USER AGREEMENT

Date August 16, 2023

This User Agreement (hereinafter, the “Agreement”) governs the relationships between a Servercore Group company (hereinafter, the “Contractor”) and you, an unlimited number of individuals and legal entities wishing to use services and functionality offered by the Contractor (hereinafter, “you”, the “Client”, the “Customer”).

You must carefully read this Agreement, which outlines the general terms and conditions (in accordance with the laws of the Contractor according to the Exhibit “About Servercore Group” to the Agreement). If you register an Account by clicking the link my.servercore.com , it shall be understood that you have fully read and entirely and unconditionally accept the Agreement in accordance with the laws of the Contractor according to the Exhibit to the Agreement, and confirm the conclusion of this Agreement by the Parties as well as your intention to use the Contractor’s services and functionality. If you do not accept this Agreement or disagree with any of the terms or conditions stated herein, please, refrain from registering an Account. If the Contractor has made any amendments to the Agreement that you do not accept, you must discontinue using the Contractor’s services.

TERMS AND DEFINITIONS

This Agreement may use terms that are not defined in this section. In this case, such terms shall be construed according to the applicable laws. If the laws do not define a term, its scope and content shall be determined according to established practice, based on the lexical meaning of the term.

Registration Data – information entered by the Client, such as the country of residence and other data related to the Client and determining the country of its residence. 

Exhibit “About Servercore Group” – an integral part of the Agreement that defines, based on Registration Data:

1. the Servercore Group company, with which you conclude this Agreement and which is the Contractor,
2. the laws, under which you conclude the Agreement,
3. Agreement clauses conditioned on the applicable laws;
4. a list of other Servercore Group companies.

Ticket System – a system for exchange of messages between the Client and the Contractor by means of sending/receiving requests via the electronic form available in the Account. 

Account – information (credentials) meant for the identification of the Client in the course of the services. The Client’s credentials shall be: the user email (login), a password to access the Account (password).

Client Account, Client Balance – an Account record reflecting financial arrangements between the Contractor and the Client. The Client Account shall be increased by the amount of payments transferred by the Client to the Contractor for the prepayment of the services and functionality provided by the Contractor to the Client, and shall be decreased by the cost of the services and functionality selected and enabled by the Client.–

Bonus Balance (Service Bonus Balance) – an Account record reflecting financial arrangements between the Contractor and the Client in the form of bonuses. The Bonus Balance shall be replenished by the Contractor under promotional offers and crediting of compensations for violation of the service level. The Bonus Balance shall be decreased by the cost of the services provided by the Contractor. 

Terms of Use of Individual Services, Terms of Use – supplements to this Agreement concerning the procedure for the use of certain services, outlining, inter alia, the terms and conditions of service level agreements (SLA). In all respects not mentioned in the Terms of Use of Individual Services, relationships between the Client and the Contractor shall be governed by the Agreement.

Notification Centre – an Account interface element displaying notifications to the Client, specifically, of changes in documents, sale and promotional events, information about scheduled operations, other offers.

1. SUBJECT-MATTER

1.1. The subject-matter of the Agreement shall be the use by the Client of the Contractor’ services and functionality, including hosting and other related services, or provision by the Contractor of access to services of third-party service providers, including Servercore Group companies (hereinafter, the “Services”). The Contractor shall provide the Services to the Client in accordance with the Agreement, subject to the Terms of Use of Individual Services. A full list of the Services may be found in the Terms of Use as well as on the Contractor’s Website.

1.2. The Contractor may grant access to, and the Client may order, Beta Services. Beta Services shall be provided in the test mode for the purpose of collecting data on their functionality and shall not be payable by the Client. When providing Beta Services, the Contractor shall not be liable for their quality, and the Terms of Use shall not apply to Beta Services.

1.3. A third-party provider of the Services shall be determined according to the Terms of Use and/or the region of provision of the ordered Services, specified in the Account. A third-party service provider from the Servercore Group shall be determined according to the Region.

2. RIGHTS AND OBLIGATIONS OF THE PARTIES

2.1 Rights and Obligations of the Contractor

2.1.1. The Contractor shall provide access to the Account by a secure protocol and only after identification of the Client.

2.1.2. The Contractor may request a confirmation of the information specified in the Account and/or additional information, in particular:

• for individuals – a scanned copy of the Client’s identity document and/or document containing the Client’s address (utility bill or bank statement), a photo of the Client holding such documents in hand.
• for individual entrepreneurs – a scanned copy of the Client’s identity document and/or document containing the Client’s address (utility bill or bank statement), a photo of the Client holding such documents in hand; a scanned copy of the document confirming the individual entrepreneur status.
• for legal entities – a scanned copy of the document confirming the legal entity status and a constitutional document.

After information has been provided, in case of changes in the presented documents, the Client shall notify the Contractor thereof no later than five (5) business days from the date of respective changes in the documents, and furnish scanned copies of the said documents.

2.1.3. The Contractor shall, no less than 72 hours in advance, advise the Client of scheduled maintenance or power outage periods that make it impossible to use the Services. Service interruptions for the specified reasons shall not be subject to compensation.

2.1.4. The Contractor may suspend the provision of the Services and/or block access to the Account:

• if the Client breaches the Agreement;
• in case of suspected Account compromise or in case of provision of false information;
• if the Client refuses to assist or evades assisting in investigations of the circumstances specified in Clause 2.2.2 hereof;
• if the Contractor receives an order from the government agency that regulates the given relationships and is appropriately authorized in accordance with the applicable laws, to suspend the provision of the Services to the Client;
• if the use of the Services by the Client may cause property damage to the Contractor or its customers and/or failures of hardware and software of the Contractor and third parties.

Suspension of the Services until the Client complies with the Contractor’s demands to remedy violations shall not exempt the Client from its duty to fulfill all of its obligations, shall not be regarded as an interruption of the Services, and may not be deemed as breach by the Contractor of its obligations.

In case of repeated breach, and also if, during the period of suspension of the Services, the Client fails to remedy violations within the term set by the Contractor, the Contractor may extrajudicially repudiate the Agreement and delete all of the Client’s data.

2.1.5. For the purpose of verifying the compliance with security requirements, the Contractor reserves the right, without limitation, to periodically scan public services hosted on resources owned or used by the Client, by using dedicated software, as well as to implement other measures as are available for the Contractor.

2.1.5.1. For the purpose of implementing measures aimed at preventing network and information security incidents and counteracting various network attacks, in particular, distributed denial-of-service (DDoS) attacks with respect to public IP addresses, the Contractor may, at any time, with a prior notice to the Client, impose restrictions, in particular, block ports or restrict access to an IP address, limit the bandwidth of the services that may be used for UDP-based amplification attacks, or reduce the usability of such services. A full list of blocked ports and other restrictions may be found in the Terms of Use.

2.1.6. The Contractor may remove all information processed by the Client on the Contractor’s equipment and with the use of the Contractor’s Services in case of termination of the Agreement and / or in case of non-payment for the Services.

2.1.7. With no prior notice, the Contractor may limit the bandwidth if, in the Contractor’s reasonable opinion, by using the Services within the existing bandwidth the Client may impair the functionality of equipment of the Contractor or its customers.

2.2. Rights and Obligations of the Client

2.2.1. The Client shall pay for the Services at the timings and on the terms specified in the Agreement, according to the rates and other agreements made between the Parties.

2.2.2. The Client shall assist the Contractor in the investigations of the causes of unscheduled service interruptions, violation of security requirements, and suspected breach of the terms hereof.

2.2.3. The Client shall maintain Account confidentiality. The Client shall entirely bear the risk of the impossibility of logging in to the Account or of logging in to the Account of an unauthorized person.

2.2.4. The Client shall take measures to remove vulnerabilities detected during checks of security requirements.

2.2.5. The Client shall monitor security and up-to-dateness of the hardware and software in use, and abide by the terms of use of software.

2.2.6. The Client shall only install licensed software on the Contractor’s hardware and shall be solely liable for its installation and use.

2.2.7. The Client shall, at its discretion, monitor the safety and integrity of information and, where necessary, provide in a timely manner for backup of the data placed with the use of the Contractor’s Services.

2.2.8. The Client shall not cause damage to the Contractor’s equipment. In case of disputes between the Client and the Contractor when establishing a causal connection between the Client’s actions and the damage inflicted upon the Contractor, the Contractor reserves the right to engage at its discretion competent authorities and/or organizations as experts. Costs on expert examinations shall be reimbursed by the Parties depending on the expert findings. In case of the Client’s misconduct, the Contractor may unilaterally order to collect such costs, including expert examination costs, from the Client Account.

3. SERVICES ORDERING AND PROVIDING PROCEDURE

3.1. The Client shall select available characteristics/configurations and order the Services via the Account. Where necessary, the Contractor shall request other specific information for enabling a respective Service. To start using the Services, it shall be necessary to replenish the Client Balance.

3.2. Where technically feasible, the Client shall select at its discretion the Services region – the territory where the infrastructure, under which the Services are provided, is located.

3.3. Unless otherwise specified in the Terms of Use, a Service shall be provided from the moment it is enabled by the Contractor.

3.4. In the event it is technically impossible to provide a Service, the Contractor shall advise the Client thereof by stating reasons why the Service cannot be provided on time and by specifying the scheduled date of commencement of the Service.

3.5. The Client shall independently use the Services by means of remote access thereto through public communications networks, install at its discretion and set up appropriate software, if such possibility is provided by the ordered Service.

3.6. The Client shall independently change the Service characteristics/configurations if technically feasible, otherwise the Client may contact the Contractor in the Ticket System.

4. COST OF SERVICES, ACCOUNTING AND PAYMENT PROCEDURE

4.1. The cost of the Services and the payment currency shall be published on the Contractor’s Website. The Client acknowledges that it has read and accepts the set rates. Prices shall include applicable taxes, unless expressly stated otherwise on the Website. 

4.2. The Client shall pay for the Services at the indicated prices, without deduction and withholding of taxes.

4.3. Where technically feasible, the Customer has the right to activate automatic replenishment of the Client Balance at its choice in the Account (hereinafter referred to as “Automatic Balance Replenishment”), specifying and saving the bank card data for automatic debiting, the amount of payment for each of the selected balances, the date of the next debiting or the amount threshold for each of the selected balances, upon reaching which the next debiting will occur. When saving bank card data for quick payment and subsequent quick payment or activating Automatic Balance Replenishment, the Customer agrees to accept-free automatic debiting of funds from the Customer’s bank account. Automatic Balance Replenishment may be deactivated and bank card data may be deleted by the Customer independently in the Account.

4.4. Money for the Services shall be debited from the Client Account on the basis of the data on the volume of the actually consumed Services, obtained with the use of the Contractor’s equipment, and on the basis of the Client’s order of the Services. 

4.5. Unless otherwise stipulated in the Agreement or the Terms of Use, the Services shall be paid for in advance. The Client Account may be replenished in any way selectable in the Account, including on the basis of the invoice (bill). The invoice (bill) shall be made out by the Client on its own in the Account. The Services shall only be provided if the Client’s Balance is positive.

4.6. Issuance of reporting documents for the Services rendered, and the possibility of payment for the Client by a third party shall be as per Exhibit 1.

4.7. If the Client cancels the Services prior to the expiry of the paid period, the Contractor shall refund the prepaid sums of money to the Client Balance for complete unused periods only.

4.8. The Contractor may unilaterally change the rates and the terms of the Services provided that the Client is notified thereof at least fifteen (15) calendar days prior to such change. In case of its disagreement, the Client shall discontinue using the Services.

4.9. Payment shall be deemed as confirmed upon receipt of appropriate information from the Contractor’s bank.

5. TERMINATION OF SERVICES

5.1. Unless otherwise specified in the Agreement and the Terms of Use, the Client may cancel at its discretion the Services in the Account.

