Dear Administrator,
Please note we have made an update to our Terms and conditions on May 29th, 2026.
Please read through them and click to accept before entering the CMS.
INNERMEDIA TERMS & CONDITIONS
MASTER TERMS AND CONDITIONS
INNERMEDIA LIMITED
Master Terms & Conditions
Standard Terms and Conditions for the Supply of Services
Version 4.0 | May 2026
Classification: Commercial — Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
1. INTERPRETATION
1.1 The following definitions apply throughout these Standard Terms and Conditions and all Schedules:
Term Definition
Agreement These Standard Terms and Conditions together with the Quotation, all applicable Schedules, the Project Plan, and any written amendments signed by both parties. The documents listed in clause 1.3 are incorporated into and form part of this Agreement.
Business Day Any day other than Saturday, Sunday or a public holiday in England when banks in London are open for business.
Charges The fees and charges set out in the relevant Schedule and Project Plan, together with any additional charges arising under this Agreement.
Client The entity or person named as the Client in the relevant Schedule.
Client Data / Materials All information, data, content, images, documents, and materials provided by the Client to the Supplier for use in connection with the Services.
Confidential Information All technical or commercial information disclosed by either party, whether in writing, digitally, orally or by inspection, that is identified as confidential or that ought reasonably to be considered confidential.
Data Protection Laws The UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any successor legislation.
Effective Date The date stated as the Effective Date in the relevant Schedule.
Force Majeure Event Any event beyond a party's reasonable control including industrial disputes affecting third parties, governmental action, fire, flood, pandemic, civil riot or war.
Go Live Date The date on which the Services or deliverable is formally accepted and made live or operational.
Initial Term Twelve (12) calendar months from the Go Live Date.
Intellectual Property Rights (IPR) Patents, utility models, copyright and related rights, trademarks, service marks, business and domain names, design rights, database rights, know-how, trade secrets, and all other intellectual property rights, whether registered or unregistered, worldwide.
Personal Data Has the meaning given in the Data Protection Laws.
Quotation The written quotation issued by the Supplier to the Client setting out the scope of Services, applicable Charges, and any project-specific terms. The Quotation forms part of this Agreement. Where there is any inconsistency between the Quotation and these Terms or the Schedules, these Terms and the Schedules shall prevail.
Schedule A schedule appended to this Agreement and incorporated into it by reference. The Schedules forming part of this Agreement are listed in clause 1.3.
Services The IT, website, design, marketing, AI and ancillary services described in the relevant Schedule and Project Plan.
Supplier Inner Media Limited, registered in England and Wales (Company No. 04818830), Enterprise Centre, Cranborne Road, Potters Bar, Hertfordshire EN6 3DQ.
1.2 Clause headings do not affect interpretation. References to 'including' mean 'including without limitation'. If there is inconsistency between a Schedule and these Terms, the Schedule shall prevail.
1.3 The following documents are incorporated into and form part of this Agreement. By signing this document the Client confirms it has read, understood and agrees to be bound by all of them. Only this Master Terms & Conditions document requires signature — all Schedules and Policies below take immediate effect upon signature of this document.
• Schedule A — Website Project Terms (governs all website design, development and hosting services)
• Schedule B — Project Plan (sets out project milestones, timings, client dependencies and the project hold provisions)
• Schedule C — Service Level Agreement (SLA) (sets out hosting uptime commitments, support response times and escalation procedures)
• Schedule D — AI Product Terms (governs all AI-powered products and services)
• Data Processing Agreement (DPA) (governs the processing of personal data by InnerMedia on behalf of the Client under UK GDPR Article 28)
• Privacy Policy (explains how InnerMedia collects, uses, stores and protects personal data; published at innermedia.co.uk/privacy)
• AI & Data Transparency Statement (explains how InnerMedia’s AI products operate, what data they use, and the safeguards in place including the prohibition on using client data for AI model training)
1.4 Not all Schedules will apply to every client. The applicable Schedules are those corresponding to the Services described in the Quotation. Schedules that do not apply to the Services in the Quotation are attached for information and do not create obligations unless Services are subsequently added by written agreement.
