October People Subscription Terms
These October People Subscription Terms (“Terms”) govern the provision of the October People human resources information system and related services by October Health Limited (UK Co. No. 13365509) (“October”) to the customer identified in the applicable Order Form (“Customer”).
These Terms, together with the applicable Order Form, the Data Processing Addendum, and any schedules or addenda expressly incorporated by reference, form the Agreement between the parties.
1. Definitions and Agreement Structure
1.1 Agreement means the Order Form, these Terms, the Data Processing Addendum, and any schedules or addenda expressly incorporated by reference.
1.2 Authorised Users means the Customer’s employees, contractors, administrators, and other individuals whom the Customer authorises to access or use the Services on its behalf.
1.3 Customer Content means all data, records, documents, text, policies, files, branding, employee information, applicant information, and other materials submitted, uploaded, transmitted, or otherwise made available by or on behalf of the Customer in connection with the Services.
1.4 Order Form means the ordering document, purchase order, order summary, or other written commercial document entered into between the parties that sets out the commercial details of the Services.
1.5 Services means the October People software-as-a-service platform and any related services, functionality, modules, integrations, implementation, support, training, professional services, or other services purchased by the Customer under the applicable Order Form.
1.6 Subscription Term means the initial subscription term and any renewal term specified in the Order Form.
1.7 In the event of any conflict between the documents forming the Agreement, the order of precedence set out in the Order Form shall apply.
2. Services and Access Rights
2.1 Subject to the Agreement and payment of all applicable fees, October grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the Subscription Term to access and use the Services for the Customer’s internal business purposes.
2.2 The scope of the Services, including the specific modules, features, integrations, implementation services, support services, usage tiers, user or employee thresholds, and pricing metrics purchased by the Customer, shall be as specified in the applicable Order Form.
2.3 The Customer may permit Authorised Users to access and use the Services solely for the Customer’s internal business purposes and in accordance with the Agreement. The Customer is responsible for all use of the Services by its Authorised Users.
2.4 October may update, improve, modify, or refine the Services from time to time. October will not materially reduce the core functionality of the Services purchased by the Customer during a paid Subscription Term without prior notice. Core functionality shall be assessed with reference to the Services as a whole and not any individual feature.
2.5 Unless expressly stated otherwise in the applicable Order Form, no module, feature, integration, service level, implementation work, data migration service, or third-party service is included other than what is expressly identified in the Order Form.
3. Subscription Term, Renewal, and Fees
3.1 The Agreement begins on the Effective Date set out in the applicable Order Form and continues for the Subscription Term unless terminated earlier in accordance with the Agreement.
3.2 The initial term, any renewal term, renewal mechanics, billing frequency, and payment terms shall be as stated in the applicable Order Form.
3.3 Fees are as set out in the applicable Order Form and are payable in the currency specified therein.
3.4 All amounts payable under the Agreement are exclusive of VAT, sales tax, withholding tax, and any similar taxes, duties, or levies, which shall be payable by the Customer in addition where applicable, other than taxes based on October’s net income.
3.5 If the Customer fails to pay any undisputed amount when due, October may charge interest on overdue amounts at 2% per month or the maximum amount permitted by law, whichever is lower.
3.6 If any undisputed invoice remains unpaid after any applicable cure or notice period specified in the Order Form, or if none is specified, seven (7) days after written notice of non-payment, October may suspend access to the Services until payment is made in full. The Customer remains liable for all fees during any suspension period.
3.7 Unless otherwise expressly stated in the Order Form, all fees are non-cancellable and non-refundable.
3.8 To the extent the applicable Order Form provides for pricing based on employee count, user count, active jobs, candidate volume, usage thresholds, pricing bands, or other measurable criteria, the Customer acknowledges that additional fees, overage charges, or pricing tier adjustments may apply as set out in the Order Form.
4. Customer Responsibilities
4.1 The Customer is responsible for:
4.1.1 ensuring that all Customer Content is accurate, complete, lawful and up to date;
4.1.2 obtaining and maintaining all lawful bases, notices, permissions, consents and approvals required to provide Customer Content to October and permit October to process it under the Agreement;
4.1.3 ensuring that it has authority to enable and use platform communications, workflow notifications, reminders, announcements, recognition features and integrations through channels such as email, SMS, Slack, Microsoft Teams and similar workplace tools;
4.1.4 determining which communication features, integrations, audiences and notification settings are enabled for its organisation and ensuring such use complies with applicable law, internal policies and employee notices;
4.1.5 designating appropriate administrators and maintaining the security and confidentiality of administrative credentials;
4.1.6 configuring and using the Services in accordance with applicable employment, labour, payroll, tax, data protection and workplace laws;
4.1.7 independently reviewing and validating all outputs, reports, analytics, recommendations and any AI-generated or automated outputs before relying on them; and
4.1.8 making and keeping all employment, payroll, disciplinary, promotion, benefits and other workplace decisions independently of October.
