GPUaaS Services Policy

SCHEDULE 1

SERVICE TERMS – GPUAAS

PART A – GENERAL TERMS APPLICABLE TO ALL GPUAAS

1. CUSTOMER DATA AND SOFTWARE USE RESTRICTIONS

1.1 Customer Data

1. As between the parties, the Customer and its licensors retain all Intellectual Property Rights in the Customer Data (in accordance with Clause 15 of the Agreement).
2. Without limiting the Customer’s obligations under Clause 4 of the Agreement, the Customer acknowledges and agrees that:
   1. the Customer is responsible for implementing appropriate backup, replication, encryption and disaster recovery strategies to protect Customer Data;
   2. the Customer assumes full responsibility for securing and managing all access controls, encryption keys, certificates, Authentication Credentials and application-layer security measures necessary to protect Customer Data; and
   3. Core42 is not required to perform backup, replication or restoration services for Customer Data.
3. The Customer will:
   1. ensure that all data processing activities carried out while using the Services comply with all applicable data protection, privacy and regulatory requirements; and
   2. all times comply with data protection rules and other Applicable Laws that may apply to Customer Data, including as required under Clause 3.1 and Clause 4 of the Agreement.
4. Unless otherwise agreed in writing, any Customer Data generated, stored or transmitted during the Committed Service Period, Renewal Period or for any Evaluation Services (as defined under Paragraph 4.1 of these Service Terms) may be subject to deletion upon expiry or termination of the Committed Service Period, Renewal Period or Evaluation Services, and the Customer is solely responsible for exporting or backing up its data prior to such expiry or termination.

1.2 Software Use Restrictions

1. The Customer shall not install, deploy or execute any software within the Core42 Platform that:
   1. is not properly licensed for the Customer's intended use;
   2. intentionally bypasses or disables hardware security controls, firmware restrictions or encryption modules without Core42's prior written consent;
   3. mines cryptocurrencies, renders blockchain validations or performs distributed ledger computations (in each case without Core42's prior written consent);
   4. imposes an excessive or abnormal load on hardware resources (such as sustained ‘maxed out’ CPU/GPU use outside normal operational tolerances);
   5. is subject to export control laws (including but not limited to the U.S. Export Administration Regulations, the International Traffic in Arms Regulations, EU Dual-Use Regulation, the United Arab Emirates Strategic Goods Law and the Wassenaar Arrangement) without first obtaining all necessary governmental authorizations, as further set out in Annex B of this Agreement; or
   6. enables penetration testing, security testing, vulnerability scanning or any network reconnaissance (in each case without Core42's prior written consent).
2. The Customer shall maintain complete and accurate records of all software installed or executed on the Core42 Platform and provide such records to Core42 upon reasonable request.
3. If the Customer is suspected of failing to comply with the software use restrictions set out in these Service Terms, Core42 may, without liability, suspend the Customer's access to the Core42 Platform and/or the affected hardware in accordance with Clause 7 of the Agreement.

2. SERVICE CONFIGURATION AND TESTING

1. These Service Terms and any relevant Service Specification include obligations, technical requirements and guidance relating to configurations that the Customer must perform on its own systems and applications to enable effective use of the relevant GPUaaS. The Customer is solely responsible for performing such configurations and ensuring that its systems meet the required conditions.
2. If requested by Core42, the Customer shall provide reasonable cooperation in connection with any testing Core42 may carry out.
3. Unless otherwise specified in the Service Order, Fees are payable from the earlier of:
   1. the Service Commencement Date; and
   2. the date on which the relevant GPUaaS is available for the Customer to use.

3. GPUAAS PERFORMANCE

1. The Customer acknowledges and agrees that:
   1. Core42 does not guarantee the achievement of specific computational benchmarks, training times, inference speeds or application performance outcomes;
   2. actual performance of the Customer's workloads may vary based on factors beyond Core42's control, including the Customer's software configurations, workload design, third party library performance, parallelization strategies and network conditions;
   3. Core42 does not warrant the compatibility of the relevant GPUaaS with the Customer's applications, software stacks or third party systems, unless explicitly agreed in writing;
   4. Core42 does not guarantee uninterrupted availability of specific resource levels (e.g., CPU cycles or GPU memory); and
   5. unless otherwise stated in the applicable Service Specification or Service Levels, all GPUaaS are provided on an "as is" and "as available" basis.
2. The Customer remains solely responsible for the performance tuning, optimization and resiliency of the applications and workloads it has deployed in its use of the GPUaaS.
3. Core42 may monitor the general health and use of the GPUaaS for operational purposes, but Core42 does not assume responsibility for monitoring or ensuring the Customer's application performance.

