1. Application of Terms

1.1 These Terms apply to your access to and use of the Service.

1.2 By signing, accepting, or otherwise agreeing to a proposal, order form or contract referencing these Terms, or by creating an account or using the Service:

1. you agree to be bound by these Terms; and

2. if you are acting on behalf of another person or entity, you warrant that you are authorised to bind that person or entity, and these Terms bind them.

1.3 If you do not agree to these Terms, you must not access or use the Service.

2. Changes To Terms

2.1 We may change these Terms by giving you at least 30 days' notice by email or by posting a notice on the Website.

2.2 If a change materially and adversely affects you, you may notify us in writing before the change takes effect that you do not accept the change. In that case:

1. the version of the Terms in effect immediately before the change will continue to apply to you until the end of your then-current Term; and

2. the updated Terms will apply from the commencement of any renewal Term.

2.3 If you do not notify us in accordance with clause 2.2, your continued access to or use of the Service after the change takes effect constitutes acceptance of the updated Terms.

2.4 Nothing in this clause obliges us to renew the Service if you elect not to accept updated Terms.

3. Interpretation

In these Terms:

Analytical Data means anonymised and aggregated statistical or analytical data derived from use of the Service.

Confidential Information means non-public information disclosed by one party to the other in connection with the Service. Our Confidential Information includes the Service, Cradle Software, and Underlying Systems. Your Confidential Information includes the Data.

Cradle Software means the software owned or licensed by us and used to provide the Service, including client applications.

Data means all data, content, and information (including personal information) submitted to or generated through the Service by or on your behalf.

DPA means the Data Processing Agreement referenced in clause 7.6.

Fees means the fees specified in the applicable proposal or order form.

Permitted Users means your personnel authorised to access the Service on your behalf.

Privacy Policy means our privacy policy available on the Website, as updated from time to time.

Service means the Cradle cloud-based business phone service described on the Website.

Term means the initial subscription term and any renewal terms specified in the applicable proposal.

Underlying Systems means the systems, infrastructure, networks and third-party services used to provide the Service.

Website means www.cradle.io and related Cradle domains.

4. Provision Of The Service

4.1 We will use reasonable efforts to provide the Service:

1. in accordance with these Terms and applicable law;

2. with reasonable care, skill and diligence; and

3. using suitably skilled personnel.

4.2 The Service is provided on a non-exclusive basis.

4.3 We aim to provide the Service on a continuous basis but do not guarantee uninterrupted availability. The Service may be unavailable due to maintenance, third-party dependencies or events beyond our reasonable control.

4.4 The Service interoperates with third-party platforms and telecommunications carriers. We do not warrant the availability, continuity or performance of any third-party services. If a third party ceases to provide services or imposes conditions we cannot reasonably meet, we may modify or discontinue the affected features without liability.

4.5 Where reasonably practicable, we will provide assistance to enable porting of phone numbers to an alternative provider, but we do not warrant that porting will be successful.

5. Your Obligations

5.1 You and your personnel must:

1. use the Service only for lawful internal business purposes;

2. not resell, sublicense or commercially exploit the Service;

3. comply with all applicable telecommunications, privacy, anti-spam and marketing laws;

4. not use the Service for unsolicited, deceptive, harassing or unlawful communications; and

5. comply with all usage limits and policies described on the Website.

5.2 You must ensure that only Permitted Users access the Service and that all Permitted Users comply with these Terms.

5.3 You are responsible for obtaining all licences, consents and authorisations required to use the Service and to provide the Data.

6. Emergency Calling

Emergency calling is addressed in Schedule 1 (Emergency Calling Disclosure), which forms part of these Terms.

7. Data, Privacy And Security

7.1 As between the parties, you retain all rights in the Data.

7.2 You grant us a worldwide, non-exclusive, royalty-free licence to use, store, transmit and otherwise process the Data solely as necessary to:

1. provide and support the Service;

2. comply with applicable law;

3. enforce these Terms; and

4. improve and develop our products and services (including through Analytical Data).

7.3 We may generate and use Analytical Data for internal purposes and may disclose Analytical Data to third parties. Analytical Data does not identify you or any individual.

7.4 Each party must comply with applicable privacy and data protection laws.

7.5 Our collection, use and disclosure of personal information for our own purposes is described in the Privacy Policy, which is incorporated by reference.

7.6 Where we process personal information on your behalf in connection with providing the Service, the Data Processing Agreement available on the Website forms part of these Terms and applies in addition to the Privacy Policy.

7.7 If there is any inconsistency between these Terms and the DPA, the DPA prevails in relation to the processing of personal information on your behalf.

8. Fees And Payment

8.1 You must pay the Fees specified in the applicable proposal.

8.2 Unless otherwise agreed:

1. subscription Fees are payable in advance;

2. variable usage charges are payable in arrears; and

3. payment is by approved automatic payment method.

