Master Terms

1.1 In this Agreement, unless the contrary intention appears:

‘Agreement’ means this Agreement, formed by each of the documents listed in the Service Contract as agreed and executed between the Provider and the Client, and including any additional Services Schedules added to the Agreement by the parties from time to time.

‘Authorised Representative’ means a director of the Provider or the Client (as the context requires), or any person appointed by the Provider or Client with authority to make decisions binding on the Provider or the Client in respect of this Agreement.

‘Business Days’ means Monday to Friday of each week, excluding public holidays.

‘Commencement Date’ means the date this Agreement is signed by the Client.

‘Confidential Information’ means any information in any form whatsoever (including oral, written, and electronic information) of a personal, technical, business, corporate or financial nature of a Party that has either been marked as confidential or due to its character or nature, or manner of its disclosure, a reasonable person would consider to be confidential. Without limitation, confidential information of the Client includes Client Data and confidential information of the Provider includes the personnel, policies and business strategies of the Provider and the terms of this Agreement.

‘Service Contract’ means the document titled Service Contract executed by both Parties specifying details of each Party and the documents forming this Agreement.

‘Client Data’ means all data and information, and all rights in such data and information, associated with the Client that is entered, stored, generated, processed, handled, transmitted, hosted or dealt with through, or in the course of providing, the Services.

‘Client Material’ means any material that the Client supplies to the Provider in order for the Provider to properly supply the Services, in which the Client owns or is licensed to use Intellectual Property Rights.

‘Emergency Interruption’ means a disruption or suspension of any Services immediately necessary to maintain the integrity, security, safety or quality of any part of the Services for Client or any other client of the Provider.

‘Intellectual Property Rights’ means all intellectual property rights, including:

(a) patents, copyright, rights in circuit layouts, registered designs, trademarks and the right to have confidential information kept confidential; and

(b) any application or right to apply for registration of any of those rights.

‘Information Security Management System’ (ISMS) means a set of procedures, systems and controls in place for managing information security within an organisation.

‘Provider Material’ means any material in which Intellectual Property Rights exist, created, written or otherwise brought into existence by or on behalf of the Provider in the course of, or in connection with, the supply of Services, or material used by the Provider in the course of supplying Services in which the Provider owns, or is licensed to use, the Intellectual Property Rights.

‘Force Majeure’ means a circumstance beyond the reasonable control of the Parties which results in a Party being unable to observe or perform on time an obligation under this Agreement. Such circumstances will include but will not be limited to natural disasters, acts of war, terrorism, civil commotion, industrial action, governmental orders or interventions, epidemics or pandemics, malicious software or hardware attack or failure of third-party suppliers.

‘Master Terms’ means these Master Terms and Conditions.

‘Non-excludable Condition’ means an implied condition or warranty the exclusion of which from a contract would contravene any statute (including the Competition and Consumer Act 2010 (Cth)) or cause any part of this Agreement to be void.

‘Party’ means either the Provider or the Client as the context dictates and ‘Parties’ means both of them.

‘Provider’ means the ASIC registered Australian Private Company Cloud Earth Pty Ltd with ACN 155 516 199 and ABN 97 155 516 199 that was first registered in New South Wales in 2012. Notwithstanding that a Service Contract or Services Schedule may refer to a registered business name of Cloud Earth, as recorded in the Australian Business Registry, the legal contractual obligations entered into through this Agreement are appropriately obligations entered into by Cloud Earth Pty Ltd as the legal entity.

‘Related Body Corporate’ has the meaning given to that term in the Corporations Act 2001 (Cth).

‘Service Credit’ means a credit amount, such as a rebate, expressed in dollars, which may be issued by the Provider from time to time in accordance with a Services Schedule, which the Provider will set off against Services Fees that the Client would otherwise be obliged to pay to the Provider under this Agreement.

‘Scheduled Interruption’ means a disruption or suspension of any Services in respect of which the Provider has given notice to the Client, including for maintenance or improvement to any Services.

‘Services’ means the services that the Provider will supply under this Agreement, as specified in any Services Schedule to this Agreement (including any Services Schedule added to this Agreement by the parties from time to time).

‘Services Schedule’ means a document that specifies the details of the services that the Provider will supply to the Client under this Agreement and includes Services Schedule Terms.

‘Services Schedule Terms’ means terms and conditions included in a Services Schedule that apply to the supply of the services specified in that Services Schedule, and are incorporated in this Agreement.

‘Services Fees’ means the fee or fees specified in a Services Schedule for the supply of the Services under that Services Schedule.

‘Service Level Targets’ means targets (if any) for the Provider in respect of the way in which the Provider will supply certain Services, that are specified in a Services Schedule.

‘Tax’ means any and all taxes (including GST), duties and other charges imposed or levied by any authority in connection with the Services.

‘Third Party Product’ means any product (including any hardware, software or material) resold or resupplied to the Client by the Provider, that incorporates the Intellectual Property Rights of a third party, where the Client’s right to use such Intellectual Property Rights is granted by the manufacturer or distributor of the product.

1.2 In this Agreement, unless the contrary intention appears:

(a) clause headings are for ease of reference only and will not be relevant to interpretation;

(b) words in the singular number include the plural and vice versa;

(c) words importing a gender include any other gender;

(d) a reference to a person includes bodies corporate and unincorporated associations and partnerships;

(e) a reference to a clause in these Master Terms is a reference to a clause of these Master Terms;

(f) a reference to a clause in a Services Schedule is a reference to a clause of that Services Schedule;

(g) where a word or phrase is given a particular meaning, other parts of speech and grammatical forms of that word or phrase have corresponding meanings; and

(h) monetary references are references to Australian currency, unless otherwise stated.

2. Duration

2.1 This Agreement will commence on the Commencement Date and will continue in force until terminated in accordance with these Master Terms.

