Microsoft Purchase Order Terms & Conditions (“PO Terms”)

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

1. Acceptance and Effect. These PO Terms are between the Microsoft entity (“Microsoft”) and the supplier identified in the

applicable SOW (“Supplier”) and cover:

a. “Cloud Services”: the services, websites (including hosting), solutions, platforms, and products that Supplier

makes available under or in relation to these PO Terms, including the software, mobile apps, equipment,

technology, and services necessary for Supplier to provide the foregoing.

b. “Deliverables”: all work product developed by Supplier (or Supplier’s approved subcontractor) for Microsoft as part

of the delivery of Goods, Services or Cloud Services, including intellectual property (“IP”) in connection with these PO

Terms. Deliverables are “work made for hire” for Microsoft as that term is defined under copyright law.

c. “Goods”: software and/or tangible goods licensed or purchased by Microsoft under these PO Terms.

d. “Services”: professional services, advertising, consulting services, and support and maintenance services

purchased by Microsoft under these PO Terms.

e. “SOW” means any of the following: (1) Microsoft purchase orders; (2) statements of work or other order forms

signed by both parties’ authorized representatives; or (3) written agreements signed by both parties’ authorized

representatives referencing, and subject to, these PO Terms.

These PO Terms are effective upon Supplier’s commencement of performance or the date of Supplier’s signature on the

applicable SOW, whichever is earlier. Except as set forth in Section 2 below, Supplier’s acceptance of these PO Terms is

expressly limited to these terms and conditions without counterproposal.

2. Relationship to Other Agreements. The terms and conditions of these PO Terms are the complete and binding agreement

between Microsoft and Supplier except:

a. If the parties mutually executed an agreement, such as a Microsoft Supplier Services Agreement, which is effective

on the date of these PO Terms and applies to the Goods, Services, or Cloud Services ordered with these PO Terms,

and that agreement applies to the relationship of the parties governed by these PO Terms, then the provisions of

such agreement are incorporated. If a conflict arises between these PO Terms and such agreement, to the extent

of that conflict, the terms of such agreement will apply. For the purposes of these PO Terms, online terms or

agreements that Microsoft accepts to login or access Goods, Services, or Cloud Services, such as installed

applications, embedded software, software as a service, or a platform, are not an agreement that has been

“mutually executed” and will not replace, supplement or amend the terms in these PO Terms in any way.

b. If multiple agreements with similar or contradictory provisions could apply to these PO Terms, the parties agree

the terms most favorable to Microsoft will apply, unless the result would be unreasonable, unconscionable, or

prohibited by law.

c. Except as stated above in this Section 2, and other than changes described in Section 9 and the Termination

provisions in Section 14, additional or different terms (for example, online terms or agreements) will not

supersede these PO Terms unless the parties mutually execute a written document.

3. Packing, Shipment and Returns of Goods or Deliverables. Unless specifically provided in these PO Terms:

a. Packing.

(1) Price based on weight will include net weight only.

(2) Supplier will not charge Microsoft for packaging or pre-shipping costs, such as boxing, crating,

handling damage, drayage, or storage.

b. Shipping.

(1) Supplier will mark all containers with necessary handling and shipping information, PO number(s), date of shipment,

and names of the consignee and consignor.

(2) An itemized invoice and packing list, and other documentation required for domestic or international transit,

regulatory clearance or identification of the Goods or Deliverables will accompany each shipment.

(3) Microsoft will only pay for the quantity received, not to exceed the maximum quantity ordered.

(4) Microsoft or its agent will hold over-shipments at Supplier’s risk and expense for a

reasonable time awaiting Supplier’s shipping instructions.

(5) Microsoft will not be charged for shipping or delivery costs.

(6) Unless otherwise agreed, Goods and Deliverables will be delivered on the 10

day after the purchase

order date:

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

(1) FOB to the Microsoft designated delivery location if the Goods and Deliverables originate in

the same jurisdiction as the Microsoft designated delivery location; or

(2) DDP (Incoterms 2010) to the Microsoft designated delivery location for cross border delivery of Goods

and Deliverables to the Microsoft designated delivery location.

(7) Supplier will bear all risk of loss, damage, or destruction to the Goods or Deliverables, in whole or in part, occurring

before final acceptance by Microsoft at the designated delivery location. Microsoft is responsible for any loss caused

by the gross negligence of its employees before acceptance.

c. Returns. Supplier will bear the expense of return shipping charges for over-shipped quantities or rejected items.

4. Invoices.`

a. Unless otherwise agreed, Supplier will invoice Microsoft monthly in arrears and only for accepted Goods,

Services and Deliverables.

b. To the extent that electronic invoice submission is available, Supplier will follow that process. MS Invoice

(https://einvoice.microsoft.com) is a web-based application, provided by Microsoft to its payees, which allows

payees to submit electronic invoices directly to Microsoft. The MS Invoice tool supports electronic invoice

submissions on a one-on-one basis or via mass upload if there are multiple invoices. Payee should contact the

Microsoft Accounts Payable Help Desk at https://www.microsoft.com/en-us/procurement/contracting-

apsupport.aspx and provide a valid justification if unable to submit invoices via this process; as an exception,

Microsoft will provide an alternative invoice submission process. Invoices must contain the following information:

PO number, item number, description of item, quantities, unit prices, extended totals, packing slip number,

shipping, ship to city and state, the Net Amount of the invoice; the VAT Number, VAT Rate, the VAT Amount, Total

Amount of Invoice, taxes, and any other information reasonably required by Microsoft. Supplier will not charge

Microsoft for researching, reporting on, or correcting any errors relating to its invoices. Microsoft may provide

electronic invoicing functionality to Supplier through the use of a third party invoicing service provider. In those

circumstances, Supplier authorizes the electronic invoicing provider to receive Supplier’s invoice data not yet

constituting an original invoice and subsequently to apply an electronic signature to the invoice data to issue

electronic invoices “in the name and on behalf of” Supplier.

c. Microsoft may dispute any invoice by providing written notice or partial payment. Microsoft will make

commercially reasonable efforts to notify Supplier in writing of any disputed amount within 60 days of receiving

the applicable invoice. Neither failing to provide notice nor payment of an invoice is a waiver of any claim or

right.

d. Most Favoured Pricing Commitment. These PO Terms are intended to provide Microsoft with Supplier’s

competitive pricing for the relevant Goods and/or Services. If it comes to either party’s attention that any non-

governmental agreement exists or is made between Supplier and any comparable third party which provides

lower pricing for comparable goods and/or services at similar volumes that comprise the relevant Goods and/or

Services, and under comparable terms and conditions, then Supplier agrees that thereafter Microsoft will be

entitled to pay for future Goods and/or Services at the lower pricing for the relevant Goods and/or Services.

e. Payment of Late Interest. If Microsoft fails to pay by the due date any amount payable by it under these PO

Terms, Supplier shall be entitled but not obliged to charge Microsoft interest on the overdue amount, from the

due date up to the date of actual payment, at the rate of two per cent (2%) per annum above the base rate for

the time being of the Bank of England. The parties agree that this constitutes a substantial remedy under the

Late Payment of Commercial Debts (Interest) Act 1998 (as amended or updated from time to time).

5. Payment Terms, Cash Discounts, Offset, and Expenses.

a. After Microsoft accepts the Goods, Services or Cloud Services and receives a correct and undisputed invoice (the “Create

Date”), Microsoft will release payment by net 10 days less a 2% discount on the invoiced amount or by net 60

days with no discount, following the Create Date.

b. Microsoft is not obligated to pay any invoice received from Supplier more than 120 days after Microsoft accepts the Goods,

Services or Cloud Services.

c. Payment of an invoice will not constitute acceptance under these PO Terms, and is subject to adjustment for errors,

shortages, defects, or other failure of Supplier to meet the requirements of these PO Terms.

d. Microsoft may set-off amounts owed to Microsoft against an amount Microsoft owes Supplier or Supplier’s affiliated

companies. Microsoft will provide notice to Supplier within a reasonable time after the set-off.

e. Unless otherwise agreed, Supplier is responsible for all expenses incurred providing the Goods, Services or Cloud Services

and performing under these PO Terms.

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

6. Taxes.

a. Except as otherwise provided below, the amounts to be paid by Microsoft to Supplier do not include taxes. Microsoft is not

liable for any taxes that Supplier is legally obligated to pay, including net income or gross receipts taxes, franchise taxes, and

property taxes. Microsoft will pay Supplier any sales, use or value added taxes it owes due to these PO Terms and which the

law requires Supplier to collect from Microsoft.

b. Microsoft will not be involved in the importation of the Goods, Services, or Cloud Services, and import taxes are the

responsibility of the Supplier unless otherwise agreed in a SOW.

c. If Microsoft provides Supplier a valid exemption certificate, Supplier will not collect the taxes covered by such certificate.

d. If the law requires Microsoft to withhold taxes from payments to Supplier, Microsoft may withhold those taxes and pay

them to the appropriate taxing authority. Microsoft will deliver to Supplier an official receipt for such taxes. Microsoft will

use reasonable efforts to minimize any taxes withheld to the extent allowed by law.

