Elucidate FinCrime Index (“EFI”) Client Agreement
1. Services

1.1. Elucidate is an advisory service provider delivering financial crime risk analysis and data analysis (the “Services”).

1.2. Services may be delivered via the website or other channel, utilising the Elucidate FinCrime Index (“EFI”) platform(“Platform”) as described here below under Cl. 2.

2. Platform Functionalities

2.1. Elucidate provides the Client with: (i) the access to the Platform in the agreed version at the router exit of the server center where the server with the Platform is located ("Delivery Point"); and (ii) the computing power required for use as well as the storage and the data processing space required to:

a. allow the Client to analyse their own financial crime risk or to provide their financial crime risk information
to other Clients (“Self Assessment”);

b. onboard Client Data so that Elucidate can assess Client or other Clients financial crime risk (“Portfolio

c. have access to supplementary functionalities (“Supplementary Functionalities”);

d. produce EFI work product results, risk metrics and/or scores (all together also, “Work Product”).
The Platform is provided for the use and storage of data via the Internet. Elucidate may provide the Work Product
itself or through third parties service providers.

2.2. Elucidate grants the Client the non-exclusive, non-transferable right, limited in time to the term agreed in the Order Form, to load the client interface of the Platform for display on the screen into the main memory of the Client's terminal devices. Except to the extent set forth herein, neither Party grants the other any express or implied license to or assigns its IP Rights (as defined below). Each Party shall remain the sole owner of its respective IP Rights.

2.3. Client hereby grants Elucidate all rights necessary to allow Elucidate to provide Services and the Work Product including, for the term of this Agreement, a non-exclusive, sublicensable, royalty-free, non-revocable (except as set forth in the termination provision), worldwide license to access, process and use Client Data, including the rights to:(i) collect, receive, assemble, compile, analyse, modify and transform Client Data; (ii) associate, combine and synthesize Client Data with other data, including publicly available data; (iii) use, copy, reproduce and make derivative works of Client Data as necessary for the provision of the Work Product; and (iv) share, transmit and distribute derivative works based on Client Data as necessary for the provision of the Services and according to the Applicable Laws (as defined below).

2.4. Clause 1.2 applies accordingly to the use of a plug-in provided by Elucidate with the proviso that the Client is entitled to install these plug-ins on its system, insofar as this is necessary for the use of the Services and/or the Work Product offered.

2.5. Unless otherwise agreed between the Parties, Client is not permitted to allow the usage and/or access and/or transmit, share or make available to third parties the Platform. Companies affiliated with the Client, including but not limited to branches, subsidiaries, representative offices and joint ventures, are also considered third parties.

3. Service Level, Availability and Maintenance

3.1. Elucidate’s Service Level Terms are available at https://elucidate.co/service-terms/ and Elucidate’s SupportProgramme is described at https://elucidate.co/support.The Client can register a support case via the contact form or by e-mail to support@elucidate.co. The Client is eligible for support services if the operation of the Platform does not comply with the specifications of the Product Description. In any event, the Client is obliged to report malfunctions or impairments of the Platform immediately and as precisely as possible. Such reports will be accepted and reviewed during the following normal business hours of Elucidate: Business days excluding bank holidays in Berlin, Germany 9 am to 5 pm CET.

3.2. Elucidate strives to provide access to the Platform to all Clients 24 hours a day, seven (7) days a week. Temporary interruptions due to: (i) the usual maintenance work, (ii) system immanent disturbances of the Internet with external service providers or with external network operators, (iii) hardware, Platform and technical infrastructure used by the Client, (iv) force majeure events, are however possible. The Client is therefore not entitled to uninterrupted access to the Platform at any time and, as far as such circumstances influence the availability or functionality of thePlatform provided by Elucidate, this has no effect on the contractual conformity of the Services provided and is a risk borne by the Client. Limited availability for system maintenance shall take place during the necessary maintenance periods and interruptions for offline backups shall be within reasonable limits in each case.

4. Data Processing, Security and Data Protection

4.1. Client Data provisioning may be required for the provisioning of Services and the Work Product.

4.2. Either Party represents and warrants that it complies with all the legislation and enactment or orders that are applicable to any of the Parties, including data protection laws (“Applicable Laws”). The terms “Personal Data,” “DataSubject,” “Controller,” “Processor,” have the meaning as defined in the Applicable Laws. This clause 3 is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation, in particular, notice and consent requirements. Elucidate’s Privacy Policy is available at https://www.elucidate.co/privacy-policy.