3. Services

3.1 On and from the Commencement Date or as soon thereafter as is commercially practical, the Provider will make reasonable commercial efforts to provide the Services in accordance with this Agreement (but for the avoidance of doubt, if a date that is later than the Commencement Date for the start of supply (or intended start of supply) of any Service is specified in a Service Schedule, the supply of the relevant Service will not commence until on or after that date).

3.2 During the term of this Agreement, the Provider will provide the Services:

(a) in accordance with the specification of the Services in any Services Schedule as agreed and executed between the Provider and the Client;

(b) with appropriate care and skill;

(c) in a safe and commercially efficient manner; and

(d) in compliance with all applicable laws, regulations, standards, awards and agreements that apply to the Provider.

3.3 The Client acknowledges that the Provider will not be in breach of any obligation under this Agreement to the extent the Provider’s inability to meet that obligation was caused or contributed to by any Scheduled Interruption or Emergency Interruption or the failure of any third-party equipment or service, including those used by a supplier to the Provider.

3.4 The Client agrees that it must:

(a) not interfere with the normal operation of the Services or any equipment used in the provisioning of the Services;

(b) if required, allow the Provider or any of the Provider’s third-party suppliers safe, sufficient and timely access to any premises as required in connection with the provision, maintenance, repair, de-commissioning and removal of any Services or any equipment used in the provision of any Services;

(c) permit the Provider or any of the Provider’s third-party suppliers to modify any equipment used in the provision of any Services where the Provider considers such modifications to be necessary or desirable.

3.5 The Parties acknowledge that the type and scope of any Services to be supplied under a Services Schedule may change during the term of this Agreement, and accordingly any Services Schedule may be varied at any time, provided that such variation to the schedules is:

(a) in writing;

(b) specifies any change to the Services Fee;

(c) accepted by an authorised representative of both the Client and the Provider; and

(d) specifies the date from which the varied Services are to be supplied and any increased Services Fee will apply.

3.6 The Parties may agree to add further Services Schedules to this Agreement at any time, by execution of such additional Services Schedule by an authorised representative of each Party. Any such additional Services Schedule will be incorporated into this Agreement.

3.7 At any time after the expiry of any fixed term for the supply of Services under a Services Schedule, the Provider may vary any Services Fee under such Services Schedule:

(a) where the variation is required to reflect an increase in fees the Provider must pay to any third-party supplier, immediately from when the third-party supplier increases its fees, provided that the Provider must provide notice of the amended Services Fees as soon as reasonably practical; and

(b) otherwise, at any time by giving the Client 30 days’ notice in writing.

4. Service Level Targets

4.1 Subject to clause 4.2, the Provider will make reasonable efforts to attain any applicable Service Level Targets.

4.2 The Client acknowledges that the Provider will not have failed to reach a Service Level Target (and no Service Credit will be due) if the Provider is delayed in meeting any timeframe or other requirement under this Agreement to the extent caused by:

(a) an act or omission of the Client or any third party acting under the direction of the Client (including the Client’s subcontractors);

(b) any failure of any equipment or system that is not owned or operated by the Provider; or

(c) any Scheduled Interruption or Emergency Interruption or the failure of any third-party equipment or service, including any equipment or service of a supplier to the Provider, or the failure of any equipment owned or operated by the Client affecting the Services to which the relevant Service Level Target relates.

4.3 The Provider will not breach this Agreement solely because it fails to achieve a Service Level Target.

4.4 Without limiting clause 4.2, the Client acknowledges that the Provider will have no responsibility or liability under the Agreement, including under any Services Schedule, to the Client to the extent that the supply of any Services is prevented, disrupted or otherwise affected by any software or hardware installed or configured by the Client or any other person prior to the commencement of the Services or at any time after the start of the Services without the express approval of the Provider.

4.5 If the Client considers that the Provider has failed to meet any Service Level Target, and if pursuant to the applicable Service Schedule a Service Credit may be due to the Client as remedy for such failure, the Client must request in writing the issuing of such Service Credit within 7 days of the date on which the failure occurred, and must include in that request details of the time at which the failure occurred, and the duration of the failure. The Client agrees that should a request not be made within this timeframe, the Provider has no obligation to issue any Service Credit to the Client.

4.6 The Client acknowledges that if, pursuant to any Services Schedule, any Service Credit is granted to the Client (or would have been granted had the Client requested such Service Credit in accordance with clause 4.5) by the Provider in connection with any failure to achieve a Service Level Target, that Service Credit is the Client’s sole and exclusive remedy in respect of the failure to achieve the Service Level Target in respect of which the Service Credit is granted, and the Client will have no further right or claim against the Provider or any third party supplier of the Service in connection with such failure.

5. Charges and payment

5.1 On and from the Commencement Date, the Provider will charge the Client the Services Fees for the supply of the Services. However, for the avoidance of doubt, if a date for the start of supply (or intended start of supply) of any Service is specified in a Service Schedule such that the relevant Service supply date is later than the Commencement Date, Service Fees for the supply of the relevant Service will not commence until on or after that date.

5.2 If the Client requests that the Provider supply any services that are outside the scope of services the Provider is normally required to supply under a Services Schedule, the Provider may charge an additional amount for those services at the Provider’s standard rates, and may further charge the Client for any additional costs incurred by the Provider in supplying those services, including for engaging additional human or technical resources in order to meet the Client’s requirements.

5.3 The Provider will issue an invoice for all Services Fees and any additional costs incurred in accordance with clause 5.2 above. This may be issued in advance, monthly in arrears or as otherwise advised by the Provider. Subject to clauses 5.5 and 5.6, each invoice must be paid in full within 14 days from the date it is issued.

5.4 The Services Fee and any additional costs are exclusive of any Taxes and the Client must pay any such Taxes applied to any invoice, or otherwise upon request.