2. THE SERVICES
2.1 In consideration of the Charges, the Supplier shall provide the Services in accordance with the applicable Schedule and Project Plan.
2.2 The Supplier shall use reasonable skill and care in delivering the Services. Where the Supplier uses sub-contractors, it remains responsible for their performance.
2.3 Any deliverable described in a Client Questionnaire or brief is aspirational only; the binding scope is as set out in the Project Plan.
2.4 The Supplier may make minor modifications to its standard services or processes without notice, provided they do not materially diminish the quality or functionality of the Services.
3. CLIENT RESPONSIBILITIES
3.1 The Client acknowledges that the Supplier's ability to deliver the Services depends on the full and timely co-operation of the Client, including:
• Providing accurate, complete and legally compliant Client Data and Materials;
• Appointing a named contact with appropriate authority to make decisions;
• Responding to requests for approvals, feedback, or sign-off within the timescales set out in the Project Plan;
• Providing access to systems, premises or data as reasonably required;
• Ensuring that any third-party providers (e.g. domain registrars, existing hosting providers) co-operate with the Supplier.
3.2 Where the Client's failure to meet its responsibilities causes delay or additional cost, the Supplier may:
• Adjust the Project Plan timetable accordingly;
• Invoke the Project Hold provisions set out in Schedule A (where applicable); and/or
• Charge for additional time at the Supplier's then-current day rate.
4. MANAGEMENT
4.1 Each party shall appoint a named account manager with the authority to make day-to-day decisions and act as the primary point of contact.
4.2 Either party may change its account manager by giving written notice to the other.
5. CHARGES AND PAYMENT
5.1 All Charges are as set out in the relevant Schedule and Project Plan. All amounts are exclusive of VAT, which will be charged at the applicable rate.
5.2 The Supplier shall issue VAT invoices in accordance with the payment schedule in the Project Plan, or monthly in advance for ongoing services.
5.3 The Client shall pay each invoice in full and in cleared funds within thirty (30) days of the invoice date.
5.4 The Supplier reserves the right to increase Charges for ongoing services on giving not less than ninety (30) days' written notice, provided that any increase shall not exceed eight per cent (8%);
5.5 If the Client fails to pay any undisputed sum by the due date, the Supplier may:
• Charge interest at 4% per annum above the Bank of England base rate, accruing daily from the due date;
• Suspend the Services on giving three (3) Business Days' written notice to the Client's Director of Finance (or equivalent); and/or
• Withhold delivery of any further work until all outstanding sums are paid.
5.6 All sums are payable without set-off, counterclaim, deduction or withholding (except tax required by law).
5.7 All payments become due immediately on termination of this Agreement, notwithstanding any other provision.
6. CHANGE CONTROL
6.1 Any change to the scope of Services must be agreed in writing by both parties before work commences. The Supplier will issue a written Change Request confirming any additional Charges and timeline impact.
6.2 The Supplier may update these Standard Terms and Conditions to reflect changes in applicable law on giving written notice to the Client.
7. WARRANTIES
7.1 Each party warrants that it has full authority to enter into this Agreement.
7.2 The Supplier warrants that it will perform the Services with reasonable care and skill.
7.3 The Supplier warrants that any deliverable will be free of material defects and viruses upon handover.
7.4 If the Supplier breaches clause 7.2 or 7.3, the Client must give written notice within thirty (30) days of discovery. The Supplier shall then be given a reasonable opportunity to investigate and, where appropriate, re-perform the relevant part of the Services at no additional charge.
7.5 The warranty in clause 7.3 is conditional upon the Client: (a) not modifying the deliverable without the Supplier's consent; (b) using the deliverable in accordance with the Supplier's instructions; and (c) not introducing malicious code or unsuitable third-party content.
7.6 All other conditions, warranties or terms implied by statute or otherwise are excluded to the fullest extent permitted by law.
8. LIMITATION OF LIABILITY
8.1 Nothing in this Agreement limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded by law.
8.2 Neither party shall be liable for any: loss of revenue; loss of profit; loss of contracts; loss of anticipated savings; loss of goodwill or reputation; loss of, damage to or corruption of data; or any indirect or consequential loss, however arising.