4.2 The Customer shall not, and shall not permit any third party to:
4.2.1 copy, modify, translate, or create derivative works of the Services except as expressly permitted under the Agreement;
4.2.2 reverse engineer, decompile, disassemble, or otherwise attempt to derive source code, object code, underlying structure, ideas, know-how, or algorithms of the Services except to the extent such restriction is prohibited by law;
4.2.3 use the Services to build, train, benchmark, fine-tune, or improve any competing product, service, or artificial intelligence or machine learning model;
4.2.4 use the Services in any unlawful, infringing, fraudulent, or abusive manner;
4.2.5 circumvent or interfere with the Services’ security, authentication, or access controls; or
4.2.6 resell, sublicense, lease, or commercially exploit the Services other than for the Customer’s internal business purposes unless expressly agreed in writing.
5. Data Protection, Confidentiality, Security, and Communications
5.1 Compliance with Data Protection Laws. Each party shall comply with all applicable data protection and privacy laws in connection with the Agreement, including, where applicable, the UK GDPR, the Data Protection Act 2018, the EU GDPR, the Protection of Personal Information Act 4 of 2013, and any other applicable data protection, privacy, electronic communications or employment-related privacy laws.
5.2 Data Roles. The parties acknowledge that, in relation to employment-related Personal Data processed through the Services, the Customer acts as the Responsible Party, Controller or equivalent data controller (“Controller”), and October acts as the Operator, Processor or equivalent data processor (“Processor”), when processing such Personal Data on the Customer’s documented instructions, as further described in the Data Processing Addendum.
5.3 Data Processing Addendum. To the extent October processes Personal Data on behalf of the Customer as Processor, the Data Processing Addendum applies and forms part of the Agreement.
5.4 Independent Processing by October. October may act as an independent Controller for limited processing activities where October determines the purposes and means of processing, including platform security, fraud prevention, system logs and audit trails, legal and regulatory compliance, aggregated and de-identified analytics, service improvement, and establishing, exercising or defending legal rights. Where October acts as an independent Controller, it shall process Personal Data in accordance with applicable data protection laws and its applicable privacy notices.
5.5 Customer Responsibilities and Lawful Basis. The Customer is responsible for ensuring that it has all necessary lawful bases, notices, permissions, consents and authorisations required to provide Personal Data to October and to enable October to process such Personal Data in connection with the Services.
5.6 No Sale or Unauthorised Use of Personal Data. October shall not sell Personal Data processed through the Services or use identifiable employee, candidate or Authorised User Personal Data for direct marketing in its own name, except where separately agreed in writing and permitted by applicable law.
5.7 De-identified Data. October may create and use aggregated, anonymised or de-identified data derived from the Services for analytics, benchmarking, security, product improvement, internal research and service development, provided that such data does not identify the Customer or any individual.
5.8 Confidential Information. Each party may receive non-public or proprietary information from the other party in connection with the Agreement (“Confidential Information”), including Customer Content, pricing, technical information, product documentation, security information, business plans, and any other information that is designated as confidential or that a reasonable person would understand to be confidential in the circumstances.
5.8A International data transfers. The Customer acknowledges that, in order to provide the Services, Customer Content and Personal Data may be transferred to, stored in, or accessed from jurisdictions outside the country in which the Customer or relevant Authorised Users are located.
October shall implement appropriate safeguards for all such transfers in accordance with applicable data protection laws. These safeguards may include, as relevant to the jurisdiction:
- standard contractual clauses or equivalent transfer mechanisms approved by the applicable data protection authority;
- reliance on an adequacy decision or finding applicable to the destination country;
- certification under an approved data privacy framework;
- transfer impact assessments where required; and
- appropriate technical
5.9 Exclusions. Confidential Information does not include information that the receiving party can demonstrate: (a) is or becomes publicly available without breach of the Agreement; (b) was lawfully known prior to disclosure; (c) is independently developed without use of the Confidential Information; or (d) is lawfully obtained from a third party without restriction.