5.5 If the Provider has issued any Service Credit to the Client, then the Provider will set off the value of the Service Credit against any Services Fees invoiced to the Client, and the Provider will accept that Service Credit as payment for the value of the Services Fees set off, provided that:

(a) any Services Credit is able to be applied to Service Fees due within 90 days of the day on which the Service Credit is issued (and if no Service Fees are due within that time, that Service Credit will expire and become void and the Provider will have no liability to the Client in respect of that void Service Credit); and

(b) Services Credit may not be redeemed for cash or otherwise claimed or redeemed against the Provider or any other person or entity.

5.6 If the Client disputes the whole or any portion of an amount claimed in an invoice submitted by the Provider, the Client will pay the portion of the amount stated in the invoice which is not in dispute and will notify the Provider in writing (which notice must be given within seven days of receipt of the invoice, and if such notice is not given, the full amount of the invoice must be paid without further dispute) of the reasons for disputing the remainder of the invoice. Following consideration of the Client’s notice, if the Provider reasonably resolves that some or all of the amount in dispute ought properly to have been paid at the time it was invoiced, then the Client will immediately pay the amount due.

5.7 To support vulnerable clients, the Provider will arrange a payment plan that aligns with the Telecommunications (Financial Hardship) Industry Standard 2024. Clients that meet set criteria may request assistance under the Provider’s Financial Hardship Assistance Policy. This policy is available on request and on the Provider’s website. It outlines eligibility criteria, the process for applying for financial hardship assistance, available options for support, and how to initiate a payment plan arrangement. Upon receiving a request for financial hardship assistance, the Provider will work collaboratively with eligible Clients to identify suitable payment solutions. Any arrangements made under the Financial Hardship Assistance Policy will be documented, and the Client will be provided with a clear outline of the terms of the arrangement, including any modifications to payment schedules or amounts due. The Provider will work with the Client to find a path forward that respects the client’s circumstances, while upholding the terms of our service agreement.

5.8 The Parties acknowledge that invoicing errors may occur, and that corrections will be made when identified. If the Services rendered during the term of this Agreement have not been invoiced, the Provider reserves the right to invoice for the Services at any time, including after the Agreement has ended. The Client agrees to notify the Provider if they identify that any services provisioned have not been invoiced. This will prevent the Client accumulating debt to the Provider. Clients are obliged to pay all invoices relating to the Services received under the terms of this Agreement. Any disputes or financial hardship concerns may be addressed in accordance with subclauses 5.6 and 5.7.

6. Intellectual Property Rights

6.1 Unless explicitly stated otherwise in a Services Schedule, the Client acknowledges that all rights to use Intellectual Property Rights in Third Party Products are granted to the Client directly by the original developer or distributor of that Third Party Product and the Provider will have no liability to the Client in connection with any claim by any third party against the Client that the Client’s use of the Third Party Products constitutes an infringement of any third party’s Intellectual Property Rights.

6.2 All Intellectual Property Rights in the Provider Material are the exclusive property of the Provider or its licensors, and unless explicitly stated otherwise in a Services Schedule, nothing in this Agreement assigns or vests any Intellectual Property Rights in the Provider Material to the Client or any other person. For the avoidance of doubt, any material created by the Provider in the course of supplying the Services, including any adaptation or modification of any existing material, will on creation be deemed the Provider Material.

6.3 The Provider grants a non-exclusive, royalty free licence to use the Provider Material solely for the purpose of, and to the extent required to, enjoy the benefit of the Services. For the avoidance of doubt, the Client may not adapt, modify, reproduce or sub-licence the Provider Material without the express written approval of the Provider.

6.4 The Client grants to the Provider a non-exclusive worldwide licence to use, reproduce, modify and adapt the Client Material for the purpose of, and to the extent necessary for, the supply of Services.

6.5 Subject to clauses 6.6 and 6.7, the Provider will indemnify the Client against liability under any final judgement or settlement in proceedings brought by a third party against the Client which determine that the Client’s use of the Provider Material constitutes an infringement in Australia of any of the third party’s Intellectual Property Rights.

6.6 The Provider will not be required to indemnify the Client as provided in clause 6.5 unless the Client:

(a) notifies the Provider in writing as soon as practicable of any infringement, suspected infringement or claim alleging infringement;

(b) gives the Provider the option to conduct the defence of such a claim including negotiations for settlement or compromise prior to the institution of legal proceedings;

(c) provides the Provider with reasonable assistance in conducting the defence of such a claim; and

(d) permits the Provider to modify, alter or substitute the infringing part of the Provider Materials at its own expense in order to avoid continuing infringement, or authorises the Provider to procure for the Client the authority to continue the use and possession of the infringing Provider Materials.

6.7 The Provider will not indemnify the Client to the extent that an infringement, suspected infringement or alleged infringement arises from:

(a) use of software or any other goods or services provided by any third party;

(b) without limiting paragraph (a), use of the Provider Materials in combination by any means and in any form with other goods or services not specifically approved by the Provider;

(c) use of the Provider Materials in a manner or for a purpose not reasonably contemplated or not authorised by the Provider;

(d) modification or alteration of the Provider Materials without the prior written consent of the Provider;

(e) any transaction entered into by the Client relating to the Provider Materials without the Provider’s prior consent in writing; or

(f) an act or omission of the Client (including any of its representatives) or any third party (other than one acting under the direction of the Provider).

6.8 The Client will indemnify the Provider against any losses, costs, expenses, demands or liability, whether direct or indirect, arising out of a claim by a third party against the Provider alleging infringement of any of that third party’s Intellectual Property Rights if and to the extent:

(a) the claim relates in any way to the Client Material;

(b) the claim arises from an event specified in clause 6.7; or

(c) the ability of the Provider to defend the claim has been prejudiced by the failure of the Client to comply with any requirements of clause 6.6.

7. Confidentiality

7.1 A Party will not, without the prior written approval of the other Party, disclose the other Party’s Confidential Information.

7.2 A Party will not be in breach of clause 7.1 in circumstances where it is legally compelled to disclose the other Party’s Confidential Information.