8.3 Subject to clause 8.1, each party's maximum aggregate liability under or in connection with this Agreement in any twelve-month period shall not exceed:
• In the first year: the total Charges paid or payable under all active Schedules in that year;
• In subsequent years: the total Charges paid or payable in the relevant calendar year.
8.4 The Supplier maintains appropriate professional indemnity and public liability insurance and shall provide evidence of cover on reasonable request.
9. INTELLECTUAL PROPERTY RIGHTS
9.1 All IPR in the Client Data and Materials shall remain the property of the Client.
9.2 Subject to payment of all Charges, the Supplier shall assign to the Client all IPR in bespoke deliverables created specifically for the Client (including custom website design and content) upon the Go Live Date. This assignment takes effect at Go Live, not at termination.
9.3 The Supplier retains all IPR in: (a) its pre-existing proprietary software, tools, frameworks and CMS; (b) pre-built functionality and templates; (c) AI models, workflows and configurations (governed by Schedule D). The Supplier grants the Client a non-exclusive licence to use such materials for the duration of this Agreement, conditional on payment of all Charges.
9.4 On termination, if the Client has paid all outstanding Charges, the licence in clause 9.3 shall continue for a period of three (3) months to enable the Client to migrate. The Supplier will provide reasonable migration assistance at its standard day rate.
9.5 The Client grants the Supplier a non-exclusive, royalty-free licence to use the Client's IPR solely to perform the Services.
9.6 The Client shall indemnify the Supplier against all claims arising from any allegation that the Client Data or Materials infringe a third party's IPR, subject to the Supplier: (a) promptly notifying the Client; (b) making no admissions without the Client's consent; and (c) giving the Client conduct of any claim.
9.7 The Supplier shall indemnify the Client against claims that Supplier-created content infringes a third party's IPR, on equivalent terms.
10. DATA PROTECTION
10.1 Both parties shall comply with all applicable Data Protection Laws in connection with this Agreement.
10.2 As between the parties, the Client is the Data Controller and the Supplier is the Data Processor in respect of any Personal Data processed by the Supplier on the Client's behalf.
10.3 The detailed terms governing the Supplier's processing of Personal Data are set out in the Data Processing Agreement (DPA) which forms part of this Agreement and must be executed alongside any Schedule involving the processing of Personal Data.
10.4 The Supplier is registered with the Information Commissioner's Office (ICO) under registration number ICO:00010252104 and shall maintain that registration throughout the term of this Agreement.
10.5 The Supplier shall notify the Client without undue delay (and in any event within 72 hours) of becoming aware of any Personal Data breach or security incident affecting Client Data.
11. CONFIDENTIALITY
11.1 Each party shall keep the other's Confidential Information strictly confidential and not disclose it to any third party without prior written consent, except: (a) to its own employees and professional advisers on a need-to-know basis (who are bound by equivalent obligations); or (b) as required by law or regulatory authority.
11.2 Confidentiality obligations survive termination of this Agreement indefinitely.
11.3 The Supplier shall not use the Client's name, logo or relationship in any marketing, press release or case study without prior written consent.
12. TERM AND TERMINATION
12.1 This Agreement commences on the Effective Date and continues for the Initial Term (twelve months from Go Live Date), then automatically renews for successive twelve-month periods unless terminated in accordance with this clause.
12.2 Either party may terminate this Agreement or a Schedule on the following notice periods:
• Website build and design services: not less than twelve (12) months' written notice;
• Hosting, SLA and maintenance services: not less than three (3) months' written notice;
• AI Product services (Schedule D): not less than three (3) months' written notice;
• SEO, PPC, social media management and email marketing: not less than three (3) months' written notice.
12.3 Either party may terminate immediately by written notice if the other:
• Fails to pay any undisputed sum within 7 days of written notice of default;
• Commits a material breach that is incapable of remedy, or fails to remedy a remediable breach within 14 days of written notice;
• Becomes insolvent, enters administration, receivership, liquidation, or makes a general arrangement with creditors;
• Ceases or threatens to cease to carry on all or a substantial part of its business.