5.10 Confidentiality Obligations. The receiving party shall: (a) use Confidential Information solely to perform its obligations or exercise its rights under the Agreement; (b) protect Confidential Information using at least reasonable care; and (c) not disclose Confidential Information except to employees, contractors, professional advisers, or subprocessors with a legitimate need to know and who are bound by confidentiality obligations no less protective than those set out herein.
5.11 Required Disclosure. Where disclosure of Confidential Information is required by law, regulation, or court order, the receiving party shall, to the extent legally permitted, provide prior notice to the disclosing party and disclose only the portion legally required.
5.12 Security Measures. October shall implement and maintain appropriate technical and organisational measures designed to protect Customer Content and Personal Data against unauthorised access, unlawful processing, accidental loss, destruction, damage, alteration or disclosure. Such measures shall be proportionate to the nature of the Services and associated risks, and may include: (a) encryption of Personal Data in transit and at rest; (b) role-based access controls and least-privilege access; (c) multi-factor authentication for administrative access; (d) secure cloud infrastructure controls; (e) audit logging, monitoring and alerting; (f) vulnerability management and regular security testing; (g) incident response and breach management procedures; (h) confidentiality obligations for personnel; and (i) security governance aligned with SOC 2 Type II or an equivalent framework.
5.13 Subprocessors. October may appoint subprocessors to assist in providing the Services, provided that October remains responsible for their compliance with the applicable data protection obligations under the Agreement.
5.14 Service Communications. The Customer acknowledges that October may send or facilitate service-related communications to Authorised Users through the Platform or through communication channels enabled or approved by the Customer, including email, in-app notifications, SMS, Slack, Microsoft Teams, and similar tools. Such communications may include operational, onboarding, workflow, notification and engagement-related messages necessary for the provision of the Services.
5.15 Security Documentation. Upon written request and subject to confidentiality obligations, October may provide reasonable security and compliance documentation, including SOC 2 reports, penetration testing summaries, and security materials, provided that October may redact information that is commercially sensitive or security-sensitive.
6. AI Features and Use of Data
6.1 Certain features of the Services may include AI-enabled functionality, automation, or generative assistance.
6.2 AI-generated or automated outputs are provided for assistive and informational purposes only and may contain inaccuracies, incomplete information, or biased or unexpected results.
6.3 The Customer acknowledges and agrees that:
(a) AI outputs require human review, judgment, and validation;
(b) the Services are not designed for solely automated decision-making with legal or similarly significant effects in relation to employees or applicants; and
(c) the Customer shall not rely on AI outputs as the sole basis for any employment, disciplinary, hiring, promotion, compensation, performance, or other material workplace decision.
6.4 AI governance and testing. October maintains commercially reasonable AI governance, oversight and risk-mitigation processes for AI-enabled features, which may include, as appropriate to the relevant feature and risk profile: human oversight, documented testing, prompt and output evaluation, safety testing, bias testing, flip testing, adversarial testing, access controls, logging, monitoring, and periodic review. October may update these processes from time to time to reflect changes in law, technology, product functionality and recognised good practice.
6.4A Bias testing. October conducts bias and fairness testing on relevant AI-enabled features, including testing designed to identify materially different outputs or treatment based on demographic or protected-characteristic signals. Such testing is intended to identify and mitigate unfair or inappropriate differential treatment, but does not guarantee that AI outputs will be error-free, bias-free or suitable for any particular employment decision without human review.
6.4B No high-risk deployment without customer responsibility. The Customer is responsible for determining whether its intended use of any AI-enabled feature is subject to employment, labour, data protection, equality, automated decision-making, AI-specific, or sector-specific legal requirements. The Customer shall not configure or use the Services in a manner that results in solely automated decisions with legal or similarly significant effects on employees, candidates or workers, unless expressly agreed in writing with October and permitted by applicable law.
6.5 October does not use identifiable Customer Confidential Information or Personal Data provided by the Customer to train publicly available third-party foundational AI models.
6.6 October may use anonymised, aggregated, and de-identified data derived from use of the Services to operate, support, secure, improve, and develop the Services and October’s internal tools, models, analytics, and methodologies, provided that such data does not identify the Customer or any individual.
6.7 The Customer is responsible for informing its employees and users, where legally required, that AI-enabled functionality forms part of the Services.