7. Inspection and Acceptance.

a. Microsoft may cancel these PO Terms or the applicable SOW if Supplier fails to comply with the standards and specifications

in these PO Terms.

b. All Goods and Services will be subject to Microsoft’s inspection and testing, at any time and place, including the period of

manufacture and before final acceptance. If Microsoft inspects or tests at Supplier’s premises, Supplier, without additional

charge, will provide all reasonable facilities and assistance for the safety and convenience of Microsoft’s inspectors. No

inspection or testing done or not done before final inspection and acceptance will relieve the Supplier from responsibility for

defects or for other failure to meet the requirements of these PO Terms.

c. If any item provided under these PO Terms is defective in materials or workmanship or not in conformity with the

requirements, then Microsoft may reject it without correction, require its correction within a specified time, accept it with an

adjustment in price, or return it to Supplier for full credit. When Microsoft provides notice to Supplier, Supplier will promptly

replace or correct, at their expense, any item rejected or requiring correction. If, after Microsoft’s request, Supplier fails to

promptly replace or correct a defective item within the delivery schedule, Microsoft may, at its sole option: (1) replace or

correct such item and charge the cost to Supplier; (2) without further notice terminate these PO Terms or the applicable

SOW for default, return the rejected item to Supplier at Supplier’s expense and Supplier will promptly refund any amounts

paid by Microsoft for the returned item; or (3) require a reduction in price.

d. Notwithstanding any prior inspections or payments made, all Goods and Services will be subject to final inspection and

acceptance at Microsoft’s designated location within a reasonable time after delivery or performance. Records of all

inspection work will be complete and available to Microsoft during performance of these PO Terms and for such further

period as Microsoft determines.

8. Additional Cloud Services Requirements.

a. Service Levels. Supplier will schedule any Cloud Services upgrades or maintenance during the Maintenance Window defined

in the applicable SOW. Supplier will provide Cloud Services in accordance with the service levels and terms specified at

https://aka.ms/CS_SLA (or any successor link), which is deemed part of documentation (e.g., specifications) and

incorporated and made part of these PO Terms.

b. Business continuity. Supplier will be responsible for establishing, implementing, testing, and maintaining an effective

enterprise-wide business continuity program (including disaster recovery and crisis management procedures) to provide

continuous access to, and support for, the Cloud Services to Microsoft. At a minimum, Supplier must, at all times: (1) back

up, archive and maintain duplicate or redundant systems that: (i) are located at a secure physical location (other than the

location of primary system(s) used to provide Cloud Services); (ii) are updated and tested at least annually; and (iii) can fully

recover the Cloud Services and all Microsoft Materials on a daily basis; and (2) establish and follow procedures and

frequency intervals for transmitting backup data and systems to Supplier’s backup location. On request, Supplier will provide

Microsoft with an overview of Supplier’s enterprise business continuity program and will promptly and in good faith provide

written responses to Microsoft’s inquiries in connection with that program to enable Microsoft to review the adequacy of

the program.

c. Transition. If the applicable SOW terminates or expires, or if Microsoft requests in writing, Supplier will provide: (1) backup

media to Microsoft (as reasonably requested by Microsoft) containing all Microsoft Materials (unless the Cloud Services

provide this as a self-service function to Microsoft); and (2) all assistance Microsoft reasonably requires (at Microsoft’s

expense) to timely and smoothly transition from the Cloud Services.

9. Changes. Microsoft may suspend Supplier’s performance, increase or decrease the ordered quantities, or make changes for

Microsoft’s reasonable business needs (each, a “Change Order”), by written notice to Supplier, including via e-mail, and without

any notice to Supplier sureties, subcontractors, or assignees. Unless mutually agreed, a Change Order does not apply to change

the Goods and Services timely and fully delivered before the date of the Change Order. If any change causes an increase or

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

decrease in the cost of, or the time required for, Supplier’s performance, an equitable adjustment may be made in the price or

delivery schedule or both, if Microsoft agrees to such adjustment in writing.

10. Tools and Equipment. All tools, equipment or materials acquired by Supplier for use in providing the Goods and Services, which

have been furnished to, paid for by or charged against Microsoft, including specifications, drawings, tools, dies, molds, fixtures,

patterns, hobs, electrodes, punches, artwork, screens, tapes, templates, special test equipment, gauges, content, data, and

software, will remain or become Microsoft’s property, treated as Microsoft Confidential Information, and delivered in good

condition, normal wear and tear excepted, by Supplier to Microsoft’s designated delivery location per Section 3, immediately

upon demand and without cost to Microsoft. Supplier warrants the item(s) and information will not be used for any work or

production of any materials or parts other than for Microsoft, without Microsoft’s prior written permission. Supplier will identify

for Microsoft all third-party IP or software used in conjunction with the Services.

11. Transfer of Undertakings.

a. These PO Terms are intended to create an independent supplier relationship between the parties. Nothing will be

construed as creating an exclusive relationship between the parties.

b. Supplier shall indemnify on demand and keep indemnified and hold harmless Microsoft, each Microsoft Affiliate and any

Replacement Supplier from and against any and all liabilities, losses, demands, claims, damages, costs and expenses

(including reasonable legal costs and expenses) arising from any act or omission by Supplier or any Supplier Affiliate or any

Sub-Supplier relating to the employment or termination of employment of any employee of Supplier or any Supplier

Affiliate or any Sub-Supplier who was assigned wholly or predominantly in providing the Services under these PO Terms: (i)

whose employment transfers to Microsoft or any Microsoft Affiliate or any Replacement Supplier by virtue of the Transfer

Regulations applying to the termination or expiry of these PO Terms and/or the transfer of all or part of the Services to

Microsoft or any Microsoft Affiliate or any Replacement Supplier, or (ii) whose employment would have transferred to

Microsoft or any Microsoft Affiliate or any Replacement Supplier by virtue of the Transfer Regulations if that person had

not been dismissed on or before the date of termination or expiry of these PO Terms.

c. Should any employee of, or other person engaged by, Supplier, any Supplier Affiliate or any Sub-Supplier transfer to

Microsoft or any Microsoft Affiliate or any Replacement Supplier by virtue of the Transfer Regulations applying to the

termination or expiry of these PO Terms and/or the transfer of all or part of the Services to Microsoft or any Microsoft

Affiliate or any Replacement Supplier or if such employee or other person is otherwise found or alleged to be employed by

Microsoft or any Microsoft Affiliate or any Replacement Supplier arising out of or in connection with their involvement in

the provision of the Services: (i) Microsoft or any Microsoft Affiliate or any Replacement Supplier may as soon as

reasonably practicable and in any event within fourteen (14) days of discovering such a finding or allegation terminate

their employment; and (ii) Supplier shall indemnify on demand and keep indemnified and hold harmless Microsoft, each

Microsoft Affiliate and any Replacement Supplier from and against any and all liabilities, losses, demands, claims, damages,

costs and expenses (including reasonable legal costs and expenses) arising out of or in connection with the employment or

termination of employment of any person whose employment is terminated pursuant to Section 11(c)(i) above.

d. Microsoft, any Microsoft Affiliate and any Replacement Supplier may enforce the terms of Section 11(b) and 11(c) above

and the Contracts (Rights of Third Parties) Act 1999 shall apply accordingly save that the consent of any Microsoft Affiliate

and any Replacement Supplier shall not be required to vary or rescind the terms of these PO Terms.

e. For the purposes of Sections 11(b), 11(c) and 11(d) above: (i) "Affiliate(s)" means, with respect to an entity, any person or

entity that directly or indirectly owns, is owned by, or is under common ownership with that entity. For the purposes of

this definition, ownership means control of more than a 50% interest in an entity; (ii) "Replacement Supplier" means any

person or entity who provides services in part or in whole to replace in part or in whole the Services provided under these

PO Terms; (iii) "Sub-Supplier" means a third party to whom Supplier delegates one or more of its obligations under these

PO Terms; (iv) "Transfer Regulations" means (a) national legislation implementing the Acquired Rights Directive (Council

Directive 77/187/EEC) (as amended) and/or Council Directive 2001/23/EC in the relevant jurisdiction (for example the

Transfer of Undertakings (Protection of Employment) Regulations 2006 in the UK); or (b) if (a) does not apply, any relevant

employment law in the relevant jurisdiction which provides a person with a right to become employed by Microsoft or any

Microsoft Affiliate or any Replacement Supplier as a consequence of the termination or expiry of these PO Terms and/or

the transfer of all or part of the Services to Microsoft or any Microsoft Affiliate or any Replacement Supplier.

12. Reports. Upon request from Microsoft, Supplier will promptly provide Microsoft with a Software Bill of Materials (“SBOM”)

for all software provided under these PO Terms. Each SBOM will meet the minimum requirements established by the U.S.

Department of Commerce or otherwise set forth by Law.

13. Ownership and Use of the Parties’ Respective IP.

a. Each party will own and retain all rights to its pre-existing IP and any IP developed independently of the Goods,

Services and Cloud Services under these PO Terms, including any of such party’s IP rights therein.