12.4 On termination by the Supplier for Client default, all Supplier licences terminate immediately.
12.5 On expiry or termination for any other reason, the Supplier shall within 30 days: (a) return all Client Data and Materials; (b) provide an electronic copy of all deliverables (subject to payment of outstanding Charges); and (c) provide reasonable transition assistance at the Supplier's standard day rate.
12.6 Due to the proprietary nature of the Supplier's CMS and AI configurations, these cannot be transferred to a direct competitor of the Supplier.
13. NON-SOLICITATION
13.1 Neither party shall, during the term and for twelve (12) months after termination, solicit or attempt to entice away any employee of the other who has been materially involved in the delivery or receipt of the Services, without the other's prior written consent.
13.2 If a party breaches clause 13.1, it shall pay on demand a sum equal to three months' gross salary of the individual concerned, plus reasonable recruitment costs.
14. FORCE MAJEURE
14.1 Neither party shall be in breach of this Agreement for any failure or delay caused by a Force Majeure Event, provided the affected party gives prompt written notice and uses reasonable endeavours to mitigate the impact.
14.2 If a Force Majeure Event continues for more than twelve (12) weeks, either party may terminate the affected Schedule on seven (7) days' written notice, without liability (save for accrued payment obligations).
15. DISPUTE RESOLUTION
15.1 If a dispute arises, the parties shall first attempt to resolve it informally through escalation to a senior representative of each party within ten (10) Business Days of written notice.
15.2 If unresolved after twenty (20) Business Days, either party may refer the dispute to mediation under the CEDR Model Mediation Procedure.
15.3 Nothing in this clause prevents either party from seeking urgent injunctive or other equitable relief from the courts.
16. NOTICES
16.1 All notices under this Agreement shall be in writing and delivered by: (a) hand; (b) pre-paid first-class post; (c) email with confirmed receipt. Notices are deemed received on delivery (hand), 48 hours after posting (post), or on transmission (email during Business Hours).
16.2 Notices to the Supplier shall be addressed to the Directors, Inner Media Limited, Enterprise Centre, Cranborne Road, Potters Bar, Hertfordshire EN6 3DQ / hello@innermedia.co.uk.
17. ASSIGNMENT
17.1 The Client may not assign, transfer or subcontract its rights or obligations under this Agreement without the Supplier's prior written consent.
17.2 The Supplier may assign this Agreement in connection with a sale of its business (whether by share sale, asset sale or merger).
18. GENERAL
18.1 Entire Agreement. This Agreement (including all Schedules) constitutes the entire agreement between the parties and supersedes all prior representations, agreements, and understandings.
18.2 Variation. No variation of this Agreement shall be effective unless in writing and signed by authorised representatives of both parties.
18.3 Waiver. No failure to exercise, or delay in exercising, any right under this Agreement operates as a waiver of that right.
18.4 Severance. If any provision is invalid or unenforceable, it shall be modified to the minimum extent necessary to make it valid; if that is not possible, it shall be severed, without affecting the remaining provisions.
18.5 Third Party Rights. No person who is not a party to this Agreement shall have any right to enforce any term of it under the Contracts (Rights of Third Parties) Act 1999.
18.6 Governing Law. This Agreement is governed by the law of England and Wales.
18.7 Jurisdiction. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
AGREED AND ACCEPTED ON BEHALF OF THE SUPPLIER:
Print Name:
Authorisation:
Signature:
Date:
AGREED AND ACCEPTED ON BEHALF OF THE CLIENT:
Print Name:
Authorisation:
Signature:
Date:
SCHEDULE A — WEBSITE PROJECT TERMS
INNERMEDIA LIMITED
Schedule A Website Project Terms
Website Design, Development & Hosting — Service Terms and Conditions
Version 4.0 | May 2026
Classification: Commercial — Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
These terms form part of the InnerMedia Master Terms & Conditions. In the event of any inconsistency between this Schedule and the Master Terms, this Schedule shall prevail in relation to website services.
