These October People Subscription Terms (“Terms”) govern the provision of the October People human resources information system and related services by October Health Limited (UK Co. No. 13365509) (“October”) to the customer identified in the applicable Order Form (“Customer”).
These Terms, together with the applicable Order Form, the Data Processing Addendum, and any schedules or addenda expressly incorporated by reference, form the Agreement between the parties.
1. Definitions and Agreement Structure
1.1 Agreement means the Order Form, these Terms, the Data Processing Addendum, and any schedules or addenda expressly incorporated by reference.
1.2 AI Credits means the monthly AI Credits included as part of the Customer’s subscription, calculated by reference to an AI usage allocation equal to ten percent (5%) of the Monthly Subscription Fees payable by the Customer for the relevant month, unless a different allowance is expressly stated in the applicable Order Form.
1.3 AI-Enabled Features means any feature, functionality or workflow within the Services that uses artificial intelligence, machine learning, large language models, generative AI, automated classification, parsing, summarisation, drafting, analysis, recommendation, detection or similar automated processing capability.
1.4 Monthly Subscription Fees means the recurring subscription fees payable by the Customer for the Services for the relevant month, excluding VAT, sales tax, withholding tax, implementation fees, professional services fees, once-off charges, pass-through costs, discounts, credits, refunds and any fees for Additional AI Credits.
1.5 AI Supplier Costs means the third-party and infrastructure costs reasonably incurred by October in providing AI-Enabled Features, including model/API usage, token usage, inference costs, embedding, retrieval, transcription, generation, classification, parsing, storage, compute and related AI processing costs.
1.6 AI Usage Page means October’s then-current online or in-product page, admin console page, pricing page, usage policy or other notice setting out information relating to AI Credit allowances, indicative AI Credit consumption, usage limits, top-up pricing, bundle pricing, overage settings and related AI usage rules, as updated from time to time.
1.7 Additional AI Credits means AI Credits purchased by the Customer in addition to the Included AI Credits, whether as a one-time top-up, prepaid pack, recurring bundle or other additional usage entitlement.
1.8 Authorised Users means the Customer’s employees, contractors, administrators, and other individuals whom the Customer authorises to access or use the Services on its behalf.
1.9 Customer Content means all data, records, documents, text, policies, files, branding, employee information, applicant information, and other materials submitted, uploaded, transmitted, or otherwise made available by or on behalf of the Customer in connection with the Services.
1.10 Included AI Credits means the AI Credits included as part of the Customer’s subscription, as determined by the applicable Order Form, subscription plan, AI Usage Page or other written agreement between the parties.
1.11 Order Form means the ordering document, purchase order, order summary, or other written commercial document entered into between the parties that sets out the commercial details of the Services.
1.12 Services means the October People software-as-a-service platform and any related services, functionality, modules, integrations, implementation, support, training, professional services, or other services purchased by the Customer under the applicable Order Form.
1.13 Subscription Term means the initial subscription term and any renewal term specified in the Order Form.
1.14 In the event of any conflict between the documents forming the Agreement, the order of precedence set out in the Order Form shall apply.
2. Services and Access Rights
2.1 Subject to the Agreement and payment of all applicable fees, October grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the Subscription Term to access and use the Services for the Customer’s internal business purposes.
2.2 The scope of the Services, including the specific modules, features, integrations, implementation services, support services, usage tiers, user or employee thresholds, and pricing metrics purchased by the Customer, shall be as specified in the applicable Order Form.
2.3 The Customer may permit Authorised Users to access and use the Services solely for the Customer’s internal business purposes and in accordance with the Agreement. The Customer is responsible for all use of the Services by its Authorised Users.
2.4 October may update, improve, modify, or refine the Services from time to time. October will not materially reduce the core functionality of the Services purchased by the Customer during a paid Subscription Term without prior notice. Core functionality shall be assessed with reference to the Services as a whole and not any individual feature.
2.5 Unless expressly stated otherwise in the applicable Order Form, no module, feature, integration, service level, implementation work, data migration service, or third-party service is included other than what is expressly identified in the Order Form.
3. Subscription Term, Renewal, and Fees
3.1 The Agreement begins on the Effective Date set out in the applicable Order Form and continues for the Subscription Term unless terminated earlier in accordance with the Agreement.
3.2 The initial term, any renewal term, renewal mechanics, billing frequency, and payment terms shall be as stated in the applicable Order Form.
3.3 Fees are as set out in the applicable Order Form and are payable in the currency specified therein.
3.4 All amounts payable under the Agreement are exclusive of VAT, sales tax, withholding tax, and any similar taxes, duties, or levies, which shall be payable by the Customer in addition where applicable, other than taxes based on October’s net income.
3.5 If the Customer fails to pay any undisputed amount when due, October may charge interest on overdue amounts at 2% per month or the maximum amount permitted by law, whichever is lower.
3.6 If any undisputed invoice remains unpaid after any applicable cure or notice period specified in the Order Form, or if none is specified, seven (7) days after written notice of non-payment, October may suspend access to the Services until payment is made in full. The Customer remains liable for all fees during any suspension period.
3.7 Unless otherwise expressly stated in the Order Form, all fees are non-cancellable and non-refundable.
3.8 To the extent the applicable Order Form provides for pricing based on employee count, user count, active jobs, candidate volume, usage thresholds, pricing bands, or other measurable criteria, the Customer acknowledges that additional fees, overage charges, or pricing tier adjustments may apply as set out in the Order Form.