8.3 Interest may be charged on overdue amounts at an annual rate equal to the Official Cash Rate published by the Reserve Bank of New Zealand plus 10%, calculated daily from the due date until payment is received.

9. Intellectual Property

9.1 We own all Intellectual Property Rights in the Service, Cradle Software, Website and Underlying Systems.

9.2 Except as expressly permitted, you must not copy, modify, reverse engineer or create derivative works of the Service.

10. Warranties And Consumer Law

10.1 Each party warrants that it has authority to enter into these Terms.

10.2 To the maximum extent permitted by law, the Service is provided "as is" and all other warranties are excluded.

10.3 You confirm that you acquire the Service for the purposes of trade. The Consumer Guarantees Act 1993 and equivalent consumer laws do not apply to the extent permitted by law.

11. Liability

11.1 Our total aggregate liability in any Year is capped at the Fees paid by you in the 12 months preceding the event giving rise to liability.

11.2 Neither party is liable for indirect or consequential loss, including loss of profits, revenue, goodwill or data.

11.3 Clauses 11.1 and 11.2 do not limit liability for:

1. death or personal injury;

2. fraud or wilful misconduct;

3. breach of confidentiality; or

4. our breach of applicable privacy or data protection laws caused by our failure to comply with those laws.

11.4 Our total liability under clause 11.3(d) is capped at the lesser of:

1. NZD 100,000; or

2. two times the Fees paid by you in the 12 months preceding the event.

12. Suspension, Termination And Data Deletion

12.1 We may suspend access to the Service if:

1. Fees are more than 14 days overdue; or

2. you materially breach these Terms and fail to remedy the breach within 10 days of notice.

12.2 During suspension, Data will not be deleted and may be restored on remedy.

12.3 If suspension continues for more than 60 days due to non-payment or lack of response, we may terminate these Terms by notice.

12.4 On termination:

1. all outstanding Fees become immediately payable;

2. you may request a copy of your Data within 30 days (subject to reasonable costs); and

3. after that period, we may delete the Data, subject to legal retention obligations.

13. Term And Renewal

13.1 These Terms take effect on acceptance of the applicable proposal.

13.2 The Term, renewal mechanics and pricing are as specified in the proposal.

13.3 Unless otherwise stated, subscriptions renew automatically for successive 12-month terms.

13.4 The billing anniversary, renewal dates and notice periods are calculated by reference to the date of the first invoice issued for the subscription.

13.5 To avoid renewal, you must give at least 30 days' written notice before the billing anniversary.

14. Order Of Precedence

If there is any inconsistency between:

1. a proposal or order form;

2. these Terms;

3. the DPA; and

4. any Schedule,

the documents apply in that order, but only to the extent of the inconsistency.

15. General

15.1 Force Majeure applies.

15.2 These Terms are governed by the laws of New Zealand and the courts of New Zealand have non-exclusive jurisdiction.

15.3 These Terms constitute the entire agreement relating to the Service.

---

Schedule 1 – Emergency Calling Disclosure

1. The Service is not a replacement for a traditional fixed-line or mobile telephone service.

2. You must not rely on the Service for making emergency calls. Calls to emergency services (including 111, 000, 999, 911 or equivalent numbers) may not connect, may be delayed, may be misrouted, or may not provide accurate location or caller information, depending on jurisdiction, configuration, network conditions and third-party carrier capabilities.

3. Emergency calling availability varies by country and carrier and may change over time.

4. We strongly recommend that all users use a mobile phone or other alternative telephone service to contact emergency services wherever possible.

5. You are solely responsible for ensuring that reliable alternative means of contacting emergency services are available and for informing all users of the Service of the nature and limitations of emergency calling using VoIP services.

---

Data Processing Agreement

This Data Processing Agreement ("Agreement") forms part of the contract for services under the Cradle Terms of Use ("Principal Agreement") between Your Company ("Controller") and Cradle Limited ("Processor").

In the course of providing the Services under the Principal Agreement, the Processor may Process Personal Data on behalf of the Controller. This Agreement reflects the parties' agreement with regard to the Processing of Personal Data.

1. Background

A. The Controller acts as a Data Controller in respect of Personal Data Processed in connection with the Services.

B. The Controller wishes to subcontract certain Services to the Processor which involve the Processing of Personal Data.

C. The parties wish to implement a data processing agreement that complies with applicable Data Protection Laws.

D. The parties agree as follows.

2. Definitions And Interpretation

Unless otherwise defined in this Agreement, capitalised terms have the meanings given in the Principal Agreement.

2.1 Definitions

Agreement means this Data Processing Agreement and its Schedules.

Company Personal Data means any Personal Data Processed by the Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement.

