Verification | Shredding (20mm) |
| Solid State | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge / NIST 800-88 Clear | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge / NIST 800-88 Clear | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge; 100% Verification | Shredding (6mm) |
| Hybrid Drives | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge / NIST 800-88 Clear | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge / NIST 800-88 Clear | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge; 100% Verification | Shredding (6mm) |
| Magnetic Tape | Not Permitted | Not Permitted | Not Permitted | Degaussing & Shredding (6mm) |
| Optical | Not Permitted | Not Permitted | Not Permitted | Shredding (6mm) |
| Paper | Not Permitted | Not Permitted | Not Permitted | Shredding |

11. Sanitisation Requirements by Product Type

| Product Type | Re-Use | Destroy |
|---|---|---|
| Laptops with embedded storage | Blancco Drive Eraser v7.19.0; NIST 800-88 Purge / NIST 800-88 Clear | Shredding (6mm) |
| Network Devices such as routers, switches | NovaFox Hydra, manual erasure of config files, memory flash, factory reset function | Physically destroy |
| Smart Phone and Tablets | Aiken Workbench V2.2.4 | Shredding (6mm) |
| Internet of Things (IOT), including smart watches and games consoles | Each device shall be investigated such that the architecture is understood. All areas of non-volatile storage shall be identified. Where data storage media is removable, it shall be removed and treated as per this table. We will follow manufacturer’s instructions for data sanitisation and then verify and document the effectiveness. | Shredding (20mm, 6mm) |
| Printers, Copiers and Multi-function devices | Each device shall be investigated such that the architecture is understood. All areas of non-volatile storage shall be identified. Where data storage media is removable, it shall be removed and treated as per this table. Where storage is embedded the factory reset may be used. | Shredding (20mm, 6mm) |
| Removable flash such as SD Card and USB or rigid magnetic disks | Not Permitted | Shredding (6mm) |

Schedule 5. Type of Data Being Processed

Purposes and scope of the processing, type of data, and categories of data subjects.

  • Type of Controller Data: Personal Data, Special Category etc
  • Type of processing and scope: Data Sanitisation Services on all data bearing media and devices
  • Categories of data subjects: Employees, Customers etc
  • Length of processing: As part of this data processing agreement the processor will sanitise the data within 20 working
    days

Schedule 6. Sufficient Guarantees Regarding the Processing Activities

The PROCESSOR (Gigacycle Ltd) demonstrates compliance and capability through:

1. Certifications & Standards

  • ISO 27001 – Information Security Management – UKAS Accredited
  • ISO 9001 – Quality Management System – UKAS Accredited
  • ISO 14001 – Environmental Management – UKAS Accredited
  • Environment Agency – Registered Waste Carrier/Broker/Producer
  • Cyber Essentials Certified

2. Technical & Operational Controls

  • Certified data erasure software (ADISA Approved)
  • Degaussing and physical destruction capability
  • Full asset tracking & audit trail
  • Chain of custody procedures
  • Secure transport (tracked vehicles, vetted staff)

3. Personnel Controls

  • Staff vetting (background checks)
  • Mandatory data protection training
  • Confidentiality agreements

4. Auditing & Validation

  • Internal audits (regular)
  • External audits (ADISA / clients)
  • Downstream vendor audits (where applicable)

5. Compliance

  • UK GDPR compliance framework
  • ICO registration: ZA184689
  • Documented policies:
    • Information Security Policy
    • Data Protection Policy
    • Incident Response Plan

Schedule 7. Data Disposal and Retention Policy

As part of this contract and the service Gigacycle provides, we will not retain any data.

(This refers to Gigacycle’s own business data, not customer device data)

1. Retention Periods

  • Customer records: 6 years (legal requirement)
  • Financial records: 6 years
  • Audit logs & processing records: 3–6 years
  • CCTV footage: 30–90 days (unless required for investigation)

2. Storage Controls

  • Secure digital systems with access controls
  • Encrypted storage where appropriate
  • Physical records stored in secure facilities

3. Disposal Methods

  • Digital data: Secure deletion / overwriting
  • Physical documents: Cross-cut shredding or approved contractor

4. Review Process

  • Annual review of retention schedules
  • Data minimisation principles applied

Schedule 8. Required Credentials

The PROCESSOR agrees to maintain the following for the duration of this contract:

Insurance

  • Public Liability Insurance (minimum £5 million)
  • Employers Liability Insurance (minimum £5 million)
  • Professional Indemnity Insurance (minimum £2 million)

Accreditations & Compliance

  • ADISA Certification (or equivalent)
  • ICO Registration: ZA184689
  • ISO Certifications (where applicable)
  • Waste Carrier Licence (Environment Agency)
  • Hazardous Waste Handling Compliance

Operational Credentials

  • Secure facility controls (access, CCTV, alarms)
  • Approved data destruction processes
  • Auditable chain of custody