3.9 AI Credits and Usage
3.9.1 Measurement of AI-Enabled Features
The Customer’s use of AI-Enabled Features is measured and managed using AI Credits. Each AI action may consume AI Credits based on the nature of the action, the amount of data submitted, processed or generated, the length and complexity of the relevant input and output, the AI model or system used, and related technical factors. October may publish indicative AI Credit consumption for common actions on the AI Usage Page, but such figures are illustrative only and may vary in actual use.
3.9.2 Included AI Credits
The Customer’s subscription includes a monthly pool of Included AI Credits. Unless the applicable Order Form states otherwise, the value of the monthly Included AI Credit pool will be calculated by October by reference to an AI usage allocation equal to five percent (5%) of the Monthly Subscription Fees payable by the Customer for that month.
Included AI Credits are made available to the Customer’s organisation as a shared organisation-level pool, from which all Authorised Users may consume AI Credits. The Included AI Credit pool is designed to support ordinary-course use of AI-Enabled Features by the Customer’s Authorised Users. October expects that this allowance will be sufficient for the substantial majority of customers using the Services in the ordinary course, but does not guarantee that the Included AI Credits will be sufficient for every Customer, use case, workflow, user behaviour or configuration.
Included AI Credits reset monthly on the first day of each calendar month, or on such other billing-cycle date specified by October. Unused Included AI Credits expire at the end of the relevant monthly usage period and do not roll over, carry forward, accrue or convert into any refund, credit, discount or other value.
3.9.3 Credit conversion and consumption
AI Credits are an internal usage measurement mechanism. The number of AI Credits consumed by an AI-Enabled Feature may vary depending on the relevant feature, model, workflow, volume of data submitted or processed, input and output length, context window, retrieval requirements, system load, supplier pricing and other technical or commercial factors.
October may determine and update the conversion between the Customer’s monthly AI usage allocation and AI Credits from time to time, provided that October will not use this mechanism to materially reduce the Customer’s Included AI Credit allocation during a paid Subscription Term other than where reasonably required due to changes in AI Supplier Costs, legal requirements, security requirements, technical constraints, abuse prevention, model availability or similar factors outside October’s reasonable control.
3.9.4 Nature of AI Credits
AI Credits are a usage measurement mechanism only. They are not legal tender, currency, stored value, a deposit, a bank account, a digital wallet, a payment instrument or any form of property right. AI Credits have no cash or monetary value, are not redeemable, refundable, exchangeable or transferable for money or any other value, and may only be used in connection with the Services. AI Credits are organisation-specific and may not be transferred, sold, assigned, pooled or reallocated between customers, organisations or accounts, except where October expressly permits this in writing or applicable law requires otherwise.
3.9.5 Consumption order
Unless October specifies otherwise on the AI Usage Page, AI Credits will be consumed in the following order: first, Included AI Credits; second, any one-time Additional AI Credits; third, recurring Additional AI Credit bundles; and finally, any approved overage or pay-as-you-go usage.
3.9.6 Essential and discretionary AI-Enabled Features
October may classify AI-Enabled Features as either essential or discretionary.
Essential AI-Enabled Features are AI-Enabled Features that support completion of a core workflow, including features such as document import mapping, file parsing, receipt scanning, CV or resume parsing, asset naming, task parsing, detection functions, data structuring and similar workflow-integrated functionality.
Discretionary AI-Enabled Features are AI-Enabled Features that provide assistive, conversational, drafting, analytical, coaching, insight-generation or similar functionality where a manual alternative is available.
If the Customer’s AI Credit pool is exhausted, October may pause or limit discretionary AI-Enabled Features until the AI Credit pool is replenished, Additional AI Credits are purchased, or approved overage is enabled. Essential AI-Enabled Features may continue to operate to preserve core workflow continuity, subject to any overage settings, fair use controls, abuse controls, technical limits and usage policies applicable to the Customer’s account.
3.9.7 Overage, top-ups and usage caps
The Customer will not be charged for AI Credit overage unless:
(a) overage, auto top-up or pay-as-you-go usage is enabled by an administrator or authorised billing contact within the Services;
(b) overage is expressly provided for in the applicable Order Form; or
(c) the Customer has otherwise approved the additional usage in writing.
Where the Customer’s Included AI Credit pool is exhausted, October may notify the Customer, pause or limit discretionary AI-Enabled Features, continue essential AI-Enabled Features to preserve core workflow continuity, or make Additional AI Credits available for purchase.
Additional AI Credits will be charged on a cost-recovery basis by reference to the applicable AI Supplier Costs, unless otherwise agreed in the Order Form or displayed at the time of purchase. October may require prepayment for Additional AI Credits or may invoice approved Additional AI Credits in arrears. All Additional AI Credit charges are exclusive of applicable taxes.
October may allow the Customer to configure organisation-level, administrator-level or user-level usage limits, overage limits, alerts, daily review controls, auto top-up settings or other usage-management controls. The Customer is responsible for configuring and monitoring such controls and for ensuring that only authorised administrators or billing contacts may approve Additional AI Credits or overage.