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

b. Microsoft will own all Deliverables, including all IP rights, all media in any format, hardware, and other tangible

materials created by Supplier while delivering the Services. Any Supplier work which is a written or customized

product or report related to, or to be used in, a Deliverable is regarded as IP.

c. If Deliverables do not qualify as a work made for hire, Supplier assigns to Microsoft all right, title, and interest in

and to the Deliverables, including all IP rights. Supplier waives all moral rights in Deliverables.

d. If Supplier uses any Supplier or third-party IP in any Good or Service, Supplier will continue to own Supplier’s IP rights.

Supplier will grant Microsoft a worldwide, nonexclusive, perpetual, irrevocable, royalty-free, fully paid up right and

license, under all current and future IP rights, to use Supplier’s and third-party IP consistent with Microsoft’s ownership

interests under this Section 13.

e. Supplier grants to Microsoft and its affiliated companies (including their employees, contractors, consultants, outsourced

workers, and interns engaged by Microsoft or any of its affiliated companies to perform services) a worldwide, irrevocable,

nonexclusive, perpetual, paid-up and royalty free license for any Goods that include software or other IP not subject to a

mutually executed separate license (including installed applications). The license allows Microsoft to use such software

and IP in connection with Goods. Microsoft may transfer this license to a Microsoft affiliated company, or a successor

owner by sale or lease.

f. Supplier grants to Microsoft and its affiliated companies (including their employees, contractors, consultants, outsourced

workers, and interns engaged by Microsoft or any of its affiliated companies to perform services) and their end users (if

any), to the limited extent necessary to the performance of the Cloud Services, a worldwide, nonexclusive, unlimited,

paid-up and royalty free right to access and use, during the term, Cloud Services, in each case for Microsoft’s business

purposes. Access to the Cloud Services is unlimited unless otherwise specified in a SOW.

g. Pass through warranties and indemnities. Supplier assigns and passes through to Microsoft all of the third-party

manufacturers’ and licensors’ warranties and indemnities for the Goods.

h. Title to the Goods (other than licensed software) will pass from Supplier to Microsoft on final acceptance.

i. Microsoft IP.

(1) Supplier may use “Microsoft Materials,” meaning any tangible or intangible materials, provided by or on

behalf of Microsoft, any of its affiliated companies, or their respective end users, to Supplier to perform

Services or Cloud Services, or obtained or collected by Supplier in connection with the Goods, Services, or

Cloud Services (e.g., usage data) (including hardware, software, source code, documentation, methodologies,

know how, processes, techniques, ideas, concepts, technologies, reports and data). Microsoft Materials may

include any modifications to, or derivative works of, the foregoing materials, (i) Personal Data, (ii) trademarks,

(iii) inputs and prompts to and outputs generated by an AI Model (as defined below), and any data entered

into any Supplier database as part of the Services or Cloud Services. Microsoft Materials do not include

Microsoft products obtained by Supplier outside of and unrelated to these PO Terms.

(2) Microsoft grants Supplier a nonexclusive, non-sublicensable (except to subcontractors approved by Microsoft

in accordance with these PO Terms), revocable license (i) under Microsoft’s IP rights in the Microsoft Materials

to copy, use and distribute Microsoft Materials provided to it only as necessary to perform the Services in

accordance with these PO Terms, and (ii) to use Microsoft Materials only as necessary to perform the Cloud

Services in accordance with these PO Terms. Supplier will not Sell, share, license, or otherwise commercialize

any Microsoft Materials.

(3) Microsoft retains all other interest in Microsoft Materials and related IP rights. Supplier has no right to

sublicense Microsoft Materials except to approved subcontractors as required to perform the delivery of

Goods, Services and CloudServices. If the Microsoft Materials come with a separate license, the

terms of that license will apply and those terms control in the case of conflict with these PO

Terms.

(4) Supplier will take reasonable precautions to protect and ensure against loss or damage, theft, or

disappearance of Microsoft Materials.

(5) Microsoft may revoke the license to Microsoft Materials at any time for any reasonable business reason.

The license will terminate automatically on the earlier of the expiration or termination of these PO Terms

or an applicable SOW. Supplier will promptly return any Microsoft Materials on request or termination of

Supplier’s license.

(6) Regarding Supplier’s use of Microsoft Materials:

(i) Supplier will not modify, reverse engineer, decompile, or disassemble Microsoft Materials

except as allowed by Microsoft;

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

(ii) Supplier will leave in place, and not alter or obscure proprietary notices and licenses

contained in Microsoft Materials;

(iii) Microsoft is not obligated to provide technical support, maintenance, or updates for

Microsoft Materials;

(iv) all Microsoft Materials are provided “as-is” without warranty; and

(v) Supplier assumes the risk of loss, damage, unauthorized access or use, or theft or

disappearance of Microsoft Materials in Supplier’s (or subcontractor’s) care, custody, or

control.

(7) No Microsoft Materials, IP or Confidential Information, may be used by Supplier or an AI Model to

customize, train, or improve, directly or indirectly, any artificial intelligence model or product

(including the AI Model itself) without Microsoft’s express prior written consent. Any failure to

obtain such consent is a material breach and Supplier’s limitation of liability in Section 19 will not

apply to claims based on a breach of this section. If Microsoft provides such consent, the parties

will first enter into a separate written agreement that addresses the terms under which

customization, training, or other improvements will occur and allocates the parties’ rights to and

liabilities arising therefrom. “AI Model” means any artificial intelligence model (including a deep

learning or machine learning model) used in connection with or incorporated into the Goods,

Services, or Cloud Services. Supplier will comply with all Microsoft Policies and requirements

related to the use of AI Models and the responsible use of AI.

14. Representations and Warranties. Supplier represents and warrants that:

a. it has full rights and authority to enter into, perform under, and grant the rights in according to these PO

Terms and its performance will not violate any agreement or obligation between it and any third party;

b. Services will be performed professionally and be at or above industry standard;

c. Goods, Services, Cloud Services and Deliverables must meet the standards and

specifications in these PO Terms and be suitable for the intended use;

d. it will provide to Microsoft all Goods, Services and Deliverables free from: (1) any defects in design,

workmanship, and materials; (2) any liability for royalties; and (3) any mechanic’s liens or any other statutory lien

or security interest or encumbrance;

e. the Goods, Services, Cloud Services, Deliverables and any Supplier or third-party IP provided to Microsoft

under these PO Terms:

(1) are not governed, in whole or in part, by an Excluded License. “Excluded License” means any

software license that requires as a condition of use, modification and/or distribution, that the

software or other software combined and/or distributed with it be: (i) disclosed or distributed in

source code form; (ii) licensed to make derivative works; or (iii) redistributable at no charge; and

(2) will not be subject to license terms that require any (i) Microsoft product, service, or documentation, or any

Supplier or third-party IP licensed to Microsoft, or documentation which incorporates or is derived from such

Goods, Services, Cloud Services, Deliverables, or Supplier or third-party IP, or (ii) Microsoft Materials or

Microsoft IP, to be licensed or shared with any third party;

f. the Goods, Services, Cloud Services, Deliverables and any Supplier or third-party IP provided to Microsoft under

these PO Terms will not:

(1) to the best of Supplier’s knowledge, infringe any third-party patent, copyright, trademark, trade secret or

other proprietary right of any third party; or

(2) contain any viruses or other malicious code that will degrade or infect any Goods, Deliverables,

products, services, or any other software or Microsoft’s network or systems;

g. Supplier will comply with all Laws, rules, and regulations, including Data Protection Law (as defined in Exhibit A),

artificial intelligence Laws, and Anti-Corruption Laws (i.e., all Laws against fraud, bribery, corruption, inaccurate books

and records, inadequate internal controls, and/or money-laundering, including the U.S. Foreign Corrupt Practices Act),

whether local, state, federal or foreign. The Goods, Services, Cloud Services, parts, components, devices, software,

technology, and other materials provided under these PO Terms (collectively, “Items”) may be subject to applicable

trade laws in one or more countries. The Supplier will comply with all relevant laws and regulations applicable to the

import or export of the Items, including but not limited to, trade laws and regulations such as the U.S. Export

Administration Regulations or other end-user, end use, and destination restrictions by the U.S. and other governments,

as well as sanctions regulations administered by the U.S. Office of Foreign Assets Control (“Trade Laws”). Microsoft

may suspend or terminate these PO Terms immediately to the extent that Microsoft reasonably concludes that

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

continued performance would violate Trade Laws or put it at risk of becoming subject to sanctions or penalties under

Trade Laws. Supplier is responsible for ensuring compliance with the transfer or re-transfer of intangible items,

such as technology. Supplier agrees to provide Microsoft with the import/export control classifications and

information, including documentation, on the applicable import, export, or re-export authorizations, and all necessary

information about the Items for any required import, export or re-export procedures and/or licenses, without

additional cost to Microsoft. For additional information, see https://www.microsoft.com/en-us/exporting. “Law”

means all applicable laws, rules, statutes, decrees, decisions, orders, regulations, judgments, codes, enactments,

resolutions, and requirements of any government authority (federal, state, local, or international) having jurisdiction;

h. Supplier will comply with all applicable Anti-Corruption Laws. While performing under these PO Terms, Supplier will

provide training to its employees on compliance with Anti-Corruption Laws and, upon request by Microsoft, will

complete Microsoft’s standard online training for supplier compliance with Anti-Corruption Laws.

i. Supplier will, at its expense: (1) implement and maintain appropriate technical and organizational measures to

protect the Microsoft Materials, including Personal Data, and any other Microsoft Confidential Information against

accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Microsoft Materials,

including Personal Data, or any other Microsoft Confidential Information, transmitted, stored or otherwise

processed; (2) as soon as commercially and technologically practicable, remediate any material vulnerabilities of

which Supplier becomes aware; and (3) comply with Supplier’s confidentiality, artificial intelligence, privacy and

data protection obligations under these PO Terms, including Sections 15, 16 and Exhibit A.