6. REQUIREMENTS TO THE USE OF SERVICES AND INFORMATION SECURITY

6.1. The Client shall prevent unauthorized access to the software in use and not allow the resources owned by the Client or provided by the Contractor to be used for attempted unauthorized access to other Internet resources. In particular, the Client shall prevent situations when:

• ​email messages are sent from addresses that do not belong to the Client’s network (domain); 
• ​software uses default passwords;
• ​there are outgoing packets with a wrong source address (IP source address); 
• ​there are outgoing domain name system (DNS) packets with intentionally corrupted data; 
• ​there is malicious software; 
• software specifically designed for unauthorized access to information is present and/or operating.

6.2. The Contractor may provide for automatic traffic filtering with the aim to block sending of traffic with faked IP and MAC addresses. 

6.3. The Client shall not use the Services and the Contractor’s equipment for causing damage to the Contractor, its customers, or third parties, breaching the applicable laws, or assisting such breach. Such actions (omission) of the Client may include, but are not limited to:

6.3.1. actions of the Customer that violate the provisions of the current legislation, contrary to the prescriptions of the executive authorities and local acts applicable to the Parties;

6.3.2. actions of the Client aimed at disrupting smooth operation of the local network or Internet elements (computers, other hardware or software), which do not belong to the Client;

6.3.3. failure by the Client to comply with orders/regulations of competent authorities;

6.3.4. actions (omission) of the Client that entail losses for the Contractor or third parties;

6.3.5. disruption of smooth operation of the Internet elements (computers, other hardware or software), which do not belong to the Client;

6.3.6. storage, publication, transfer, reproduction, distribution in any manner, use in any form of software or other protected intellectual property and means of individualization, without obtaining the owner’s permission; 

6.3.7. failure by the Client to provide a response to the Contractor to a complaint received from third parties about violation of their intellectual rights by the Client within fourteen (14) calendar days from the date of receipt of such a complaint by the Client. The Client’s response shall contain explanations to the third party’s demands stated in the complaint, otherwise, the Client’s response to the received complaint shall be deemed as not provided to the Contractor;

6.3.8. storage, publication, transfer, reproduction, distribution in any manner, use in any form of software or other content containing viruses and other malicious components; 

6.3.9. actions that directly or indirectly imply bulk mailing or facilitation of bulk mailing and other messaging (if such actions are detected, the Services to the Client shall be automatically limited); 

6.3.10. dissemination, publication, or other processing of information that contravenes the requirements of the applicable laws, violates third-party rights;

6.3.11. advertising of services, goods, other items, whose distribution is restricted or prohibited by the applicable laws;

6.3.12. falsification of the technical details, provided by the Contractor, when transmitting data over the Internet;

6.3.13. use of non-existent return addresses when sending emails and other messages;

6.3.14. actions aimed at obtaining unauthorized access to hardware or an information resource that does not belong to the Client, subsequent use of such access, as well as destruction or modification of software or data that do not belong to the Client, without securing consent of the owners of such software or data or the administrator of such information resource. Unauthorized access shall imply access in any manner other than that intended by the resource owner; 

6.3.15. actions relating to sending to third party computers or equipment meaningless or useless information that creates excessive (unwanted) traffic on such computers or equipment, including intermediate network sections, which exceeds the minimum volumes necessary for checking network connectivity and availability of individual network elements; 

6.3.16. scanning of network nodes for the purpose of detecting the internal network structure, security vulnerabilities, lists of open ports, etc., without securing express consent of the owner of the resource scanned;

6.3.17. violation of data security requirements, which jeopardizes operation of other (not belonging to the Client) resources of a local or global computer network;

6.3.18. use of default passwords in software;

6.3.19. use of outdated and/or vulnerable mail server software;

7. COMPENSATION PAYMENT PROCEDURE

Guaranteed availability – an individual percentage of the Service availability per month, set for each of the Services.

7.1 Table No. 1

unless specified otherwise:

Compensable downtime	Non-compensable downtime
Unavailability of the Services due to failure of the Contractor’s infrastructure. Downtime due to failure.	Unavailability of Control Middleware. Total frustration of any operation with the Services via the Account, total frustration of operations through API.

7.2. If the Service availability in a calendar month fails to match the Guaranteed Availability for the respective Service, set in the Terms of Use, the Contractor shall provide compensation according to the procedure outlined below, unless otherwise specified in the Terms of Use.

7.3. Periods of emergency and scheduled maintenance shall not be deemed as periods of the Service unavailability.

7.4. Compensation shall be calculated individually for each Service, based on the total unavailability in the month. The compensation percentage shall apply to the calculation base, which shall be equal to the amount debited for the provided Service for the month.

7.5. The Service unavailability (downtime) shall be determined as the interval of time between the moment when a message is sent via the Ticket System to the Contractor’s helpdesk and the moment when recovery operations are completed by the Contractor.

7.6. Compensation shall be determined as bonuses credited by the Contractor solely to the Bonus Balance. Bonuses shall be granted and used in the month following the month, in which a Service was unavailable, provided that a message stating downtime and requesting compensation was sent via the Ticket System.

7.7. No bonuses shall be granted for downtime due to force majeure and other circumstances that occurred through no fault of the Contractor. No bonuses shall be granted for downtime due to actions (omission) of the Client.’

7.8. Within the first ten (10) business days of the calendar month following the reporting one, the Contractor shall calculate compensation, or refuse to provide compensation if a Service was unavailable for reasons outside the control of the Contractor or if its unavailability was scheduled by the Contractor and the Client was advised thereof.

7.9. If the Contractor has its own data on the commencement of downtime and such data indicate that downtime commenced earlier than the Client sent a message via the Ticket System, the Contractor may use such data. Discrepancies concerning downtime shall be resolved through negotiations between the Parties in the Ticket System.

7.10. Once the Contractor decides to provide or to refuse to provide compensation, the Contractor shall advise the Client thereof.

7.11. If no message has been sent via the Ticket System and if the Contractor does not have its own data on the commencement of downtime, the Service shall be deemed as available and no compensation shall be provided. 

7.12. The maximum amount of compensation shall be bonuses in the amount of the cost of the Service for the preceding month. Compensation may not be in the form of payment of money and may not be credited to the Client’s account. Compensation shall in no event exceed the amount paid by the Client for a month of using the Service.

7.13. In case of loss of/damage to data as a result of emergency through the fault of the Contractor, compensation in the amount of the cost of the Service for 1 month shall be provided to the Client. Compensation shall be provided in the manner as set out in this section. 

8. CONFIDENTIALITY

8.1. The Parties hereby acknowledge that confidential information exchanged between the Parties in preparation of and after the conclusion of this Agreement shall be deemed as confidential information, valuable for the Parties and not subject to disclosure since such information is a business and/or trade secret, is of actual and potential commercial value due to its non-public nature, and is not freely legally accessible. Any information communicated via the Ticket System or by email and/or obtained reduring visits of the Client’s representatives to the Data Centre shall be confidential. In the Contractor’s Data Centre, it shall be prohibited to take photographs or videos without securing the Contractor’s written consent. 

8.2. The Client gives its consent to the disclosure of the fact of the Client’s cooperation with the Contractor, the Client’s use of specific Services, and authorizes the Contractor to publish the Client’s firm name, business name and trademarks in public sources and on the Contractor’s Website. Such use shall not imply disclosure of other details of cooperation. The Contractor shall notify the Client of the disclosure of the fact of cooperation and publication of the Client’s firm name, business name and trademarks, thirty (30) calendar days prior to such disclosure and/or publication, using the Ticket System and/or email and/or phone. 

8.3. The information mentioned in Clause 8.1 may not be published or transferred to third parties without the other Party’s written consent, during the term of this Agreement and also during five (5) years from termination hereof for any reason. 

8.4. Each Party shall take all reasonable measures as may be necessary and appropriate for preventing unauthorized disclosure of confidential information. In doing so, the measures taken shall be no less substantial than those taken by a Party to protect its own information of this kind.

8.5. The Contractor may only disclose information about the Client in accordance with the applicable laws.

8.6. In case of breach of the confidentiality requirements stipulated herein, the Contractor may unilaterally refuse to continue providing the Services to the Client, as from the date such breach is detected, and also demand compensation of losses incurred as a result of the Client’s breach of the confidentiality requirements.

9. LIABILITIES OF THE PARTIES

9.1. The Parties shall be held liable for improper performance of the Agreement in accordance with the applicable laws, subject to the terms and conditions stipulated herein. 

9.2. The Contractor shall ensure uninterrupted operation of its equipment used in the provision of the Services, save during scheduled maintenance, operations in response to failure of hardware or software, and also when the Contractor’s own resources cannot be used to the full extent due to actions or omission of third parties and/or failure of traffic channels, as well as in case of emergency or force majeure. In case of unscheduled power outage or emergency, the Contractor shall immediately proceed to troubleshooting and, where practicable, notify the Client of unscheduled outages.

9.3. The Client assumes full responsibility and all risks in connection with the use of the Internet through resources and/or the Services of the Contractor.

9.4. In case of claims and/or lawsuits field to the Contractor by third parties as well as by rightholders (in cases on the protection of exclusive rights to items illegally placed on the Website(s) of the Client and/or the Client’s customers), the Contractor may join the Client to the case as a co-defendant, and also demand reimbursement of court fees and losses on a recourse basis if monetary funds are charged from the Contractor for breach of the applicable laws, committed by the Client. Furthermore, the Contractor may demand reimbursement of losses on a recourse basis if the Client breaches license terms when using software rented from the Contractor. 

9.5. The Client shall be solely responsible for the content of the information processed with the use of the Services, transmitted by it or other person under its network credentials over the Internet and own resources of the Contractor, for the reliability of such information, freedom from third-party claims, lawfulness of its dissemination, and personal or property damage caused by its acts (personally by it or by other person under its network credentials) to individuals, legal entities, the state, or morals of society.

10. DISCLAIMER

10.1. The Contractor shall not be liable for the Client’s illegal actions.

10.2. The Contractor shall not be liable for violation of third-party rights due to actions of the Client with the use of the Services provided by the Contractor.

10.3. The Contractor’s liability for losses incurred in connection with the performance of the Agreement shall in no event exceed the amount of the monthly fee for the Services provided under the Agreement.

10.4. The Contractor provides no warranties that the software obtained by means of the Services provided or any other content are free of viruses and other malicious components, and shall not be liable for direct or indirect damage incurred to the Client as a result of errors, omission, interruptions, delays in operation, deletion of files, and other defects during data transmission.

10.5. The Contractor shall not be liable to the Client: 

10.5.1. For any losses incurred by the Client due to disclosure, loss of or inaccessibility by the latter to its credentials. Any person using the account of one of the services required for the identification of the Client for authorization in the Account shall be deemed as its representative acting on behalf of the Client.

10.5.2. For loss of expected gain and lost profits as well as for any consequential losses incurred by the Client during the period of use or non-use of the Contractor’s Services.

10.5.3. For the smooth running of the Internet or parts thereof, as well as for their availability to the Client, unless otherwise expressly stipulated by the Agreement.

10.5.4. For any information, product or Service received through the Internet, specifically, if they are placed on the Contractor’s own resources.

10.5.5. For the quality, accuracy of and absence of malicious components in the software used on the Contractor’s servers and other Internet resources or offered to the Client, unless such has been developed by the Contractor itself, or if the Client is using equipment without mandatory licenses and certificates.

10.5.6. For delays, malfunctioning, and inability to use to the full extent the Contractor’s own resources caused, directly or indirectly, by actions or omission of third parties and/or failure of traffic channels outside the Contractor’s own resources.

10.5.7. For any illegal acts of third parties.

10.5.8. For the content of data nodes created and supported by the Client or users, without being responsible for any precensorship. Where appropriate, following breach by the Client of the Agreement and/or the laws, the Contractor shall have the right to block, modify, and delete the content of information resources of the Client or its users.

10.5.9. For the integrity of information placed by the Client with the use of the Contractor’s Services, unless the contrary is provided for in the Agreement. 

10.5.10. To the Client and/or third parties, for placement and/or use by the Client of any software and its components in the course of the provision of the Services by the Contractor. 