3.9.8 Changes to AI Credit allowances, rates and consumption
October may update the AI Usage Page, AI Credit consumption rates, included allowances, conversion methodology, model routing, feature classification, top-up pricing, bundle pricing and overage pricing from time to time. October will use reasonable efforts to provide prior notice by email, in-product notice or update to the AI Usage Page where a change is reasonably likely to materially reduce the Customer’s Included AI Credits or materially increase the AI Credit consumption or price of a materially used AI-Enabled Feature.
Unless required sooner for legal, security, abuse-prevention, supplier-cost or technical reasons, material adverse changes to Included AI Credit allowances or overage pricing will take effect from the start of the next monthly usage period. For Customers with a fixed AI Credit allowance expressly stated in a signed Order Form, any material reduction to that fixed allowance will take effect no earlier than the next renewal term, unless the parties agree otherwise.
3.9.9 Additional AI Credits
The Customer may purchase Additional AI Credits through the Services, the AI Usage Page, an Order Form or another purchase process approved by October. Unless stated otherwise at the time of purchase:
(a) one-time top-up AI Credits expire at the end of the calendar month in which they are purchased;
(b) recurring monthly AI Credit bundles renew monthly until cancelled in accordance with the applicable purchase terms;
(c) Additional AI Credits are non-refundable, non-transferable and may only be used with the Customer’s organisation account; and
(d) all purchases are final, except where required by applicable law.
3.9.10 Usage dashboard, employee-level visibility and records
October will make AI Credit usage information available to the Customer through an administrative dashboard or other usage reporting mechanism. This may include organisation-level usage, feature-level usage, date-based usage, cost indicators, remaining AI Credit balances, and usage attributable to individual Authorised Users.
The Customer acknowledges that individual-level AI usage information may constitute Personal Data. The Customer is responsible for ensuring that it has an appropriate lawful basis, employee notices, internal policies and access controls in place for reviewing and using such information. The Customer shall use individual-level AI usage information only for legitimate purposes connected with the administration, security, billing, compliance, support and appropriate use of the Services, and shall not use such information as the sole basis for any employment, disciplinary, performance, promotion, compensation, termination or similarly significant workplace decision.
October’s usage records are determinative for billing and usage purposes in the absence of manifest error.
This is important because employee-level AI usage logs create privacy/employment-law risk. Your existing terms already deal with human review and not relying on AI outputs for employment decisions, which is good. The UK position also requires particular care around automated decisions with legal or similarly significant effects, including transparency, safeguards and human intervention.
3.9.11 Pausing or limiting AI-Enabled Features
The Customer acknowledges that pausing, limiting, throttling or disabling discretionary AI-Enabled Features as a result of exhausted AI Credits, usage limits, overage settings, abuse controls or fair use controls is an agreed usage-management mechanism. It does not constitute a suspension of the Services, a failure of availability, a service-level failure, a material reduction of the Services or a breach of the Agreement, provided that the Customer continues to have access to the core non-AI functionality of the Services.
3.9.12 Fair use and anti-abuse
The Customer must not, and must ensure that Authorised Users do not, use AI-Enabled Features in a manner that is unlawful, abusive, excessive, automated, non-ordinary-course, security-sensitive, harmful, or designed to avoid, manipulate, interfere with or distort AI Credit measurement, usage limits, billing, model restrictions, safety systems, rate limits or technical controls.
Prohibited conduct includes:
(a) automated, scripted, bot-driven or bulk use that is not expressly permitted by October;
(b) use that materially exceeds ordinary-course HR, people operations, recruitment, performance, payroll, compliance, analytics or workplace administration use for the Customer’s organisation;
(c) using the Services to train, fine-tune, benchmark, test, scrape, reverse engineer or improve any competing product, AI system, model or dataset;
(d) repeatedly submitting unusually large, duplicative, artificial or machine-generated prompts, files, requests or workflows for the purpose of consuming capacity, testing limits or distorting usage measurement;
(e) credential sharing, account pooling or attempts to bypass user-level, organisation-level or subscription-level limits;
(f) use that creates security, availability, legal, regulatory, supplier, reputational or operational risk for October, its customers, its suppliers or the Services; and
(g) any use that violates the Agreement, the documentation, the acceptable use policy, applicable law or the intended operation of the Services.
Where October reasonably suspects misuse, abuse, excessive use, circumvention, security risk or material non-ordinary-course usage, October may take reasonable protective steps, including issuing warnings, requiring the Customer to reduce or regularise usage, throttling requests, applying temporary rate limits, suspending or disabling AI-Enabled Features, disabling auto top-up, revoking improperly obtained AI Credits, requiring prepayment for further AI usage, or suspending the relevant Authorised User’s access to AI-Enabled Features.
Where reasonably practicable, October will provide notice before taking such steps. However, October may act without prior notice where necessary to protect the Services, comply with law, prevent abuse, manage supplier constraints, preserve security or avoid material cost exposure.
3.9.13 Order of precedence
If there is a conflict between this Section 3.9, the AI Usage Page and an applicable Order Form, the following order of precedence applies: first, the Order Form; second, this Agreement; and third, the AI Usage Page, unless the Order Form expressly states otherwise.