15. Termination. Microsoft may terminate these PO Terms or the applicable SOW with or without cause.

Termination is effective upon written notice. If Microsoft terminates for convenience, its only obligation is to pay

for:

a. Deliverables or Goods it accepts before the effective date of termination; or

b. Services performed, where Microsoft retains the benefit after the effective date of termination; or

c. Cloud Services delivered before the effective date of termination (or any post termination transition requested by

Microsoft). Supplier will (without prejudice to any other remedies Microsoft may have) provide a pro-rata refund to

Microsoft for any prepaid unused fees.

16. Security, Privacy, Artificial Intelligence and Data Protection. Supplier will comply with the following, at its own cost

and expense.

a. Without limiting Microsoft’s audit rights in these PO Terms, Supplier will (1) participate in the Microsoft

Supplier Security and Privacy Assurance (“SSPA”) program, as required by Microsoft, including by

attesting to Supplier’s compliance status with respect to all applicable portions of Microsoft’s then

current Supplier Data Protection Requirements (“DPR”) on an annual basis (or more frequently if

additional portions of the DPR become available), and (2) comply with Microsoft’s then current DPR. See

https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx, Supplier Security and

Privacy Assurance (SSPA) (aka.ms), for SSPA program details, including the program requirements and

current DPR.

b. Supplier’s security procedures must include risk assessment and controls for: (1) system access; (2) system and

application development and maintenance; (3) change management; (4) asset classification and control;

(5) incident response, physical and environmental security; (6) disaster recovery/business continuity;

and (7) employee training. Those measures will be set forth in a Supplier security policy. Supplier will

make that policy available to Microsoft, along with descriptions of the security controls in place for the

Services and Cloud Services, upon Microsoft’s request and other information reasonably requested by

Microsoft regarding Supplier security practices and policies.

c. When Supplier provides Cloud Services, Supplier will only use the cloud infrastructure provider (“CIP”)

identified in the applicable SOW in providing Cloud Services and will notify Microsoft at least 90 days

before it changes, adds, or undertakes any plan to change, the CIP and at least 30 days before any

change in location of Microsoft Materials. If Microsoft rejects the change, it may terminate the

applicable SOW immediately, with no further obligations.

d. Supplier will comply with the privacy and data protection requirements in Exhibit A.

e. Without limiting Supplier’s obligations under these PO Terms, including the DPR, on becoming aware of

any Security Incident (defined below), Supplier will:

(1) notify Microsoft without undue delay of the Security Incident (in any case no later than it notifies any

similarly situated customers of Supplier and in all cases before Supplier makes any general public

disclosure (e.g., a press release));

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024) 
(2)  promptly investigate or perform required assistance in the investigation of the Security Incident and 
provide Microsoft with detailed information about the Security Incident, including a description of the 
nature of the Security Incident, the approximate number of Data Subjects affected, the Security 
Incident’s current and foreseeable impact, and the measures Supplier is taking to address the Security 
Incident and mitigate its effects; and 
(3)  promptly take all commercially reasonable steps to mitigate the effects of the Security Incident, or 
assist Microsoft in doing so. 
“Security Incident” means any: (1) accidental or unlawful destruction, loss, alteration, unauthorized disclosure 
of, or access to Confidential Information, including Personal Data, transmitted, stored, or otherwise processed 
by Supplier or its subcontractors; or (2) Security Vulnerability (i) related to Supplier’s handling of Confidential 
Information, including Personal Data, or (ii) impacting Microsoft products, services, software, network, or 
systems. “Security Vulnerability” means a weakness, flaw, or error found within a security system of Supplier or 
its subcontractors that has a reasonable likelihood to be leveraged by a threat agent in an impactful way. 
Supplier will comply with this Section 15(e) at Supplier’s cost unless the Security Incident arose from 
Microsoft’s negligent or willful acts or Supplier’s compliance with Microsoft’s express written instructions. 
Supplier must obtain Microsoft’s written approval before notifying any governmental entity, individual, the 
press, or other third party of a Security Incident that affected or reasonably could affect Microsoft, including any 
Confidential Information that Supplier received from Microsoft or Processed on behalf of Microsoft.  
f.  Artificial Intelligence. If the Goods, Services or Cloud Services include artificial intelligence technology, 
Supplier will, at its expense, implement and maintain appropriate technical and organizational measures 
to ensure such artificial intelligence technology complies with all Laws and industry standards, including 
standards and policies related to the ethical or responsible use of artificial intelligence; the ability to 
explain algorithms and logic in decision making and the output, the likely outcome of each AI Model 
with respect to end users, change management to comply with Laws and appropriate industry standards 
and employee training. Supplier will make that policy available to Microsoft on Microsoft’s request 
along with other information reasonably requested by Microsoft regarding Supplier practices and 
policies. 
g.  Notifications. 
(1)  Supplier must obtain Microsoft’s written approval before notifying any governmental entity, 
individual, the press, or other third party of a Security Incident or in connection with Supplier’s use of 
artificial intelligence technology including an AI Model (an “AI Inquiry”) that affected or reasonably 
could affect Microsoft, including any Confidential Information that Supplier received from Microsoft 
or Processed on behalf of Microsoft. For any disclosure of a Security Incident or AI Inquiry to a third 
party, Supplier will, as part of its notification to Microsoft, disclose the identity of the third party and a 
copy of the notification (if the notification to the third party has not been sent, Supplier will provide a 
draft to Microsoft). Supplier will permit Microsoft to offer edits or updates to the notification. 
Microsoft’s release of information about an AI Model in relation to an AI Inquiry is not a breach of 
Microsoft’s confidentiality obligations in these PO Terms. 
(2)  Supplier may notify a third party about a Security Incident affecting Personal Data if it is under a legal 
obligation to do so, provided that Supplier makes every effort to give Microsoft prior notification, as 
soon as possible and if prior notification is not possible, notify Microsoft immediately once it becomes 
possible to give notification. 
17.  Supplier Code of Conduct. Supplier will comply with the most current Supplier Code of Conduct at https://aka.ms/scoc and the 
most current Anti-Corruption Policy for Microsoft Representatives at http://aka.ms/microsoftethics/representatives, and any 
other Policies (e.g., physical or information security or artificial intelligence Policies) or training identified by Microsoft in a SOW 
or otherwise during the Term (and will provide such training). 
18.  Accessibility. Any device, product, website, web-based application, cloud service, software, mobile applications, or content 
developed or provided by or on behalf of Supplier or Supplier’s Affiliate under these PO Terms must comply with all legal 
accessibility requirements. For purchases with a User Interface (UI) this includes conformance to Level A and AA Success 
Criteria of the latest published version of the Web Content Accessibility Guidelines (“WCAG”), available at 
https://www.w3.org/standards/techs/wcag#w3c_all, Section 508 of the Rehabilitation Act, available at 
https://www.section508.gov and the European standard EN 301 549 available at https://eur-
lex.europa.eu/eli/dir/2016/2102/oj. Suggested documentation includes completion of the VPAT 2.4 INT: which incorporates all 
three of the above standards and is available at https://www.itic.org/policy/accessibility/vpat.  
19.  No Waiver. Microsoft’s delay or failure to exercise any right or remedy will not result in a waiver of that or any other 
right or remedy. 
20.  Insolvency; Limitations of Liability. 

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

a. The insolvency or adjudication of bankruptcy, filing a voluntary petition in bankruptcy, or making an assignment for the

benefit of creditors by either party will be a material breach of these PO Terms. For these PO Terms, “insolvency”

means either (1) the party’s liabilities exceed its assets, each fairly stated, or (2) the party’s failure to pay its business

obligations on a timely basis in the regular course of business.

b. Limitations of Liability. EXCEPT FOR THE INDEMNIFICATION OBLIGATIONS STATED IN SECTION 21, A BREACH

OF A PARTY’S CONFIDENTIALITY, SECURITY, PRIVACY, DATA PROTECTION, ARTIFICIAL INTELLIGENCE, AND

PUBLICITY OBLIGATIONS UNDER THESE PO TERMS, INFRINGEMENT, MISUSE, OR MISAPPROPRIATION OF IP

RIGHTS IN CONNECTION WITH THESE PO TERMS, OR FRAUD, NEITHER PARTY WILL BE LIABLE TO THE OTHER

FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES (INCLUDING DAMAGES

FOR LOSS OF DATA, REVENUE, AND/OR PROFITS), WHETHER FORESEEABLE OR UNFORESEEABLE, WHICH ARISE

OUT OF THESE PO TERMS, REGARDLESS OF WHETHER THE LIABILITY IS BASED ON BREACH OF CONTRACT,

TORT, STRICT LIABILITY, BREACH OF WARRANTIES OR OTHERWISE, AND EVEN IF THE PARTY IS ADVISED OF THE

POSSIBILITY OF THOSE DAMAGES.