10.5.11. For breach by the Client of any license requirements and agreements.

10.6. The Contractor shall not be liable for the content of the information transmitted by the Client over the Internet and the Contractor’s own resources. The Contractor shall not monitor the content of the information stored, published or disseminated by the Client with the use of the Services provided, and shall bear no liability for the accuracy, quality and content of such information.

11. WARRANTIES AND REPRESENTATIONS

11.1. The Client represents that at the time of the Account registration the Client furnished to the Contractor true data on the Client.

11.2. The Client shall ensure that the Client data are up-to-date and shall notify the Contractor of changes in such data within five (5) business days from such changes.

11.3. The Client represents that it has no intention to use the Contractor’s Services for illegal purposes.

11.4. For the conclusion and performance hereof, the Client has obtained all necessary consents, approvals and authorizations, as are required to be obtained in accordance with the effective applicable laws, constitutional documents, and local regulations.

11.5. As at the date of conclusion, the person concluding the Agreement in the name and on behalf of the Client is fully authorized to do so.

11.6. There exist no laws or regulations, bylaws or individual acts, local documents, court orders, including orders and decisions of foreign courts, foreign and international agencies, and/or decisions of governing bodies, that would prohibit the Client or limit its rights to conclude and perform the Agreement.

11.7. The Client represents that it holds duly executed licenses, certificates and other permits and authorizations as may be necessary for conducting its activity, if its activity is subject to certification and/or licensing in accordance with the applicable laws. In the absence of required certificates and licenses, the Contractor shall not be liable for the Client’s use of equipment in violation of the applicable laws.

12. FORCE MAJEURE

12.1. The Parties shall not be liable for delays in the fulfillment of or for failure to fulfill the obligations under the Agreement if delays or failure is due to force majeure. Force majeure shall include (but is not limited to): war, hostilities, riot, sabotage, strike, fire, explosion, flood or other acts of God, enactment of prohibitive acts by public authorities, constituent entities or local government bodies, acts of foreign states and international authorities, particularly, decisions to impose sanctions with respect to the Parties to the Agreement, and other circumstances in accordance with the applicable laws.

12.2. Immediately after learning about the occurrence of any circumstances that delay or otherwise impede the performance of the Agreement, the Parties shall notify one another thereof in writing.

12.3. The Parties shall not be liable for any losses as well as for costs in connection with claims or demands of third parties, which may arise as a result of force majeure.

12.4. Should force majeure that causes material breach of or default on the obligations hereunder continue for more than thirty (30) calendar days, either Party has the right to terminate the Agreement after giving to the other Party a prior, five (5) business days in advance, written notice of its intention to terminate the Agreement.

13. DURATION, AMENDMENT AND TERMINATION

13.1. This Agreement shall be for a term of one year and shall come into force as from the date the terms of this Agreement are accepted (the date of acceptance) by the Client. The Agreement shall be deemed as extended for one year unless thirty (30) calendar days prior to the expiration hereof one of the Parties declares in writing termination hereof. The Agreement may be extended  for an unlimited number of times.

13.2. The Contractor may unilaterally amend the Agreement. In case of amendments to the Agreement, the Contractor shall notify the Client fifteen (15) calendar days prior to the effective date of the said amendments. Amendments shall take effect 15 calendar days from the date of the notice. If the Client does not accept the amendments made, the Client may unilaterally cancel the Services by giving a written notice of its intention to terminate the Agreement within ten (10) calendar days from the date of the notice; in such case, the Agreement shall be terminated as from the effective date of the amendments. If no written refusal to accept the amended terms of the Services is received by the Contractor from the Client within ten (10) calendar days from the date of the notice, the amended terms shall be deemed as accepted by the Client.

13.3. Either of the Parties may terminate this Agreement by giving to the other Party a written notice thereof. The Agreement shall be deemed as terminated thirty (30) calendar days from receipt of the said notice. In case of termination of the Agreement due to breach hereof by the Client, the Contractor may set another term of termination hereof. Upon termination hereof, the Client shall pay the entire outstanding amount for the Services provided.

13.4. Also, the Contractor may unilaterally terminate the Agreement on an extrajudicial basis with a notice to the Client at any time after it becomes aware that

• any liquidation, winding-up, bankruptcy or any other similar procedure or measure becomes possible with respect to the Client (including, without limitation, appointment of a receiver, trustee, insolvency officer, liquidator, or other similar officer), which entails exemption or other reduction of the Client’s liability or obligations;
• the Client is subject to any procedure or measure that has been introduced or is being implemented with the aim to prevent insolvency or bankruptcy;
• the Client acknowledges its inability to pay its debt that falls due.

The Agreement shall cease to be effective on the date of termination hereof, stated in the notice.

13.5. Termination of this Agreement for any reason shall not release the Client from its duty to fulfill all monetary obligations stipulated by this Agreement and/or Addenda hereto.

14. DISPUTE SETTLEMENT PROCEDURE

14.1. In case of any disputes or controversies arising between the Client and the Contractor in connection with the Agreement or fulfillment or non-fulfillment by either Party of the obligations hereunder, the Parties shall endeavour to settle them through negotiations between their authorized representatives.

14.2. A pre-action protocol for resolution of disputes shall be mandatory. Claims shall be accepted in writing, given their validity, i.e., a claim sent by the Client to the Contractor shall contain a reference to the Agreement clause, an article of the law, or other regulatory act, which, in the Client’s opinion, has been violated by the Contractor. The Party that receives a claim shall answer it within 10 (ten) business days from the date of its receipt. 

14.3. Disputes that cannot be settled through negotiations and on the pre-action basis shall be resolved in accordance with the effective applicable laws according to the Exhibit “About Servercore Group”.

15. EXCHANGE OF MESSAGES

15.1. The Parties shall exchange messages, including legal communications, via the Ticket System.

15.2. The Contractor may also notify the Client by publishing information on the Contractor’s official Website and/or in the Account, by sending information to the email specified by the Client.

15.3. The risk of non-receipt by the Client of messages sent by the Contractor by any of the aforesaid means shall be on the Client, in particular, in case of refusals to read letters and messages, including those received via the Ticket System, and the like.

15.4. In case of changes in details, the Parties shall notify one another thereof within 10 days. The Client shall notify the Contractor by sending a notice via the Ticket System, and the Contractor – by publishing respective information on the Contractor’s Website and/or by sending a notice by email, and/or via the Ticket System.

15.5. The Parties shall deem as binding messages and documents exchanged via the Ticket System, on an equal basis with documents made in simple written form. An exception to this rule shall be this Agreement and documents required for accounting and tax accounting purposes.

15.6. In the event the Parties have suspicions about receiving and (or) sending messages by email and other operations relating to the use of the Contractor’s interfaces, reliable proof of the aforesaid shall be the data recorded by the Contractor.

16. FINAL PROVISIONS

16.1. Neither Party may transfer its rights and obligations under the Agreement without obtaining the other Party’s prior written consent, except where the Services are provided to the Client by third-party service providers, with which the Contractor has made appropriate contracts/agreements. 

16.2. If one or several provisions of the Agreement appear for some reason to be invalid, unenforceable, such invalidity shall not affect the validity of the Agreement in its entirety or the validity of any other provision hereof, which shall continue in force.

17. PERSONAL DATA

17.1. It is prohibited for the Client to use the Contractor’s Services for the purpose of collecting and storing data obtained in violation of the applicable data protection laws.

17.2. The Client confirms its compliance with the requirements of applicable legislation  concerning the protection of personal data (Data Protection Laws).

17.3. The Client shall ensure the collection of consents to the processing of biometric and special categories of personal data (data concerning race, ethnicity, political opinions, religious or philosophical beliefs, health, private life) in accordance with Data Protection Laws (including laws of the country of the Client’s registration).

17.4. If the Client breaches the terms of Clause 17.1 and Clause 11.1 of the Agreement, the Contractor shall have the right to unilaterally terminate the Agreement with a notice thereof to the Client, at any time after it becomes known that the Client is using the Contractor’s Services for collecting and storing data obtained in violation of the applicable data protection laws.

17.5. The Contractor may unilaterally terminate the Agreement with a notice thereof to the Client at any time after it becomes known that the Client is using the Contractor’s Services for operations prohibited by the applicable laws (for example, dissemination of illegally obtained personal data).

17.6. The Contractor may anonymize the Client’s personal data upon expiry of one year from the date the Client discontinues activity in the Account. 

17.7. The Client acknowledges being familiar with Contractor’s Privacy Policy and relevant privacy notices.

18. DETAILS OF THE CONTRACTOR

https://servercore.com/legal/

---

TERMS OF USE OF INDIVIDUAL SERVICES

Date February 28, 2024

These Terms of Use of Individual Services (the “Terms of Use”) shall constitute an integral part of the User Agreement (the “Agreement”). Capitalized terms used but not defined herein shall have the meanings assigned to them in the Agreement. The Terms of Use shall set forth the individual procedure for the use of certain services, including the terms and conditions of service level agreements (SLA) for each of the services.

BASIC TERMS AND DEFINITIONS

Project — a logically isolated group of Resources, to which the User may have access.

Limit — a maximum available quantity of Resources that may be utilized by the User when using the service; the Limit may be changed by agreement of the Parties, and/or unilaterally decreased by the Contractor. 

Quota — a limit set by the User on the quantity of Resources used within the framework of a Project.  

Region — one or a group of data centres deployed within an agglomeration of large cities.

Availability Zone — one or several data centres located within one Region.

Pool — a part of the infrastructure of the Contractor or the Contractor’s partner, which is located in one of the data centres of the Region. 

Resource — an atomic unit that is a minimum possible part of the service provided. 

Resource Identifier — a unique Resource number 32 characters long. 

User — a login-password pair that is created by the Client and determines rights to use resources under an Account.

1. GENERAL RESTRICTIONS ON THE USE OF SERVICES

1.1. For the purpose of ensuring stable operation of the network equipment the number of MAC addresses on access ports shall be limited to 25 addresses per port. The number of MAC addresses may be increased at the Client’s request.

1.2. For the purpose of protecting the infrastructure from DDoS attacks, the following ports shall be blocked by default (they can be unblocked at the Client’s request): 

• UDP: 17, 111, 389, 520, 1900, 3702, 11211;
• TCP: 25;
• TCP/UDP: 135, 137, 138, 139, 445.

1.3. The terms of provision and the set of available functions/features under the Services may differ in different Regions. The Contractor shall not guarantee availability of the Services in all Pools.

3. GENERAL BILLING RULES

3.1. The reporting documents shall specify the Service name, and, if applicable, Region, Availability Zone, Resource Identifier.

3.2. The Resource price effective at the time the Resource is ordered shall be valid until the end of the paid Service period. The Service cost may be changed in accordance with the terms of the Agreement. A Service shall be renewed according to the current rate plan and period.

3.3. Outstanding amounts for Resources disabled because of non-payment shall be a sum of the cost of all Resources for the period of time, during which they were disabled. Once the Client Balance is replenished, the outstanding amounts shall be debited automatically.

3.4. If the Client Balance is zero or insufficient for the next debiting of money for Resources or a Service being consumed, the Service order and management options in the Account shall be disabled automatically. The Contractor shall send the Client a Service disconnection notification in the Notification Centre.

3.5. The Contractor may, in twenty-four (24) hours but no later than fourteen (14) calendar days after the options to order and manage unpaid Resources and Services in the Account are disabled, delete all information and data placed and handled by the Client with the use of unpaid Resources and Services, including any other objects of the Client as have been created within the scope of unpaid Resources and Services, including those stored on the equipment of the Contractor or its partners. The specified period may be extended by agreement of the Parties.

3.6. Once provided Resources or Services are paid, upon expiry of the specified period the provision of the Services shall be resumed in the same manner as at the time of the initial order.

3.7. In case of cancellation of a Resource or a Service prior to the expiry of the paid period, the Contractor shall refund the cost of the unused Resource or Service to the Client Account. Money shall only be refunded for complete unused months.