7.3 Each Party will take all reasonable steps to ensure that its employees and agents, and any sub-contractors engaged for the purposes of this Agreement, do not make public or disclose the other Party’s Confidential Information, except where reasonably necessary to fulfill its obligations under this Agreement.

7.4 Notwithstanding any other provision of this clause, the Provider may disclose the terms of this Agreement to its Related Bodies Corporate, solicitors, auditors, insurers and accountants.

7.5 This clause will survive the termination of this Agreement.

8. Limited License for Client Data Usage

8.1 The Provider acknowledges that at all times, Client Data shall remain the sole and exclusive property of the Client. This recognition extends to all forms of data provided by the Client under this agreement.

8.2 Recognising the necessity for the Provider to handle, use and transmit Client Data in order to deliver the Services, the Client grants the Provider a non-exclusive, non-transferable license to use, reproduce, modify, and communicate Client Data, strictly to the extent necessary for executing the Services outlined in this Agreement. This license is constrained to operational necessity, including but not limited to, providing, managing, and enhancing the Services, and adhering to applicable regulatory requirements. The Provider is authorised to sublicense these rights to third-party suppliers under the same conditions, solely for purposes directly related to the provision of Services. The Provider ensures adherence to data minimisation and purpose limitation principles to protect Client Data, in compliance with the Telecommunications Act 1997, Privacy Act 1998 and other relevant Australian law.

8.3 Notwithstanding anything else in this Agreement, including if the supply of Services is suspended in accordance with clause 12, the Provider commits to ensuring Client access to their data stored by the Provider prior to termination of this Agreement. The Provider reserves the right to charge a reasonable fee for the provision of Client Data in such instances.

8.4 The Client recognises that, following the termination of this Agreement or any Service Schedule, the Provider is under no obligation to maintain or store any Client Data unless specified under applicable laws or regulations.

8.5 The Client is solely responsible for ensuring that Client Data complies with all relevant laws, including but not limited to privacy and intellectual property laws of any applicable jurisdiction.

8.6 The Client acknowledges that the Provider may, under law, be required to disclose Client Data to regulatory authorities, such as for law enforcement, regulatory compliance or national security purposes. In such legally mandated situations, the Provider will, where legally authorised to do so, notify and consult with the Client in order to ensure that the required information is disclosed consistent with the authorising warrant or direction, while minimising any adverse impact of such disclosures.

8.7 The Client shall indemnify and hold the Provider harmless from any direct or indirect losses, damages, expenses, claims, demands, actions, and proceedings arising from third-party claims related to Client Data, including but not limited to, breaches of law or claims of intellectual property infringement, to the extent not caused by the Provider’s actions.

9. Information Security, Privacy, Risk Management and Compliance

9.1 Both Parties shall comply with all relevant data protection laws and regulations applicable to their processing of personal and security-related data under this Agreement.

9.2 Both Parties agree to manage data collection, processing, storage, transfer, and destruction in accordance with their respective Information Security Management Systems (ISMS).

9.3 Each Party agrees to process the other Party’s data only for the purposes defined in this Agreement and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including to take reasonable and appropriate measures to protect data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

9.4 Both parties commit to conducting regular data protection or cybersecurity training for any of their employees who handle personal and security-related data under this Agreement, or use the Services supplied through this Agreement, appropriately targeted towards their role and function with respect to the use or delivery of the data or Services. This training will cover obligations under this Agreement and under applicable data privacy laws and will aim to ensure awareness and understanding of these obligations among their employees.

9.5 The Provider is dedicated to delivering services under this Agreement in a manner that aligns with good information security practices, as guided by the International Standard ISO/IEC 27001 ‘Information security, cybersecurity and privacy protection – Information security management systems’. This commitment by the Provider is subject to an ongoing process of continual improvement and regular review of its ISMS.

(a) As part of their commitment to maintaining high information security standards, the Provider will undergo an independent audit for ISO/IEC 27001 certification in 2024. Following this, the Provider will engage in necessary internal and external audits as may be required for compliance with the standard throughout the life of this Agreement.

(b) In addition, the Provider commits to conduct an annual internal audit of its own operations in line with Australian Cyber Security Centre’s Essential Eight Maturity Model to demonstrate the cybersecurity of its operations.

(c) The Provider agrees to produce any final audit reports conducted for 9.5 (a) or (b) to any independent auditor engaged under clause 9.8 of this Agreement.

9.6 The Provider may identify and communicate concerns regarding the Client’s cybersecurity practices during the delivery of Services under this Agreement. These concerns may pertain to practices that could potentially compromise the security of both the Services being provided and the Provider’s own systems. The Provider may, at its sole discretion, suggest solutions to prevent or mitigate these cybersecurity risks.

(a) Upon receiving such advisories, the Client commits to promptly address and rectify the identified issues within a mutually agreed timeframe. This commitment includes collaborating with the Provider to implement necessary controls and measures to mitigate the identified cybersecurity risks.

(b) In situations where the Client fails to implement the recommended security measures or controls, this will be taken into account when determining responsibility in the event of any cyber security incident related to the Services provided under this Agreement. The assessment of responsibility will consider the impact of the Client’s actions or inaction on the security breach.

(c) Nothing in this Agreement commits the Provider to provide cybersecurity advice over and above the Services specified in the relevant Services Schedules, as the Provider may do so at their sole discretion.

9.7 In the event of a data breach affecting the other Party to this Agreement or giving rise to cyber security risks that are likely to adversely impact the other Party, the Party that has identified the breach shall notify the other Party within 48 hours after becoming aware of the breach. The notification shall include details about the nature of the breach, the types of information concerned that relate to the other Party to this Agreement, the likely risks for the Client (if known), and any measures taken or proposed to address the breach, whether to be undertaken by the Client or the Provider.

9.8 The Client may request to audit the Provider’s compliance with data security and privacy obligations under this Agreement. Such audits shall be conducted by an agreed-upon auditor and will maintain appropriate confidentiality for other clients of the Provider. The audit will be restricted to assessing those areas of the Provider’s operations that are directly relevant to the services provided under this Agreement.

