API Fair Usage Guidance

1 - PXC APIs Fair Usage Guide

1.1 PXC makes available APIs to API Users and third parties ("API Users") for the benefit of API Users for use as [a means of procuring Products and learning of the Products available to API Users to provide pre-purchase information] and only as set out in this fair usage guide. APIs are provided on an 'as is' basis and no warranty, guarantee or other commitment is given of the suitability of these APIs for any API User or other API User's purpose and may not be suitable to use for any other purpose. For more information, please see the Data Annex.

PXC may make its integration APIs available to API Users on a chargeable basis, where applicable. Pricing will be supplied, where API usage is chargeable.

Access to and use of the APIs may also be governed by other PXC agreements. If you are accessing as an API User, your API User Account Terms, Product Terms and ancillary documents will provide details of the terms of any access granted. These terms will apply in conjunction with these terms along with any terms that may appear when you access certain applications or order certain products, which PXC may publish or require from time to time. If you are using APIs as a third party but are not an API User, further terms may apply as notified from time to time in relation to your access (“API Agreements”).

1.2 License. Subject to the requirements of the API Agreements, PXC hereby grants to API User a fully revocable, non-exclusive, non-transferable, paid-up license to use the APIs to integrate access to the Service into API User websites and to publicly display API User websites incorporating the APIs in binary form to customers. API User shall not publicly display, transmit, distribute or otherwise divulge any information regarding the PXC APIs, including the operation and programmatic interface(s) thereof, to any third party. Except as expressly provided herein, API User has no other rights to install, integrate, use, reproduce or distribute PXC APIs. PXC accepts no responsibility for the continued availability of any PXC APIs and reserves the right to apply any suspension, withdrawal or preferred usage at its sole discretion. APIs may be changed at any time to meet PXC's commercial needs.

1.3 API User Applications and Incorporation. API User shall be solely responsible for creating, maintaining, hosting and supporting any API User websites that incorporate the APIs. API User shall implement the integration in accordance with any API reference documentation and guidelines PXC may provide from time to time.

1.4 API Technical Support. PXC shall provide limited technical support to API User for API User’s use of PXC APIs (limited to API onboarding and setup). PXC support does not include debugging or troubleshooting API User applications, websites or other programs or software not developed by PXC. PXC will work with API Users to resolve API issues on a reasonable endeavours basis only.

1.5 Conflict. In the event of any direct conflict between the terms and conditions of these fair usage terms and the API Agreements, the terms and conditions of the API Agreements shall control to the extent necessary to resolve the conflict. Any additional terms contained in the API Agreements shall be considered supplemental to these fair usage terms.

2 - PXC APIs Data Protection

If you provide Personal Data when setting up or using APIs, this must only be your own and will be subject to the Privacy notices on our Website in relation to the use of this Personal Data. You should not provide any Personal Data of others at any time when using the APIs. No Processor relationship shall be implied where Personal Data is shared or transferred when setting up or via APIs in breach of this.

2.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation.

2.2 When PXC and API User Process Personal Data, whether subject to a Contract or otherwise, they will be acting as independent Controllers.

2.3 Where PXC is acting as an independent Controller, it will do so in accordance with its Privacy Policy.

2.4 Where PXC is acting as a Processor:

(a) the Personal Data Annex sets out the scope, nature and purpose of Processing that may be carried out by PXC, the duration of such Processing, the types of Personal Data and the categories of Data Subject;

(b) without prejudice to the generality of Clause 2.1:

(i) API User will ensure that it has all necessary appropriate lawful reasons and notices in place to enable lawful transfer of the Personal Data to PXC for the purposes of the Contract or in the context of promoting PXC's services; and

(ii) PXC will:

(A) Process Personal Data only on the written instructions of API User, including regarding transfers of Personal Data outside of the United Kingdom, unless PXC is required to do so by a legal obligation and, if so, PXC will notify API User of this before such Processing, unless a legal obligation prohibits this;

(B) ensure that all personnel authorised by PXC to Process Personal Data are obliged to keep the Personal Data confidential;