4. Customer Responsibilities
4.1 The Customer is responsible for:
4.1.1 ensuring that all Customer Content is accurate, complete, lawful and up to date;
4.1.2 obtaining and maintaining all lawful bases, notices, permissions, consents and approvals required to provide Customer Content to October and permit October to process it under the Agreement;
4.1.3 ensuring that it has authority to enable and use platform communications, workflow notifications, reminders, announcements, recognition features and integrations through channels such as email, SMS, Slack, Microsoft Teams and similar workplace tools;
4.1.4 determining which communication features, integrations, audiences and notification settings are enabled for its organisation and ensuring such use complies with applicable law, internal policies and employee notices;
4.1.5 designating appropriate administrators and maintaining the security and confidentiality of administrative credentials;
4.1.6 configuring and using the Services in accordance with applicable employment, labour, payroll, tax, data protection and workplace laws;
4.1.7 independently reviewing and validating all outputs, reports, analytics, recommendations and any AI-generated or automated outputs before relying on them; and
4.1.8 making and keeping all employment, payroll, disciplinary, promotion, benefits and other workplace decisions independently of October.
4.2 The Customer shall not, and shall not permit any third party to:
4.2.1 copy, modify, translate, or create derivative works of the Services except as expressly permitted under the Agreement;
4.2.2 reverse engineer, decompile, disassemble, or otherwise attempt to derive source code, object code, underlying structure, ideas, know-how, or algorithms of the Services except to the extent such restriction is prohibited by law;
4.2.3 use the Services to build, train, benchmark, fine-tune, or improve any competing product, service, or artificial intelligence or machine learning model;
4.2.4 use the Services in any unlawful, infringing, fraudulent, or abusive manner;
4.2.5 circumvent or interfere with the Services’ security, authentication, or access controls; or
4.2.6 resell, sublicense, lease, or commercially exploit the Services other than for the Customer’s internal business purposes unless expressly agreed in writing.
5. Data Protection, Confidentiality, Security, and Communications
5.1 Compliance with Data Protection Laws. Each party shall comply with all applicable data protection and privacy laws in connection with the Agreement, including, where applicable, the UK GDPR, the Data Protection Act 2018, the EU GDPR, the Protection of Personal Information Act 4 of 2013, and any other applicable data protection, privacy, electronic communications or employment-related privacy laws.
5.2 Data Roles. The parties acknowledge that, in relation to employment-related Personal Data processed through the Services, the Customer acts as the Responsible Party, Controller or equivalent data controller (“Controller”), and October acts as the Operator, Processor or equivalent data processor (“Processor”), when processing such Personal Data on the Customer’s documented instructions, as further described in the Data Processing Addendum.
5.3 Data Processing Addendum. To the extent October processes Personal Data on behalf of the Customer as Processor, the Data Processing Addendum applies and forms part of the Agreement.
5.4 Independent Processing by October. October may act as an independent Controller for limited processing activities where October determines the purposes and means of processing, including platform security, fraud prevention, system logs and audit trails, legal and regulatory compliance, aggregated and de-identified analytics, service improvement, and establishing, exercising or defending legal rights. Where October acts as an independent Controller, it shall process Personal Data in accordance with applicable data protection laws and its applicable privacy notices.
5.5 Customer Responsibilities and Lawful Basis. The Customer is responsible for ensuring that it has all necessary lawful bases, notices, permissions, consents and authorisations required to provide Personal Data to October and to enable October to process such Personal Data in connection with the Services.
5.6 No Sale or Unauthorised Use of Personal Data. October shall not sell Personal Data processed through the Services or use identifiable employee, candidate or Authorised User Personal Data for direct marketing in its own name, except where separately agreed in writing and permitted by applicable law.
5.7 De-identified Data. October may create and use aggregated, anonymised or de-identified data derived from the Services for analytics, benchmarking, security, product improvement, internal research and service development, provided that such data does not identify the Customer or any individual.
5.8 Confidential Information. Each party may receive non-public or proprietary information from the other party in connection with the Agreement (“Confidential Information”), including Customer Content, pricing, technical information, product documentation, security information, business plans, and any other information that is designated as confidential or that a reasonable person would understand to be confidential in the circumstances.
5.8A International data transfers. The Customer acknowledges that, in order to provide the Services, Customer Content and Personal Data may be transferred to, stored in, or accessed from jurisdictions outside the country in which the Customer or relevant Authorised Users are located.
October shall implement appropriate safeguards for all such transfers in accordance with applicable data protection laws. These safeguards may include, as relevant to the jurisdiction:
- standard contractual clauses or equivalent transfer mechanisms approved by the applicable data protection authority;
- reliance on an adequacy decision or finding applicable to the destination country;
- certification under an approved data privacy framework;
- transfer impact assessments where required; and
- appropriate technical
5.9 Exclusions. Confidential Information does not include information that the receiving party can demonstrate: (a) is or becomes publicly available without breach of the Agreement; (b) was lawfully known prior to disclosure; (c) is independently developed without use of the Confidential Information; or (d) is lawfully obtained from a third party without restriction.
5.10 Confidentiality Obligations. The receiving party shall: (a) use Confidential Information solely to perform its obligations or exercise its rights under the Agreement; (b) protect Confidential Information using at least reasonable care; and (c) not disclose Confidential Information except to employees, contractors, professional advisers, or subprocessors with a legitimate need to know and who are bound by confidentiality obligations no less protective than those set out herein.
5.11 Required Disclosure. Where disclosure of Confidential Information is required by law, regulation, or court order, the receiving party shall, to the extent legally permitted, provide prior notice to the disclosing party and disclose only the portion legally required.