21. Subcontracting. Supplier will not subcontract with any third party to furnish any Goods, Services or Cloud Services

without Microsoft’s prior written consent. If Supplier subcontracts any Services or Cloud Services to any subcontractor,

Supplier will be fully liable to Microsoft for any actions or inactions of subcontractor, remain subject to all obligations

under these PO Terms, require the subcontractor to agree in writing that Microsoft is an intended third-party beneficiary

of its agreement with Supplier and require the subcontractor to agree in writing to terms no less protective of Microsoft

than the terms of these PO Terms applicable to the work performed by the subcontractor, including the privacy and data

protection terms in Section 15 of these PO Terms and Exhibit A.

22. Indemnification and Other Remedies.

a. Supplier will defend, indemnify and hold harmless Microsoft and Microsoft affiliates companies against all claims,

demands, loss, costs, damages, and actions for: (1) actual or alleged infringements of any third-party IP or IP

rights or Microsoft IP or IP Rights, which arise from the Goods, Services or Cloud Services provided under these

PO Terms; (2) any claim that, if true, would constitute a breach of Section 15, Exhibit A, or any Supplier warranty

contained herein; (3) any act or omission of or failure to comply with tax obligations or Law by Supplier or

Supplier’s agents, employees, or subcontractors; (4) any breach by Supplier or its subcontractors of

confidentiality, security, or privacy, data protection, artificial intelligence, or publicity obligations under these

PO Terms; (5) the negligent or willful acts or omissions of Supplier or its subcontractors, which results in any

bodily injury, including mental injury, or death to any person or loss, disappearance or damage to tangible or

intangible property; and (6) any claims of its employees, affiliated companies or subcontractors regardless of

the basis, including, but not limited to, the payment of settlements, judgments, and reasonable attorneys’ fees.

b. In addition to all other remedies available to Microsoft, if use of the Goods, Services, or Cloud Services under these PO

Terms are enjoined, injunction is threatened, or may violate applicable law, Supplier, at its expense will notify

Microsoft and immediately replace or modify such Goods, Services and Cloud Services so they are non-infringing,

compliant with applicable law, and useable to Microsoft’s satisfaction. If Supplier does not comply with this Section

21(b), then in addition to any amounts reimbursed under this Section 21 (Indemnification and Other Remedies),

Supplier will refund all amounts paid by Microsoft for infringing or non-compliant Goods, Services and Cloud Services

and pay reasonable costs to transition Services and Cloud Services to a new supplier.

23. Insurance. Supplier will maintain sufficient insurance coverage to meet obligations required by these PO Terms and by

Law. Supplier’s insurance must include the following coverage (or the local currency equivalent) to the extent these PO

Terms or the applicable SOW creates risks generally covered by these insurance policies:

Table A1 – Required Insurance Coverage

Coverage

Form

Limit

Commercial general liability, including contractual and product

liability

Occurrence

$ 1,000,000 USD

Automobile liability

Occurrence

$ 1,000,000 USD

Privacy and cybersecurity liability, as reasonably commercially

available (including costs arising from data destruction, hacking or

intentional breaches, crisis management activity related to data

breaches, and legal claims for security breach, privacy violations, and

notification costs)

Per claim

$2,000,000 USD

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Workers’ compensation

Statutory

Employer’s liability

Occurrence

$ 500,000USD

Professional liability/E&O, covering third-party proprietary

rights infringement (e.g., copyright and trademark) if

reasonably commercially available

Per claim

$2,000,000 USD

NOTES:

1 All limits per claim or occurrence unless statutory requirements are otherwise may be converted to local

currency.

2 Supplier will name Microsoft, its subsidiaries, and their respective directors, officers, and employees as

additional insureds in the Commercial general liability policy, to the extent of contractual liability assumed by

Supplier in Section 21.

3 With a retroactive coverage date no later than the effective date of these PO Terms or the applicable SOW or

Order. Supplier will maintain active policy coverage or an extended reporting period providing coverage for

claims first made and reported to the insurer within 12 months after these PO Terms terminate or expire or the

applicable SOW or Order is fulfilled.

Supplier must obtain Microsoft’s prior written approval for any deductible or retention in excess of $100,000 USD per

occurrence or accident. Supplier will deliver to Microsoft proof of the insurance coverage required under these PO Terms

on request. Supplier will promptly buy additional coverage, and notify Microsoft in writing, if Microsoft reasonably

determines Supplier’s coverage is less than required to meet its obligations.

24. Non-Disclosure of Confidential Matters. If the parties have entered into a standard Microsoft Non-Disclosure Agreement,

the terms of such agreement will apply to and be incorporated in these PO Terms and the existence of and all terms and

conditions of these PO Terms and Microsoft Materials will be deemed Microsoft Confidential Information. If the parties

have not entered into a standard Microsoft Non-Disclosure Agreement, then Supplier agrees that during the term of these

PO Terms and for 5 years thereafter, Supplier will hold in strictest confidence, and will not use or disclose to any third

party (except to a Microsoft Affiliate), any Microsoft Confidential Information. The term “Microsoft Confidential

Information” means all nonpublic information that Microsoft or an affiliated company designates in writing or orally as

being confidential, or which, under the circumstances of disclosure would indicate to a reasonable person that it ought to

be treated as confidential. Notwithstanding anything to the contrary in these PO Terms, all Personal Data shared with

Supplier or a Supplier affiliate and in connection with these PO Terms is Microsoft Confidential Information. If Supplier has

questions regarding what comprises Microsoft Confidential Information, Supplier will consult Microsoft. Microsoft

Confidential Information will not include information known to Supplier before Microsoft’s disclosure to Supplier, or

information publicly available through no fault of Supplier.

On expiration or termination of these PO Terms or the applicable SOW, or on request by Microsoft or Microsoft’s Affiliate,

Supplier will without undue delay: (i) return all Microsoft Confidential Information (including copies thereof) to Microsoft

or the applicable Microsoft Affiliate; or (ii) where requested by Microsoft or its Affiliate, destroy the Microsoft

Confidential Information (including copies thereof) and certify its destruction, in each case unless the Law expressly

requires otherwise or the parties otherwise expressly agree in writing. For any Microsoft Confidential Information that

Supplier retains after expiration or termination of these PO Terms or the applicable SOW (for example, because Supplier

is legally required to retain the information), Supplier will continue to comply with all terms of these PO Terms applicable

to that Confidential Information, including all confidentiality obligations, and those applicable terms will survive such

termination or expiration.

25. Independent Development. Nothing in these PO Terms restricts Microsoft’s ability to, directly or indirectly, acquire,

license, develop, manufacture, or distribute, same or similar technology or services to the Goods, Services or Cloud

Services contemplated by these PO Terms. Microsoft may use, market, and distribute such similar technology or services

in addition to, or in lieu of, the technology or services contemplated by these PO Terms, including any software or cloud

services (in whole or in part).

26. Audit. During the term of these PO Terms and for 4 years after, Supplier will keep usual and proper records and books of

account and quality and performance reports related to Goods, Services or Cloud Services, the Processing of Personal Data,

and as otherwise required for legal compliance (“Supplier Records”). During this period, Microsoft may audit and/or inspect

the applicable records and facilities to verify Supplier’s compliance with these PO Terms, including privacy, security, export

compliance, accessibility, and taxes. Microsoft or its designated independent consultant or certified public accountant

(“Auditor”) will conduct audits and inspections. Microsoft will provide reasonable notice (15 days except in emergencies) to

Supplier before the audit or inspection and will instruct the Auditor to avoid disrupting Supplier’s operations, including

consolidating audits where practical. Supplier agrees to provide Microsoft’s designated audit or inspection team reasonable

access to the Supplier records and facilities. If the auditors determine that Microsoft overpaid Supplier, Supplier will reimburse

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Microsoft for any such overpayment. If Supplier overcharged Microsoft 5% or more during an audited period, it will

immediately refund Microsoft all overpayments plus pay interest at 0.5% per month on such overcharge. Microsoft will bear

the expense of its auditors or inspection team. However, if the audit shows Supplier overcharged Microsoft by 5% or more

during such audit period, Supplier will reimburse Microsoft for such expenses. Nothing in this Section limits Microsoft’s right to

audit Supplier under any other Section of these PO Terms, including Exhibit A.

27. Assignments. No right or obligation under these PO Terms (including the right to receive monies due) will be assigned

without the prior written consent of Microsoft. Any assignment without such consent will be void. Microsoft may assign

its rights under these PO Terms.

28. Notice of Labor Disputes. Whenever an actual or potential labor dispute delays or threatens to delay the timely performance

of these PO Terms, Supplier will immediately notify Microsoft in writing of such dispute and furnish all relevant details.

Supplier will include a provision identical to the above in each subcontract and, immediately upon receipt of such notice, give

written notice to Microsoft.

29. Patent License. Notwithstanding other conditions stated herein, if Supplier fails in performance according to the terms of

these PO Terms, Supplier, as part of the consideration for these PO Terms

and without further cost to Microsoft, automatically grants to Microsoft an irrevocable, non-exclusive, royalty-free right

and license to use, sell, manufacture, and cause to be manufactured any and all products, which embody any and all

inventions and discoveries made, conceived, or actually reduced to practice by or on behalf of Supplier in connection with a

Deliverable under these PO Terms.