4. CLOUD SERVERS

Terms and Definitions

Cloud Server — a virtualized server composed of a set of Resources selected by the User.  

Load Balancer — a Resource responsible for the distribution of incoming traffic across Cloud Servers. 

Backup Copy (Cloud Backups) — a Resource that makes it possible to copy and store network drive data according to a schedule set by the Client.

Preemptible Cloud Server – a Cloud Server that runs without interruptions for 24 hours maximum and can be stopped by the Contractor at any time.

4.1. Service Provision Procedure

4.1.1. The Contractor shall provide to the Client access to the management of Resources of Cloud Servers hosted on the infrastructure of the Contractor or the Contractor’s partner in one of the technical Pools, at the discretion of the Client.

4.1.2. The Client may change characteristics of Resources of Cloud Servers at any moment of time given available Resources according to established Quotas and Limit.

4.1.3. Internet access shall be provided through connection of the Cloud Server or the Load Balancer, to which the Cloud Sever is connected, to public IP addresses or public subnetworks. All incoming and outgoing Internet traffic shall be payable; traffic between the Services within the Region shall not be billable.

4.1.4. Equipment, on which the Client’s Cloud Server is hosted, shall be connected to the network at the maximum access speed set for the Pool.

4.2. Billing Procedure

4.2.1 The Service shall be paid according to the postpaid billing model.

4.3. Service Level

4.3.1. Guaranteed availability: 99.98%

4.3.2. Unavailability of the Cloud Server due to failure of the infrastructure of the Contractor or its partner shall be compensable. Such downtime shall be compensable according to Resources that could not be used during downtime due to failure.

4.3.3. 0.5% of the cost of unavailable Resources shall be compensated for every 30 minutes of compensable unavailability of the Cloud Server up to 100% of the cost of unavailable Resources for a month.

4.3.4. Unavailability of the Preemptible Cloud Server shall not be compensable.

4.3.5. Load Balancer:

• Guaranteed availability of the Load Balancer: 99.98% of availability a month. 
• 0.5% of the cost of the Load Balancer shall be compensated for every 30 minutes of compensable unavailability.
• In case of unavailability of the Load Balancer and/or loss of the Load Balancer functionality through the fault of the Contractor, when all Cloud Servers connected to the Load Balancer are in good operating condition and ready to process incoming requests, only the cost of the Load Balancer shall be compensable. The cost of Resources outside the Load Balancer shall not be compensable.

4.3.6. Backups:

• Unavailability of correct backup restoration due to loss of all or part of Backup data shall be compensable. 
• To receive compensation, the Client shall communicate to the Contractor in the Ticket System a confirmation of the incorrectness of a restored backup or of the impossibility of backup restoration.
• 100% of the cost of broken Cloud Backup shall be compensable.

5. KUBERNETES CLUSTERS

Terms and Definitions

Basic Kubernetes Cluster — a Resource that manages the Kubernetes platform and consists of one Kubernetes Master Node 

Failover Kubernetes Cluster — a Resource that manages the Kubernetes platform and consists of three Master Nodes. 

Master Node — a Cloud Server that manages the Kubernetes Cluster. 

Node — a virtual node that is within the area of the Client’s responsibility and is a Cloud Servers control object on the Kubernetes platform.Pod — a basic unit that is within the area of the Client’s responsibility and is a container control object on the Kubernetes platform.

5.1. Service Provision Procedure

5.1.1. The Contractor shall provide to the Client access to the management of Resources of the Basic and/or Failover Kubernetes Clusters.

5.1.2. The Client may change characteristics of Resources of the Kubernetes Clusters at any moment of time given available Resources according to established Quotas and Limit.

5.2. Billing Procedure

5.2.1. The Service shall be paid according to the postpaid billing model.

5.2.2. Payable shall be the cost of the Kubernetes Cluster. Cloud Servers automatically created by the Kubernetes Cluster on the basis of characteristics set by the Client at the time of the Cluster creation shall be billable in the manner established for the “Cloud Server” Service.

5.3. Service Level

5.3.1 Guaranteed Service availability: 99.98%. 

5.3.2 In case of unavailability, 0.5% of the cost of the Failover Kubernetes Cluster shall be compensated for every 30 minutes up to 100% of the cost of this Kubernetes Cluster, except in the following cases: 

• Unavailability of Master Nodes of the Failover Kubernetes Cluster over the Internet and from within the Failover Kubernetes Cluster, if the unavailability interval is less than 5 minutes 
• Unavailability of the Basic Kubernetes Cluster
• Unavailability of Master Nodes due to individual configuration of the routing rules applied by the Client;
• Unavailability due to installation of a third-party application or other service within the Kubernetes Cluster;
• Unavailability of the Kubernetes Cluster during update or re-configuration;
• Unavailability of Nodes and Pods running as part of the Kubernetes Cluster.

5.4. Special Restrictions on the Use of the Service

5.4.1. Other services, namely, the Global Router and the Cloud Server, shall be used in the Service. All restrictions under the said Services shall apply to the Kubernetes Cluster.

6. DATABASE CLUSTER

Terms and Definitions

Database Cluster — a Resource created by the Client. The Database Cluster consists of one or several Cloud Servers, with a database version installed at the discretion of the Client, between which replication is set up.

6.1. Service Provision Procedure

6.1.1. The Contractor shall provide to the Client access to the management of the Database Cluster.

6.2. Billing Procedure

6.2.1. The Service shall be paid according to the postpaid billing model.

6.3. Service Level

6.3.1. Guaranteed availability:

• for write operations in the Database Cluster: 99.95%;
• for read operations in the Database Cluster: 99.99%.

6.3.2. Unavailability of the Database Cluster during read and/or write operations due to failure of the infrastructure of the Contractor or its partners shall be compensable. Total compensation may not exceed 30% of the cost of the Database Cluster for a month. 0.5% of the cost of the Database Cluster shall be compensated for every 30 minutes, except in the following cases:

• the Database Cluster consists of one Cloud Server;
• Unavailability of the Database Cluster for write operations if the disk space of the Cloud Server is full.
• Unavailability of the Database Cluster for write and read operations in case of recovery of data from a backup, scaling and update by the Client. 

7. DEDICATED SERVERS

Terms and Definitions

Dedicated Server — a Resource – a physical server owned by the Contractor or the Contractor’s partner and provided to the Client for remote use.

Dedicated Predefined Configuration Server — a Dedicated Server that is already built and ready for order, with no option to change components at the time of ordering.

Dedicated Random Configuration Server — a Dedicated Server with an option to choose configuration of components at the time of ordering.

Dedicated Chipcore Server — a Dedicated Predefined Configuration Server, without a local network, with a limited bandwidth and lower availability requirements.

7.1. Service Provision Procedure

7.1.1. The Contractor shall provide to the Client access to the management of a Dedicated Server in one of the technical Pools, at the discretion of the Client.  

7.1.2. The Client may change characteristics of the Dedicated Predefined Configuration Server at any moment of time given available Resources in the selected Pool.

7.1.3. The Dedicated Predefined Configuration Server shall be made available: if technically feasible, within two (2) hours after the Service is ordered in the Account and money is debited from the Balance.

7.1.4. The Dedicated Random Configuration Server shall be made available: if technically feasible, within five (5) business days after the Service is ordered in the Account and money is debited from the Balance.

7.1.5. The Dedicated Server shall be set up and built by the Contractor; all Dedicated Server components, not mentioned in the order but necessary for the server, shall be selected at the discretion of the Contractor.

7.1.6. In case of breakdown of the Dedicated Server components, the Contractor shall, within 3 hours from the Client’s request via the Ticket System, replace at its expense all broken components with equivalent ones. If the required spare parts are not available with the Contractor, more capacious/faster spare parts may be temporarily used. If more than 3 hours have passed from the breakdown of the Dedicated Server to the completion of repairs, the Client shall be entitled to compensation.

7.1.7. In case of any technical problems during operation of the Dedicated Server, with no express confirmation from the Client of the breakdown of the Dedicated Server components, the Contractor may propose free-of-charge Dedicated Server diagnostics, and if such is run successfully, the broken component shall be replaced. The diagnostics time shall not be compensable and shall be 12 hours maximum.

7.1.8. Internet access shall be provided through connection of the Dedicated Server to a public IP address or public subnetworks, if technically feasible. Dedicated Servers, except for Dedicated Chipcore Servers, may be jointed in a local network within the Pool.

7.2. Billing Procedure

7.2.1. The Service shall be paid according to the prepaid billing model. 

7.2.2. All incoming and outgoing Internet traffic above provided free volumes shall be payable at the rates published on the Contractor’s Website.

7.3. Service Level

7.3.1. Guaranteed availability of Dedicated Servers: 100% a month. Guaranteed availability of Dedicated Chipcore Servers: 99.8% a month. 

7.3.2. Unavailability of the Dedicated Server due to failure of the infrastructure of the Contractor or its partners shall be compensable. Such unavailability shall be compensated based on the cost of the Dedicated Server, with respect to which downtime has been recorded. 

7.3.3. If the Dedicated Server Availability for one calendar month fails to correspond to the specified availability, the Contractor shall provide compensation as follows:

For the Dedicated Server (except for the Dedicated Chipcore Server):

Service availability per month	Service unavailability time	Compensation amount (in %)
up to 99.80 %	up to 1 hour 30 minutes	3 %
from 99.79 to 99.58 %	from 1 hour 31 minutes to 3 hours	10 %
from 99.57 to 98.62 %	from 3 hours 1 minute to 10 hours	30 %
from 98.61 to 96.7 %	from 10 hours 1 minute to 23 hours 59 minutes	70 %
up to 96.6 %	more than 24 hours	100 %

For the Dedicated Chipcore Server:

Service availability per month	Service unavailability time	Compensation amount (in %)
up to 99.8 %	up to 1 hour 30 minutes	non-compensable
from 99.79 to 99 %	from 1 hour 31 minutes to 7 hours 18 minutes	10 %
from 98.99 to 98 %	from 7 hours 19 minutes to 14 hours 36 minutes	30 %
from 97.991 to 96.7 %	from 14 hours 37 minutes to 23 hours 59 minutes	70 %
up to 96.6 %	more than 24 hours	100 %

7.4. Special Restrictions on the Use of the Service

7.4.1. Dedicated Chipcore Servers may not be connected to a private network, and no additional IP addresses may be connected.

7.4.2. The Client shall use the Dedicated Server in a standard operating mode that causes no damage to the Dedicated Server components, specifically, without limitation:

• according to the characteristics set by the manufacturers of the Dedicated Server components;
• it shall be prohibited for the Client to change the Dedicated Server characteristics – voltage, frequency, temperature;
• it shall be prohibited for the Client to modify the software pre-installed on the Dedicated Server components (to replace firmware);
• the Client may not breach instructions for the use of the Dedicated Server, published on the Contractor’s Website and provided by the Contractor to the Client via the Ticket System.

7.4.3. Upon detection of damage to the Dedicated Server components due to the Client’s illegal actions, the Contractor shall notify the Client in the Ticket System, and the Client shall reimburse for the Contractor’s costs on the repair of such damage.

8. S3 OBJECT STORAGE

Version dated August 7, 2025,

will come into effect from August 22, 2025

Terms and Definitions

Object Storage, S3 is a service used to store and distribute an unlimited amount of data.

Bucket is a Level One resource that enables the arrangement of the upload of objects to S3, downloading of objects, binding of domain names and certificates. Buckets are characterized by the type determining restrictions of access to the data contained therein.

Storage Class is a characteristic that defines the Buckets type and allows implementing different storage options.

Standard Storage is a Storage Class requiring high-capacity fast-response S3.

Cold Storage is a Storage Class that is used for less active workload than in Standard Storage and it requires immediate access to rarely used data.

Ice storage is a storage class designed for archived data and backups that are rarely needed. Provides a significant reduction in the cost of the Service with increased response time when accessing facilities.