4. PROOF OF CONCEPT, EVALUATION ACCOUNTS AND TRIAL CREDITS

1. From time to time, Core42 may, in its sole discretion, offer the Customer access to the GPUaaS on a limited basis for the purposes of evaluation, proof of concept or trial use ("Evaluation Services"), either free of charge or through the issuance of promotional credits.
2. Evaluation Services shall be subject to the terms of this Agreement (including these Service Terms), except that:
   1. Core42 provides the Evaluation Services on an "as is" basis and without warranty of any kind;
   2. Evaluation Services are provided without any service level commitments (including those set out in Schedule 3), Service Credits or performance guarantees;
   3. Core42 may suspend, limit or terminate Evaluation Services at any time without prior notice and without liability to the Customer; and
   4. the following Clauses of the Agreement do not apply to the Evaluation Services:
      1. Clause 2 (Services);
      2. Clause 5 (Security); and
      3. Clauses 10.2 and 10.5 (Indemnification).
3. Evaluation Services shall be limited to the usage limits, service features, resource allocations and duration specified by Core42 in the applicable offer, credits issuance or Service Order.

PART B – SERVICE-SPECIFIC TERMS

The applicability of the Service-Specific Terms set out below will depend on the GPUaaS solution being supplied (as determined by the relevant Service Order).

1. BARE METAL AS A SERVICE (BMAAS)

1.1 Service Description

Under the BMaaS offering, the Customer is given access to physical server hardware, without a hypervisor. BMaaS provides the Customer operating system level control over hardware resources. The Service gives the Customer the ability to deploy, configure and manage its chosen operating systems, applications and security controls on the allocated hardware, subject to the terms of this Agreement.

1.2 Hardware Allocation and Configuration

1. The configuration of hardware components including GPU, CPU, memory storage, network and related specifications are described in the applicable Service Specification.
2. The Customer is responsible for specifying its desired hardware configurations prior to the Service Commencement Date.
3. Unless otherwise specified in the Service Order, no hypervisors or visualization layer will be deployed.

1.3 Hardware Availability and Replacement

The Customer acknowledges and agrees that if Core42 replaces any failed components, then any such replaced components may be different models or specifications.

1.4 Hardware Restrictions

1. The Customer is not permitted to open chassis, remove parts, modify firmware or alter BIOS configurations.
2. Unauthorized hardware tampering by the Customer shall constitute a material breach of this Agreement.

1.5 Resource Reservation Commitment

1. Allocated hardware shall be reserved exclusively for the Customer's use during the applicable Committed Service Period or Renewal Period (as applicable).
2. The Customer acknowledges and agrees that the Fees for each GPUaaS are payable in full regardless of the actual use or workload volumes of the relevant GPUaaS.
3. Core42 may reallocate or substitute hardware of equivalent or superior performance specifications if required for operational reasons, provided that Core42 gives the Customer reasonable written notice of any such substitution.
4. At the end of the Committed Service Period or Renewal Period (as applicable), Core42 will be entitled to deallocate the reserved hardware (unless otherwise agreed).
5. Core42 may conduct periodic audits (not more than twice per year) to verify the configuration and use of reserved hardware, subject to reasonable prior notice.