7. Intellectual Property
7.1 As between the parties, October and its licensors retain all right, title, and interest in and to the Services, including all software, technology, system architecture, APIs, interfaces, workflows, designs, know-how, documentation, analytics methodologies, AI agents, prompt libraries, models, algorithms, improvements, derivative works, and all related intellectual property rights.
7.2 Except for the limited access and use rights expressly granted in the Agreement, no rights are granted to the Customer by implication, estoppel, or otherwise.
7.3 As between the parties, the Customer retains all right, title, and interest in and to Customer Content. For clarity, nothing in the Agreement limits any statutory rights that individuals may have in relation to their Personal Data under applicable data protection laws.
7.4 The Customer grants October a non-exclusive, worldwide, royalty-free licence during the Subscription Term to host, store, copy, transmit, process, display and otherwise use Customer Content solely to provide, maintain, secure, support and improve the Services, perform October’s obligations, comply with applicable law, and enforce the Agreement, in each case subject to the Agreement and the Data Processing Addendum. October shall only use identifiable Personal Data for service improvement where permitted by applicable law and the Agreement.
(a) provide, maintain, support, and improve the Services;
(b) perform October’s obligations under the Agreement;
(c) comply with applicable law; and
(d) enforce the Agreement.
7.5 To the extent the Customer provides suggestions, comments, ideas, or other feedback relating to the Services, the Customer grants October a perpetual, irrevocable, worldwide, royalty-free licence to use and incorporate that feedback without restriction or obligation.
8. Warranties and Disclaimers
8.1 Each party warrants that:
(a) it has the full corporate power and authority to enter into and perform the Agreement; and
(b) the Agreement is validly executed and binding on it.
8.2 October warrants that it will provide the Services in a professional and workmanlike manner using commercially reasonable skill and care.
8.3 October warrants that it shall use commercially reasonable efforts to maintain the availability of the Services, excluding scheduled maintenance, emergency maintenance, force majeure events, failures of third-party networks or infrastructure outside October’s reasonable control, and downtime caused by the Customer or the Customer’s systems.
8.4 Except as expressly stated in the Agreement, the Services are provided on an “as is” and “as available” basis. To the maximum extent permitted by law, October disclaims all implied warranties, conditions, and representations, including any implied warranties of merchantability, fitness for a particular purpose, non-infringement, uninterrupted availability, or error-free operation.
8.5 The Customer acknowledges that the Services do not constitute legal, employment, tax, payroll, accounting, or regulatory advice. The Customer remains solely responsible for validating that its use of the Services and any outputs generated through the Services are appropriate for its own circumstances and compliant with applicable law.
9. Indemnities
9.1 The Customer shall defend, indemnify, and hold harmless October, its affiliates, and their respective directors, officers, employees, and contractors from and against any third-party claims, losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or relating to:
(a) Customer Content;
(b) the Customer’s breach of the Agreement;
(c) the Customer’s unlawful, improper, or unauthorised use of the Services;
(d) the Customer’s failure to obtain required lawful bases, notices, permissions, or consents; or
(e) the Customer’s violation of applicable law.
9.2 October shall defend the Customer against any third-party claim that the Services, as provided by October and used by the Customer in accordance with the Agreement, directly infringe a third party’s registered patent, copyright, or trademark, and October shall indemnify the Customer for damages finally awarded by a court of competent jurisdiction or agreed in settlement by October, provided that:
(a) the Customer promptly notifies October in writing of the claim;
(b) October has sole control of the defence and settlement of the claim; and
(c) the Customer provides reasonable cooperation at October’s expense.
9.3 If the Services become, or in October’s opinion are likely to become, subject to an infringement claim, October may, at its option:
(a) procure the right for the Customer to continue using the affected Services;
(b) modify or replace the affected Services so that they become non-infringing without materially reducing core functionality; or
(c) terminate the affected Services and refund any prepaid, unused subscription fees for the terminated portion of the Subscription Term.
9.4 October shall have no liability under Section 9.2 to the extent a claim arises from:
(a) Customer Content;
(b) modifications not made by October;
(c) use of the Services other than in accordance with the Agreement;
(d) combination of the Services with third-party systems, data, software, or materials not provided or approved by October, where the claim would not have arisen but for such combination; or
(e) any output, content, or functionality generated by a third-party AI model where the claim relates to that third-party model’s underlying training data or general model behaviour rather than October’s proprietary materials.
9.5 This Section 9 states the Customer’s sole and exclusive remedy, and October’s entire liability, for any third-party intellectual property infringement claim relating to the Services.