8.1. Service Provision

8.1.1. The Contractor shall provide to the Customer access to the service related to the organization of cloud S3 Object Storage and making its resources available to the Customer.

8.1.2. All files uploaded by the Customer to the storage shall be automatically relocated by the Contractor to three independent servers in available Regions.

8.1.3. Technically, the instant automatic deletion of files or Buckets after the expiration of the storage time is not guaranteed. Storing files or Buckets for longer than the prescribed period is not a violation on the part of the Contractor and is not subject to compensation.

8.2. Billing Mode

8.2.1. The Service shall be provided according to the post-paid model.

8.2.2. The price shall be calculated based on the actually occupied storage space, the outbound traffic, and the number of the executed data requests, according to the selected Storage Class.

8.2.3. The term set in Clause 3.5 of the Terms of Use of Individual Services for S3 may be extended by the Contractor to 30 (thirty) calendar days.

8.3. Service Level

8.3.1. Guaranteed availability of S3 with Standard Storage: 99.98% a month, of S3 with Cold Storage and Ice Storage: 99.8% a month.

8.3.2. The Contractor shall provide compensation as follows:

Standard Storage:

Service availability per month	Service unavailability time	Compensation (%)
from 99.98% to 99.8%	from 7.5 minutes to 35 minutes a month	3%
from 99.8% to 99.7%	from 35.5 minutes to 95 minutes a month	6%
from 99.7% to 99.3%	from 95.5 minutes to 140 minutes a month	10%
from 99.3% to 98.8%	from 140.5 minutes to 256 minutes a month	15%
from 98.8% to 96.5%	from 256.5 minutes to 12 hours	50%
from 96.5% to 90%	from 12 hours to 36 hours	90%
Less than 90%	More than 36 hours	100%

Cold Storage and Ice Storage:

Service availability per month	Service unavailability time	Compensation (%)
from 99.8% to 99.7%	from 35.5 minutes to 95 minutes a month	6%
from 99.7% to 99.3%	from 95.5 minutes to 140 minutes a month	10%
from 99.3% to 98.8%	from 140.5 minutes to 256 minutes a month	15%
from 98.8% to 96.5%	from 256.5 minutes to 12 hours	50%
from 96.5% to 90	from 13 hours to 36 hours	90%
Less than 90%	More than 36 hours	100%

8.4. Special service limitations

8.4.1. Entity limits:

Limit	Value
Maximum number of Buckets	2,000
Maximum Bucket name length	128 characters UTF-8
Maximum size of all headers/metadata per account/Bucket/object in the request body	8 Kb
Maximum size of all X-[Account/Container/Object]-Meta-$Name type headers/metadata	4 Kb
Maximum number of headers per account/Bucket/object	90
Maximum header name length	64 characters UTF-8
Maximum number of characters in the client header value	256 characters UTF-8
Maximum object name length	1,024 characters UTF-8

8.4.2. API request limits:

S3 API

Request type	Limit (requests per second)	Server message
All requests	2,000	Too many authorized requests
GET + HEAD	1,000	Too many GET requests
POST	200	Too many POST requests
PUT	300	Too many PUT requests
DELETE	300	Too many DELETE requests

Swift API

Request type	Limit (requests per second)	Server message
All requests	2,000	Too many authorized requests
GET + HEAD	1,000	Too many GET requests
POST	300	Too many POST requests
PUT (без X-Copy-Form)	300	Too many PUT requests
PUT (c X-Copy-Form)	200	Too many PUT requests
COPY	200	Too many COPY requests
DELETE	300	Too many DELETE requests

9. GLOBAL ROUTER

Version of 16 October 2023

Terms and Definitions

The Bandwidth is the maximum data transfer rate within the network, limited by the maximum Internet access speed of the Region.

9.1. Service Provision

9.1.1. The Contractor shall provide the Customer with access to an increased Bandwidth to organize network connectivity between the Customer’s services in one or more Regions (hereinafter referred to as the Global Router).

9.1.2. The Global Router is an additional service; basic services shall be provided under the relevant Terms of Use of individual services.

9.1.3. If technically possible, the network connectivity between the Customer’s services in one or more Regions without exceeding the Bandwidth shall be organized within the framework of the Customer’s services and shall not be subject to additional payment.

9.1.4. To order the Global Router, the Customer shall order in the Account the organization of the network connectivity between the Customer’s services in one or more Regions without exceeding the Bandwidth and send a notification on the need to increase the Bandwidth to the Contractor in the Ticket System.

9.1.5. In the notification the Customer shall specify the following:

• Regions of networks to be connected to the Global Router;
• Bandwidth between two Regions to be connected;
• Selected tariff of the Global Router.

If necessary, the Contractor may also clarify other information.

9.1.6. If technically possible, the Contractor shall connect the Global Router.

9.1.7. When using the organization of network connectivity between the Customer’s services in one or more Regions without exceeding the Bandwidth or the Global Router, the Customer may not permit:

• full utilization of the Bandwidth for more than 10% of the usage time in the accounting period according to the Contractor’s data;
• average load rates of more than 70% of the maximum value of the Bandwidth Limit or the Global Router at the selected tariff in the accounting period according to the Contractor’s data;

In case of violation of the specified conditions the Customer undertakes to change the tariff upwards, and if there is no technical possibility to reduce the load, the Contractor also has the right to limit the parameters of the Global Router.

9.2. Billing Mode

9.2.1. The Service shall be paid according to the postpaid billing model.

9.3. Service Level

9.3.1. The Global Router is guaranteed to be available 99.98% per month.

9.3.2. If the Global Router Availability for one calendar month is not as specified, the Contractor shall compensate as follows: 

Service availability per month	Service unavailability time	Compensation in %
up to 99.80 %	up to 1 hour 30 minutes	3 %
99.79 – 99.58 %	from 1 hour 31 minutes to 3 hours	10 %
99.57 – 98.62 %	from 3 hours 1 minute to 10 hours	30 %
98.61 – 96.7 %	from 10 hours 1 minute to 23 hours 59 minutes	70 %
up to 96.6 %	from 24 hours	100 %

10. ADMINISTRATION

Date March 21, 2024

Terms and definitions

System means a collection of software and/or hardware.

Incident means unscheduled interruptions of the System’s operation or deterioration in the quality of its operation.

Service Request means the Customer’s request for information or for the Contractor’s expert consultation. Service requests do not require System configuration changes.

Change Request means the Customer’s request for changes in the System configuration. This request shall include a detailed description of the requested change in the System configuration and shall be separately agreed upon by the Contractor.

Response Time means the time between the registration of the Customer’s request and the Contractor’s first feedback.

Solution Time means the time between the registration of the Incident and the System recovery and/or the provision of consultation to the Customer.

8×5 Mode means providing the Administration from Monday to Friday, on weekdays (except for the following periods: from 30 December to 8 January, from 9 May to 12 May.) from 7:00 a.m. to 3:00 p.m. on Coordinated Universal Time (UTC).

24×7 Mode means providing the Administration around the clock, including on weekends and holidays.

10.1. Service Provision

10.1.1. The Contractor shall render technical support services for the Customer’s Systems, including:

• Incident Management Services;
• The Customer’s System Monitoring;
• Making changes to the System configuration;

(hereinafter referred to as Administration).

10.1.2. The Administration shall be an additional service, the main services shall be rendered under the respective Terms of Use of individual services.

10.1.3. The Administration shall be ordered by the Customer through the Ticket System.

10.1.4. After ordering the Administration, the Customer shall complete a questionnaire to specify the System characteristics and the contacts of the Customer’s responsible persons. The questionnaire is the basis for rendering the Administration, calculating the volume, cost and timing of the Administration.

10.1.5. The Contractor has the right to initiate a kick-off meeting of representatives of the Parties to agree on all terms and conditions of the Administration. The representatives of the Parties attending such meetings shall be deemed to be authorized by the Parties to make decisions on the rendering of the Administration. The results of the kick-off meeting, including information about the timing, cost and scope of the Administration shall be recorded by the Contractor in the Ticket System.

10.1.6. The Administration starts to be rendered no later than five (5) calendar days from the date of payment after the Parties have finally agreed on all terms and conditions.

10.1.7. A Service Request shall be processed by the Contractor in the 8×5 Mode no later than 40 hours from the date of receipt of the request.

10.1.8. The Administration shall not deal with issues related to web development, programming, setting up contextual advertising and mail servers.

10.1.9. The Customer may opt out of the Administration in the Ticket System no later than ten (10) calendar days prior to the time of the scheduled disconnection.

10.1.10. Rendering procedure for the Incident Management Services:

10.1.10.1. An Incident shall be prioritized by the Contractor based on the criticality and extent of the damage to the System described by the Customer and shall be reported by the Contractor in the Ticket System. By agreement of the Parties, the Priority may be changed.

10.1.10.2. Priorities shall be categorized as follows:

• Priority 1 — Cessation of operation or significant deterioration in the quality of the System (for example, complete inaccessibility of the site); 
• Priority 2 — Significant malfunctions resulting in reduction of the stated capabilities, security level or violation of the controllability of the System (for example, long response time of the site or inaccessibility of the site for some users);
• Priority 3 — Malfunctions that do not affect the quality of services, the set of functions performed, or the normal functioning of the Customer’s administration facilities (for example, backup server malfunction).

10.1.10.3. Incident management timeframes:

Priority	Service Mode	Response Time	Solution Time
Priority 1	Mode: 24×7	1 hour	4 hours
Priority 2	Mode: 8×5	1 hour	8 hours
Priority 3	Mode: 8×5	1 hour	24 hours

10.1.10.4. The Contractor shall perform diagnostics and collecting data about the Incident using remote access tools including:

• Incident simulation;
• Collecting data from the logs of the System and the monitoring system;
• Incident network diagnostics;
• Collecting additional information about the Incident (scenario of occurrence, screenshots, etc.);
• Performing actions to eliminate the Incident after finding a solution;
• Recovery of the System using backups.

10.1.10.5. Having performing the Incident Management Services, the Contractor shall inform the Customer in the Ticket System about the elimination of the Incident or the impossibility of its elimination, in connection with the actions necessary on the part of the Customer. The Customer shall, within three (3) working days, confirm the closure of the request or clarify the required information. If there is no response from the Customer within the prescribed period, the request shall be closed automatically, and the services shall be considered accepted.

10.1.10.6. In case of disagreement with the closing of the request, the Customer shall send a motivated refusal to close the request in the Ticket System within the specified period. By agreement of the Parties, the request can be reopened.

10.1.11. Rendering procedure for the service of the Customer’s System Monitoring:

10.1.11.1. The Contractor shall install and configure a proactive monitoring system on the System located on the Contractor’s or its partner’s equipment in accordance with the main service.

10.1.11.2. The Customer’s System monitoring includes checks of the availability and quality of the System’s operation in the 24×7 Mode.

10.1.11.3. The Contractor shall notify the Customer in the Ticket System in case of detection of incorrect operation of the System, which may affect its availability.

10.1.11.4. When using the Customer’s System Monitoring service, the Customer undertakes to notify the Contractor of the preventive maintenance work being performed, no later than twenty-four (24) hours prior to its commencement. The Contractor shall not respond to the monitoring system reports and shall not proceed to eliminate Incidents while the Customer is performing preventive maintenance.

10.1.12. Rendering procedure for the service of Making Changes to the System Configuration

10.1.12.1. Without limitation, the Contractor shall address the following typical tasks:

• Configuring data backups;
• Configuring the collection and storage of system and application logs;
• Software updating;
• Adding, deleting, and editing firewall rules;
• Monitoring for vulnerabilities and applying security updates.

10.1.12.2. Making changes to the System configuration includes a certain number of hours of scheduled work per calendar month approved by the Parties in the Ticket System. Scheduled work shall be performed by the Contractor in the 8×5 Mode. In the event that the number of hours is exhausted by the Customer or the Customer needs to perform unscheduled work, payment can be made using the Administration hourly rate.