4.3. The Parties acknowledge that Client shall be regarded as the Controller with respect to the set of data shared with Elucidate (“Client Data”), and Elucidate is appointed as the Processor and shall, in relation to any Personal Data processed in connection with the performance of its obligations under this Agreement:

a. process that Personal Data only on behalf of and on the instructions of the Controller unless the Processor is required by Applicable Laws to process Personal Data (in which case, the Processor shall promptly notify theController);

b. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and that the undertaking to confidentiality shall continue to have effect after the termination of the processing activities;

c. taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of the natural person, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate the measures referred to in Article 32(1) of the EUGeneral Data Protection Regulation 2016/679 (“GDPR”).

d. not transfer any Personal Data outside of the European Economic Area (“EEA”) and/or, as applicable, the relevant territory (“Territory”) unless the prior written consent of the Controller has been obtained and such transfer is compliant in Applicable Laws;

e. assist the Controller, at the Controller’ cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Applicable Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, in particular, Processor shall:

i. promptly notify Controller if it receives a request from a Data Subject under any data protection law in respect of Controller Personal Data; and

ii. ensure that it does not respond to that request except on the documented instruction of the Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws, inform Controller of that legal requirement before responding to the request;

iii. notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data;

iv. co-operate with Controller and take reasonable commercial steps as are directed by Processor to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

f. comply with its obligations to destroy or delete Personal Data if and when requested by Controller; and

g. maintain complete and accurate records and information to demonstrate its compliance with this clause 3;

h. engage only Elucidate´s authorized Sub-processors listed at: https://elucidate.co/sub-processors and solely for the purpose of performing the Services and/or for the Work Product hereunder and ensure that theSub-processor are bound by the same security and data protection obligations as agreed with the Client.Where the Sub-processor fails to fulfil its obligations, Elucidate shall remain fully liable to the Client for the fulfilment of its obligations under this Agreement and for the purposes of this Agreement only;

4.4. Elucidate is generally authorised to exchange Sub-processors or engage with new Sub-processors. If the Elucidate chooses to do so it must inform the Client at least one month in advance through an in-platform notification. The Client has two weeks to object to any or all of the new Sub-processors. In case of an objection, the Parties will confer to address the concerns of the Client. If the Client maintains its objection, Elucidate is not permitted to engage with the relevant Sub-processor with respect to Personal Data processed on behalf of the Client but may terminate theAgreement and the processing in accordance with the terms of the present Agreement.

4.5. Elucidate ensures that it has in place all reasonable technical and organizational measures to protect Client Data against loss, damage, unauthorized or unlawful processing, use, alteration, access, publication and distribution, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Elucidate may modify the internal security measures, provided that no modification will derogate from the level of protection contractually agreed hereunder.

4.6. Elucidate ensures that Client Data are physically stored solely on servers located within the EEA and/or the relevantTerritory, as agreed between the Parties. For this purpose, Elucidate shall enter into data privacy and/or data processing agreements and/or EU Standard Contractual Clauses with any external cloud services providers and/or other authorized sub-processors to ensure compliance with Applicable Laws.

4.7. Client shall use reasonable efforts to ensure that any data or information provided to the Elucidate does not include or contain, or will not include or contain, any criminal or otherwise illegal (be in generally or just in relation to individual third parties) content, viruses, “trojan horses” or other harmful code of any kind or nature whatsoever.

4.8. Client represents and warrants that: (i) Client Data is hashed in such a way that Elucidate is reasonably in no position to determine individual individuals behind the Client Data; (ii) Client Data are provided in accordance with the EFI Data Protocols; (ii) does not include any information relating to a person younger than 16 years of age; (iii) it lawfully acquired Client Data and is authorised to share Client Data with Elucidate for the provision of the Services hereunder.

4.9. Client shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Client Data and Client is entitled to make changes to the structure of the Client Data or the data format in order to eliminate faults. Elucidate may rely on such information and data provided and is not responsible for evaluating such information and data or verifying their accuracy, unless expressly agreed otherwise.