10. Limitation of Liability
10.1 Nothing in the Agreement excludes or limits either party’s liability for:
(a) death or personal injury caused by negligence;
(b) fraud or fraudulent misrepresentation;
(c) wilful misconduct; or
(d) any liability that cannot lawfully be excluded or limited.
10.2 Subject to Section 10.1, October’s total aggregate liability arising out of or in connection with the Agreement, whether in contract, delict, tort (including negligence), misrepresentation, restitution, or otherwise, shall not exceed the total fees paid or payable by the Customer under the Agreement in the 12 months preceding the event giving rise to the claim.
10.3 Subject to Section 10.1, neither party shall be liable to the other for any indirect, incidental, consequential, special, punitive, or exemplary damages, or for any loss of profits, revenue, goodwill, anticipated savings, or business opportunity.
10.4 Subject to Section 10.1, October shall not be liable for any loss, liability, claim, or damage arising from:
(a) the Customer’s employment, payroll, tax, benefits, or disciplinary decisions;
(b) inaccuracies in Customer Content or third-party data;
(c) delays, failures, or errors caused by third-party systems or integrations not controlled by October;
(d) the Customer’s failure to review, validate, or act appropriately on outputs, analytics, or AI-generated recommendations; or
(e) use of the Services contrary to the Agreement or October’s instructions.
11. Suspension and Termination
11.1 October may suspend access to all or part of the Services on written notice if:
(a) the Customer fails to pay undisputed fees when due and remains in default after any applicable notice period;
(b) the Customer’s use of the Services poses a security risk, may adversely impact the Services or other customers, or may expose October to liability; or
(c) suspension is required by law or a governmental authority.
11.2 Either party may terminate the Agreement for cause by written notice if the other party materially breaches the Agreement and fails to cure that breach within 30 days after receiving written notice requiring it to do so.
11.3 Either party may terminate the Agreement immediately on written notice if the other party:
(a) ceases to carry on business;
(b) becomes insolvent or unable to pay its debts as they fall due;
(c) enters into liquidation, business rescue, administration, examinership, or any analogous process other than for a solvent restructuring; or
(d) has a receiver, trustee, administrator, curator, or similar officer appointed over a material part of its assets.
11.4 Unless otherwise stated in the Order Form, the Customer may not terminate the Agreement for convenience during the Subscription Term.
11.5 On expiry or termination of the Agreement:
(a) the Customer’s rights to access and use the Services shall cease;
(b) each party shall, on request, return or destroy the other party’s Confidential Information, subject to legal retention obligations;
(c) all amounts accrued and payable up to the effective date of termination shall become immediately due and payable; and
(d) Sections intended by their nature to survive shall survive, including provisions relating to fees owed, confidentiality, intellectual property, indemnities, data protection, liability, and dispute resolution.
11.6 Upon written request made within 30 days after the effective date of expiry or termination, October shall make Customer Content available for export in a commercially reasonable format. After that period, October may delete or anonymise Customer Content and Personal Data in accordance with its standard retention processes, subject to applicable law, the Data Processing Addendum, backup retention cycles, legal retention obligations, audit requirements, and dispute-resolution purposes.
11.7 Any transition assistance requested by the Customer beyond standard data export may be provided by October at its then-current professional services rates.
12. Publicity
12.1 Unless otherwise agreed in writing, October may identify the Customer as a customer of the Services in customer lists and sales materials using the Customer’s name and logo, provided that October does not imply endorsement and complies with any reasonable brand guidelines notified by the Customer. If the Customer requests in writing that October cease such use, October shall do so within a reasonable period.
13. General
13.1 Notices. Notices under the Agreement must be in writing and sent by email to the contact details stated in the Order Form or to any replacement contact notified in writing. Notices shall be deemed received at the time of transmission unless a delivery failure notice is received.
13.2 Assignment. The Customer may not assign, transfer, novate, or otherwise dispose of the Agreement without October’s prior written consent, not to be unreasonably withheld or delayed. October may assign or transfer the Agreement without consent in connection with a merger, acquisition, group restructuring, financing, or sale of all or substantially all of its business or assets relating to the Services.
13.3 Force Majeure. Neither party shall be liable for any delay or failure to perform its obligations under the Agreement, other than payment obligations, where such delay or failure results from events beyond its reasonable control.
13.4 Entire Agreement. The Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes all prior discussions, proposals, and understandings relating to that subject matter.