10.2. Billing Procedure

10.2.1. The Service shall be paid according to the prepaid billing model. 

10.2.2. The cost of Administration shall be agreed upon and set by the Parties in the Ticket System depending on the number of services, scope and assigned tasks. The cost set in the Ticket System shall be the basis for billing.

10.2.3. The cost of Administration may include a one-time installation payment for the initial configuration of the System, connection of the monitoring system and backup configuration, as well as other actions of the Contractor agreed with the Customer and requiring one-time actions.

10.3. Service level

10.3.1. In the case of Priority 1, Administration availability is guaranteed at 99.4% per month, no availability is provided for other Priorities or situations without Priorities.

10.3.2. If the availability of Administration for Priority 1 for one calendar month is not as specified, the Contractor shall compensate as follows:

Time of unavailability	Compensation (%)
From 4 hours to 8 hours	10%
From 8 hours 1 minute to 12 hours	30%
From 12 hours 1 minute to 23 hours 59 minutes	70%
From 24 hours	100%

10.4. Limitations

10.4.1. The terms and conditions shall not apply to performance or availability problems in the following cases:

• if the problem is due to the use of services, hardware or software not provided by the Contractor or its partner;
• if the Contractor has recommended to the Customer to change the System parameters, but the recommendations have not been complied with;
• if the problem has resulted from unauthorized acts or omissions by the Customer or by agents, contractors, suppliers, or anyone who has gained access to the Contractor’s network through the use of the Customer’s passwords or hardware, or from the Customer’s failure to ensure proper security practices.

10.5. Non-competition clause

10.5.1. The Customer undertakes not to hire any employees of the Contractor and/or its partner involved in the rendering of the service during the whole period of the Administration rendering, as well as for 12 months after completion of the rendering.

10.5.2. If the Customer violates this prohibition, the Contractor shall be entitled to recover compensation from the Customer, including the cost of hiring and training a new employee.

Compensation shall be calculated according to the formula:

Compensation = X * 6

where

X is the highest monthly cost of the Service rendered to the Customer in the last six (6) months prior to the Customer’s actions violating the prohibition.

11. MAIL SERVICE

Version dated May 20, 2025.

Terms and definitions

Graylisting is one of the technologies of protection against unauthorized correspondence in the form of automatic filtering of incoming spam at the SMTP protocol level.

SMTP, SMTP (Simple Mail Transfer Protocol) is a simple mail transfer protocol used to send and receive e-mail messages over the Internet. Mail servers use SMTP to send, receive, and relay mail messages.

SMTP relay server is a mail relay, an intermediary server that accepts e-mail from senders and delivers it to recipients.

Partner – mailganer.com, the Contractor’s partner, providing the software complex for the Service provision.

11.1. Procedure for providing the service

11.1.1. The Contractor shall provide the Customer with access to the service of forwarding mail messages (e-mail) via SMTP relay server (hereinafter referred to as the Mail Service).

11.1.2. The service is provided by the Contractor with involvement of the Partner, who also has access to the forwarded messages.

11.1.3. When providing the Service, the Customer independently generates the text of mail messages and sends them to the SMTP relay server for automatic checking by filtering rules and further forwarding to recipients.

11.1.4. The Contractor:

• does not censor the text of mail messages;
• does not organize the storage of mail messages beyond the time required for their automatic verification before forwarding;
• does not ensure functioning of information systems and (or) programs for electronic computers, which are designed and (or) used for receiving, transmitting, delivering and (or) processing electronic messages of Internet users.

11.1.5. In order to use the Mail service, the Customer must own a domain name from which mail messages will be sent.

11.1.6. The moment when the Mail service provision starts is when the Customer sends the text of a mail message to the SMTP relay server.

11.1.7. After the Customer sends the text of a mail message to the SMTP relay server, it automatically becomes a queue for processing, the duration of which cannot exceed 24 hours.

11.1.8. If the recipient servers of a mail message use Graylisting, the time to deliver messages to such a recipient server may be increased according to the length of the time delay on the recipient server.

11.1.9. The Customer assures and guarantees the Contractor that forwarding of mail messages is carried out by the Customer only if there is a recipient’s consent to receive such messages. In case the recipient refuses to receive mail messages, the Customer is obliged to remove the recipient’s e-mail address from the mailing list.

11.1.10. In case the Contractor receives complaints about the Customer sending spam, illegal information or lack of consent of the recipients, the Contractor has the right to unilaterally refuse to provide the Service to the Customer with notification in the Ticket system.

11.2. Charging procedure

11.2.1. The Service is billed on a postpaid model.

11.2.2. The tariffs depend on the total number of mail messages sent within a calendar month. Within a calendar month, if the range determining the Service tariff is exceeded, the tariff of the subsequent range is used for the following mailings.

11.2.3. Every mail message sent, including those blocked on the recipient’s side, is subject to payment.

11.2.4. Sending the first 1000 mail messages is a Beta Service and is not charged.

11.3. Service level agreement

11.3.1. Mail service availability is guaranteed at 99.99% for the month.

11.3.2. Compensation for Mail service unavailability in case of SMTP relay server unavailability during a continuous 5-minute interval due to failure of the Contractor’s infrastructure. Compensated 0.5% of the cost of the Mail service for the previous 30 calendar days for each 30 minutes.

Annex No 1 to User Agreement

ABOUT SERVERCORE GROUP

This exhibit constitutes an integral part of the User Agreement (the “Agreement). Capitalized terms used but not defined herein shall have the meanings assigned to them in the Agreement. The Exhibit shall specify:

1. the Servercore Group company that is the Contractor according to the country of your Account;
2. its applicable laws;
3. Agreement clauses conditioned on the Contractor’s applicable laws.

You must give valid data on the country relating to your tax registration. You can change the country, in which case the country of your Account will change, too. No change currency option is available.

Last updated 17.04.2023

About this Policy

This Cookie Policy (“Policy“) explains how we use cookies and other similar technologies to recognise you when you visit our website https://servercore.com (“Website“). It explains what these technologies are and why we use them, as well as your rights to control our use of them. Please take the time to read this Policy carefully. If you have any questions or comments, please contact us via email at privacy@servercore.com

What are cookies?

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are used by website owners in order to make their websites work, or to work more efficiently, as well as to provide reporting information.Cookies have many different features, such as allowing you to navigate between pages efficiently, remembering your preferences, and generally improving your user experience. They can also help ensure that the advertisements you see online are more relevant to you and your interests.

Cookies set by the website (in this case, by servercore.com) are called “first party cookies“. Cookies set by parties other than the website owner are called “third party cookies“. Third party cookies enable third party features or functionality to be provided on or through the website (e.g. like advertising, interactive content and analytics). The parties that set these third party cookies can recognise your computer or mobile device both when it visits the websites in question and also when it visits certain other websites.

How do we use cookies?

When you visit our Website, we may place the following types of cookies:

Third party cookies

How can I control cookies?

You have the right to decide whether to accept or reject specific types of cookies.
You can exercise your cookie preferences on the cookie banner.

You can set or amend your web browser controls to accept or refuse some cookies. If you choose to reject cookies, you may still use our Website though your access to some functionality and areas of our Website may be restricted. As means by which you can refuse cookies through your web browser controls vary from browser-to-browser, you should visit your browser’s help menu for more information.

Updates to this Notice

We may update this Policy from time to time in response to changing legal, technical or business developments. You can see when this Policy was last updated by checking the “last updated” date displayed at the top of this Policy.

Who are we and how can you contact us?

This privacy notice aims at giving you information on how your personal data are processed. In this notice, we refer to ourselves as ‘we’, ‘us’ and ‘our’.

Who processes your personal data

Your jurisdiction	Who processes your personal data	Address	Registration number
Kenya, EU and other countries	Servercore Africa Ltd	P.O BOX 2700 – 00606, Nairobi, Studio 16 Workable, Waiyaki Way, Sanlam Towers, 4th floor	PIN: P052153652V
the Republic of Uzbekistan	Servercore, FE LLC Servercore, Foreign enterprise in the form of a limited liability company	100015, Republic of Uzbekistan, Tashkent city, Mirabad district, Turkestan Street, 12A, office No 326	BIN: 306843624
CIS Countries (except the Republic of Uzbekistan), Georgia	MSS LLP Modern Server Solutions LLP	Z10K8H7, Astana, Saryarka district, Beibitshilik Street, building 14, Office 910	BIN: 221140046930

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us using:

• our email: privacy@servercore.com
• our DPO’s email: privacy@servercore.com

The policy extends to:

• our products and services
• our website: https://servercore.com/

our email: privacy@servercore.com and other emails of our company to which data subject may refer.

DPA Standard Contractual Clauses for EU Clients

This Data Processing Clauses, including its Annexes, (“DPC”) forms part of the Terms of Service or other written or electronic agreement between Servercore (Servercore Africa Ltd, P.O BOX 100778, JAMIA, servercore.com) and Client for the use of the online service Servercore (servercore.com). Client enters into this DPC on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates.

Section I

1. Purpose and scope

(a) The purpose of this Data Processing Clauses (the Clauses) is to ensure compliance with Kenya’s Data Protection Act / 2019 No. 24 of 2019 and Data Protection (General) Regulations /2021E No. 263.

(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021.

(c) These Clauses apply to the processing of personal data as specified in Annex II.

(d) Annexes I to IV are an integral part of the Clauses.

(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021.

(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter VI/VII of Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021.

2. Invariability of the Clauses

The parties may incorporate the data processing clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

3. Interpretation

(a) Where these Clauses use the terms defined in Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations / 2021 respectively, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations / 2021.

(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations / 2021 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

4. Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

5. Docking clause

(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.

(b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.

(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

Section II Obligations of the Parties

6. Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

7. Obligations of the Parties

7.1. Instructions

(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Kenya law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.

(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations / 2021 or the applicable Kenya data protection provisions.

7.2. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

7.4. Security of processing

(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6. Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.

(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations / 2021. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.

(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors

(a) GENERAL WRITTEN AUTHORISATION: The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 10 (ten) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.

(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations / 2021.

(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.

(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.

(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby – in the event the processor has factually disappeared, ceased to exist in law or has become insolvent – the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers

(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Kenya law to which the processor is subject and shall take place in compliance with Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations / 2021.

(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021, the processor and the sub-processor can ensure compliance with Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021 by using data processing clauses.

8. Assistance to the controller

(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.

(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.

(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:

(i) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;

(ii) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;

(iii) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated.

(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

9. Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations, taking into account the nature of processing and the information available to the processor.

9.1. Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

(b) in obtaining the following information which must at least include:

(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(2) the likely consequences of the personal data breach;

(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(c) in complying with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2. Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

(b) the details of a contact point where more information concerning the personal data breach can be obtained;

(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

Section III Final provisions

10. Non-compliance with the Clauses and termination

(a) Without prejudice to any provisions of Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.

(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:

(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;

(2) the processor is in substantial or persistent breach of these Clauses or its obligations under Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021;

(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or Kenya’s Data Protection Act / 2019 or Data Protection (General) Regulations /2021.

(с) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.

(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Kenya law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

Annex I

Description of the processing

Categories of data subjects whose personal data is processed
Categories of data subjects are defined by the controller, which is the client of Servercore.

Categories of personal data processed
Categories of personal data are defined by the controller.

Sensitive data processed (if applicable)
Sensitive data is not processed

Nature of the processing
On the client’s request, processor stores data on its servers. The nature of the processing may vary depending on the type of service

Purpose(s) for which the personal data is processed on behalf of the controller
The purpose of the processing is to provide data controller with the service:

• Dedicated servers (fixed configurations)
• Cloud platform
• Cloud storage
• Cloud powered by VMware
• MSSP, managed-services (Security Management as Service)
• Selling Information Security Products
• CDN and Connectivity Services (Direct Connect, Anti-DDoS)
• PaaS services (DBaaS, Kubernetes, Serverless Functions)
• File storage
• Load balancer
• Backup as a service

Duration of the processing
Duration of the processing is defined by the main agreement between data controller and processor.

