1: Terms and Conditions

1. These terms

1.1 What these terms cover. These are the terms and conditions on which we supply services to you as set out in the
Letter of Engagement and upon which you are granted access to The Social Value Portal (“The Portal”).

2. Information about us and how to contact us

2.1 Who we are. We are Social Value Portal Limited a company registered in England and Wales. Our company
registration number is 09197997 and our registered office is at 20-22 Wenlock Road, London, England, N1 7GU.

2.2 How to contact us. You can contact us by telephoning our service team at +44 (0)2033 550530 or by writing to us at
admin@socialvalueportal.com and Tintagel House, 92 Albert Embankment, SE1 7TP.

2.3 How we may contact you. If we have to contact you we will do so by telephone or by writing to you at the email
address or postal address you provided to us in your order.

2.4 “Writing” includes emails. When we use the words “writing” or “written” in these terms, this includes emails.

3. Our contract with you

3.1 How we will accept your order. Our acceptance of your order will take place when we tell you that we are able to
provide you with the services, which we will also confirm in writing to you in our Letter of Engagement, at which
point a contract will come into existence between you and us.

3.2 What the Letter of Engagement will contain. The Letter of Engagement will set out the following information:
– Our scope of work
– Our fees
– Indicative timetable to complete the scope of work
– Our team
– The person who will be our point of contact at your business

3.3 Conflict with Letter of Engagement. If there is a conflict between the terms of the Letter of Engagement and these
terms, the Letter of Engagement shall prevail.

4. Your rights to make changes

4.1 If you wish to make a change to the services please contact us. We will let you know if the change is possible. If it is possible we will let you know about any changes to the price of the services, their timing or anything else which
would be necessary as a result of your requested change and ask you to confirm whether you wish to go ahead with
the change.

5. Our rights to make changes

5.1 Minor changes to the services. We may change the services:
(a) to reflect changes in relevant laws and regulatory requirements; and
(b) to implement minor technical adjustments and improvements, for example to address a security threat.
These changes will not affect your use of the services.

6. Providing the services

6.1 When we will provide the services. We will supply the services to you from the date set out in our Letter of
Engagement for the time period set out in the Letter of Engagement. The estimated completion date for the services
is as set out in the Letter of Engagement or until either you end the contract for the services as described in clause 7
or we end the contract by written notice to you as described in clause 8.

6.2 We will comply with all applicable law in our supply of the services in accordance with these terms and conditions
and the Letter of Engagement, which for the avoidance of doubt will include, but not be limited to, the Bribery Act 2010
and the Modern Slavery Act 2015. We will ensure that we establish, maintain and enforce policies and procedures
which are adequate to ensure compliance with the Modern Slavery Act 2015 and the Bribery Act 2010 and to prevent
the concurrence of a Prohibited Act (as defined in the Bribery Act 2010). We will notify You immediately in writing of
any failure to comply with this clause. We will keep appropriate records of our compliance with these obligations
and make such records available on request. If We fail to comply with this clause, You will have a right to terminate
the Agreement immediately without further liability and without prejudice to any other rights or remedies that may
have accrued to your benefit under or in connection with this Agreement. We will refund you in full all sums paid by
You for the provision of the services.

6.3 We are not responsible for delays outside our control. If our performance of the services is affected by an event
outside our control then we will contact you as soon as possible to let you know and we will take steps to minimise
the effect of the delay. Provided we do this we will not be liable for delays caused by the event but if there is a risk
of substantial delay you may contact us to end the contract and receive a refund for any services you have paid for
but not received.

6.4 If you do not allow us access to provide services. If you have asked us to provide the services to you at your business
and you do not allow us access to your business premises as arranged (and you do not have a good reason for this)
we may charge you additional costs incurred by us as a result. If, despite our reasonable efforts, we are unable to
contact you or re-arrange access to your business we may end the contract and clause 7.3 will apply.

6.5 Information you must provide to us. The data you supply to us must be accurate and in line with our guidance notes. We will not be responsible for checking the accuracy of the data. The data sources are to be clearly identifiable and
open to evaluation by us. We must be provided with access to stakeholders upon reasonable notice. You will be
responsible for inputting data unless otherwise agreed in the Letter of Engagement.