13.5 Amendments. No amendment to the Agreement shall be effective unless in writing and signed by authorised representatives of both parties, except that October may update policies, subprocessors lists, or technical descriptions referenced in the Agreement where such update does not materially reduce the Services or materially increase the Customer’s obligations during the current Subscription Term.
13.6 Severability. If any provision of the Agreement is held invalid, unlawful, or unenforceable, that provision shall be deemed modified to the minimum extent necessary to make it enforceable, or if that is not possible, severed, and the remainder of the Agreement shall continue in full force and effect.
13.7 Waiver. No failure or delay by either party in exercising any right under the Agreement shall constitute a waiver of that right.
13.8 Third-Party Rights. A person who is not a party to the Agreement shall have no right to enforce any term of the Agreement, except as expressly stated otherwise.
13.9 Governing Law and Dispute Resolution. The Agreement is governed by the laws of England and Wales. Any dispute, controversy, or claim arising out of or in connection with the Agreement, including any question regarding its existence, validity, or termination, shall be finally resolved by arbitration under the Rules of the London Court of International Arbitration, which Rules are deemed to be incorporated by reference into this clause. The seat, or legal place, of arbitration shall be London, England. The language of the arbitration shall be English.
The parties agree that any hearings and proceedings may be conducted in person, virtually by video conference or other remote means, or on a documents-only basis, and no party shall object to the use of such remote or virtual procedures. Nothing in this clause prevents either party from seeking urgent interim or injunctive relief from a court of competent jurisdiction.
Annexure A: Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Agreement between October Health Limited (“Processor”) and the Customer identified in the applicable Order Form (“Controller”).
This DPA applies only to the extent October processes Personal Data on behalf of the Customer as an Operator, Processor or equivalent data processor in connection with the Services. This DPA does not apply to processing activities for which October acts as an independent Responsible Party, Controller or equivalent data controller, including limited processing for platform security, audit logs, legal compliance, aggregated and de-identified analytics, service improvement, and legal claims.
1. Subject Matter and Duration
1.1 This DPA applies to the extent that October processes Personal Data on behalf of the Customer in connection with the Services.
1.2 This DPA shall remain in force for the duration of the Agreement and for so long thereafter as October processes Personal Data on behalf of the Customer.
2. Nature and Purpose of Processing
2.1 October processes Personal Data solely for the purpose of providing, securing, supporting, maintaining, and improving the Services, performing implementation and support services, enabling authorised access, generating reports and analytics, and complying with applicable law.
3. Categories of Data Subjects
3.1 Data subjects may include:
(a) the Customer’s employees, workers, contractors, consultants, directors, officers, and candidates;
(b) dependants or beneficiaries where such data is provided by the Customer in connection with the Services; and
(c) the Customer’s administrators, HR personnel, managers, and authorised representatives.
4. Categories of Personal Data
4.1 Personal Data processed under this DPA may include:
(a) identification and contact data, including names, job titles, work email addresses, telephone numbers, employee numbers, dates of birth, and national identification numbers;
(b) employment and HR data, including department, manager, start date, end date, role history, compensation data, leave records, performance records, disciplinary records, training records, benefits data, emergency contact details, and employee documents;
(c) system and usage data, including login details, audit logs, device information, IP addresses, and support interactions; and
(d) any other Personal Data that the Customer chooses to upload to or process through the Services.
4A. Special Category Data and Sensitive Personal Information
4A.1 Depending on the Customer’s configuration and use of the Services, Personal Data processed under this DPA may include special category data, sensitive personal information or information subject to heightened protection under applicable law, including health-related information, disability information, racial or ethnic information, trade union membership, biometric identifiers, national identification numbers, payroll information, financial information, disciplinary records, grievance records, dependants’ information, beneficiaries’ information and other sensitive employment-related records.
4A.2 The Customer is responsible for ensuring that it has an appropriate lawful basis and, where required, any additional statutory authorisation, notice, consent or employment-law basis required to process such information through the Services.
4A.3 October shall process such information only in accordance with the Agreement, this DPA and the Customer’s documented instructions, and shall apply appropriate technical and organisational measures designed to protect such information.
5. Controller Obligations
5.1 The Customer warrants and undertakes that:
(a) it has all necessary authority and lawful bases to instruct October to process Personal Data in accordance with the Agreement; and
(b) its instructions to October shall comply with applicable data protection laws.