Annex II

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

• Each Staff member signs a contract, non-disclosure agreement, privacy obligation and list of familiarization with internal corporate confidentiality, information security, privacy policies.
• Each Staff member passes an annual training on Informational Security and Privacy (through online training system) and completes the questionnaire as per internal policy requirements.
• Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Upon detection of any suspicious or non-standard event that could be a personal data breach or information security incident, the Staff is required by internal policy to report it in respective corporate ticket-system. The report is automatically assigned to an Incident Response Team (DPO, ISO, CTO, legal).
• Further incident handling activities are carried out by the Incident Response Team, including communication, initial support, registration, recovery, and incident closure.
• Implementation of log access management and data breach reporting processes to timely define, manage and report all personal data breaches in accordance with respective corporate policies.
• Regular data backups in electronic form on a daily basis.
• Storage of backups on an external secure server.
• Protection of backed up data with the same security level as data stored on corporate servers by organising storage by contractually regulating an outsourced backup service.
• Staff is instructed to store users’ data in corporate backed-up systems and storages.

Measures for user identification and authorisation

• The is instructed not to store its access credentials (login/password) in an easily accessible form (unencrypted file, paper, sticker, etc.).
• The requirements to complexity of passwords.
• An automatic logout procedure of locking the workstations not-used for a given period of time.
• An access control policy, which includes:
• the procedures to be applied automatically upon arrival and departure or a change of role for an individual with access to personal data;
• the planned consequences for individuals with legitimate access to data in the event of non-compliance with security measures;
• the measures allowing to restrict and control the granting and use of access to processing.

Measures for the protection of data during transmission

• Encryption of data before sending it on a physical medium (DVD, USB stick, portable hard drive) or to a third party.
• External networks are used exclusively (VPN, dedicated line).
• When sending data through network:
• encryption of sensitive data before sending, if this transmission uses electronic messaging.
• use of a protocol guaranteeing the confidentiality and authentication of the recipient server for file transfers, for example SFTP or HTTPS, by using the most recent version of protocols.
• ensuring the confidentiality of secrets (encryption keys, passwords, etc.) by sending them via a separate channel (for example, sending an encrypted file by email and communicating the password by phone or SMS).

Measures for ensuring physical security of locations at which personal data are processed

• All entrance doors to the physical perimeter are connected to the Access Control System (ACS). Unauthorized doors opening that are under control of the ACS is always registered.
• The Staff is visually identified by badges. They use personal access cards to obtain access to work premises.
• There is a mandatory registration of all visitors, with a record of the time and purpose of the visit, as well as information about the host person.
• When exchanging information inside and outside the companies using any means of communication (email, messenger, internet, voice, media, etc.), the Staff follows the rules preventing unauthorized information distribution (e.g. prohibiting store confidential information outside of corporate infrastructure).
• For sensitive information an additional security measures are applied like secure storage place, encrypted channels etc.
• Information stored on USB/HDD/SSD and other read/write drives should be deleted by utilizing the wipe functions (through the file manager, system formatting utilities).
• Paper documents are required to be destroyed through paper shredding machine.

Measures for ensuring events logging

• Corporate system of logging (i.e. storing events in “log files”) and recording of users’ activities, abnormalities and events related to information security.
• Procedures detailing the monitoring of processing use and periodically carrying out a review of the logged information to detect possible anomalies.
• All anomalies and incidents to be investigated by information security team.

Measures for internal IT and IT security governance and management

• It is prohibited by corporate policy to use illegal software, particularly: unlicensed software, hacked/pirated software, software unrelated to company business (for example, crypto miners), etc.
• All workplaces (workstations, laptops, etc.) of the Staff are antivirus protected.
• All valuable information assets are regularly backed up. Corporate network is protected with Firewall. Regular monitoring of network activities is established.
• Vulnerability assessment and regular software updating for most critical infrastructure is established.
• The security updates are carried out automatically and regularly.
• The connection of mobile media (USB sticks, external hard drives, etc.) is limited to what is essential.

Measures for ensuring data minimisation

• Internal Corporate privacy policy and Retention policy are specifying the requirements for data minimization.
• Corporate systems and websites/Apps are structured to collect only minimum of necessary data.
• Measures for ensuring system configuration, including default configuration
• Implementation by default of standard settings, software and equipment for all corporate systems and of Staff Members’ devices, including antivirus software and vulnerability scanning and control.

Measures for ensuring limited data retention

• Corporate Retention policy defines what data must be archived, how and where is it stored, how is descriptive data managed.
• Implemented specific access methods to archived data, due to the fact that the use of an archive is made in a specific and exceptional manner.
• With regard to the destruction of archives, there is a procedure guaranteeing that the archive has been destroyed in its entirety.

Please take the time to carefully read and review our Data Protection Agreement. This agreement is designed to protect the personal data you process with our service and ensure that it is used responsibly and in accordance with all applicable laws and regulations, including Article 28(3) of the GDPR.

If you are located in Kenya, please note that we have also prepared Data Processing Clauses that comply with Kenyan data protection legislation. We kindly ask that you carefully read and accept these clauses before proceeding.

By accepting our Data Protection Agreement or Data Processing Clauses, as applicable, you are acknowledging that you have read and understood all of the terms and provisions contained therein. If you have any questions or concerns about our data protection practices, please do not hesitate to contact us for further information.

Standard contractual clauses

Section I

Clause 1
Purpose and scope

(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.

(c) These Clauses apply to the processing of personal data as specified in Annex II.

(d) Annexes I to IV are an integral part of the Clauses.

(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2
Invariability of the Clauses

(a) The parties may incorporate the data processing clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3
Interpretation

(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.

(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679/ Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4
Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5
Docking clause

(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.

(b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.

(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

Section II Obligations of the Parties

Clause 6
Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7
Obligations of the Parties

7.1. Instructions

(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.

(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.

7.2. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

7.4. Security of processing

(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6. Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.

(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.

(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors

(a) OPTION 1: PRIOR SPECIFIC AUTHORISATION: The processor shall not subcontract any of its processing operations performed on behalf of the controller in accordance with these Clauses to a sub-processor, without the controller’s prior specific written authorisation. The processor shall submit the request for specific authorisation at least 10 (ten) days prior to the engagement of the sub-processor in question, together with the information necessary to enable the controller to decide on the authorisation. The list of sub-processors authorised by the controller can be found in Annex IV. The Parties shall keep Annex IV up to date.

(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.

(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.

(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby – in the event the processor has factually disappeared, ceased to exist in law or has become insolvent – the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers

(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.

(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8
Assistance to the controlle

(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.

(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.

(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:

(i) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;

(ii) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;

(iii) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;

(iv) the obligations in Article 32 of Regulation (EU) 2016/679.

(d) The Parties shall set out in Annex III the appropriate technical and organizational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9
Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.

9.1. Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons)

(b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:

(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(2) the likely consequences of the personal data breach;

(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2. Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

(b) the details of a contact point where more information concerning the personal data breach can be obtained;

(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

Annex I

List of parties

Controller(s) – the Client

Processor(s):

Name: HAICOM LIMITED

Address: Diagorou 4, Kermia Building, 6th floor, office 601, 1097, Nicosia, Cyprus

Contact person’s name, position and contact details:
Director Erasmia Aristodemou, privacy@servercore.com

Annex II

Description of the processing

Categories of data subjects whose personal data is processed
Categories of data subjects are defined by the controller, which is the client of Servercore.

Categories of personal data processed
Categories of personal data are defined by the controller.

Sensitive data processed (if applicable)
Sensitive data is not processed

Nature of the processing
On the client’s request, processor stores data on its servers. The nature of the processing may vary depending on the type of service

Purpose(s) for which the personal data is processed on behalf of the controller
The purpose of the processing is to provide data controller with the service:

• Dedicated servers (fixed configurations)
• Cloud platform
• Cloud storage
• Cloud powered by VMware
• MSSP, managed-services (Security Management as Service)
• Selling Information Security Products
• CDN and Connectivity Services (Direct Connect, Anti-DDoS)
• PaaS services (DBaaS, Kubernetes, Serverless Functions)
• File storage
• Load balancer
• Backup as a service

Duration of the processing

Duration of the processing is defined by the main agreement between data controller and processor.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

Annex III

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

• Each Staff member signs a contract, non-disclosure agreement, privacy obligation and list of familiarization with internal corporate confidentiality, information security, privacy policies.
• Each Staff member passes an annual training on Informational Security and Privacy (through online training system) and completes the questionnaire as per internal policy requirements.
• Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Upon detection of any suspicious or non-standard event that could be a personal data breach or information security incident, the Staff is required by internal policy to report it in respective corporate ticket-system. The report is automatically assigned to an Incident Response Team (DPO, ISO, CTO, legal).
• Further incident handling activities are carried out by the Incident Response Team, including communication, initial support, registration, recovery, and incident closure.
• Implementation of log access management and data breach reporting processes to timely define, manage and report all personal data breaches in accordance with respective corporate policies.
• Regular data backups in electronic form on a daily basis.
• Storage of backups on an external secure server.
• Protection of backed up data with the same security level as data stored on corporate servers by organising storage by contractually regulating an outsourced backup service.
• Staff is instructed to store users’ data in corporate backed-up systems and storages.

Measures for user identification and authorisation

• The is instructed not to store its access credentials (login/password) in an easily accessible form (unencrypted file, paper, sticker, etc.).
• The requirements to complexity of passwords.
• An automatic logout procedure of locking the workstations not-used for a given period of time.
• An access control policy, which includes:
• the procedures to be applied automatically upon arrival and departure or a change of role for an individual with access to personal data;
• the planned consequences for individuals with legitimate access to data in the event of non-compliance with security measures;
• the measures allowing to restrict and control the granting and use of access to processing.

Measures for the protection of data during transmission

• Encryption of data before sending it on a physical medium (DVD, USB stick, portable hard drive) or to a third party.
• External networks are used exclusively (VPN, dedicated line).
• When sending data through network:
• encryption of sensitive data before sending, if this transmission uses electronic messaging.
• use of a protocol guaranteeing the confidentiality and authentication of the recipient server for file transfers, for example SFTP or HTTPS, by using the most recent version of protocols.
• ensuring the confidentiality of secrets (encryption keys, passwords, etc.) by sending them via a separate channel (for example, sending an encrypted file by email and communicating the password by phone or SMS).

Measures for ensuring physical security of locations at which personal data are processed

• All entrance doors to the physical perimeter are connected to the Access Control System (ACS). Unauthorized doors opening that are under control of the ACS is always registered.
• The Staff is visually identified by badges. They use personal access cards to obtain access to work premises.
• There is a mandatory registration of all visitors, with a record of the time and purpose of the visit, as well as information about the host person.
• When exchanging information inside and outside the companies using any means of communication (email, messenger, internet, voice, media, etc.), the Staff follows the rules preventing unauthorized information distribution (e.g. prohibiting store confidential information outside of corporate infrastructure).
• For sensitive information an additional security measures are applied like secure storage place, encrypted channels etc.
• Information stored on USB/HDD/SSD and other read/write drives should be deleted by utilizing the wipe functions (through the file manager, system formatting utilities).
• Paper documents are required to be destroyed through paper shredding machine.

Measures for ensuring events logging

• Corporate system of logging (i.e. storing events in “log files”) and recording of users’ activities, abnormalities and events related to information security.
• Procedures detailing the monitoring of processing use and periodically carrying out a review of the logged information to detect possible anomalies.
• All anomalies and incidents to be investigated by information security team.

Measures for internal IT and IT security governance and management

• It is prohibited by corporate policy to use illegal software, particularly: unlicensed software, hacked/pirated software, software unrelated to company business (for example, crypto miners), etc.
• All workplaces (workstations, laptops, etc.) of the Staff are antivirus protected.
• All valuable information assets are regularly backed up. Corporate network is protected with Firewall. Regular monitoring of network activities is established.
• Vulnerability assessment and regular software updating for most critical infrastructure is established.
• The security updates are carried out automatically and regularly.
• The connection of mobile media (USB sticks, external hard drives, etc.) is limited to what is essential.