4.10. Elucidate is entitled to process Client Data for providing its Services and Work Product as described under Cl. 1.1and 2.3 above. For the sake of clarity, derivative works based on Client Data, shall refer to anonymised data irreversibly altered in such a way that Personal Data can no longer be identified directly or indirectly. As part of this anonymization process Elucidate uses eventualities tests, as explained in the EFI Data Protocols.

4.11. Elucidate is also entitled to store the Client Data in a backup system or separate backup server center and to conduct regular backups.

4.12.The Platform is an analytical tool rather than a monitoring or reporting tool and does not explicitly include any regulated activities, in particular but without limitation, pursuant to Regulation (EU) No 462/2013 of the EuropeanParliament and of the Council of 21 May 2013 amending Regulation (EC) No 1060/2009 on rating agencies.

5. Warranties of Elucidate

5.1. Elucidate does not grant any express or implied warranties other than expressly agreed with the Client or mandated by Applicable Laws. Specifically and without limitation, Elucidate does not warrant that the Services and the Work Product or any deliverables in connection therewith are without defect or error or that the operation of the Platform provided hereunder will be uninterrupted or error free, as long as such are not due to a fault of Elucidate.

6. Client Obligations and Warranties 

6.1. The Client must take all reasonable steps to support Elucidate in delivering its Services and Work Product to the Client, by:  (i) ensuring that the necessary system requirements (as described in the Product Description) for the use of the Platform and any other Services and Work Product are met; (ii) keeping the access credentials made available to him secret and ensure that any employees to whom access credentials are made available also comply with this obligation; (iii) providing data in accordance with the EFI Data Protocols.

6.2. The Client warrants to Elucidate that the use of the Platform occurs in compliance with any Applicable Laws and regulator guidance.

7. Limitation of Liability and Indemnities

7.1. To the maximum extent permitted by law, neither Party shall be liable for any indirect, special, incidental, punitive or consequential damages arising out of or related to this Agreement, however caused and under whatever cause of action or theory of liability brought even if such Party has been advised of the possibility of such damages. 

7.2. Subject to clause 6.3 below, Elucidate’s aggregate liability is limited to the greater of: (i) the amount due to Elucidate from Client for the 6 months preceding the moment the relevant claim arose, (ii) €20,000 (twenty thousand Euro). If the Client sustains damages as a result of the loss of data, Elucidate is not liable to the extent that such damages could have been avoided by a regular and complete backup of all relevant Client Data by the Client. The Client will carry out a regular and complete data backup itself or through a third party and is solely responsible for such backups.

7.3. Nothing in this Agreement excludes or limits either Party’s liability for: (i) fraud, fraudulent misrepresentation and gross negligence, (ii) breach of Confidentiality, (iii) breach of section 3 (Data Processing, Security and Data Protection), (iv) indemnity obligations, (v) payment of sums properly due and owing to the other in the course of normal performance of the Agreement, (vi) matters that cannot be excluded or limited under Applicable Law. 

7.4. Either Party (“Indemnifying Party”) will indemnify, defend and hold harmless the other Party (“Indemnified Party”)  its Affiliates, directors, officers, employees and agents against any liability, damage, loss, administrative fine or expense (including reasonable attorneys’ fees and expenses of litigation) (collectively, “Losses”) incurred by or imposed upon the Indemnified Party or any of them in connection with any third-party claim, suit, action, demand, proceeding or judgment (each, a “Claim”) arising out of or related to third party claims that, when true, would constitute the  Indemnifying Party’s breach of its representation, warranties and obligations hereunder. 

8. Subscription Fees and Payment

8.1. In consideration for the Services, Client shall pay fees to Elucidate (“Subscription Fees”), according to what is agreed under the Order Form part of the present Agreement.

8.2. If payment of the Subscription Fee is delayed by more than 2 (two) weeks beyond the due date, Elucidate is entitled to block access to the Platform. The Client’s obligation to pay the Subscription Fee remains unaffected. Access to the Platform will be re-activated immediately after payment of the arrears. Elucidate shall be entitled to block access in addition to any right to termination for course according to Section 11 below.

8.3. The Subscription Fee covers the Services and Work Product  as set out in the Order Form. Additional Supplementary Functionalities, will be charged as per the rate in the relevant Product Description or otherwise agreed with Elucidate in the Order Form, which may be updated in writing from time to time.