30. Jurisdiction and Governing Law. For Goods, Deliverables, Services and Cloud Services provided to Microsoft in the United

States, these PO Terms are governed by Washington State Law (disregarding conflicts of law principles), and the parties

consent to exclusive jurisdiction and venue in the state and federal courts in King County, Washington. All Cloud Services are

deemed provided in the United States if any access or use of Cloud Services by Microsoft occurs in the United States. For all

other Goods, Services and Cloud Services provided to Microsoft, the Laws, jurisdiction and venue of the country where

Microsoft (i.e., the entity other than Supplier who is the contracting entity to these PO Terms) is incorporated or otherwise

formed will govern these PO Terms. Neither party will claim lack of personal jurisdiction or forum non conveniens in these

courts. In any action or suit related to these PO Terms, the prevailing party is entitled to recover its costs including reasonable

attorneys’ fees.

31. Publicity; Use of Trademarks. Supplier will not issue press releases or other publicity related to Supplier’s relationship with

Microsoft or these PO Terms without prior written approval from Microsoft. If written approval is granted, Supplier may

only use Trademarks for Services, Cloud Services and Deliverables in compliance with the guidelines at

https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx.

32. Contracts (Rights of Third Parties) Act 1999. Except insofar as these PO Terms expressly provide that a third party

may in his own right enforce a term of these PO Terms, a person who is not a party to these PO Terms has no right

under the Contracts (Rights of Third Parties) Act 1999 to rely upon or enforce any term of these PO Terms but this

does not affect any right or remedy of a third party which exists or is available apart from that Act.

33. Severability, URLs. If a court of competent jurisdiction determines that any provision of these PO Terms is illegal,

invalid, or unenforceable, the remaining provisions will remain in full force and effect. URLs also refer to successors,

localizations, and information or resources linked from within websites at those URLs. Neither party has entered into

these PO Terms in reliance on anything not contained or incorporated in these PO Terms. These PO Terms will be

interpreted according to their plain meaning without presuming that they should favor either party.

34. Survival. The provisions of these PO Terms which, by their terms, require performance after the termination or

expiration or have application to events that may occur after the termination or expiration of these PO Terms or the

applicable SOW, will survive the termination or expiration of these PO Terms and the applicable SOW. All indemnity

obligations and indemnification procedures will survive the termination or expiration of these PO Terms and the

applicable SOW.

[Remainder of this page is intentionally left blank]

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Exhibit A – Data Protection

SECTION 1 Scope, Order of Precedence, and Term

(a) This Exhibit modifies and supplements the terms and conditions in the PO Terms as they relate to Supplier’s Processing

of Personal Data and compliance with Data Protection Law. The SOW (if any) designates the Supplier’s status as a

Controller or a Processor. Notwithstanding anything to the contrary in the PO Terms, if there is a conflict between this

Exhibit and the PO Terms, this Exhibit will control. This Exhibit will be attached to and incorporated into the PO Terms.

(b) This Exhibit applies only to the extent that Supplier receives, stores, or Processes Personal Data or Confidential

Information in connection with the Goods, Services, or Cloud Services.

SECTION 2 Definitions

(a) All capitalized terms not defined in this Exhibit will have the meanings set forth in the PO Terms.

(b) The following terms have the definitions given to them in the CCPA: “Business,” “Business Purpose,” “Sale,” “Share,”

“Service Provider,” “Contractor,” and “Third Party.”

(c) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. “Controller”

includes a Business, Controller (as that term is defined in the GDPR), and equivalent terms in Data Protection Laws, as

context requires.

(d) “Data Exporter” means the party that (1) has a corporate presence or other stable arrangement in a jurisdiction that

requires an International Data Transfer Mechanism and (2) transfers Personal Data, or makes Personal Data available to,

the Data Importer.

(e) “Data Importer” means the party that is (1) located in a jurisdiction that is not the same as the Data Exporter’s

jurisdiction and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by

the Data Exporter.

(f) “Personal Data Incident” means any:

(1) destruction, alteration, use, loss, disclosure of, or access to Personal Data transmitted, stored, or otherwise

processed by Supplier or its subcontractors that is not authorized by law or these PO Terms or any other breach of

the protection of Personal Data; or

(2) Security Vulnerability related to Supplier’s handling of Personal Data. “Security Vulnerability” means a weakness,

flaw, or error found within a security system of Supplier or its subcontractors that has a reasonable likelihood to be

leveraged by a threat agent in an impactful way.

(g) “Data Protection Law” means any Law applicable to Supplier or Microsoft, relating to data security, data protection,

and/or privacy, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to processing of personal data and the free movement of that data (“GDPR”),

and Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”), and any implementing,

derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced,

or re-enacted.

(h) “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by

referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more

factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural

person.

(i) “De-identified Data” means information that cannot reasonably be linked to an identified or identifiable

individual.

(j) “EEA” means the European Economic Area.

(k) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) and any

other data or information that constitutes personal data or personal information under any applicable Data Protection Law.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier

such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical,

physiological, genetic, mental, economic, cultural, or social identity of that natural person.

(l) “Process” or “Processing” means any operation or set of operations that a party performs on Personal Data, including

collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by

transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

(m) “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes Service

Provider, Contractor, Processor (as that term is defined in the GDPR), and equivalent terms in Data Protection Laws, as

context requires.

(n) “Protected Health Information” or “PHI” means Microsoft Personal Data that is protected by the Health Information

Portability and Accountability Act (HIPAA).

(o) “Pseudonymous Data” means information that cannot be attributed to a specific individual without the use of additional

information provided that it is kept separately and subject to appropriate technical and organizational measures to ensure

that it is not attributed to the individual.

(p) “Sensitive Data” means the following types and categories of data: (1) data revealing racial or ethnic origin, political

opinions, religious or philosophical beliefs, immigration or citizenship status, or trade union membership; genetic data; (2)

biometric data; (3) data concerning health, including protected health information governed by the Health Insurance

Portability and Accountability Act; (4) data concerning a natural person’s sex life or sexual orientation; (5) government

identification numbers (e.g., SSNs, driver’s license); (6) payment card information; (7) nonpublic personal information

governed by the Gramm Leach Bliley Act; (8) an unencrypted identifier in combination with a password or other access

code that would permit access to a data subject’s account; (9) personal bank account numbers; (10) data related to

children; and (11) precise geolocation.

(q) “Standard Contractual Clauses” means the European Union standard contractual clauses for international

transfers from the European Economic Area to third countries, Commission Implementing Decision (EU)

2021/914 of 4 June 2021, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-

dimension-data-protection/standard-contractual-clauses-scc_en.

(r) “Subprocessor” means a Processor engaged by a party who is acting as a Processor.

SECTION 3 Description of the Parties’ Personal Data Processing Activities and Statuses of the Parties

(a) Schedule 1 describes the purposes of the parties’ Processing, the types or categories of Personal Data involved in the

Processing, and the categories of Data Subjects affected by the Processing.

(b) Schedule 1 lists the parties’ statuses under relevant Data Protection Law.

(c) The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal

Data and categories of Data Subjects may be more specifically described in a statement of work, Microsoft purchase

order, or written agreement signed by the parties’ authorized representatives, which forms an integral part of the PO

Terms; if this is the case, the more specific description will control over Schedule 1.

SECTION 4 International Data Transfer

(a) Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra

measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does not

protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data Transfer

Mechanism”). The parties will comply with any International Data Transfer Mechanism that may be required by

applicable Data Protection Law, including the Standard Contractual Clauses.

(b) If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties will

work together in good faith to find a suitable alternative.

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Data Transfer Mechanism, (e.g., the EEA, Switzerland, or the United Kingdom) that Microsoft transfers to Supplier or permits

Supplier to access, the parties agree upon these PO Terms becoming effective they also execute the Standard Contractual

Clauses, which will be incorporated by reference and form an integral part of the PO Terms. The parties agree that, with respect

to the elements of the Standard Contractual Clauses that require the parties’ input, Schedules 1 and 2 contain information

relevant to the Standard Contractual Clauses’ Annexes. The parties agree that, for Personal Data of Data Subjects in the United

Kingdom, Switzerland, or another country specified in Schedule 1, they adopt the modifications to the Standard Contractual

Clauses listed in Schedule 1 to adapt the Standard Contractual Clauses to local law, as applicable.

SECTION 5 Mutual Obligations of the Parties

(a) Compliance. The parties will comply with their respective obligations under Data Protection Law and their privacy notices,

including by providing the same level of privacy protection that is required of Businesses under the CCPA.

(b) Information. Upon request, Supplier will provide reasonably relevant information to Microsoft to enable Microsoft to fulfill its

obligations (if any) to conduct data protection assessments or prior consultations with data protection authorities.

(c) Notification. Supplier will notify Microsoft if it determines that it can no longer meet its obligations under applicable Data

Protection Law.