5.12 Security Measures. October shall implement and maintain appropriate technical and organisational measures designed to protect Customer Content and Personal Data against unauthorised access, unlawful processing, accidental loss, destruction, damage, alteration or disclosure. Such measures shall be proportionate to the nature of the Services and associated risks, and may include: (a) encryption of Personal Data in transit and at rest; (b) role-based access controls and least-privilege access; (c) multi-factor authentication for administrative access; (d) secure cloud infrastructure controls; (e) audit logging, monitoring and alerting; (f) vulnerability management and regular security testing; (g) incident response and breach management procedures; (h) confidentiality obligations for personnel; and (i) security governance aligned with SOC 2 Type II or an equivalent framework.
5.13 Subprocessors. October may appoint subprocessors to assist in providing the Services, provided that October remains responsible for their compliance with the applicable data protection obligations under the Agreement.
5.14 Service Communications. The Customer acknowledges that October may send or facilitate service-related communications to Authorised Users through the Platform or through communication channels enabled or approved by the Customer, including email, in-app notifications, SMS, Slack, Microsoft Teams, and similar tools. Such communications may include operational, onboarding, workflow, notification and engagement-related messages necessary for the provision of the Services.
5.15 Security Documentation. Upon written request and subject to confidentiality obligations, October may provide reasonable security and compliance documentation, including SOC 2 reports, penetration testing summaries, and security materials, provided that October may redact information that is commercially sensitive or security-sensitive.
6. AI Features and Use of Data
6.1 Certain features of the Services may include AI-enabled functionality, automation, or generative assistance.
6.2 AI-generated or automated outputs are provided for assistive and informational purposes only and may contain inaccuracies, incomplete information, or biased or unexpected results.
6.3 The Customer acknowledges and agrees that:
(a) AI outputs require human review, judgment, and validation;
(b) the Services are not designed for solely automated decision-making with legal or similarly significant effects in relation to employees or applicants; and
(c) the Customer shall not rely on AI outputs as the sole basis for any employment, disciplinary, hiring, promotion, compensation, performance, or other material workplace decision.
6.4 AI governance and testing. October maintains commercially reasonable AI governance, oversight and risk-mitigation processes for AI-enabled features, which may include, as appropriate to the relevant feature and risk profile: human oversight, documented testing, prompt and output evaluation, safety testing, bias testing, flip testing, adversarial testing, access controls, logging, monitoring, and periodic review. October may update these processes from time to time to reflect changes in law, technology, product functionality and recognised good practice.
6.4A Bias testing. October conducts bias and fairness testing on relevant AI-enabled features, including testing designed to identify materially different outputs or treatment based on demographic or protected-characteristic signals. Such testing is intended to identify and mitigate unfair or inappropriate differential treatment, but does not guarantee that AI outputs will be error-free, bias-free or suitable for any particular employment decision without human review.
6.4B No high-risk deployment without customer responsibility. The Customer is responsible for determining whether its intended use of any AI-enabled feature is subject to employment, labour, data protection, equality, automated decision-making, AI-specific, or sector-specific legal requirements. The Customer shall not configure or use the Services in a manner that results in solely automated decisions with legal or similarly significant effects on employees, candidates or workers, unless expressly agreed in writing with October and permitted by applicable law.
6.5 October does not use identifiable Customer Confidential Information or Personal Data provided by the Customer to train publicly available third-party foundational AI models.
6.6 October may use anonymised, aggregated, and de-identified data derived from use of the Services to operate, support, secure, improve, and develop the Services and October’s internal tools, models, analytics, and methodologies, provided that such data does not identify the Customer or any individual.
6.7 The Customer is responsible for informing its employees and users, where legally required, that AI-enabled functionality forms part of the Services.
6.8 AI usage and measurement.
The Customer’s use of AI-Enabled Features is measured and managed using AI Credits and is subject to the AI Credit terms set out in Section 3.9, the applicable Order Form and the AI Usage Page.
7. Intellectual Property
7.1 As between the parties, October and its licensors retain all right, title, and interest in and to the Services, including all software, technology, system architecture, APIs, interfaces, workflows, designs, know-how, documentation, analytics methodologies, AI agents, prompt libraries, models, algorithms, improvements, derivative works, and all related intellectual property rights.
7.2 Except for the limited access and use rights expressly granted in the Agreement, no rights are granted to the Customer by implication, estoppel, or otherwise.
7.3 As between the parties, the Customer retains all right, title, and interest in and to Customer Content. For clarity, nothing in the Agreement limits any statutory rights that individuals may have in relation to their Personal Data under applicable data protection laws.
7.4 The Customer grants October a non-exclusive, worldwide, royalty-free licence during the Subscription Term to host, store, copy, transmit, process, display and otherwise use Customer Content solely to provide, maintain, secure, support and improve the Services, perform October’s obligations, comply with applicable law, and enforce the Agreement, in each case subject to the Agreement and the Data Processing Addendum. October shall only use identifiable Personal Data for service improvement where permitted by applicable law and the Agreement.
(a) provide, maintain, support, and improve the Services;
(b) perform October’s obligations under the Agreement;
(c) comply with applicable law; and
(d) enforce the Agreement.
7.5 To the extent the Customer provides suggestions, comments, ideas, or other feedback relating to the Services, the Customer grants October a perpetual, irrevocable, worldwide, royalty-free licence to use and incorporate that feedback without restriction or obligation.