1.6 Data Retention and Deletion

1. At the end of the Committed Service Period or Renewal Period (as applicable), Core42 may perform data erasures across all Customer Data stored on the allocated hardware ("Data Wipe").
2. The Customer acknowledges and agrees that:
   1. the Data Wipe is designed to render Customer Data irretrievable using reasonable methods but does not guarantee absolute elimination of all residual data artifacts;
   2. Core42 will not be held responsible for verifying the completeness, accuracy, or success of the Customer's data backup or exports prior to the Data Wipe commencement;
   3. Core42 will not be responsible for any loss of Customer Data, or damage or liability arising from the Customer's failure to perform timely data exports, backups or retention of necessary information prior to hardware deallocation;
   4. Core42 disclaims all liability for forensic data recovery attempts conducted by third parties following the Data Wipe, whether successful or unsuccessful; and
   5. Core42 does not provide certifications of compliance with any industry-specific or regulatory data handling standards.

2. MANAGED KUBERNETES

2.1 Service Description

The Managed Kubernetes Service provides the Customer with a managed container orchestration environment on the Core42 Platform based on Kubernetes. The Service enables deployment, scaling and management of the Customer's containerized applications across clustered compute resources and includes features such as high availability (HA), load balancing and automated resource orchestration.

2.2 Configuration and Resource Scaling

1. The Customer shall deploy, configure, and manage its own containerized applications and Kubernetes resources (e.g., pods, deployments and config maps) in accordance with the Service Specification or as otherwise communicated by Core42 from time to time.
2. The Customer must define and apply appropriate workload resource settings, including resource requests, limits, autoscaling policies and tolerations.
3. The Customer must perform its own validation and capacity planning to ensure that deployed applications are properly configured for production use within the Core42 Platform.
4. The Customer acknowledges that workload resilience, application scaling behavior and performance outcomes depend on the Customer’s own configurations and application design.

2.3 Security and Access Controls

1. Core42 may apply Kubernetes network policies to restrict intra-cluster communications based on the Customer’s namespace configurations or default security settings.
2. The Customer is responsible for configuring and maintaining the security settings of its own containerized workloads, including service account permissions, secrets management and workload network controls.

2.4 Monitoring and Upgrades

1. Core42 is not responsible for monitoring the Customer's applications, containers or workload performance metrics. The Customer must monitor its own workloads, containers and application behavior.
2. Core42 may require periodic mandatory upgrades of the Kubernetes control plane and node components to maintain the security of the Service and lifecycle support.
3. The Customer is responsible for ensuring its deployed workloads and applications can tolerate standard Kubernetes upgrades.
4. The Customer acknowledges and agrees that downtime, application instability and/or performance degradation may arise from mandatory upgrades (as described in this Paragraph 2.4).

2.5 Service Disclaimers

1. Core42's responsibilities are limited to the provision, operation and maintenance of the Core42 Platform, including the Kubernetes control plane and underlying infrastructure layer forming part of the Service. Core42 does not manage or validate the Customer's containerized applications or workloads.
2. Core42 makes no warranty or representation that the Customer's use of the Service will achieve desired workload scalability, high availability, specific performance or compliance outcomes.
3. The Customer acknowledges and agrees that workload design flaws, configuration errors, software bugs and third party software may affect the availability of the Core42 Platform and may lead to losses.

3. MANAGED SLURM

3.1 Service Description

Managed Slurm is a high-performance computing ("HPC") service that provides the Customer with access to a Slurm Workload Manager environment operated by Core42 on the Core42 Platform. The Service enables the Customer to submit and manage HPC jobs across a multi-node compute infrastructure using Slurm-based scheduling, resource allocation and job execution features further described in the Service Specification.

3.2 Configuration

1. The Customer shall be responsible for submitting, configuring and managing its jobs, application optimization and workload parameters within the Managed Slurm environment.
2. Core42's responsibilities are limited to the provision, operation and maintenance of the Core42 Platform, including the Slurm Workload Manager and the scheduler environment forming part of the Service.

3.3 Resource Allocation and Scheduling

1. The Customer's job requests shall be scheduled using the Slurm Workload Manager within the Customer's dedicated compute environment on the Core42 Platform based on applicable partition policies and job parameters defined by the Customer.
2. Job resource allocation may be subject to internal partitioning or queuing configurations. The Customer acknowledges that scheduling times, wait times and job start times may vary depending on workload design, job sizes and the Customer's own job scheduling configurations.