(d) Cooperation. If Supplier receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or

regulatory authority, or faces an actual or potential claim, inquiry, or complaint in connection with Parties’ Processing of Personal

Data provided to Supplier by or on behalf of Microsoft, its affiliates, or its respective end users, or obtained or collected by

Supplier in connection with the purposes described in Schedule 1 (collectively, an “Inquiry”), then Supplier will notify Microsoft

without undue delay, but in no event later than ten (10) business days, unless such notification is prohibited by applicable law.

Supplier will promptly provide Microsoft with information relevant to the Inquiry, including any information relevant to the

defense of a claim, to enable Microsoft to respond to the Inquiry.

(e) Confidentiality. Supplier will ensure that persons authorized to Process the Personal Data have committed themselves to

confidentiality obligations no less protective than those set forth in the PO Terms or are under an appropriate statutory obligation

of confidentiality.

(f) Security Controls. Supplier will abide by Schedule 2 and take all measures required in accordance with good industry practice and

by Data Protection Law relating to data security (including pursuant to Article 32 of the GDPR). Supplier will implement

appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

(g) Obligations Related to PHI. If Supplier’s engagement involves the Processing of PHI, Supplier must have a Business Associate PO

Terms and/or other required PO Terms in place with Microsoft.

SECTION 6 Supplier’s Obligations as Independent Controller (if applicable). If Supplier is a Controller of Personal Data that is

collected, exchanged, or otherwise Processed in connection with Supplier’s performance of the PO Terms (see Schedule 1), then:

(a) Supplier acknowledges and agrees that Supplier is independently responsible for compliance and will comply with

applicable Data Protection Law (e.g., obligations of Controllers);

(b) Supplier will not Sell Personal Data;

(c) Supplier agrees to be responsible for providing notice to Data Subjects as may be required by applicable Data Protection

Law (e.g., GDPR Articles 13 and 14, as applicable) and responding, as required by Data Protection Laws such as Chapter III

of GDPR, to Data Subject’s requests to exercise their rights and identifying a lawful basis of Processing (e.g., consent or

legitimate interest);

(d) Supplier agrees that will keep Pseudonymous Data separate from any additional information necessary to make such

Pseudonymous Data attributable to a specific individual and will subject such Pseudonymous Data to appropriate technical

and organizational measures to ensure that it is not attributed to specific individual; and

(e) Supplier agrees that it will take reasonable measures to ensure that De-identified Data cannot be associated with a

specific consumer or household, publicly commit to maintain the De-identified Data in de-identified form and not

attempt to reidentify it, and contractually commit any Subprocessors to do the same

SECTION 7 Supplier’s Obligations as Third Party (if applicable). If Supplier Processes Personal Data as a Third Party under the CCPA in

connection with Supplier’s performance of the PO Terms (see Schedule 1), then:

(a) Supplier will Process Personal Data only for the limited and specific business purpose(s) described in Schedule 1.

(b) Supplier agrees that the Personal Data is made available only for the limited and specified purpose(s) set forth in the contract,

and that Supplier may use the information only for those purposes.

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

(d) Supplier will allow Microsoft to take reasonable and appropriate steps to ensure that Supplier uses the Personal Data that it

received from, or on behalf of, Microsoft in a manner consistent with Microsoft’s obligations under the CCPA.

(e) Supplier will allow Microsoft, upon notice, to take reasonable and appropriate steps to stop and remediate any

unauthorized use of Personal Data.

SECTION 8 Supplier’s Obligations as a Processor, Contractor, Subprocessor, or Service Provider.

Supplier will have the obligations set forth in this Section 8 if it Processes the Personal Data of Data Subjects in its capacity as

Microsoft’s Processor, Contractor, or Service Provider; for clarity, these obligations do not apply to Supplier in its capacity as an

Independent Controller, Business, or Third Party.

(a) Scope of Processing

(1) Supplier will Process Personal Data solely to (i) provide Services to Microsoft (and where applicable for the

Business Purposes specified in the applicable SOW, (ii) carry out its obligations under the PO Terms, and (iii)

carry out Microsoft’s documented instructions. Supplier will not Process Personal Data for any other purpose,

unless required by applicable law, and will not Sell or Share Personal Data that it collects or obtains pursuant to

the PO Terms.

(2) Processing any Personal Data outside the scope of the PO Terms and this Exhibit will require prior written PO

Terms between Supplier and Microsoft by way of written amendment to the PO Terms.

(3) Supplier will notify Microsoft if it believes that it cannot follow Microsoft’s instructions or fulfill its obligations

under the PO Terms because of a legal obligation to which Supplier is subject, unless Supplier is prohibited by

law from making such notification.

(4) Supplier is prohibited from retaining, using, or disclosing the Personal Data (1) for any purpose other than the

Business Purposes specified in Schedule 1, including retaining, using, or disclosing the Personal Data for a

commercial purpose other than carrying out Microsoft’s instructions; (2) outside of the Parties’ direct business

relationship, unless permitted by applicable Data Protection Law, or (3) by combining Personal data that

Supplier receives from, or on behalf of, Microsoft with Personal Data that it receives from, or on behalf of,

another person or persons, or collects from its own interaction with the Data Subject, provided that Supplier

may combine Personal Data to perform any Business Purposes permitted by applicable Data Protection Law.

Supplier certifies that it understands with and will comply with the prohibitions set forth in this paragraph

(8)(a)(4).

(5) Supplier will allow Microsoft, upon notice, to take reasonable and appropriate steps to stop and remediate any

unauthorized use of Personal Data.

(b) Obligations Regarding Pseudonymous Data and De-identified Data

(1) Supplier agrees that will keep Pseudonymous Data separate from any additional information necessary to make

such Pseudonymous Data attributable to a specific individual and will subject such Pseudonymous Data to

appropriate technical and organizational measures to ensure that it is not attributed to specific individual;

(2) Supplier agrees that it will (i) take reasonable measures to ensure that De-identified Data cannot be associated

with a specific consumer or household, (ii) commit to maintain the De-identified Data in de-identified form and

not attempt to reidentify it, and (iii) contractually commit any Subprocessors to do the same.

(c) Data Subjects’ Requests to Exercise Rights. Supplier will promptly inform Microsoft if Supplier receives a request from a

Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. Supplier

will not respond to such Data Subjects except to acknowledge their requests. Supplier will provide Microsoft with

assistance, upon request, to help Microsoft to respond to a Data Subject’s request. Microsoft will notify the Supplier of

any consumer request that the Supplier must comply with and will provide information necessary for compliance.

(d) Supplier’s Subprocessors. Supplier will not engage a Subprocessor without Microsoft’s prior written authorization.

Supplier will be liable for the acts or omissions of its Subprocessors to the same extent as Supplier would be liable if

performing the services of the Subprocessor directly under this Exhibit, except as otherwise set forth in the PO Terms.

Supplier will require Subprocessors to agree in writing to terms no less protective than the terms in this Exhibit.

(e) Personal Data Incident

(1) Without limiting Supplier’s obligations under the PO Terms, including the DPR and this Exhibit with respect to Personal

Data, on becoming aware of any Personal Data Incident, Supplier will:

(i) notify Microsoft without undue delay of the Personal Data Incident (in any case no later than it notifies

any similarly situated customers of Supplier and in all cases before Supplier makes any general public

disclosure (e.g., a press release));

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

(ii) promptly investigate or perform required assistance in the investigation of the Data Incident and provide

Microsoft with detailed information about the Personal Data Incident, including a description of the nature of

the Personal Data Incident, the approximate number of Data Subjects affected, the Personal Data Incident’s

current and foreseeable impact, and the measures Supplier is taking to address the Personal Data Incident

and mitigate its effects; and

(iii) promptly take all commercially reasonable steps to mitigate the effects of the Data Incident, or assist

Microsoft in doing so.

(2) Supplier will comply with this Section 8(e) at Supplier’s cost unless the Personal Data Incident arose from Microsoft’s

negligent or willful acts or Supplier’s compliance with Microsoft’s express written instructions.

(3) Supplier must obtain Microsoft’s written approval before notifying any governmental entity, individual, the press, or

other third party of a Data Incident that affected or reasonably could affect Personal Data that Supplier received from

Microsoft or Processed on behalf of Microsoft. Notwithstanding anything to the contrary in this Exhibit, Supplier may

notify a third party about a Personal Data Incident affecting Personal Data if it is under a legal obligation to do so,

provided that Supplier must: (i) make every effort to give Microsoft prior notification, as soon as possible, if it intends to

disclose the Personal Data Incident to a third party; and (ii) if it is not possible to give Microsoft such prior notification,

notify Microsoft immediately once it becomes possible to give notification. For any disclosure of a Personal Data

Incident to a third party, Supplier will, as part of its notification to Microsoft, disclose the identity of the third party and

a copy of the notification (if the notification to the third party has not been sent, Supplier will provide a draft to

Microsoft). Supplier will permit Microsoft to offer edits or updates to the notification.