(a) The Provider may satisfy this requirement by providing recent third-party audit reports or compliance certifications where relevant to the audit requirements. All audits shall be conducted under strict confidentiality and scheduled at least four weeks in advance to minimise disruption to the Provider’s operations and service delivery responsibilities (not limited to those delivered under this Agreement) and so that the Provider may assign appropriate personnel to support the audit.

(b) The Provider commits to cooperate proactively with any audit being conducted under this clause and to correct any issues identified within an agreed timeframe in accordance with the auditors’ recommendations.

(c) The Provider reserves the right to recover reasonable costs involved in conducting activities associated with audits that have been requested by, or on behalf of, the Client under this Section. Such costs will be recovered at the agreed hourly rate for technical support set out in the relevant Services Schedule. This may be done by an agreed estimation of costs or on a time and materials basis.

(d) Where additional security controls, equipment upgrades or process changes are recommended by the auditor above what was expressly agreed to be delivered as part of the Services set out under this Agreement, the Provider will provide a quote to the Client setting out the costs of implementing those additional requirements. The Client is not compelled to accept such quote, and the Provider is under no obligation to implement those additional controls, upgrades or process changes if their absence does not constitute a material breach of this Agreement.

9.9 Both Parties commit to promptly addressing any identified cybersecurity risks reasonably necessary and relevant to the effective delivery of the Services under this Agreement. The goal is to rectify these issues within 48 hours of identification. However, if an issue’s complexity or severity requires more time, the following approach will apply:

(a) If immediate resolution is not feasible, the responsible Party will provide a detailed explanation of the risk, the steps for mitigation, and any immediate controls implemented or planned.

(b) The responsible Party will actively work on resolving the issue with a sense of urgency that matches the risk level. They will keep the other Party informed about their progress according to a mutually agreed schedule. The other Party will provide any assistance that is reasonably necessary to support the resolution of the issue.

(c) In the absence of a specific agreement as to the schedule for communication of updates in resolution of the issue, updates will be provided every 24 hours for critical issues, every two business days for high-risk issues, weekly for medium-risk issues, and fortnightly for low-risk issues.

(d) Both Parties may agree in writing to a different timeline for addressing any issues identified under this clause. The negotiation of resolution should include reasonable consideration of the actual risk level, the effectiveness of any interim controls that are in place to mitigate the risk, and the impact on other priority operational service delivery responsibilities. All decisions will be made based on a risk assessment and prioritise a commensurately timely resolution.

9.10 Both Parties acknowledge the importance of effective cybersecurity for the integrity and reliability of their respective operations. Through this Agreement, the Parties jointly commit to maintaining and enhancing cybersecurity practices, and to resolve any related issues or incidents collaboratively and in good faith.

(a) The Provider and the Client will actively work together to improve cybersecurity measures. This includes sharing relevant information that can help both parties better mitigate potential cyber threats.

(b) Recognising the importance of open communication, both parties commit to maintaining clear and transparent channels for reporting and discussing cybersecurity concerns and incidents.

(c) Should a cybersecurity incident or vulnerability arise that affects either party, both will work together to address and resolve the issue collaboratively.

(d) All communications regarding cybersecurity issues will be handled with a high degree of confidentiality and sensitivity, and as required by law.

9.11 If a Party is primarily responsible for a breach due to non-compliance with appropriate security protocols, they will cover their own direct costs required to rectify the breach. This includes internal expenses such as overtime or contractors specifically engaged for remediation efforts but excludes the cost of third-party cybersecurity specialists engaged by the other Party.

(a) In instances where both Parties share responsibility for a breach, or if a cyber security incident’s cause is unable to be determined or is beyond the influence of either party (for example, widespread cyber-attacks or related force majeure events), each Party will bear its own direct costs as related to the breach rectification.

(b) In such circumstances the Parties agree to cooperatively plan their respective mitigation efforts, roles and responsibilities relevant to the incident. The allocation of responsibilities and costs will be designed to be timely, pragmatic, risk-based and appropriate to each Party’s capabilities and extant operational roles and responsibilities.

(c) The Provider reserves the right to recover its own costs in relation to remediating or mitigating any issue arising due to the Client’s failure to follow reasonable cybersecurity practices, including but not limited to recommendations made by the Provider. Such costs that the Provider may recover are limited to costs internal to the Provider’s operations and only where this is agreed in writing with the Client. It does not extend to the engagement of a third-party cyber security consultant, unless otherwise agreed between the Parties in writing.

(d) Any disputes regarding the allocation of these costs will be approached through negotiation, and if necessary, mediation or arbitration, with litigation considered only as a last resort. Both Parties commit to a fair resolution process, ensuring disputes are settled in a cost-effective and equitable manner, respecting each Party’s operational and financial constraints.

9.12 Upon detection of any security anomalies or potential cybersecurity incidents, the Provider commits to conducting a preliminary assessment to determine the nature and scope of the incident, including whether Client Data has been compromised or if there is a risk to the Client’s operations or privacy.

(a) The Provider shall notify the Client of a cybersecurity incident if the assessment concludes that:

(i) There is a reasonable likelihood that the incident has led to unauthorised access, disclosure, alteration or destruction of Client Data that could materially impact the Client’s operations or privacy;

(ii) The incident disrupts the continuity of the Services in a manner that could significantly affect the Client; or

(iii) Legal or regulatory obligations require notification.

9.13 If notification criteria are met, the Provider will notify the Client without undue delay, and no later than 24 hours after determining the incident’s potential impact, unless earlier notification is required by law or would significantly hinder the containment or investigation of the incident.

9.14 Incidents not meeting the notification criteria shall be thoroughly documented internally, including the assessment findings and rationale for the decision not to notify. The Provider shall review any such incidents periodically to identify and implement preventative measures. Summaries of such incidents and the measures taken in response will be made available to an auditor appointed by the Client in accordance with clause 9.8.