3.4 Job Execution

1. The Customer is responsible for the accuracy, efficiency and reliability of its jobs, including defining accurate wall-time estimates, memory requests, and CPU/GPU use profiles.
2. The Customer acknowledges and agrees that job execution failure, job eviction, cancellation or failure to meet runtime expectations may arise due to:
   1. the Customer's job misconfiguration;
   2. application software errors or crashes; or
   3. node resource exhaustion.
3. The Customer shall not submit intentionally disruptive, unstable, or misconfigured jobs that could degrade performance, compromise node stability or otherwise interfere with the Core42 Platform. Core42 may suspend or cancel such jobs if required to maintain the integrity of the Service.

3.5 Data Storage and Deletion

1. Core42 may provide the Customer with access to storage for job input/output operations, subject to any storage limits and usage policies set out in the Service Specification.
2. Unless otherwise agreed, Core42 may delete job output files, logs, and temporary scratch files following job completion without notice.

3.6 Cluster Usage and Resource Abuse Mitigation

1. The Customer must comply with cluster usage parameters set out in the Service Specification, including maximum runtime limits, node allocation rules, storage quotas and network bandwidth thresholds.
2. Core42 may monitor the Customer's use of the Service to detect operational issues, abnormal job behavior, unauthorized access attempts or potential violations of these Service Terms.
3. Core42 may:
   1. suspend or terminate disruptive or non-compliant jobs;
   2. impose usage restrictions or configuration changes to protect the Core42 Platform; or
   3. temporarily suspend the Customer’s access to the Service in accordance with this Agreement.

3.7 Upgrades

Core42 may recommend upgrades to the Slurm Workload Manager forming part of the Service from time to time to enhance functionality, maintain compatibility or address security vulnerabilities, subject to mutual agreement between the parties.

4. WEBSITE HOSTING

4.1 Service Description

The Website Hosting Service provides the Customer with a container-based hosting environment on the Core42 Platform for its own websites and web applications. The Service includes automated orchestration, load balancing, resource allocation and high availability features as further described in the Service Specification.

4.2 Service Provisioning

1. The Customer is responsible for the deployment, configuration, security and maintenance of its web applications, websites and supporting container images.
2. Core42 is not responsible for website application errors, code vulnerabilities, application downtime or website performance problems caused by the Customer's application architecture or third party software dependencies.

4.3 Load Balancing and Resource Optimization

1. Core42 may adjust how system resources are used, such as increasing capacity or shifting workloads where needed to maintain the stability of the Service. Core42 may use resource orchestration features such as autoscaling, pod migration and dynamic resource allocation to optimize the Service.
2. The Customer is responsible for ensuring its applications can tolerate common hosting incidences such as temporary shutdowns, container restarts or interruption, including setting up fallback processes and handling traffic across different hosting locations if required.
3. The Customer must configure resource requests based on how much compute, memory and storage its applications need and ensure its software can handle common hosting conditions such as network fluctuations.
4. Core42 may suspend Customer workloads that materially impair the stability of the Core42 Platform, exceed agreed resource limits or breach applicable usage policies, without liability.

4.4 Security

1. The Customer is responsible for maintaining the security of its own web applications, API endpoints and container images, including compliance with Applicable Laws.
2. Core42 is not responsible for detecting or remediating security vulnerabilities on the Customer's web applications.

4.5 Monitoring

The Customer is solely responsible for implementing and maintaining application monitoring, alerting and performance optimization tools for its web applications and websites.

SERVICE LEVELS

1. DEFINITIONS AND INTERPRETATION

Capitalized terms used but not defined in this Schedule 3 shall have the meanings set out in Annex A of the Agreement.

The following definitions shall also apply:

1. "Available", "Availability" has the meaning given to it in the Service-specific Service Levels under Paragraph 3 of this Schedule 3, excluding periods covered by the exclusions listed under Paragraph 2.4 of this Schedule 3.
2. "Capacity Availability Rate" means the percentage of delivered system hours divided by the committed system hours in each Service Cycle. Capacity Availability is measured in service hours, which is the number of nodes dedicated to the Customer multiplied by the number of hours that the Customer has committed to use in each Service Cycle.
3. "Downtime" means any period during which the Services are not accessible in accordance with Service Availability criteria described in Paragraph 3 of this Schedule 3. Downtime excludes periods described in the exclusions listed under Paragraph 2.4 of this Schedule 3.
4. "Emergency Maintenance" means any maintenance activities that are not Planned Maintenance, such as urgent, unscheduled maintenance activities required to address critical vulnerabilities, imminent service threats, security incidents or hardware failures that, if not immediately addressed, could result in a Service outage, data loss, security breach or material degradation of the Core42 Platform.
5. “Maintenance” means Emergency Maintenance or Planned Maintenance, as applicable.
6. "Monthly Fee(s)" means the monthly fee payable by the Customer for the Services in a Service Cycle under the Service Order.
7. "Planned Maintenance" means scheduled maintenance activities reasonably required to maintain, upgrade, optimize or repair the relevant GPUaaS, provided that Core42 has given the Customer reasonable notice of such maintenance.
8. "Service Availability Rate" has the meaning given to it under Paragraph 2.1 of this Schedule 3.
9. "Service Credit" means the service credit issued by Core42 at its sole discretion for failure to meet the applicable Service Availability Rate, as specified in Paragraph 2.2 of this Schedule 3 and calculated in accordance with Paragraphs 3.1(b), 3.1(c), 3.2(b), 3.2(c), 3.3(b) and 3.3(c) of this Schedule 3 (as applicable to the relevant Service).
10. "Service Cycle" means the billing period, for which the Monthly Fees are charged to the Customer on a recurring basis in advance. Unless otherwise specified in the Service Order, each Service Cycle shall be one (1) calendar month.

2. GENERAL TERMS

2.1 Service Availability Calculation

The Service availability rate for each Service Cycle shall be calculated as the total number of 5-minute increments during which the Services are Available, divided by the total number of 5-minute increments in that Service Cycle ("Service Availability Rate"). For the avoidance of doubt, availability is measured in 5-minute intervals, and any period of one or more consecutive 5-minute intervals during which the Services are not Available shall constitute Downtime.

2.2 Service Credit Claims

1. If Core42 fails to meet the applicable Service Availability Rate during a Service Cycle, the Customer may submit a written claim for a Service Credit ("Service Credit Claim") within fifteen (15) days following the end of that Service Cycle. The Customer must include all information reasonably required by Core42 to verify the eligibility of the Service Credit Claim, including but not limited to log data, timestamps, and other supporting documentation.
2. Failure to submit a Service Credit Claim within the period specified under Paragraph 2.2(a) of this Schedule 3, or without the required information, will invalidate such claim.
3. Core42 will:
   1. determine in Core42’s sole discretion if the Customer is eligible to receive a Service Credit following successful submission of a Service Credit Claim; and
   2. notify the Customer if it determines that the Customer’s Service Credit Claim was approved.
4. If approved, the Service Credit will be applied as credit against a future invoice during the Committed Service Period or Renewal Period (as applicable). Service Credits may not be refunded, exchanged for money, or applied to other services or accounts.
5. Service Credit Claims will be evaluated by reference to information collected or validated by Core42, including information collected from Core42’s monitoring tools, data, systems logs and configuration records ("Core42 Records"). If there is any conflict between any Core42 Records and the information provided by the Customer in a Service Credit Claim, the Core42 Records will prevail.
6. The maximum amount of Service Credits applicable for any Service Cycle shall not exceed twenty-five percent (25%) of the Monthly Fee.
7. If no further invoices are due or the Service Order has expired or been terminated in accordance with the Agreement, the Service Credit Claim will be deemed waived by the Customer.
8. If a Service Credit Claim relates to more than one Availability commitment during a Service Cycle (e.g., both Service Availability and Capacity Availability), the Customer will only be entitled to claim the greater of the applicable Service Credits. Service Credits cannot be combined across multiple Availability commitments for the same Service Cycle.
9. Service Credits are the Customer’s sole and exclusive remedy for Core42's failure to meet the Service Availability or Capacity Availability commitments set out in this Schedule 3.