(f) Deletion and Return of Personal Data. On expiration or termination of the applicable statement of work, cloud order, purchase

order, or other written agreement between the parties, or upon request by Microsoft or Microsoft’s Affiliate, Supplier will,

without undue delay: (1) return all Personal Data (including copies thereof) to Microsoft or the applicable Microsoft Affiliate; or

(2) on request by Microsoft or its Affiliate, destroy all Microsoft Personal Data (including copies thereof), and certify its

destruction, in each case unless the Law expressly requires otherwise or the parties otherwise expressly agree in writing. For any

Microsoft Personal Data that Supplier retains after expiration or termination of the applicable statement of work, cloud order,

purchase order, or other written agreement between the parties (for example, because Supplier is legally required to retain the

information), (A) Supplier will continue to comply all terms of the PO Terms applicable to that Personal Data, including all with

the data security and privacy provisions in this Exhibit and those applicable terms will survive such expiration or termination and

(B) Supplier must De-identify or aggregate Personal Data (if any) to the extent feasible. All Personal Data is Microsoft Confidential

Information.

(g) Audits. Without limiting any of Microsoft’s existing audit rights under the PO Terms (if any), Supplier will make available to

Microsoft all information necessary to demonstrate compliance with Data Protection Law and allow for and contribute to audits,

including inspections, conducted by Microsoft or another auditor mandated by Microsoft.

[Remainder of this page is intentionally left blank]

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Schedule 1: Description of the Processing and Subprocessors

Processing Activity

Status of

the Parties

Categories of Personal

Data that May Be

Processed

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

Categories of Sensitive

Data that May Be

Processed

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

Applicable

SCCs

Module

Supplier Processes

Microsoft

• Location data

• Data related to

Module 2

Personal Data to

is a

• IP address

Children

Module 3, if

provide the Goods,

Services, or Cloud

Services.

Controller.

Supplier is

Processor.

• Device preferences &

personalization

• Service usage for

• Genetic data

• Biometric data

• Health data

Microsoft

acts as a

Processor

to another

websites, webpage

click tracking

• Racial or ethnic origin

Controller

• Political opinions

• Social media data, social

graph relationships

• Religious or

philosophical beliefs

• Activity data from

connected devices

such as fitness

monitors

• Contact data such as

name, address, phone

number, email

address, date of birth,

dependent and

emergency contacts

• Fraud and risk

assessment, background

check

• Insurance, pension,

benefit detail

• Trade union

membership

• A natural person’s sex

life or sexual

orientation

• Immigration status

(visa, work

authorization, etc.)

• Government Identifiers

(passport, driver’s

license, visa, social

security numbers,

national identify

numbers)

• Candidate resumes,

interview

notes/feedback

• Metadata and

telemetry

• Payment instrument

data

• Credit card no. &

expiration date

• Bank routing

information

• Bank account number

• Credit requests – Line

of credit

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Processing Activity

Status of

the Parties

Categories of Personal

Data that May Be

Processed

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

Categories of Sensitive

Data that May Be

Processed

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

Applicable

SCCs

Module

• Tax documents and

identifiers

• Investment data

• Corporate cards

• Expense data

• Azure tenant, M365

tenant

• Xbox Live, OneDrive

Consumer

• Customer originated

support ticket

• Billing data

• e-commerce data

• Event registration

• Training

• Globally Unique

Identified (GUID)

• Passport User ID or

Unique Identifier

(PUID)

• Hashed End-User

Identifiable

Information (EUII)

-Session IDs

• Device IDs

• Diagnostic Data

• Log Data

The parties Process

Personal Data of

Microsoft

is a

• Employee name, title,

and other contact

None

Module 2

Module 3, if

their employees to,

e.g., administer and

provide the Goods,

Controller.

Supplier is

information

• Employee IDs

Microsoft

acts as a

Processor

Services, or Cloud

Processor.

• Device and/or activity

to another

Services; manage

invoices; manage the

PO Terms and

resolve any disputes

relating to it;

respond and/or raise

general

Data related to a

Microsoft’s

employees’ clicks,

presses, or other

interactions with

Supplier’s hardware

and software

Controller

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Processing Activity

Status of

the Parties

Categories of Personal

Data that May Be

Processed

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

Categories of Sensitive

Data that May Be

Processed

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

Applicable

SCCs

Module

queries; comply with

their respective

regulatory

obligations; and

create and

administer web-

based accounts.

Supplier collects or

Microsoft

• Location data

• Data related to

Module 1

receives Personal

is a

• IP address

Children

Data as a

Controller.

Controller/Third

Supplier is

• Device preferences &

• Genetic data

Party.

personalization

• Biometric data

Controller/

• Service usage for

• Health data

Third

Party.

websites, webpage

click tracking

• Racial or ethnic origin

• Political opinions

• Social media data, social

graph relationships

• Religious or

philosophical beliefs

• Activity data from

connected devices

such as fitness

monitors

• Contact data such as

name, address, phone

number, email

address, date of birth,

dependent and

emergency contacts

• Fraud and risk

assessment, background

check

• Insurance, pension,

benefit detail

• Trade union

membership

• A natural person’s sex

life or sexual

orientation

• Immigration status

(visa, work

authorization etc.)

• Government

Identifiers (passport;

driver’s license; visa;

social security

numbers; national

identify numbers)

• Candidate resumes,

interview

notes/feedback

• Metadata and

telemetry

• Payment instrument

data

• Credit card no. &

expiration date

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Processing Activity

Status of

Categories of Personal

Categories of Sensitive

Applicable

the Parties

Data that May Be

SCCs

Processed

Module

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

The categories listed are

descriptive and do not

necessarily mean that

the parties are

processing each

category of data listed.

• Bank routing

information

• Bank account number

• Credit requests – Line

of credit

• Tax documents and

identifiers

• Investment data

• Corporate cards

• Expense data

• Azure tenant, M365

tenant

• Xbox Live, OneDrive

Consumer

• Customer originated

support ticket-

• Billing data o e-

commerce data

• Event registration

• Training

• Globally Unique

Identified (GUID)

• Passport User ID or

Unique Identifier

(PUID)

• Hashed End-User

Identifiable

Information (EUII)-

Session IDs

• Device IDs

• Diagnostic Data

• Log Data

Subprocessors

Supplier uses the Subprocessors listed in a statement of work or written agreement signed by the parties’ authorized

representatives when it acts as a Processor.

Information for International Transfers

Frequency of Transfer

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Continuous for all Personal Data.

Retention Periods

As Controllers, the parties retain Personal Data for as long as they have a business purpose for it or for the longest time

allowable by applicable law.

As a Processor, Supplier retains Personal Data it collects or receives from Microsoft for the duration of the PO Terms and consistent

with its obligations in this Exhibit.

For the purpose of the Standard Contractual Clauses:

• Clause 7: The parties do not adopt the optional docking clause.

• Clause 9, Module 2(a), if applicable: The parties select Option 1. The time period is 30 days.

• Clause 9, Module 3(a), if applicable: The parties select Option 1. The time period is 30 days.

• Clause 11(a): The parties do not select the independent dispute resolution option.

• Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Republic of Ireland.

• Clause 18: The parties agree that the forum is the High Court in Dublin, Ireland.

• Annex I(A): The data exporter is the Data Exporter (defined above) and the data importer is the Data Importer (defined

above).

• Annex I(B): The parties agree that Schedule 1 describes the transfer.

• Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.

• Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the

transfer.

For the purpose of localizing the Standard Contractual Clauses:

• Switzerland

o The parties adopt the GDPR standard for all data transfers.

o Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data

Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.

o Clause 17: The parties agree that the governing jurisdiction is Republic of Ireland.

o Clause 18: The parties agree that the forum is the High Court in Dublin, Ireland. The parties agree to interpret

the Standard Contractual Clauses so that Data Subjects in Switzerland are able to sue for their rights in

Switzerland in accordance with Clause 18(c).

o The parties agree to interpret the Standard Contractual Clauses so that “Data Subjects” includes

information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.

• United Kingdom

o “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual

Clauses issued by the UK’s Information Commissioner’s Office under S119A(1) Data Protection Act 2018, as modified

by the Information Commissioner’s office from time to time, available at https://ico.org.uk/for-organisations/guide-

to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-

and-guidance/.

o For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the parties

hereby incorporate the UK SCC Addendum by reference and, by signing this DPA, also enter into and agree to be

bound by the Mandatory Clauses of the UK SCC Addendum.

o The parties agree that the following information is relevant to Tables 1 – 4 of the UK SCC Addendum and that by changing the

format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the UK SCC

Addendum).

▪ Table 1: The parties’ details, key contacts, data subject contacts, and signatures are in the signature block of the DPA.

▪ Table 2: The selected SCCs, Modules and Selected Clauses are described in Schedule 1.

▪ Table 3: The list of parties, description of transfer, and list of sub-processors are described in Schedule 1. The

Technical and Organizational measures to ensure the security of the data are described in Schedule 2.

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

▪ Table 4: Neither party may end the UK SCC Addendum when the Approved Addendum changes.

o Clause 17 of the Standard Contractual Clauses: The parties agree that the governing jurisdiction is the United Kingdom.

o Clause 18 of the Standard Contractual Clauses: The parties agree that the forum is the courts of England and Wales. The

parties agree that Data Subjects may bring legal proceedings against either party in the courts of any country in the United

Kingdom.

Microsoft Purchase Order Terms and Conditions (United Kingdom) (January 2024)

Schedule 2: Technical and Organizational Security Measures

Supplier will comply with Microsoft’s DPR as agreed in Section 15(a) of the PO Terms.

[Remainder of this page is intentionally left blank]