6. Processor Obligations
6.1 October shall:
(a) process Personal Data only on the documented instructions of the Customer, unless otherwise required by law;
(b) ensure that persons authorised to process Personal Data are subject to confidentiality obligations;
(c) implement appropriate technical and organisational measures to protect Personal Data;
(d) notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA and, where reasonably practicable, provide initial notification within 72 hours. October shall provide reasonable information available to it to assist the Customer in assessing the breach, meeting any regulatory or data subject notification obligations, and mitigating adverse effects, including information about the nature of the breach, categories of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach;
(e) provide reasonable assistance to the Customer with data subject rights requests, security obligations, data protection impact assessments, and regulator consultations, taking into account the nature of the processing and the information available to October; and
(f) at the Customer’s choice, delete or return Personal Data on termination of the Services, unless retention is required by law.
7. Subprocessors
7.1 The Customer grants October general written authorisation to appoint subprocessors as reasonably necessary to provide, secure, support and improve the Services.
7.2 October shall maintain a current list of material subprocessors used in connection with the Services and make it available to the Customer through the Platform, website, Trust Centre, or on written request.
7.3 October shall ensure that each subprocessor is bound by written obligations that are no less protective in all material respects than the data protection obligations imposed on October under this DPA.
7.4 October shall remain responsible for the acts and omissions of its subprocessors to the extent required by applicable data protection law and this DPA.
7.5 Where required by applicable data protection law, October shall provide reasonable prior notice of any intended material change to subprocessors and allow the Customer to object on reasonable data protection grounds. If the parties cannot resolve the objection, the Customer may terminate the affected Services to the extent required by applicable law.
8. International Transfers
8.1 The Customer authorises October to transfer, store, process and permit access to Personal Data outside the country in which the Customer, Authorised Users or data subjects are located where reasonably necessary to provide, secure, support and maintain the Services.
8.2 October maintains a current list of the principal jurisdictions in which Personal Data is processed or stored, and the sub-processors involved, at [website URL]. This list is updated at least 14 days before any material change to October's international processing locations takes effect.
8.3 Where October transfers Personal Data to a jurisdiction that does not provide an equivalent level of data protection to that applicable in the Customer's jurisdiction, October shall ensure that the transfer is subject to an appropriate lawful transfer mechanism under applicable data protection laws. Such mechanisms may include:
- an adequacy decision or finding applicable to the destination country;
- standard contractual clauses or equivalent transfer mechanisms approved by the relevant data protection authority;
- an approved data privacy framework certification;
- binding corporate rules; or
- such other lawful transfer mechanism as is recognised under applicable data protection law.
8.4 Where required by applicable data protection laws, October shall conduct and maintain appropriate transfer risk assessments or transfer impact assessments, taking into account:
- the nature and sensitivity of the Personal Data;
- the destination country and its legal framework regarding data protection and government access;
- the safeguards implemented by October and its sub-processors; and
- the technical and organisational measures applied to mitigate transfer risks.
8.5 October shall implement appropriate supplementary measures to protect Personal Data transferred internationally, which may include:
- encryption in transit and at rest;
- access controls and least-privilege access principles;
- logging and monitoring of access to transferred data;
- contractual commitments with sub-processors regarding international transfers; and
- documented policies for assessing and responding to legally binding government access requests.
8.6 Where jurisdiction-specific transfer requirements apply to the Customer's Personal Data, the applicable transfer mechanisms and safeguards are set out in the relevant Data Processing Addendum Schedule or regional supplement, which forms part of this Agreement.
9. Audits and Information Rights
9.1 October shall make available to the Customer such information as is reasonably necessary to demonstrate compliance with this DPA.
9.2 Any audit rights exercised by the Customer shall be limited to no more than once annually, on reasonable prior written notice, during normal business hours, and subject to appropriate confidentiality, security, and non-disruption obligations.
9.3 October may satisfy audit requests through the provision of up-to-date audit reports, certifications, summaries, or other reasonable compliance documentation where appropriate.
10. Deletion and Return
10.1 Upon expiry or termination of the Agreement, October shall, at the Customer’s written election, delete or return Personal Data, unless retention is required by law.
10.2 Where the Customer does not make an election within 30 days after expiry or termination, October may delete or anonymise the Personal Data in accordance with its standard retention processes, subject to applicable law.
11. Liability
11.1 This DPA is subject to the exclusions and limitations of liability set out in the Agreement, to the extent permitted by applicable law.