6.6 What will happen if you do not provide required information to us. As we informed you in the Letter of Engagement, we will need certain information from you so that we can provide the services to you. We will contact you in writing
to ask for this information. If you do not, within a reasonable time of us asking for it, provide us with this information,
or you provide us with incomplete or incorrect information, we may either end the contract (see clause 8.1) or make
an additional charge of a reasonable sum to compensate us for any extra work that is required as a result. We will
not be responsible for providing the services late or not providing any part of them if this is caused by you not giving
us the information we need within a reasonable time of us asking for it.

6.7 Reasons we may suspend the services. We may have to suspend the services to:
(a) deal with technical problems or make minor technical changes;
(b) update the services to reflect changes in relevant laws and regulatory requirements;
(c) make changes to the services as requested by you or notified by us to you (see clause 5).

6.8 Your rights if we suspend the services. We will contact you in advance to tell you we will be suspending the services, unless the problem is urgent or an emergency. If we have to suspend the services for longer than three months in
any six month period we will adjust the price so that you do not pay for services while they are suspended. You may
contact us to end the contract if we suspend the services, or tell you we are going to suspend them, in each case for
a period of more than three months and we will refund any sums you have paid in advance for services not provided
to you.

6.9 We may also suspend the services if you do not pay. If you do not pay us for the services when you are supposed to (see clause 10.3) and you still do not make payment within 10 days of us reminding you that payment is due, we may
suspend supply of the products until you have paid us the outstanding amounts. We will contact you to tell you we
are suspending supply of the products. We will not suspend the products where you dispute the unpaid invoice (see
clause 10.7). We will not charge you for the services during the period for which they are suspended. As well as
suspending the services we can also charge you interest on your overdue payments (see clause 10.6).

7. Your rights to end the contract

7.1 You can always end the contract before the services have been supplied and paid for. You may contact us at any time to end the contract for the services, but in some circumstances we may charge you certain sums for doing so,
as described below.

7.2 What happens if you have good reason for ending the contract. If you are ending the contract for a reason set out below the contract will end immediately and we will refund you in full for any services which have not been provided
or have not been properly provided. The relevant reasons are:
(a) We have committed a material breach of our obligation(s) and in the case of any such breach which is
capable of remedy, failed to remedy the breach within 10 days of notification of such breach;
(b) we have told you about an upcoming change to the services or these terms which you do not agree to (see
clause 5);
(c) we have told you about an error in the price or description of the services you have ordered and you do
not wish to proceed;
(d) we suspend the services for technical reasons, or notify you that we are going to suspend them for technical
reasons, in each case for a period of more than 2 months;
(e) you have a legal right to end the contract because of something we have done wrong;
(f) we enter into liquidation whether compulsorily or voluntarily otherwise than for the purpose of
amalgamation or reconstruction without insolvency;
(g) we compound or make any arrangements with our creditors; or
(h) we cease, or threaten to cease, to carry on business.

7.3 What happens if you end the contract without a good reason. If you are not ending the contract for one of the
reasons set out in clause 7.2, the contract will end immediately but we may charge you reasonable compensation for
the net costs we will incur as a result of your ending the contract.

8. Our rights to end the contract

8.1 We may end the contract if you break it. We may end the contract at any time by writing to you if:
(a) you do not make any payment to us when it is due and you still do not make payment within seven days
of us reminding you that payment is due;
(b) you do not, within a reasonable time of us asking for it, provide us with information that is necessary for
us to provide the services;
(c) you do not provide internal resources sufficient to enable us to complete the reporting process;
(d) you do not, within a reasonable time, give us access to your property to enable us to provide the services
to you; or
(e) it becomes apparent that we are unable to perform the services in a manner that is consistent with our
social value mission.
To the extent that you do not perform the above responsibilities, we have the option, where appropriate, of
performing those services for you and you agree to pay us an additional amount to reflect our additional services.

8.2 You must compensate us if you break the contract. If we end the contract in the situations set out in clause 8.1(a)-
(d) we will refund any money you have paid in advance for services we have not provided but we may deduct or
charge you compensation for the net costs we will incur as a result of your breaking the contract.

8.3 We may stop providing the services. We may write to you to let you know that we are going to stop providing the
services. We will let you know at least 1 month in advance of our stopping the services and will refund any sums you
have paid in advance for services which will not be provided.

9. If there is a problem with the services

9.1 How to tell us about problems. If you have any questions or complaints about the services, please contact us on the
number set out above.