8. Warranties and Disclaimers
8.1 Each party warrants that:
(a) it has the full corporate power and authority to enter into and perform the Agreement; and(b) the Agreement is validly executed and binding on it.
8.2 October warrants that it will provide the Services in a professional and workmanlike manner using commercially reasonable skill and care.
8.3 October warrants that it shall use commercially reasonable efforts to maintain the availability of the Services, excluding scheduled maintenance, emergency maintenance, force majeure events, failures of third-party networks or infrastructure outside October’s reasonable control, and downtime caused by the Customer or the Customer’s systems.
8.4 Except as expressly stated in the Agreement, the Services are provided on an “as is” and “as available” basis. To the maximum extent permitted by law, October disclaims all implied warranties, conditions, and representations, including any implied warranties of merchantability, fitness for a particular purpose, non-infringement, uninterrupted availability, or error-free operation.
8.5 The Customer acknowledges that the Services do not constitute legal, employment, tax, payroll, accounting, or regulatory advice. The Customer remains solely responsible for validating that its use of the Services and any outputs generated through the Services are appropriate for its own circumstances and compliant with applicable law.
9. Indemnities
9.1 The Customer shall defend, indemnify, and hold harmless October, its affiliates, and their respective directors, officers, employees, and contractors from and against any third-party claims, losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or relating to:
(a) Customer Content;(b) the Customer’s breach of the Agreement;(c) the Customer’s unlawful, improper, or unauthorised use of the Services;(d) the Customer’s failure to obtain required lawful bases, notices, permissions, or consents; or(e) the Customer’s violation of applicable law.
9.2 October shall defend the Customer against any third-party claim that the Services, as provided by October and used by the Customer in accordance with the Agreement, directly infringe a third party’s registered patent, copyright, or trademark, and October shall indemnify the Customer for damages finally awarded by a court of competent jurisdiction or agreed in settlement by October, provided that:
(a) the Customer promptly notifies October in writing of the claim;(b) October has sole control of the defence and settlement of the claim; and(c) the Customer provides reasonable cooperation at October’s expense.
9.3 If the Services become, or in October’s opinion are likely to become, subject to an infringement claim, October may, at its option:
(a) procure the right for the Customer to continue using the affected Services;(b) modify or replace the affected Services so that they become non-infringing without materially reducing core functionality; or(c) terminate the affected Services and refund any prepaid, unused subscription fees for the terminated portion of the Subscription Term.
9.4 October shall have no liability under Section 9.2 to the extent a claim arises from:
(a) Customer Content;(b) modifications not made by October;(c) use of the Services other than in accordance with the Agreement;(d) combination of the Services with third-party systems, data, software, or materials not provided or approved by October, where the claim would not have arisen but for such combination; or(e) any output, content, or functionality generated by a third-party AI model where the claim relates to that third-party model’s underlying training data or general model behaviour rather than October’s proprietary materials.
9.5 This Section 9 states the Customer’s sole and exclusive remedy, and October’s entire liability, for any third-party intellectual property infringement claim relating to the Services.
10. Limitation of Liability
10.1 Nothing in the Agreement excludes or limits either party’s liability for:
(a) death or personal injury caused by negligence;(b) fraud or fraudulent misrepresentation;(c) wilful misconduct; or(d) any liability that cannot lawfully be excluded or limited.
10.2 Subject to Section 10.1, October’s total aggregate liability arising out of or in connection with the Agreement, whether in contract, delict, tort (including negligence), misrepresentation, restitution, or otherwise, shall not exceed the total fees paid or payable by the Customer under the Agreement in the 12 months preceding the event giving rise to the claim.
10.3 Subject to Section 10.1, neither party shall be liable to the other for any indirect, incidental, consequential, special, punitive, or exemplary damages, or for any loss of profits, revenue, goodwill, anticipated savings, or business opportunity.
10.4 Subject to Section 10.1, October shall not be liable for any loss, liability, claim, or damage arising from:
(a) the Customer’s employment, payroll, tax, benefits, or disciplinary decisions;(b) inaccuracies in Customer Content or third-party data;(c) delays, failures, or errors caused by third-party systems or integrations not controlled by October;(d) the Customer’s failure to review, validate, or act appropriately on outputs, analytics, or AI-generated recommendations; or(e) use of the Services contrary to the Agreement or October’s instructions.
11. Suspension and Termination
11.1 October may suspend access to all or part of the Services on written notice if:
(a) the Customer fails to pay undisputed fees when due and remains in default after any applicable notice period;(b) the Customer’s use of the Services poses a security risk, may adversely impact the Services or other customers, or may expose October to liability; or(c) suspension is required by law or a governmental authority.
11.2 Either party may terminate the Agreement for cause by written notice if the other party materially breaches the Agreement and fails to cure that breach within 30 days after receiving written notice requiring it to do so.
11.3 Either party may terminate the Agreement immediately on written notice if the other party:
(a) ceases to carry on business;(b) becomes insolvent or unable to pay its debts as they fall due;(c) enters into liquidation, business rescue, administration, examinership, or any analogous process other than for a solvent restructuring; or(d) has a receiver, trustee, administrator, curator, or similar officer appointed over a material part of its assets.
11.4 Unless otherwise stated in the Order Form, the Customer may not terminate the Agreement for convenience during the Subscription Term.