Measures for ensuring data minimisation

• Internal Corporate privacy policy and Retention policy are specifying the requirements for data minimization.
• Corporate systems and websites/Apps are structured to collect only minimum of necessary data.
• Measures for ensuring system configuration, including default configuration
• Implementation by default of standard settings, software and equipment for all corporate systems and of Staff Members’ devices, including antivirus software and vulnerability scanning and control.

Measures for ensuring limited data retention

• Corporate Retention policy defines what data must be archived, how and where is it stored, how is descriptive data managed.
• Implemented specific access methods to archived data, due to the fact that the use of an archive is made in a specific and exceptional manner.
• With regard to the destruction of archives, there is a procedure guaranteeing that the archive has been destroyed in its entirety.

By using our services, websites and platforms, you entrust us some personal information about you and your clients. This is a big responsibility for us, and we will do our best to protect your data and keep it under your control. We constantly review new data protection requirements, guidelines, and best practices to stay up to date.

This Data Protection Statement is addressed to our users and to our current and potential clients to discover our privacy rules and standards. For more detailed information on the purposes, terms and other conditions of data processing, please see our Privacy Policy and Cookie Policy.

1. Who we are?

We are the company Servercore (hereinafter referred to as “Servercore” or the “Company”), with registered offices in

• Kenya (P.O BOX 100778, JAMIA),
• Cyprus (Diagorou 4, Kermia Building, 6th floor, office 601, 1097, Nicosia, Cyprus),
• Kazakhstan (Z10K8H7, Republic of Kazakhstan, Astana, Saryarka district, Beibitshilik Street, building 14, Office 909),
• Uzbekistan (100015, Republic of Uzbekistan, Tashkent, Yakkasaray District, Damariq mahalassi, Abdulla Qahhor st., 47).

We own the Servercore electronic portal https://servercore.com/ as well as all the equipment, software, and hardware necessary for its operation.

Servercore is committed to Data Protection compliance, especially the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), and to strictly follow and to protect data subjects under other applicable privacy regulations, depending on the jurisdiction of our business.

According to the GDPR, Kenya’s Data Protection Regulation and other applicable laws, Servercore may act in different roles, depending on our relationships with you.

Servercore acts as:

• data controller for your personal data if you are our user or visitor of our portal or website; subscriber to our news, mailings and social media accounts; current or potential client, vendor or business partner; shareholder or investor; director, manager or representative;
• data processor for personal data of our client’s users;
• data controller for your personal data if you are Servercore companies’ (including affiliates and target companies for acquisition) employee, contractor, applicant, intern, trainee, referral.

2. What are our privacy principles?

We are committed to the privacy principles and rules inherent in the GDPR and other privacy acts, and particularly we aim to ensure:

• your control under your information and transparency with regard to data processing;
• lawfulness, fairness, necessity of any processing for a specific purpose;
• accuracy, keeping up to date and erasure or anonymization when purpose of processing is achieved;
• safely and security of data processing, storage and transmission.

3. How do we register personal data?

We follow the accountability GDPR principle and conduct an audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed. The result of such audit is documented and maintained in records of processing activities.

4. Our Policies and Procedures

The following Policies and Procedures were implemented on corporate and staff levels to meet the requirements and principles of the GDPR and other relevant data protection laws:

• Privacy Policy – our rules and principles for protection of personal data of data subjects outside the company: users, clients, potential clients, visitors, etc.
• Cookie Policy – explaining the types of cookies we use on our website and how we use them to enhance user experience and improve the functionality of our website.
• Internal privacy and security policies – the set of requirements to staff and list of their obligations, procedures of data protection, of response to data subjects, of response to data breach, rules of data retention&erasure, etc.
• Data protection and security trainings – our obligatory awareness course to familiarize our staff with policies and procedures before granting them any access to personal data.
• Vendor management –ensuring that our third-party vendors and service providers protect personal data according to applicable regulations and standards.
• Data Protection Impact Assessment (DPIA) — reviewing processing activities to identify and minimize any potential risks to data subjects and ensure compliance with applicable privacy regulations. Based on the results, we have put in place appropriate controls on data processing and management.
• Regular audits and reviews of our privacy policies and proceduresto ensure they remain up-to-date and effective.

5. How do we protect personal data?

To protect personal data, we use state-of-the-art security measures, including:

• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Measures for user identification and authorisation
• Measures for the protection of data during transmission
• Measures for ensuring physical security of locations at which personal data are processed
• Measures for ensuring events logging
• Measures for internal IT and IT security governance and management
• Measures for ensuring data minimisation
• Measures for ensuring limited data retention
• Measures for ensuring accountability

6. How do we delegate data processing to third parties?

When Servercore is a data controller or processor, we may engage some entrusted data processor or subprocessor who will process your personal data on our behalf and under our documented instructions.

7. How do we transfer personal data?

To the extent that Servercore has offices and organizational structures in third countries outside the EU/EEA, your data may be shared within our international business processes to perform our legal or contractual obligations to you or our business partners. We have a particular intra-group data transfer agreement in place and have conducted a Transfer Impact Assessment (TIA) where it is applicable. When such data transfers involve external data importers, we enter in respective standard contractual clauses with them.

As data processors, we have developed a Data Processing Agreement (DPA) for our clients. The DPA includes provisions for cross-border data transfers.

7. How to contact us?

If you have any questions, please do not hesitate to contact us at privacy@servercore.com

Account Country

Kenya

Contracting Party

Servercore Africa Ltd
PIN: P052153652V

Mailing Address

100778, Kiambu, Kabete district, Kikuyu main road, Eurekatowers.

Bank details

Settlement accounts in Stanbic Bank (Chiromo):
(EUR): 0100011104775-EUR
(KES): 0100011104748-KES
(USD): 0100011104767-USD
SWIFT: SBICKENX

Account Country

Uzbekistan

Contracting Party

Servercore CIS, FE LLC Servercore, Foreign enterprise in the form of a limited liability company
BIN: 306843624

Mailing Address

100015, Republic of Uzbekistan, Tashkent city, Mirabad district, Turkestan Street, 12A, office No 326

Bank details

Settlement accounts in «TRUSTBANK» PRIVATE JOINT-STOCK BANK BRANCH «DARKHAN»:
(RUB): No. 20214643305144346001
(UZS): No. 20214000805144346001
(USD): No. 20214840005144346001
SWIFT: TRSAUZ22

Account Country

Kazakhstan

Contracting Party

MSS LLP Modern Server Solutions LLP
BIN: 221140046930

Mailing Address

Z10K8H7, Astana, Saryarka district, Beibitshilik Street, building 14, Office 910

Bank details

Settlement accounts in Bank CenterCredit JSC:
(RUB): KZ818562203327444230
(KZT): KZ768562203127442251
(USD): KZ898562203227444458
SWIFT: CHASUS33

Promotion rules “Deferred Payment” (hereinafter referred to as the “Rules”)

1. General Provisions

These Deferred Payment Promotion Rules (hereinafter referred to as the “Promotion”) ¹ govern the relationship between Servercore Groups of Companies, (hereinafter referred to as the “Organizer”), and you:

• individuals over 18 (eighteen) years of age who are citizens of the Republic of Kazakhstan or the Republic of Uzbekistan or Kenya;
• individual entrepreneurs (if applicable) and legal entities registered in the territory of the Republic of Kazakhstan or the Republic of Uzbekistan or Kenya

who have accepted the Promotion when activating the Deferred Payment Option and wish to participate in the Promotion (hereinafter referred to as “Participants”)

The Promotion is also an integral part of the User Agreement. 

2. Terms and definitions

This Promotion may use terms not contained in this section. In this case, such term shall be interpreted in accordance with the applicable law and the User Agreement.

Registration data is information entered by a Participant about the country of residence and other data related to Participants that determine the country of residence.

Appendix “About Servercore Group of Companies” – an appendix, an integral part of the Promotion, posted on the Organizer’s website at the link https://servercore.com/legal/ , defining according to the Registration data:

• company from the Servercore Group of Companies, which is the Organizer,
• the legislation under which the Promotion is conducted,
• list of other Servercore Group of Companies.

Deferred payment – a period of services rendering after the expiration of the paid period, when the services are rendered to the Customer in full and are not suspended for non-payment. Deferred payment is 96 hours, excluding weekends (Saturday and Sunday), from the end of the paid period.

Participants of the Promotion

Participants who meet the following requirements are eligible to participate in the Promotion:

• use the Organizer’s services, for which the postpaid charging model is applied;
• have a positive Customer Balance;
• the amount of the Organizer’s services paid in cash for the previous month prior to participation in the Promotion is not less than:
  • for residents of the Republic of Uzbekistan: not less than 3500000 UZS;
  • for residents of the Republic of Kazakhstan: not less than 150000 KZT;
  • for residents of Kenya: at least 40000 KES or at least 270 USD;
• according to the Registration data have citizenship of the Republic of Kazakhstan, the Republic of Uzbekistan, Kenya – for individuals and individual entrepreneurs (if applicable), or are registered in the territory of the Republic of Kazakhstan, the Republic of Uzbekistan, Kenya and have tax residency of these countries – for legal entities.

4. Description of the Promotion

The Participant who meets all the conditions has the right to activate the Deferred payment period in the Account to change the order of tariffication of the Organizer’s services for which the postpaid tariffication model is applied (hereinafter referred to as the Services).

If the Deferred payment is activated, the general rules of charging when the Customer’s Balance reaches zero or insufficient for the next debit for the consumed Resources or Services shall be applied after the expiration of the Deferred payment.

The provision of Services with Deferred payment shall be subject to payment.

In case the Customer’s Balance is replenished during the Deferred payment period by an amount of money sufficient to pay for the rendered Services, the said amount of money shall be debited automatically, and the Services shall continue to be rendered by the Organizer.

If the Customer’s Balance is not replenished during the Deferred payment period by an amount sufficient to pay for the Services rendered, after the expiration of the Deferred payment period, the general rules of tariffication shall apply when the Customer’s Balance reaches zero or insufficient for the next debit for the consumed Resources or Services.

5. Procedure for participation in the Promotion

To participate in the Promotion you need to accept the Promotion in your Account (Billing->Payment Deferral payment-> “Connect Deferral payment” button).

These Promotion is a public offer of the Organizer

By taking actions on acceptance of these Promotion, the Customer confirms his legal capacity and capability, attainment of the age of 18 years by the Customer, as well as compliance with the conditions specified in Section 3 of these Promotion.

The Offer shall be deemed to have been accepted by the Customer upon the Customer’s acceptance of this Promotion in the Account as set forth in paragraph one of this section.

Acceptance of the Offer means full and unconditional acceptance by the Customer of all terms and conditions of the Promotion without any exceptions and/or limitations.

6. Rights and obligations of the participants of the Promotion

Participants are obliged to comply with the terms and conditions of the Promotion, User Agreement.

7. Rights of the Organizer

The Organizer has the right to refuse participation in the Promotion to any person without further notice if the Participant has provided incomplete or incorrect data or uses the Promotion in bad faith.

8. Period of the Promotion

From 01.04.2025 to 31.12.2027.

The period of the Promotion may be changed unilaterally by the Organizer with the placement of
relevant information on the Organizer’s website at the link https://servercore.com.

9. Other terms and conditions of the Promotion

In case of contradiction of the Promotion with the clauses of the User Agreement, the Promotion shall prevail, and other clauses of the User Agreement shall be applied taking into account the Promotion.

The Organizer has the right to unilaterally make changes to the Promotion upon notifying the Participants 15 (fifteen) calendar days before the above changes come into effect.

---

¹ The Promotion is not an incentive lottery and is conducted in accordance with these terms and conditions and the current applicable laws of the Republic of Uzbekistan, the Republic of Kazakhstan and Kenya