9.2 Our guarantee. We offer the following goodwill guarantee which is in addition to your legal rights and does not affect
them. In the unlikely event there is any defect with the services:
(a) if remedying the defect is impossible or cannot be done within a reasonable time or without significant
inconvenience to you we will refund the price you have paid for the services.
(b) in all other circumstances we will use every effort to repair or fix the defect free of charge, without
significant inconvenience to you, as soon as we reasonably can and, in any event, within 1 month. If we
fail to remedy the defect by this deadline we will refund the price you have paid for the services.

10. Price and payment

10.1 Where to find the price for the services. The price of the services (which does not include VAT) will be the price we have set out in our Letter of Engagement.

10.2 We will pass on changes in the rate of VAT. If the rate of VAT changes between your order date and the date we
provide the services, we will adjust the rate of VAT that you pay, unless you have already paid for the services in full
before the change in the rate of VAT takes effect.

10.3 Expenses. You will reimburse all reasonable expenses incurred by our employees undertaking services on your behalf
such as travel, accommodation or special printing requirements properly and necessarily incurred in the course of
our services for you. We will submit receipts or other appropriate evidence of payment of these expenses.

10.4 Additional Fees. If, during the course of our services for you, a need for additional services not set out in the Letter
of Engagement is identified, agreement to these additional services will be obtained from you before any expenditure
is incurred.

10.5 When you must pay and how you must pay. The Letter of Engagement will set out our fees. You must pay each
invoice within 30 calendar days after the date of the invoice.

10.6 We can charge interest if you pay late. If you do not make any payment to us by the due date (see clause 10.1) we
may charge interest to you on the overdue amount at the rate of 2 % a year above the base lending rate of Barclays
Bank from time to time. This interest shall accrue on a daily basis from the due date until the date of actual payment
of the overdue amount, whether before or after judgment. You must pay us interest together with any overdue
amount.

10.7 What to do if you think an invoice is wrong. If you think an invoice is wrong please contact us promptly to let us
know. You will not have to pay any interest until the dispute is resolved. Once the dispute is resolved we will charge
you interest on correctly invoiced sums from the original due date.

11. The Portal

11.1 Intellectual Property. The copyright in the material contained in the Portal (save for the products/ outcomes of the
services) and any trademarks and brands included in that material belongs to us or our licensors. We grant to You a
non-exclusive, non-transferable, licence to use such IPR for Your own internal business purposes with a right to sub-licence
such IPR on equivalent terms to an entity within the [company name] Group.

11.1A We assign to You by way of present and future assignment, with full title guarantee and free from all third party
rights, all intellectual property rights and all other rights in the products and /or outcomes of the services.

11.1B We will, promptly at Your request, do (or procure to be done) all such acts and things and the execution of all such
other documents as You may from time to time require for the purpose of securing for You the full benefit of the
Agreement, including right, title and interest in and to the intellectual property rights and all other rights assigned to
You in accordance with clause 11.1A.

11.2 Accuracy of Information. We will use reasonable endeavours to ensure that the information available on the Portal
is, at all reasonable times, accurate. We will use all reasonable endeavours to correct errors and omissions as quickly
as practicable after becoming aware or being notified of the same.

11.3 Changes to the Portal. We may also change, suspend or discontinue any aspect of the Portal, including the availability
of any features, information, database or content or restrict access to parts or all of the portal without notice or
liability.

12. Our responsibility for loss or damage suffered by you

12.1 We are responsible to you for foreseeable loss and damage caused by us. If we fail to comply with these terms, we
are responsible for loss or damage you suffer that is a foreseeable result of our breaking this contract or our failing
to use reasonable care and skill, but we are not responsible for any loss or damage that is not foreseeable. Loss or
damage is foreseeable if either it is obvious that it will happen or if, at the time the contract was made, both we and
you knew it might happen, for example, if you discussed it with us during the sales process.

12.2 We do not exclude or limit in any way our liability for the following:
(a) death or personal injury caused by our negligence or the negligence of our employees, agents or
subcontractors;
(b) for fraud or fraudulent misrepresentation;
(c) for breach of your legal rights in relation to the services;
(d) for Our liability under clause 13 (data protection).

12.3 Total Liability. Subject to clause 12.2, Our total liability to you in respect of all other losses arising under or in
connection with the services, whether in contract, tort (including negligence), breach of statutory duty, or otherwise,
shall in no circumstances exceed the fees received from you.

12.4 We are not liable for business losses. We will have no liability to you for any loss of profit, loss of business, business
interruption, or loss of business opportunity.