11.5 On expiry or termination of the Agreement:
(a) the Customer’s rights to access and use the Services shall cease;(b) each party shall, on request, return or destroy the other party’s Confidential Information, subject to legal retention obligations;(c) all amounts accrued and payable up to the effective date of termination shall become immediately due and payable; and(d) Sections intended by their nature to survive shall survive, including provisions relating to fees owed, confidentiality, intellectual property, indemnities, data protection, liability, and dispute resolution.
11.6 Upon written request made within 30 days after the effective date of expiry or termination, October shall make Customer Content available for export in a commercially reasonable format. After that period, October may delete or anonymise Customer Content and Personal Data in accordance with its standard retention processes, subject to applicable law, the Data Processing Addendum, backup retention cycles, legal retention obligations, audit requirements, and dispute-resolution purposes.
11.7 Any transition assistance requested by the Customer beyond standard data export may be provided by October at its then-current professional services rates.
12. Publicity
12.1 Unless otherwise agreed in writing, October may identify the Customer as a customer of the Services in customer lists and sales materials using the Customer’s name and logo, provided that October does not imply endorsement and complies with any reasonable brand guidelines notified by the Customer. If the Customer requests in writing that October cease such use, October shall do so within a reasonable period.
13. General
13.1 Notices. Notices under the Agreement must be in writing and sent by email to the contact details stated in the Order Form or to any replacement contact notified in writing. Notices shall be deemed received at the time of transmission unless a delivery failure notice is received.
13.2 Assignment. The Customer may not assign, transfer, novate, or otherwise dispose of the Agreement without October’s prior written consent, not to be unreasonably withheld or delayed. October may assign or transfer the Agreement without consent in connection with a merger, acquisition, group restructuring, financing, or sale of all or substantially all of its business or assets relating to the Services.
13.3 Force Majeure. Neither party shall be liable for any delay or failure to perform its obligations under the Agreement, other than payment obligations, where such delay or failure results from events beyond its reasonable control.
13.4 Entire Agreement. The Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes all prior discussions, proposals, and understandings relating to that subject matter.
13.5 Amendments. No amendment to the Agreement shall be effective unless in writing and signed by authorised representatives of both parties, except that October may update policies, subprocessors lists, or technical descriptions referenced in the Agreement where such update does not materially reduce the Services or materially increase the Customer’s obligations during the current Subscription Term.
13.6 Severability. If any provision of the Agreement is held invalid, unlawful, or unenforceable, that provision shall be deemed modified to the minimum extent necessary to make it enforceable, or if that is not possible, severed, and the remainder of the Agreement shall continue in full force and effect.
13.7 Waiver. No failure or delay by either party in exercising any right under the Agreement shall constitute a waiver of that right.
13.8 Third-Party Rights. A person who is not a party to the Agreement shall have no right to enforce any term of the Agreement, except as expressly stated otherwise.
13.9 Governing Law and Dispute Resolution. The Agreement is governed by the laws of England and Wales, subject to any mandatory employment, consumer or data protection laws that apply in the country where employees are located. Any dispute, controversy, or claim arising out of or in connection with the Agreement shall be finally resolved by arbitration under the Rules of the London Court of International Arbitration. The arbitration shall be conducted virtually, including by video conference and electronic submissions, and each party is entitled to require that all hearings be conducted virtually. An in-person hearing shall be held only where both parties agree in writing, or where the tribunal determines it to be strictly necessary to ensure due process; any such in-person hearing shall take place in London, England. The language of the arbitration shall be English. Nothing in this clause prevents either party from seeking urgent interim or injunctive relief from a court of competent jurisdiction.
Annexure A: Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Agreement between October Health Limited (“Processor”) and the Customer identified in the applicable Order Form (“Controller”).
This DPA applies only to the extent October processes Personal Data on behalf of the Customer as an Operator, Processor or equivalent data processor in connection with the Services. This DPA does not apply to processing activities for which October acts as an independent Responsible Party, Controller or equivalent data controller, including limited processing for platform security, audit logs, legal compliance, aggregated and de-identified analytics, service improvement, and legal claims.
1. Subject Matter and Duration
1.1 This DPA applies to the extent that October processes Personal Data on behalf of the Customer in connection with the Services.
1.2 This DPA shall remain in force for the duration of the Agreement and for so long thereafter as October processes Personal Data on behalf of the Customer.
2. Nature and Purpose of Processing
2.1 October processes Personal Data solely for the purpose of providing, securing, supporting, maintaining, and improving the Services, performing implementation and support services, enabling authorised access, generating reports and analytics, and complying with applicable law.
3. Categories of Data Subjects
3.1 Data subjects may include:
(a) the Customer’s employees, workers, contractors, consultants, directors, officers, and candidates;(b) dependants or beneficiaries where such data is provided by the Customer in connection with the Services; and(c) the Customer’s administrators, HR personnel, managers, and authorised representatives.
4. Categories of Personal Data
4.1 Personal Data processed under this DPA may include:
(a) identification and contact data, including names, job titles, work email addresses, telephone numbers, employee numbers, dates of birth, and national identification numbers;
(b) employment and HR data, including department, manager, start date, end date, role history, compensation data, leave records, performance records, disciplinary records, training records, benefits data, emergency contact details, and employee documents;
(c) system and usage data, including login details, audit logs, device information, IP addresses, and support interactions; and
(d) any other Personal Data that the Customer chooses to upload to or process through the Services.