2.3 Prerequisites

1. The Customer must promptly provide Core42 with any access (remote or otherwise) reasonably required to investigate or cure issues with the Services. Core42 shall have no obligation to resolve, or consider Service Credit Claims in respect of, any faults or vulnerabilities that fall within the exclusions listed under Paragraph 2.4 of this Schedule 3.
2. The Customer is responsible for configuring its workloads and applications in accordance with the applicable Service Specification and the obligations set out in the Service Terms, including but not limited to designing workloads to tolerate individual node failures, as physical hardware failures are inherently unpredictable and cannot be fully prevented or forecasted.

2.4 Exclusions

1. The Service Availability and Capacity Availability commitments in this Schedule 3 do not apply to any performance, availability issue or service interruption that is:
   1. caused by a Force Majeure Event;
   2. caused by internet access or connectivity issues outside of Core42 Platform's demarcation point, including any third-party network providers;
   3. caused by the Customer’s inputs, instructions, equipment, software, systems or other technology;
   4. caused by any third party products (including the Third Party Products), equipment, or other technology;
   5. a result of Planned Maintenance, Emergency Maintenance and/or upgrades carried out in accordance with the Service Terms;
   6. related to the Evaluation Services;
   7. caused by a failure by the Customer, or any End User, to adhere to the Service Specification, required configurations, settings, policies and operational guidance in relation to the Services;
   8. a result of the Customer’s actions or inactions (when required), or from any third party, including employees, agents, contractors, or vendors, or anyone gaining access to the Services by means of the Customer’s Authentication Credentials;
   9. caused by the Customer, or any End User, breaching any Applicable Law, the Service Terms or the Agreement; or
   10. in respect of any period when the Customer’s access to the Services has been suspended or terminated in accordance with the Agreement or applicable Service Order.
2. Core42 will not consider Service Credit Claims if any unavailability, delay or error if any of the exclusions set out above apply.

2.5 Maintenance

1. The Customer acknowledges and agrees that:
   1. during periods of Maintenance, the Services may experience reduced performance, limited availability or temporary interruptions; and
   2. Maintenance windows will be excluded from the Service Level availability calculations and, accordingly, such impacts shall not constitute Service Level failures or give rise to Service Credit eligibility (as defined in Schedule 3).
2. Core42 may perform Emergency Maintenance at any time without advance notice to the Customer if immediate action is necessary to protect Service integrity.
3. If feasible, Core42 will notify the Customer of Emergency Maintenance as soon as practicable, including a description of the reason for the emergency and estimated duration.
4. The Customer shall cooperate reasonably with Core42 during Maintenance events, including refraining from executing new deployments, upgrades or high-risk changes during published Maintenance windows.

3. SERVICE-SPECIFIC SERVICE LEVELS

3.1 Bare Metal as a Service (BMaaS)

(a) Service Availability Definition

1. BMaaS shall be considered “Available” when the allocated servers can be remotely accessed and are responsive to standard operating system-level commands.
2. Hardware failures impacting Availability shall be addressed under the Capacity Availability Service Level, and will not apply to the Service Availability Rate.

(b) Service Availability Target

(c) Capacity Availability Target

The Capacity Availability Service Level does not apply if the Customer subscribes to fewer than 64 physical nodes.

3.2 Managed Slurm

(a) Service Availability Definition

1. The Service shall be considered “Available” when the allocated servers can be remotely accessed and are responsive to standard operating system-level commands.
2. Hardware failures impacting Availability shall be addressed under the Capacity Availability Service Level, and will not apply to the Service Availability Rate.

(b) Service Availability Target

(c) Capacity Availability Target

The Capacity Availability Service Level does not apply if the Customer subscribes to fewer than 64 physical nodes.

3.3 Managed Kubernetes

(a) Service Availability Definition

1. Managed Kubernetes shall be considered Available when the allocated servers can be remotely accessed and are responsive to standard operating system-level commands.
2. Hardware failures impacting Availability shall be addressed under the Capacity Availability Service Level, and will not apply to the Service Availability Rate.

(b) Service Availability Target

(c) Capacity Availability Target

The Capacity Availability Service Level does not apply if the Customer subscribes to fewer than 64 physical nodes.

3.4 Website Hosting

(a) Service Availability Definition

Website Hosting shall be considered "Available" when hosted websites are accessible over the internet with acceptable response times and no critical errors that impact content delivery, transaction processing, or user interaction.