(C) ensure that it has in place appropriate technical and organisational measures designed to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach and the nature of the Personal Data to be protected. PXC shall have regard to the state of technological development and the cost of implementing any measures, including, where appropriate:

1) pseudonymising and encrypting Personal Data;

2) ensuring confidentiality, integrity, availability and resilience of its systems and services;

3) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and

4) regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;

(D) notify API User without undue delay if it becomes aware of a Personal Data Breach;

(E) assist API User in responding to any requests from Data Subjects and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with regulators, save that if this is not within the reasonable remit of the Products, this will be at API User’s cost;

(F) at API User’s written direction, delete (or put Beyond Use) or return Personal Data to API User once provision of the Products has ceased, provided that PXC may keep such limited copies of Personal Data as are strictly required for legal, regulatory, internal or external compliance and back-up purposes; and

(G) maintain records and information to demonstrate its compliance with Clauses 2.4(b)(ii), 2.4(c), and 2.4(d) and, where this is not sufficient, allow for audits by API User or API User’s auditor solely to demonstrate compliance, at API User’s cost, provided that:

1) API User:

a) will not exercise its audit rights more than once in any 3 year period, save where API User reasonably believes that a further audit is required due to a Personal Data Breach;

b) gives at least 30 days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence;

c) conducts its audit during normal business hours and limits its audit to a maximum of 2 Business Days; and

d) takes all reasonable measures to prevent material business interruption to PXC;

2) such audit is subject to the confidentiality provisions of the Contract; and

3) PXC may demonstrate its compliance with Clauses 2.4(b)(ii), 2.4(c), and 2.4(d) by complying with an approved code of conduct or by obtaining an approved certification;

(c) API User consents to PXC appointing the Third-Party Processors to assist it in providing the Products. If PXC intends to change any of the Third-Party Processors, it will notify API User by updating the Third-Party Processor List thereby giving API User the opportunity to object to such change; and

(d) PXC shall ensure that all agreements with the Third-Party Processors will incorporate terms that are substantially similar to those set out in this Clause 2.4. If a Third-Party Processor fails to fulfil its data protection obligations to API User, PXC will remain fully liable to API User for such Third-Party Processor’s obligations.

2.5 API User indemnifies and promises to pay on demand PXC and its Affiliates for any loss, fine, liability and cost arising out of or in connection with: (a) an act or omission of PXC arising from the instructions of API User; and (b) any breach by API User of the Data Protection Legislation, unless and to the extent that the breach was caused by PXC.

4 - PXC APIs Data Protection

Data Annex

Scope of Processing: PXC Processes Personal Data to enable it to provide, manage, enhance, review and service its products and to discharge any legal obligations imposed upon it.

Nature and Purpose of Processing: PXC Processes the Personal Data to: (a) identify, manage and help resolve certain Incidents and problems; (b) receive, manage and help resolve certain requests, queries, complaints and claims; (c) provide certain of its products e.g. call recording and security products; (d) help API User analyse and understand product availability and speeds; (e) migrate End Users at API User’s request or provide other services to support the sale or disposal of all or part of an API User customer base; and (f) deal with other ad-hoc requests from an API User.

Categories of Personal Data: The Personal Data Processed shall concern some or all of the following categories of Personal Data only: (a) account data e.g. caller line identification/telephone numbers, account number, device ID, IP address, service history and usage data; (b) personal data e.g. name, title, date of birth, address and circuit ID; (c) company data where this identifies a Data Subject e.g. company name and company registered number; (d) contact information e.g. email address; (e) professional life data e.g. job title and employer; (f) Product information e.g. speed logs; and (g) special categories of Personal Data e.g. data relating to physical or mental health and biometric data for voice recognition software or the implementation of security measures.

Categories of Data Subject: The Personal Data Processed shall concern the following categories of Data Subjects only: (a) officers and staff of API User, including where strictly necessary only employees, consultants, volunteers, agents, temporary workers, casual workers and other individuals authorised to act on behalf of API User; and (b) End Users or their authorised representatives.

Duration of Processing: PXC shall Process Personal Data for no longer than is necessary for the purposes for which it is Processed.