13. Data Protection
For the purposes of this clause, the following terms will have the definitions set out below:
“Data” has the meaning given in the Data Protection Legislation and more specifically means data as described in
Appendix 1 to be made available by the Controller to the Processor for the purposes of providing the services;
“Data Controller” means the Customer as per the definition in the Data Protection Legislation;
“Data Processor” means the Supplier as per the definition in the Data Protection Legislation;
“Data Protection Legislation” means, for the periods in which they are in force in the United Kingdom, the Data
Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000,
the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the
Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC
Directive) Regulations 2003, the GDPR and all applicable Laws and regulations relating to processing of personal data
and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner,
in each case as amended or substituted from time to time;
“Data Subject” has the meaning given to it by the Data Protection Legislation;
“GDPR” means (a) the General Data Protection Regulations (Regulation (EU) 2016/679) which comes into force on
25 May 2018; and (b) any equivalent legislation amending or replacing the General Data Protection Regulations
(Regulation (EU) 2016/679);
“Personal Data” has the meaning as set out in the Data Protection Legislation which forms part of the Data;
“Personal Data Breach” has the meaning as set out in the Data Protection Legislation;
“Processing” has the meaning as set out in the Data Protection Legislation and “Process” and “Processed” shall be
construed accordingly;
“Special Categories of Personal Data” means Sensitive Personal Data or Special Categories of Personal Data, as
defined in the Data Protection Legislation, which is Processed by the Data Processor on behalf of the Data Controller
pursuant to or in connection with the Agreement;

13.1 Both parties shall duly observe all their obligations under the Data Protection Legislation which arise in connection
with the contract and shall not perform their obligations in such a way as to cause the other party to breach any of
its obligations under the Data Protection Legislation.

13.2 With respect to the parties’ rights and obligations under the contract, the Parties agree that [company name] Group
is the Data Controller and that Social Value Portal Limited is the Data Processor.

13.3 The Data Controller shall not disclose any Personal Data to the Data Processor save where it is lawful and in a form
which is lawful.

13.4 The subject-matter and duration of the Processing, nature and purpose of the Processing, types of Personal Data,
and categories of Data Subjects are set out in Appendix 1 to these Terms and Conditions.

13.5 The Data Controller may make reasonable amends to Appendix 1 by written notice to the Data Processor from time
to time as the Data Controller considers necessary to meet the requirements of the Data Protection Legislation.

13.6 The Processor agrees to only Process the Data in accordance with these Terms and Conditions and, subject to the
overriding requirements of Data Processing Legislation, undertakes to:

13.6.1 only process the Personal Data for and on behalf of the Controller, strictly in accordance with the written
instructions of the Data Controller, unless the Processing is required by applicable laws to which the Data
Processor is subject, in which case the Data Processor shall to the extent permitted by such applicable laws
inform the Data Controller of that legal requirement before Processing;

13.6.2 ensure that any personnel with access to Personal Data are subject to a duty of confidentiality (whether
contractual or statutory) and ensure that access is strictly limited to those individuals who need to know/access
the Personal Data;

13.6.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes
of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons,
the Data Processor shall, in relation to the Personal Data, implement appropriate technical and organisational
measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred
to in Article 32(1) of the GDPR;

13.6.4 only engage Sub-Contractors with the prior written consent of the Data Controller and under a written contract,
imposing the same data protection obligations as set out in the Agreement, remaining liable to the Data
Controller for compliance of any Sub-Contractor engaged and informing the Data Controller of any changes
concerning the addition or replacement of Sub-Contractors giving the Data Controller sufficient opportunity to
object to such changes;

13.6.5 assist the Data Controller by appropriate technical and organisational measures, insofar as possible, for the
fulfilment of the Data Controller’s obligations to respond to requests for exercising the Data Subject’s rights laid
down in the Data Protection Legislation;

13.6.6 notify the Data Controller within five (5) Working Days if it receives a request from a Data Subject under the Data
Protection Legislation in respect of the Personal Data and not respond to any such request without the written
authorisation of the Data Controller or as required by the Data Protection Legislation to which the Data Processor
is subject but only after informing the Data Controller of such legal requirement before responding to the
request;

13.6.7 notify the Data Controller without undue delay, and at least within 48 hours, upon becoming aware of a Personal
Data Breach, providing the Data Controller with sufficient information to allow it to meet its obligations under
the Data Protection Legislation and to enable the Controller to report the breach to the Information
Commissioner’s Office within the 72 hour deadline imposed by the GDPR and assist the Data Controller, as
directed, in the investigation, mitigation and remediation of such Personal Data Breach;