9.15 All actions taken in connection with clauses 9.12 – 9.14 shall comply with any applicable data protection, privacy or cybersecurity legislation. The Provider is committed to cooperating with the Client to fulfill any legal or regulatory notification or reporting obligations arising from a cybersecurity incident.

9.16 In circumstances where the Client is also responsible for monitoring or managing their own information technology environment (including but not limited to their own systems, networks or servers), the Client agrees to notify the Provider of any potential cybersecurity incident, reciprocally applying the assessment, notification and cooperation provisions set out in clauses 9.12 – 9.15 above.

9.17 This Agreement recognises the necessity of a risk-based approach to cybersecurity controls, while acknowledging the complex and evolving nature of cyber threats and the need for a balanced and fair method for cost recovery and remediation. This Agreement is rooted in continuous improvement, due diligence, and proactive risk management.

(a) Cybersecurity measures will be adapted to align with the Client’s specific risk tolerance, operational needs, and budgetary constraints. This ensures a customised approach that respects the unique aspects of the Client’s operational environment and business requirements.

(b) Both Parties understand that information technology systems and supply chains often involve multiple stakeholders and integrated systems from various providers. While the Parties commit to managing and mitigating supply chain risks, through agreed practices and in accordance with our respective ISMS, both Parties recognise that such risks (including, but not limited to, lateral movement and human error) can never be entirely eliminated.

(c) Given that cybersecurity risks cannot be fully eliminated, nor transferred between Parties, and may not be clearly attributable, each Party is encouraged to obtain appropriate cyber insurance coverage. This is to acknowledge that despite best efforts, all businesses still face vulnerabilities to cyber threats just as they do to other types of Force Majeure. Therefore, both Parties recognise that proper insurance coverage forms part of a comprehensive risk management and business strategy.

10. Provider Employees

10.1 The Client acknowledges that the Provider may use its employees, agents, contractors, and third-party suppliers to deliver the Services. The Provider also retains the right to change these personnel or suppliers at any time without prior notice to the Client.

10.2 The Client agrees and acknowledges that the Provider:

(a) may engage employees, agents, contractors and third-party suppliers to provide some or all of the Services on the Provider’s behalf; and

(b) reserves the right to select, remove or replace any employee, agent, contractor or third-party supplier providing the Services, without notice to the Client.

10.3 The Client is responsible for maintaining a safe and healthy environment for the Provider’s personnel working at the Client’s premises, in line with health, safety, and welfare regulations.

10.4 The Client agrees not to solicit the Provider’s employees or contractors for employment during the term of this Agreement and for 12 months following its termination. This restriction does not apply if:

(a) the employee responds to a general job advertisement not specifically targeted at them; or

(b) the Provider gives written consent.

10.5 The Client recognises that the restrictions in clause 10.4 are reasonable and necessary to safeguard the Provider’s legitimate business interests.

10.6 If any Provider employee or contractor approaches the Client for employment or engagement independently of the Provider, the Client must notify the Provider in writing within 7 days of such an approach.

11. Warranties and Representations

11.1 The Provider, except as explicitly stated in this Agreement, excludes all implied conditions, warranties, and terms that might otherwise be inferred from statute, common law, or custom. This exclusion does not apply to any conditions or warranties which cannot legally be excluded (‘Non-excludable Conditions’).

11.2 The Client confirms that its agreement is based solely on the representations and terms expressly outlined in this Agreement. The Client acknowledges that it has not relied on any other representations or descriptions provided by the Provider, whether in proposals, catalogs, or marketing materials, unless explicitly included in this Agreement, including any referenced attachments.

11.3 The Client acknowledges that any representation made by the Provider, not expressly stated in this Agreement, has been independently verified by the Client for accuracy.

11.4 The Client warrants that it must not use or allow another person to use any part of the Services:

(a) in a manner contrary to any law;

(b) for the transmission, storage or manipulation of material which is, or may be, prohibited by any relevant law;

(c) for the purpose of disrupting or interfering with any computer network or any other person’s use of any software, hardware, network or services.

11.5 Each Party warrants that it:

(a) will not purport to act on behalf of the other Party;

(b) must comply with any reasonable direction of the other Party to assist in complying with any legal obligation;

(c) will comply with all directions and orders of any relevant regulator or other legal authority; and

(d) must comply with all applicable laws, regulations and legal obligations.

12. Liability and Indemnity

12.1 Except for liability in relation to breach of any Non-excludable Condition and liability under clause 12.3, the Provider’s total liability to the Client in contract, including for one or more breaches of any express term or terms of this Agreement (in aggregate), tort (including in negligence), statute, or otherwise, is limited to:

(a) where the liability arises from any failure by the Provider to supply a Service in accordance with a Services Schedule, an amount equal to the total Services Fees paid by the Client to the Provider in accordance with that Services Schedule during the 3-month period before the liability arose; or

(b) in any other case, an amount equal to the total amount actually paid by the Client to the Provider under this Agreement during the 3-month period before the liability arose.

12.2 The Provider’s total liability to the Client for a breach of any Non-excludable Condition (other than a Non-excludable Condition in respect of which by law liability cannot be limited) is limited, at the Provider’s option, to any one of resupplying, replacing or repairing, or paying the cost of resupplying, replacing or repairing the goods in respect of which the breach occurred, or supplying again or paying the cost of supplying again, the services in respect of which the breach occurred.

12.3 Except for liability in relation to breach of any Non-excludable Condition, the Provider excludes all liability to the Client for lost profits, lost revenue, lost savings, lost business, loss of opportunity and any consequential or indirect loss arising out of, or in connection with, any Services, and any claims by any third person (such as a customer of the Client, or any person to which the Client resupplies any Service), or this Agreement, even if:

(a) the Provider knew that loss was possible; or

(b) the loss was otherwise foreseeable.