4A. Special Category Data and Sensitive Personal Information4A.1 Depending on the Customer’s configuration and use of the Services, Personal Data processed under this DPA may include special category data, sensitive personal information or information subject to heightened protection under applicable law, including health-related information, disability information, racial or ethnic information, trade union membership, biometric identifiers, national identification numbers, payroll information, financial information, disciplinary records, grievance records, dependants’ information, beneficiaries’ information and other sensitive employment-related records.
4A.2 The Customer is responsible for ensuring that it has an appropriate lawful basis and, where required, any additional statutory authorisation, notice, consent or employment-law basis required to process such information through the Services.
4A.3 October shall process such information only in accordance with the Agreement, this DPA and the Customer’s documented instructions, and shall apply appropriate technical and organisational measures designed to protect such information.
5. Controller Obligations
5.1 The Customer warrants and undertakes that:
(a) it has all necessary authority and lawful bases to instruct October to process Personal Data in accordance with the Agreement; and(b) its instructions to October shall comply with applicable data protection laws.
6. Processor Obligations
6.1 October shall:
(a) process Personal Data only on the documented instructions of the Customer, unless otherwise required by law;
(b) ensure that persons authorised to process Personal Data are subject to confidentiality obligations;
(c) implement appropriate technical and organisational measures to protect Personal Data;
(d) notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA and, where reasonably practicable, provide initial notification within 72 hours. October shall provide reasonable information available to it to assist the Customer in assessing the breach, meeting any regulatory or data subject notification obligations, and mitigating adverse effects, including information about the nature of the breach, categories of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach.;
(e) provide reasonable assistance to the Customer with data subject rights requests, security obligations, data protection impact assessments, and regulator consultations, taking into account the nature of the processing and the information available to October; and
(f) at the Customer’s choice, delete or return Personal Data on termination of the Services, unless retention is required by law.
7. Subprocessors
7.1 The Customer grants October general written authorisation to appoint subprocessors as reasonably necessary to provide, secure, support and improve the Services.
7.2 October shall maintain a current list of material subprocessors used in connection with the Services and make it available to the Customer through the Platform, website, Trust Centre, or on written request.
7.3 October shall ensure that each subprocessor is bound by written obligations that are no less protective in all material respects than the data protection obligations imposed on October under this DPA.
7.4 October shall remain responsible for the acts and omissions of its subprocessors to the extent required by applicable data protection law and this DPA.
7.5 Where required by applicable data protection law, October shall provide reasonable prior notice of any intended material change to subprocessors and allow the Customer to object on reasonable data protection grounds. If the parties cannot resolve the objection, the Customer may terminate the affected Services to the extent required by applicable law.
8. International Transfers
8.1 The Customer authorises October to transfer, store, process and permit access to Personal Data outside the country in which the Customer, Authorised Users or data subjects are located where reasonably necessary to provide, secure, support and maintain the Services.
8.2 October maintains a current list of the principal jurisdictions in which Personal Data is processed or stored, and the sub-processors involved, at [website URL]. This list is updated at least 14 days before any material change to October's international processing locations takes effect.
8.3 Where October transfers Personal Data to a jurisdiction that does not provide an equivalent level of data protection to that applicable in the Customer's jurisdiction, October shall ensure that the transfer is subject to an appropriate lawful transfer mechanism under applicable data protection laws. Such mechanisms may include:
- an adequacy decision or finding applicable to the destination country;
- standard contractual clauses or equivalent transfer mechanisms approved by the relevant data protection authority;
- an approved data privacy framework certification;
- binding corporate rules; or
- such other lawful transfer mechanism as is recognised under applicable data protection law.
8.4 Where required by applicable data protection laws, October shall conduct and maintain appropriate transfer risk assessments or transfer impact assessments, taking into account:
- the nature and sensitivity of the Personal Data;
- the destination country and its legal framework regarding data protection and government access;
- the safeguards implemented by October and its sub-processors; and
- the technical and organisational measures applied to mitigate transfer risks.
8.5 October shall implement appropriate supplementary measures to protect Personal Data transferred internationally, which may include:
- encryption in transit and at rest;
- access controls and least-privilege access principles;
- logging and monitoring of access to transferred data;
- contractual commitments with sub-processors regarding international transfers; and
- documented policies for assessing and responding to legally binding government access requests.
8.6 Where jurisdiction-specific transfer requirements apply to the Customer's Personal Data, the applicable transfer mechanisms and safeguards are set out in the relevant Data Processing Addendum Schedule or regional supplement, which forms part of this Agreement.
9. Audits and Information Rights
9.1 October shall make available to the Customer such information as is reasonably necessary to demonstrate compliance with this DPA.
9.2 Any audit rights exercised by the Customer shall be limited to no more than once annually, on reasonable prior written notice, during normal business hours, and subject to appropriate confidentiality, security, and non-disruption obligations.
9.3 October may satisfy audit requests through the provision of up-to-date audit reports, certifications, summaries, or other reasonable compliance documentation where appropriate.
10. Deletion and Return
10.1 Upon expiry or termination of the Agreement, October shall, at the Customer’s written election, delete or return Personal Data, unless retention is required by law.
10.2 Where the Customer does not make an election within 30 days after expiry or termination, October may delete or anonymise the Personal Data in accordance with its standard retention processes, subject to applicable law.
11. Liability
11.1 This DPA is subject to the exclusions and limitations of liability set out in the Agreement, to the extent permitted by applicable law.