13.6.8 assist the Data Controller in ensuring compliance with the obligations pursuant to the Data Protection Legislation
taking into account the nature of the Processing for the purposes of the Agreement and the information available
to the Data Processor, including but not limited to those obligations relating to (a) security of processing; (b)
notification of a Personal Data Breach to the Information Commissioner’s Office; (c) communication of a Personal
Data Breach to the Data Subject; and (d) Data Protection impact assessments and any subsequent consultations
with the Information Commissioner’s Office;

13.6.9 on the expiry or termination of the Agreement, promptly upon request from the Data Controller (at the Data
Controller’s discretion) either: (a) return all Personal Data to the Data Controller and delete all existing copies,
or procure such deletion; or (b) securely destroy such Personal Data, unless an applicable law requires storage
of the Personal Data but only to the extent and for such period as required by such law;

13.6.10 notify the Data Controller of the deletion of Personal Data in accordance with Clause 1.6.9 within 21 days of the
expiry or termination of the Agreement;

13.6.11 not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the
Data Controller;

13.6.12 make available to the Data Controller on request all information necessary to demonstrate compliance with the
Data Protection Legislation, and allow for and contribute to audits, including inspections, by the Data Controller
or an auditor mandated by the Data Controller including to permit the Data Controller or its external advisers
(subject to reasonable and appropriate confidentiality undertakings) to inspect and audit the Data Processor’s
data processing activities and those of its agents, subsidiaries and sub-contractors and comply with all
reasonable requests or directions by the Data Controller to enable the Data Controller to verify and procure that
the Data Processor is in full compliance with its obligations under the Agreement.

13.7 The Data Processor shall, at all times during and after the term of the Agreement, indemnify the Data Controller and
keep the Data Controller indemnified against all losses, damages, costs or expenses and other liabilities (including
legal fees) incurred by, awarded against or agreed to be paid by the Data Controller arising from any breach of the
Data Processor’s obligations under this clause except and to the extent that such liabilities have resulted directly
from the Data Controller’s instructions.

13.8 The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its expiry or
termination.

14. Other important terms

14.1 You may only transfer your rights under our guarantee to someone else. You may only transfer your rights or your
obligations under these terms to another person with our written consent. We may withhold our consent.

14.2 Nobody else has any rights under this contract. This contract is between you and us. Save for [company name] Group
(as defined in the Letter of Engagement), no other person shall have any rights to enforce any of its terms. Neither
of us will need the consent of any person acquiring rights under our guarantee to end the contract or make any
changes to these terms.

14.3 Notices. Any notice or other communication given by us or you shall be in writing, addressed to us or you at the
registered office (if it is a company) or its principal place of business (in any other case) or such other address as we
or you may have specified in writing, and shall be delivered personally or sent by prepaid first-class post or other
next working day delivery service, or by commercial courier, or e-mail. A notice or other communication shall be
deemed to have been received: if delivered personally, when left at the address referred to in the Letter of
Engagement; if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second
business day after posting; if delivered by commercial courier, on the date and at the time that the courier’s delivery
receipt is signed; or, if sent by e-mail, on the sending of the e-mail.

15. Exclusive Terms. These terms apply to the Agreement to the exclusion of any other terms that you may seek to
impose or incorporate, or which are implied by trade, custom, practice or course of dealing.

15.1 If a court finds part of this contract illegal, the rest will continue in force. Each of the paragraphs of these terms
operates separately. If any court or relevant authority decides that any of them are unlawful, the remaining
paragraphs will remain in full force and effect.

15.2 Even if we delay in enforcing this contract, we can still enforce it later. If we do not insist immediately that you do
anything you are required to do under these terms, or if we delay in taking steps against you in respect of your
breaking this contract, that will not mean that you do not have to do those things or prevent us taking steps against
you at a later date. For example, if you miss a payment and we do not chase you but we continue to provide the
services, we can still require you to make the payment at a later date.

15.3 Dispute Resolution. Any and all disputes relating to this Agreement and/or the subject matter of it shall in the first
instance be referred to the parties’ contract managers for resolution. Upon such referral the contract managers shall
meet within 5 days of such referral to resolve the issue. If the contract managers cannot resolve the issue within 5
days of their meeting, the matter shall be referred to the parties’ senior management for resolution. If the Senior
Managers cannot resolve the issue within 10 days of their meeting over it, the parties shall be free to refer the matter
to mediation or other alternative dispute resolution procedure.