12.4 Subject to the limitations of liability in this Agreement, each Party (“Indemnifying Party”) indemnifies the other Party and its related bodies corporate (as that term is defined in the Corporations Act 2001), directors, officers, employees and agents from and against all losses, damages, liabilities, claims and expenses incurred (including but not limited to reasonable legal costs) arising as a result of:

(a) any breach by the Indemnifying Party of this Agreement (including any Services Schedule);

(b) any negligent act or omission of the Indemnifying Party or any of its employees, consultants, contractors, agents or representatives relating to this Agreement; or

(c) any claim by any third party (including any customer or associate of the Indemnifying Party) arising from the supply of Services to the Indemnifying Party, including that any Services were disrupted or unavailable.

12.5 In the event of data loss or failure of computer system backups, the Client agrees to indemnify and hold the Provider harmless from any resulting claims, damages, losses, or expenses, including reasonable legal fees. This indemnity applies specifically to scenarios where the Client has not purchased backup services from the Provider. It underscores the Client’s responsibility to choose adequate data protection measures offered by the Provider. By not purchasing backup services from the Provider, the Client acknowledges and accepts the risk of data loss and agrees not to hold the Provider liable for any such loss. This ensures the Client’s informed decision regarding data backup services directly influences their recourse in the event of data loss.

12.6 The Parties recognise the critical role of Multi-Factor Authentication (MFA) in protecting against unauthorised access and improving cybersecurity. The assignment of MFA-related responsibilities is influenced by the specific scope of services outlined in this Agreement through the Services Schedule, the capabilities of the Computer Systems used by the Client, the Client’s operational requirements, and the Client’s risk tolerance. Responsibilities regarding MFA are detailed as follows:

(a) Where the Provider is responsible for security-related administrative functions for Computer Systems provided under this Agreement, the Provider will:

(i) Activate MFA on all applicable systems where such functionality is available; or

(ii) Communicate to the Client any inherent limitations within a Computer System covered by this Agreement, or any Client-specified operational process, that prevents the implementation of MFA. The Provider will also, where possible, discuss alternative security measures that may be implemented to reduce the risk associated with not having MFA.

(b) Where the Client oversees or has the capacity to modify the security settings of Computer Systems provided under this Agreement, the Client will:

(i) Ensure the activation of MFA on all applicable systems where such functionality is available; and

(ii) Acknowledge and assume the risk associated with the use of any Computer System where MFA cannot be implemented and apply any available alternative security measures.

12.7 The Client agrees to indemnify and hold the Provider harmless against any claims, damages, losses, or expenses, including reasonable legal fees, that arise due to any decision, action, or omission by the Client (including their employees or agents) not to implement or properly use MFA as described in clause 12.6. This includes, but is not limited to, such harms arising from any of the following circumstances:

(a) the Provider is responsible for implementing MFA under subclause 12.6(a)(i);

(b) security-related administrative functions are a shared responsibility between the Client and the Provider; or

(c) MFA is not available, or implemented, by the Client, as provided under subclause 12.6(a)(ii).

12.8 The Provider’s liability for damages arising from any failure to implement or properly use MFA only extends (subject to the general liability and indemnity provisions of clauses 12.1-12.5) in circumstances where all the following apply:

(a) the Provider is responsible for implementing MFA under clause 12.6(a)(i) or this is a shared responsibility between the Client and the Provider; and

(b) a decision, action or omission by the Provider (including their employees or agents) resulted in those damages; and

(c) those damages would likely have been avoidable through the proper implementation or use of MFA.

13. Suspension and Termination

13.1 This Agreement starts on the day it is signed and will continue until:

(a) either party gives notice in accordance with clause 13.2; or

(b) a party otherwise exercises an explicit termination right under this Agreement.

13.2 After the expiry or termination of all Services Schedules, either party may terminate this Agreement by giving 60 days’ notice in writing to the other Party.

13.3 Without limiting the generality of any other clause in this Agreement, a Party may terminate all or part of this Agreement (including any or all Services Schedules) immediately by notice in writing if:

(a) the other Party is in breach of any term of this Agreement and such breach is not remedied within 30 days of written notice requiring it to do so;

(b) a Party becomes, threatens or resolves to become or is in jeopardy of becoming subject to any form of insolvency administration; or

(c) a Party ceases or threatens to cease conducting its business in the normal manner.

13.4 The Provider may terminate all or part of this Agreement (including any or all Services Schedules) immediately by notice in writing to the Client if the Provider suspends the Client’s access to any Services in accordance with clause 13.9 for a period of 7 days or longer.

13.5 If notice is given to the Client pursuant to clause 13.3 or 13.4, the Provider, in addition to terminating the Agreement:

(a) may immediately issue an invoice for all Services Fees for work performed but not yet paid for;

(b) will be discharged from any further obligations under this Agreement; and

(c) may pursue any additional or alternative remedies provided by the law.

13.6 Without limiting any other clause of this Agreement, the Provider may terminate this Agreement or any Services Schedule if any supplier of services to the Provider ends its supply of such services to the Provider, and the Provider:

(a) considers in its sole discretion that:

(i) the ending of the supply of services to the Provider is likely to inhibit the Provider’s ability to supply Services to the Client; and

(ii) it is not commercially or practically feasible to secure replacement services of a standard at least equal to the terminated services; and

(b) provides the Client with as much written notice of termination as is practical in the circumstances.

13.7 Without limiting any other clause of this Agreement, the Provider may terminate this Agreement or any Services Schedule if any supplier of services to the Provider ends its supply of such services to the Provider, and the Provider:

(a) considers in its sole discretion that:

(i) the terminated supply of the services is likely to inhibit the Provider’s ability to supply Services to the Client; and

(ii) it is not commercially, technically or practically feasible to secure equivalent replacement services; and

(b) provides the Client with as much written notice of termination as is practical in the circumstances.