8.4. In particular, the Subscription Fee shall cover the provision of Client Data in accordance with the EFI Data Protocols, should Client Data be provided in an alternative format, unless Elucidate is explicitly instructed otherwise in writing (email sufficient), reasonable efforts will be undertaken to perform required data engineering for an additional monthly fee (“Engineering Fee”), as outlined in the relevant Order Form.

9. Confidentiality

9.1. Elucidate will keep any confidential information provided by Clients secure in accordance with relevant organisational and technical standards. For this purpose, confidential information comprises all works, materials and other data uploaded for the purposes of compliance verification via the Platform (unless designated non-confidential by the Client), all information expressly or impliedly designated confidential by the Client; but not any information which is or in future comes into the public domain (unless as a result of the breach of this agreement); or any information which is already known to Elucidate and which was not subject to any obligation of confidentiality before it was disclosed to Elucidate by the Client (“Confidential Information”). The Client acknowledges and accepts that Elucidate may utilise any information, including Confidential Information, provided to it without Client consent:

a) to Elucidate’s employees and subcontractors who need to know the same for the purposes of the Platform, provided that they have been made aware of the applicable duties of confidentiality to the Client and are bound by similar duties of confidentiality;

b) for Elucidate’s professional advisors provided that they are under a professional duty of confidentiality; 

c) in accordance with legal requirements and the Applicable Laws, including where Elucidate exercising appropriate diligence and reasonable discretion considers such disclosure necessary to comply with requests or ensure appropriate cooperation with regulatory bodies and other agencies that may request disclosures; 

9.2. Elucidate may disclose the fact that Client is using the Services and the Work Product for marketing purposes and/or as a reference, in particular on its website or in other publications. 

9.3. Client consents to Elucidate sharing the EFI work product results and scorings with relevant third parties but without granting access to raw Client Data as provided by Client.

9.4. Client undertakes not to use any reports, data or other information contained within the Services and/or Work Product for any purposes except as permitted hereunder, in particular it will only share the Work Product of Elucidate with third parties on a non-reliance basis.

10. Intellectual Property

10.1. The Client acknowledges and confirms that it holds no claim to any copyright (in particular program/Platform code, databases, content and ideas) or any intellectual property rights under any Applicable Law relating to the Platform including any modifications made based on Client Data and any data generated or modified by Elucidate based on Client Data, in particular any data models, trained algorithms, analysis and other work product, but excluding the raw and unprocessed data (to the extent they are not intellectual property), of the Client (“IP Rights”).

10.2. As a precautionary measure the Client hereby (i) transfers all IP Rights to Elucidate and (ii) otherwise grants an unlimited, irrevocable, perpetual, unrestricted and exclusive license or other appropriate measure for all known purposes of use or the most suitable equivalent under Applicable Laws (this includes, for the avoidance of doubt, the right to copy, change, combine, convert into other forms, including programming languages, and to otherwise change, continue, supplement, distribute as is or modified, publish offline, digitally or wireless, grant sub-licenses and to transfer with or without compensation any work product), (iii) waives any rights to raise objections or challenges to use as well as any rights to compensation and remuneration in this regard and (iv) undertakes to take all necessary or desirable steps to give full effect to the aforementioned acts.

10.3. The Client maintains any right it may have to request the return or deletion of raw Client Data, unless this would cause the Client to violate Applicable Laws and regulations or binding contractual obligations to third parties. In particular, Elucidate is required to maintain such data in order to reproduce the EFI work product for audit purposes.  Removal of the data may therefore render the EFI work product invalid.

10.4. Elucidate may use raw Client Data for the following specific uses:

a. Updating or maintaining industry, region and country baselines within the EFI;

b. Calibration of synthetic data generation;

c. Calibration of individual model weights;

d. Execution of random spot backtesting of new model versions; and

e. Enabling the EFI’s recurrent neural network to form the connections between nodes from a directed graph along a temporal sequence exhibiting temporal dynamic behaviour.

11. Auditing

11.1. The Client may ask the Elucidate for evidence of compliance with this Agreement.

11.2. Audits by the Client or an appointed external auditor must be carried out during regular business hours without interrupting the working process and with a prior reasonable written notification of at least 30 working days. Such an audit cannot require the examination of raw data supplied to the Elucidate by other clients or third parties. If an auditor commissioned by the Client is in a competitive or conflicted relationship with Elucidate, Elucidate is entitled to object. Client shall have audit and inspection rights only for the purpose of verifying Elucidate´s compliance with this Agreement.