15.4 Which laws apply to this contract and where you may bring legal proceedings. These terms are governed by English
law and you can bring legal proceedings in respect of the services in the English courts.

APPENDIX 1: DATA PROCESSING

This Appendix includes certain details of the Processing of Personal Data as required by the Data Protection Legislation.

1 THE SUBJECT-MATTER AND DURATION OF THE PROCESSING

1.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist
of:

1.1.1 Subject Matter: the provision of services to [company name] Group by the Social Value Portal Limited, as
set out in the Letter of Engagement.

1.1.2 Duration of the Processing: the duration of the processing shall be for the term designated under the
agreement between the Social Value Portal Limited and [company name] Group.

2 THE NATURE AND PURPOSE OF THE PROCESSING

2.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist
of:

2.1.1 The Social Value Portal will process the Personal Data for the purposes of providing services to [company
name] Group, as set out in our Letter of Engagement.

3 THE TYPES OF PERSONAL DATA TO BE PROCESSED

3.1 The types of Personal Data that shall be processed in accordance with this Agreement will be:

3.1.1 The Personal Data that shall be processed in accordance with this Agreement shall include names,
telephone numbers, email addresses, job titles.

4 CATEGORIES OF DATA SUBJECTS TO WHOM PERSONAL DATA RELATES

4.1 The categories of individuals whose Personal Data is processed in accordance with this Agreement will be: Employees

5 SECURITY MEASURES

5.1 The Processor shall implement and maintain adequate security measures to standards no less than those
imposed on the Controller under the Data Protection Legislation whilst it continues to Process the Data on behalf
of the Controller, such measures shall include (but not be limited to):

5.1.1 Encryption: Data is encrypted as part of the cloud computing service sub-contracted to Salesforce.com.
This service uses industry-accepted encryption products to protect customer data and communications
during transmissions between a customer’s network and Salesforce, including 128-bit TLS Certificates
and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during
transmission between data centres for replication purposes. All Personal Data is processed through
Salesforce.

5.1.2 Backup: All data submitted to the Salesforce platform is automatically replicated on a near real-time
basis to a secondary data centre site and is backed up on a regular basis and stored on backup media for
an additional 90 days, after which it is securely overwritten or deleted. Any backups are verified for
integrity and stored in the same data centres as their instance. At the Social Value Portal we maintain a
weekly backup of data, stored securely with access permissions limited to key personnel. We have a
policy of not moving commercially sensitive data on removable media.

5.1.3 Resilience: All Salesforce networking components, network accelerators, load balancers, web servers and
application servers are configured in a redundant configuration. All Customer Data submitted to
Salesforce is stored on a primary database server with multiple active clusters for higher availability. All
Customer Data submitted to Salesforce is stored on highly redundant carrier-class disk storage and
multiple data paths to ensure reliability and performance. The Salesforce development environment
provides various protections against malicious code which are implemented in the Social Value Portal
application, such as user timeout values, session locking to specific domains, clickjack protection.

5.1.4 Disaster recovery: The Salesforce platform supports disaster recovery with a dedicated team and a 4
hour recovery point objective (RPO) and 12 hour recovery time objective (RTO). The Social Value Portal
maintains a Business Continuity Plan outlining business risks, detailing the impact and response to any
disruption, and appropriate recovery strategies.

5.1.5 Incident notification: Incident detection and response is part of the security procedures that are
incorporated into Salesforce standard practices. Salesforce also uses independent security service
providers to analyze and monitor the product for potential security issues. Salesforce maintains security
incident management policies and procedures, and will promptly notify their customers of any actual or
reasonably suspected unauthorized disclosure of their respective data. In the event of a disruption or
other incident, we would notify our customers directly by email based on our customer prioritisation
categories.

6 RECIPIENTS OF PERSONAL DATA

6.1 The Data Controller hereby consents to the Data Processor sub-contracting the following elements of the services:

6.1.1 SALESFORCE.COM EMEA LIMITED, Company Number: 05094083, Floor 26 Salesforce Tower, 110
Bishopsgate, London, United Kingdom, EC2N 4AY and providing the following services: cloud computing
storage, security and processing. This will include data transfers outside of the European Economic Area
(EEA) as required for cloud storage, where data centres (including primary and/or secondary locations)
are located in various secure locations globally.