13.8 Without limiting any other clause of this Agreement, the Provider may terminate this Agreement or any Services Schedule following any significant change in the circumstances in which the Client acquires any Service (including any change to the location at which the Client requires Service to be supplied), provided that prior to such termination the Provider assesses the changed circumstances and:

(a) The Provider determines that the supply of equivalent Services cannot be achieved under the changed circumstances; or

(b) The Provider has proposed a change to any Services Fees to reflect its increased costs arising from the changed circumstances, and the Client has not agreed to the revised Services Fees.

13.9 If notice is given to the Client pursuant to clause 13.6, the Provider’s sole liability to the Client arising from such termination is the repayment of any Services Fees that have been paid in advance for the supply of Services after the date on which the supply of those Services is terminated.

13.10 Without prejudice to its termination rights under this Agreement, the Provider may suspend the supply of any or all Services to the Client, and the Client acknowledges that the Provider will have no liability to the Client (under this Agreement or otherwise) arising from such suspension if:

(a) The Client fails to pay any correctly issued invoice by its due date; or

(b) The Provider reasonably considers such suspension to be necessary to protect the security or integrity of the Services, or any software, hardware, data or network, or to comply with any law or direction of a regulator or relevant authority.

13.11 The parties acknowledge that clauses 5, 6, 7 and 10, and each clause required to make them effective, continue after termination of this Agreement.

14. Force Majeure

14.1 Neither Party will be liable for any delay or failure to perform its obligations pursuant to this Agreement if such delay is due to Force Majeure.

14.2 If a delay or failure of a Party to perform its obligations is caused or anticipated due to Force Majeure, the performance of that Party’s obligations will be suspended.

14.3 If a delay or failure by the Party to perform its obligations due to Force Majeure exceeds sixty (60) days, either Party may immediately terminate the Agreement on providing notice in writing to the other Party.

15. Sub-Contracts

15.1 The Provider may, without the consent of, or notice to, the Client, subcontract any of its obligations under this Agreement (including any Services Schedule), or engage any third party to supply part or all of the Services to the Client. In sub-contracting any obligations under this Agreement, the Provider will apply due diligence in assessing the supplier’s capability to meet the obligations set out under this Agreement and any Services Schedule, and any contract entered into with the third party will reflect the requirements of this Agreement relevant to the security and reliability of the particular services being subcontracted.

16. Entire Agreement

16.1 This Agreement constitutes the entire agreement between the Parties and supersedes all prior representations, agreements, statements and understandings, whether verbal or in writing.

17. Variation

17.1 The Provider may amend any term of the Agreement (including any Services Schedule) at any time by giving notice to the Client by email and posting on the Provider’s website. Such amendments will take effect 28 days thereafter.

17.2 If the Client does not accept any amendment notified by the Provider in accordance with clause 17.1, the Client must give notice to the Provider in writing of its rejection of the amendment, in which case the Agreement will continue on its existing terms.

17.3 The Client acknowledges that if the Client does not give notice to the Provider in accordance with clause 17.2, the Client’s continued use of Services will be deemed to indicate the Client’s agreement to be bound by the terms and conditions as amended.

17.4 Except where otherwise explicitly permitted by a clause of this Agreement, the provisions of this Agreement will not be varied, except by agreement in writing signed by the Parties.

18. Notice

18.1 Any notice required under this Agreement (including any Services Schedule) must be:

(a) made in writing and sent via email. Please note that a phone call is not an accepted method of communication and will not be accepted as notice.

(b) made by an Authorised Representative;

(c) sent to support@cloudearth.com.au. Please note that any correspondence emailed to any email address other than support@cloudearth.com.au will not be accepted as notice.

18.2 Acknowledgement of receipt of any notice received via email will be sent to the Client within 2 business days (public holidays excluded). If the Client has not received acknowledgement within 2 business days, the Client must assume that the notice was not received, and the Client must resubmit the notice via email and call the Provider’s Accounts team on 1300 584 844 to confirm that delivery of notice has been received. The Client acknowledges that, until they have received a confirmation email from the Provider, any change to the client service has not been received nor actioned.

19. Disputes

19.1 Any dispute arising in connection with this Agreement must be handled in accordance with this clause before a Party may commence any form of litigation or legal proceedings.

19.2 A Party must give written notice to the other Party outlining the matter in dispute. Within 7 days of such notice:

(a) the Parties’ respective Authorised Representatives must meet personally (which meeting may occur by telephone, videoconference, or any other means convenient to both parties), to consider and seek to resolve the dispute;

(b) if the respective Authorised Representatives are unable to resolve the dispute within 14 days of their first meeting (or other such period as is agreed between the Parties), refer the dispute to the respective chief executive officers (or equivalent, or another person who alone has authority to make decisions on behalf of the Party) of each Party, who must meet within 7 days (or such longer period as the parties agree in writing) to discuss and seek to resolve the dispute; and

(c) if the respective chief executive officers are unable to resolve the dispute within 14 days of their first meeting, either party may commence or pursue any remedy or dispute resolution process, including litigation, available at law.

19.3 Nothing in this clause will prevent a Party from seeking urgent equitable relief before an appropriate court.

19.4 During the continuance of any dispute, each Party must continue to perform its obligations under this Agreement.

20. Assignment and Waiver

20.1 Subject to clause 20.2, neither party may assign or transfer part or all of this Agreement without the prior approval of the other party (which must not be unreasonably withheld).

20.2 The Client agrees that the Provider may assign or transfer, without seeking further approval of, or giving notice to, the Client, the whole of this Agreement and its related rights and obligations to any person or entity to whom any part of the assets (including without limitation, goodwill) of the Provider are transferred, and the Client will, if requested by the Provider, sign a deed of novation or such other document as may be necessary to effect any such assignment or transfer.

21. Severability

21.1 If any provision of this Agreement is held invalid, unenforceable or illegal for any reason, the Agreement will remain otherwise in full force apart from such provisions which will be deemed deleted.

22. Governing Law

22.1 This Agreement will be governed by and construed according to the law of the State of New South Wales, and each party submits unconditionally to the jurisdiction of the courts of that State.