11.3. Client shall pay all costs and expenses associated with any audit initiated by Client and Elucidate will charge additional fees for the performance of an audit.

11.4. Upon reasonable advance written notice to Client of at least 14 (fourteen) calendar days, Client shall permit Elucidate to conduct an audit to check Client’s compliance with regard to the provisioned Client Data´s integrity. The audit shall be conducted by an independent third party auditor mutually agreeable to the parties. Any audit hereunder shall take place during regular business hours, without interrupting Client’s business operations and Client shall pay all costs and expenses associated with it.

12. Term and Termination

12.1. Should a trial period be agreed, the paid subscription as per the relevant Order Form will commence automatically upon completion of the trial period. The Client will be billed for the trial period, for the pro-rated subscription amount (“Trial Fee”), regardless of decision to continue with the Subscription. In case the Client wants to discontinue the Services after the trial period, it shall notify in writing Elucidate at least fifteen (15) working days in advance and by 5.00 pm (German time) of the relevant working day, otherwise the Subscription Term shall start upon the trial period completion.

12.2. The Parties‘ rights to terminate for cause remains unaffected, with prior written notification of 30 (thirty) days to the other Party. With respect to Elucidate such cause exists in particular, but without limitation, if the Client:

a. manipulates Client Data provided to Elucidate;

b. shares data received without required consent; or

c. otherwise substantially violates any of its obligations in particular pursuant to Clauses 3, 8 and 9.

12.3. Each Party may terminate the Agreement with a notice period of 90 (ninety) working days prior to the end of the relevant Subscription Term,  otherwise the subscription shall be extended for another term.

12.4. The Client is responsible for fully backing up its data at its expense prior to the expiration of the trial term or Subscription Term, as the case may be.

12.5. Either Party may terminate the Agreement if the other Party becomes insolvent or bankrupt, makes an assignment for the benefit of creditors, has a trustee or receiver appointed for it, becomes the subject of any voluntary or involuntary insolvency or dissolution, bankruptcy or reorganization proceeding, which, in the case of any involuntary proceeding, is not dismissed within 60 (sixty) days after it is commenced, or discontinues its business.

13. Governing Law and Jurisdiction

13.1. These terms and any disputes arising out of or in connection with them are subject to German law excluding the UN Convention on Contracts for the International Sale of Goods.

13.2. The exclusive place of jurisdiction for all disputes arising from or in connection with these terms shall be Berlin, Germany, provided that the Client is a merchant, a legal entity under public law or a special fund under public law.

14. Miscellaneous

14.1. This is the entire agreement of the Parties relating to this subject and it supersedes all other commitments, negotiations and understandings. This Agreement cannot be amended except by a writing signed by both Parties. This Agreement cannot be assigned without written consent of the non-assigning Party, except that either Party may assign this Agreement (i) to an acquirer of substantially all of that Party’s assets, stock or business by sale, merger or otherwise or (ii) to a corporate affiliate. Elucidate may assign its rights and obligations under the Agreement when the law provides for an automatic succession, to its Affiliates or in connection with the change of control transactions, including mergers, sales of all or substantially assets.

14.2. If any provision of this Agreement is unenforceable, that provision shall be re-interpreted to be as close to the Parties’ intent as legally possible and the validity of the remaining provisions will not be affected.

14.3. The Parties are independent contractors and nothing in this Agreement creates any partnership, agency or other similar relationship.

14.4. Notices must be in writing, in the English language and shall be sent to the address of the recipient set out in this Agreement. Any such notice may be delivered personally by hand or by registered or recorded delivery post with delivery confirmation, by facsimile transmission or sent by email, provided the email includes in the subject line “LEGAL NOTICE”. A notice sent by post shall be on the same day followed by an email notice summarizing the contents of the formal notice sent by post. A notice a deemed to have been given (i) if by hand, when delivered, (ii) if by post, seventy-two (72) hours after dispatch, and (iii) if by facsimile transmission or email when dispatched, provided there is proof of sending/delivery and no “failed delivery” message.