(b) Service Availability Target

If Website Hosting fails to achieve a Service Availability Rate of at least 95% (the "Service Commitment") in any given Service Cycle and the Customer’s Service Credit Claim is successful, Core42 will apply the following Service Credits.

Service Availability is measured through real-time observability and system health logs collected via the Core42 monitoring systems, with incident logs provided in post-event Root Cause Analysis (RCA) reports.

4. AMENDMENTS TO THESE SERVICE LEVELS

Core42 will provide the Customer with at least thirty (30) days’ prior written notice if Core42 makes any material changes to this Schedule 3.

SCHEDULE 4

DATA PROCESSING TERMS

1. DEFINITIONS

Capitalized terms used but not defined in this Schedule 4 shall have the meanings set out in the Agreement.

The following definitions shall also apply:

1. "Controller" shall have the meaning given to it in the GDPR;
2. "Core42 Contact" means the Core42 representative identified in the Agreement Details;
3. "Core42 Network" means the hosting server, networking equipment and other software and systems that are within Core42's control and which are used to provide the Services;
4. "Customer Data" shall mean the Personal Data provided by the Customer or by its End Users to Core42 pursuant to the Agreement or which is otherwise Processed by Core42 on behalf of the Customer pursuant to the Agreement;
5. "Data Protection Legislation" means all laws and regulations applicable to the Processing of Customer Data, including, as applicable, the GDPR;
6. "Data Subject" shall have the meaning given to it in the GDPR;
7. "GDPR" means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
8. "Personal Data" shall have the meaning given to it in the GDPR;
9. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
10. "Processing" shall have the meaning given to it in the GDPR and "Process" or "Processed" shall be construed accordingly;
11. "Processor" shall have the meaning given to it in the GDPR; and
12. "Sub-Processor" means any third party Processor appointed by a Processor, including a consultant, sub-contractor, agent or professional adviser or other third party which may receive and/or have access to the Customer Data.

2. ROLES OF DATA PROCESSING

The Parties agree and acknowledge that when Customer Data is Processed by Core42 as part of the Services, Core42 is a Processor and the Customer may be either a Controller or a Processor.

3. PROCESSING DETAILS

1. Subject-matter of Processing: the subject matter of the Processing under this Schedule 4 is the Customer Data.
2. Duration of the Processing: for so long as Core42 holds Customer Data under the Agreement that is Personal Data.
3. Nature and purpose of the Processing: the purpose of the Processing is for Core42 to provide the Services to the Customer in accordance with the Agreement. The nature of the Processing is AI compute, storage and such other Services described in the Agreement and/or the Service Order.
4. Type of Personal Data: Customer Data provided to Core42 through the Services by the Customer or its End Users.
5. Categories of Data Subjects: individuals whose Personal Data is provided to Core42 through the Services by the Customer or its End Users.

4. CUSTOMER OBLIGATIONS

The Customer shall:

1. ensure that it has all necessary rights and consents to Process the Customer Data and to disclose the Customer Data to Core42 in accordance with applicable Data Protection Legislation;
2. provide Core42 with the Customer's name and contact details (or those of its representative) and the name and contact details of its data protection officer (where one is appointed);
3. provide Core42 with documented instructions regarding the Processing to be carried out where these exceed the Services;
4. be responsible for deciding and determining the following:
   1. the subject-matter and extent of the Customer Data to be collected and Processed;
   2. the purpose and manner of Processing of the Customer Data;
   3. third parties to whom the Customer Data is disclosed (other than Core42's Sub-Processors);
   4. duration of retention of the Customer Data;
5. be responsible for the provision of a privacy notice to Data Subjects;
6. respond to and implement requests from Data Subjects exercising their rights under the Data Protection Legislation; and
7. carry out all data protection impact assessments where required by the Data Protection Legislation.