Data Protection Laws means all applicable data protection and privacy laws, including:

• Regulation (EU) 2016/679 (General Data Protection Regulation) ("GDPR");
• the GDPR as retained in United Kingdom law pursuant to the Data Protection Act 2018 ("UK GDPR");
• the New Zealand Privacy Act 2020;
• the Australian Privacy Act 1988; and
• any other applicable data protection or privacy laws, as amended or replaced from time to time.

EEA means the European Economic Area.

Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach and Supervisory Authority have the meanings given in the GDPR.

Services means the services provided by the Processor to the Controller as described in the Principal Agreement and Schedule 1.

Subprocessor means any third party appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller.

3. Processing Of Company Personal Data

3.1 The Processor shall:

1. comply with all applicable Data Protection Laws when Processing Company Personal Data; and

2. Process Company Personal Data only on documented instructions from the Controller, including as set out in the Principal Agreement and this Agreement, unless required to do otherwise by applicable law.

3.2 The Controller instructs the Processor to Process Company Personal Data for the purposes of providing the Services.

4. Processor Personnel

4.1 The Processor shall take reasonable steps to ensure the reliability of any employee, contractor or agent who may have access to Company Personal Data.

4.2 Access to Company Personal Data shall be limited to those individuals who require access for the purposes of the Principal Agreement and who are subject to appropriate confidentiality obligations.

5. Security

5.1 Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures referred to in Article 32 of the GDPR.

5.2 In assessing security measures, the Processor shall take account of the risks presented by Processing, in particular from a Personal Data Breach.

6. Subprocessing

6.1 The Controller authorises the Processor to engage Subprocessors for the provision of the Services.

6.2 The Processor shall ensure that it enters into a written agreement with each Subprocessor imposing data protection obligations that provide at least the same level of protection as this Agreement and comply with Article 28(3) of the GDPR, where applicable.

6.3 A list of current Subprocessors is set out in Schedule 2.

6.4 The Processor may update the list of Subprocessors from time to time and will give the Controller at least 30 days' written notice of any new Subprocessor, except where an Emergency Replacement is required.

6.5 Emergency Replacement means the sudden replacement of a Subprocessor where the change is outside the Processor's reasonable control. In such cases, the Processor will notify the Controller as soon as reasonably practicable.

6.6 If the Controller objects to a new Subprocessor, the Controller may terminate the Principal Agreement without penalty by written notice, provided the notice is received before the effective date of the new Subprocessor. If the Controller does not terminate, it is deemed to have accepted the Subprocessor.

6.7 The Processor remains liable for the acts and omissions of its Subprocessors to the same extent as if the Processor had performed the services directly, subject to the limitations of liability in the Principal Agreement.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, the Processor shall provide reasonable assistance to the Controller to enable it to respond to requests from Data Subjects exercising rights under Data Protection Laws.

7.2 The Processor shall:

1. promptly notify the Controller if it receives a request from a Data Subject relating to Company Personal Data; and

2. not respond to such request except on the Controller's documented instructions or as required by law.

8. Personal Data Breach

8.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Company Personal Data.

8.2 The notification shall include sufficient information to allow the Controller to meet its obligations under Data Protection Laws.

8.3 The Processor shall reasonably cooperate with the Controller in the investigation, mitigation and remediation of any Personal Data Breach.

9. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and any required consultations with Supervisory Authorities, to the extent required by Data Protection Laws and relating solely to Processing under this Agreement.

10. Deletion Or Return Of Company Personal Data

10.1 Subject to applicable law, the Processor shall delete all Company Personal Data within 30 days of cessation of the Services involving Processing of Company Personal Data.

10.2 The Processor shall confirm deletion in writing upon request.

10.3 The Processor may retain Company Personal Data where required by law, provided such data remains protected in accordance with this Agreement.

11. Audit Rights

11.1 The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this Agreement.

11.2 The Controller may conduct audits on reasonable notice, not more than once per year, and subject to reasonable confidentiality and security requirements.

12. Data Transfers

12.1 The Processor may transfer Company Personal Data outside the EEA or UK.

12.2 Where such transfer is subject to Data Protection Laws, the parties shall ensure appropriate safeguards are in place, including reliance on approved standard contractual clauses where required.

13. Confidentiality

Each party shall keep confidential all information received in connection with this Agreement, except where disclosure is required by law or the information is already public.

14. Notices

All notices under this Agreement must be in writing and sent by email.

Processor notices: privacy@cradle.io

15. Governing Law And Jurisdiction

This Agreement is governed by the laws of New Zealand.

The courts of New Zealand have non-exclusive jurisdiction.

---

Schedule 1 – Description Of Services

Cradle provides a fully cloud-based business phone solution that enables teams to communicate with customers, suppliers and each other using VoIP and public switched telephone networks, supported by client applications, server-side software, integrations, third-party services and customer support.

Schedule 2 – Subprocessors

As published and updated on the Website from time to time.