5. CORE42 OBLIGATIONS

Core42 shall:

1. Process the Customer Data only on the documented instructions of the Customer as set out in this Schedule 4, unless required to do otherwise by Applicable Law. If Core42 is of the opinion that any instruction given by the Customer breaches the Data Protection Legislation, Core42 shall inform the Customer of this where permitted to do so by such law;
2. ensure that its personnel who are authorized to Process the Customer Data are under obligations of confidentiality that are enforceable by Core42;
3. implement appropriate technical and organizational measures taking into account the factors set out in the Data Protection Legislation to ensure a level of security appropriate to protect the Customer Data, including protection from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access;
4. taking into account the nature of the Processing, assist the Customer with its obligations to comply with Data Subjects' requests and rights in the Data Protection Legislation through the use of appropriate technical and organizational measures;
5. taking into account the nature of the Processing and information available to Core42, assist the Customer in ensuring compliance with the Customer's obligations relating to security, notification of breaches to the applicable regulator and Data Subjects, data protection impact assessments and any consultation with regulators;
6. notify the Customer (to any specific contact details notified by the Customer) without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Without undue delay following the initial notification Core42 shall provide full details of the relevant Personal Data Breach (or shall provide such detail in phases where not possible to provide at once);
7. at any time up to the date of termination of the Agreement (the "Termination Date"), and for thirty (30) days following the Termination Date, subject to the terms and conditions of the Agreement, Core42 will return the Customer Data (including all copies) to the Customer in a format to be agreed between the Parties or, at the written election of the Customer, destroy the Customer Data (including all copies) unless any Applicable Law requires Core42 to continue to store the Customer Data; and
8. promptly inform the Customer of (to any specific contact details notified by the Customer) and provide assistance with responding to any enquiry made, or investigation or assessment of Processing initiated by an applicable regulatory authority in respect of the Customer Data.

6. SUB-PROCESSING

1. Customer provides general authorization to Core42's use of Sub-Processors to provide Processing activities on Customer Data on behalf of Customer in accordance with this Paragraph 6 of this Schedule 4.
2. Core42 shall put in place in writing with any Sub-Processor, contractual obligations which are at least equivalent to the obligations imposed on Core42 pursuant to this Schedule 4.
3. A list of the Sub-Processors that are currently authorized to be used by Core42 is available on request by contacting the Customer’s Core42 Contact.
4. In the event that Core42 changes the identity of any Sub-Processor, Core42 will provide Customer with a mechanism to obtain prior notice of that update. To object to a Sub-Processor, Customer may:
   1. terminate the Agreement pursuant to its terms;
   2. cease using the Service for which Core42 has engaged the Sub-Processor; or
   3. move the relevant Customer Data to another Hosting Location where Core42 has not engaged the Sub-Processor.

7. AUDITS

7.1 Core42 Audits.

Core42 shall procure an annual audit report ("Audit Report") from third party auditors to verify the adequacy of its data privacy and security measures, including the security of the data centers from which it provides the Services. The Audit Report shall constitute Core42's confidential information.

7.2 Audit Reports.

Core42 shall provide the Customer with a copy of the Audit Report upon Customer's written request and subject to the Customer entering into a suitable confidentiality agreement.

7.3 Customer Audit.

No more than once per year and on no less than thirty (30) days' written notice, Customer has the right to conduct an audit of Core42's compliance with this Schedule 4, by instructing Core42 to carry out the audit described in Paragraphs 7.1 and 7.2 of this Schedule 4. Customer shall be responsible for all costs and fees incurred by Core42 in relation to such audit. If Customer wishes to change the scope of this audit, then Customer may notify Core42 in accordance with the notice provisions of the Agreement. If Core42 does not agree to change the scope of the audit, Customer may terminate the Agreement in accordance with its terms.

8. TRANSFER OF PERSONAL DATA

1. The Customer can specify the location(s) where Customer Data will be processed within the Core42 Network (each a "Hosting Location"), including Hosting Locations in the European Economic Area ("EEA") and the United States. Once the Hosting Location has been specified, Core42 will not transfer Customer Data from Customer’s selected Hosting Location(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with Applicable Laws.
2. If the specified Hosting Location is in the EEA, or the United Kingdom, Core42 will not Process or transfer the Customer Data outside of the EEA or the United Kingdom (or any country deemed adequate by the European Commission or the UK government pursuant to the Data Protection Legislation) without putting in place adequate protection for the Customer Data to enable compliance by the Customer and Core42 with their obligations under the Data Protection Legislation.