1. SCOPE OF SCHEDULE A
1.1 This Schedule governs the provision of website design, development, hosting, maintenance and related services by the Supplier to the Client as specified in the Project Plan (Schedule B).
1.2 The services provided are detailed in the Quote.
2. DEFINITIONS
In addition to the definitions in the Master Terms, the following apply in this Schedule:
Term Definition
Acceptance Formal acceptance or deemed acceptance of the Site under clause 5.
Acceptance Tests The tests described in clause 5 and the Project Plan.
CMS The Supplier's content management system used to manage the Site.
Phase A key stage of the Project as identified in the Project Plan.
Project Hold A suspension of the Project invoked under clause 7.
Re-initiation Fee The fee payable to restart a Project following a Project Hold, fixed at £2,000 + VAT.
Snagging Round A structured review and correction cycle as defined in clause 6.
Site The website to be developed under this Schedule at the agreed domain name(s).
Site Specification The functional and design specification set out in the Project Plan.
3. CLIENT RESPONSIBILITIES FOR WEBSITE PROJECTS
3.1 The Client's timely participation is essential to maintaining the Project schedule. The Client shall:
• Attend all scheduled meetings and workshops within the timescales set out in the Project Plan;
• Provide all content, images, copy, brand assets and other Materials on or before the dates stated in the Project Plan;
• Provide a single authorised point of contact with decision-making authority for design and content approvals;
• Respond to design sign-off requests, snagging reviews and acceptance notifications within the timescales specified in the Project Plan;
• Ensure that all stakeholders who need to approve the Site are made available during the designated review periods.
3.2 Time is of the essence in relation to the Client's obligations in clause 3.1. Where the Client fails to meet its obligations, the Supplier may invoke the Project Hold provisions in clause 7.
4. DEVELOPMENT PHASES
4.1 The Supplier shall design, develop and deliver the Site in Phases as set out in the Project Plan. Standard Phases include:
• Phase 1 — Brand Workshop, Wireframe Development & Page Navigation (requires Client sign-off);
• Phase 2 — Visual Design (UX/UI), including Home Page, Inner Pages, Mobile, Menu and Alerts (requires Client sign-off);
• Phase 3 — Website Build, Internal QA Checks, and 1st View (Home, Inner Pages, Navigation, Sample Page);
• Phase 4 — Snagging Rounds (see clause 6), Content Population, and Go Live Process.
4.2 Once designs are signed off, the Supplier will provide an updated go-live timeline, typically nine (9) weeks from design sign-off. This timeline is conditional on the Client meeting its obligations in clause 3.
5. ACCEPTANCE
5.1 Acceptance of the Site shall occur when the Client notifies the Supplier in writing that the Site has passed the Acceptance Tests as described in the Project Plan.
5.2 Acceptance shall be deemed to have taken place (even in the absence of formal Client sign-off) upon the earliest of:
• The Client using any part of the Site for live, revenue-earning or public-facing purposes;
• The Client unreasonably delaying the commencement of Acceptance Tests by more than seven (7) Business Days after the Supplier notifies readiness; or
• Fourteen (14) days elapsing from the Client's request for the Site to go live.
5.3 If any failure to pass the Acceptance Tests is caused by a Non-Supplier Defect (i.e. caused by the Client, its agents, or third-party content), the Site shall be deemed to have passed. The Supplier may remedy such defects at its standard day rate.
6. SNAGGING PROCESS
The Project includes two structured Snagging Rounds. These are the only included correction cycles. Additional reviews or work beyond these two rounds are chargeable at £750 per day + VAT.
6.1 Snagging Round 1 — Project Lead Review. Following the 1st View of the built Site, the Client's nominated Project Lead shall review the Site and submit a consolidated list of required corrections. The Supplier will address all valid technical and design issues raised.
6.2 Snagging Round 2 — Stakeholder Sign-Off. Following completion of Round 1 corrections, the Client may circulate the Site to its wider stakeholders (e.g. leadership team, board, marketing team) for final review. A consolidated list of corrections shall be submitted to the Supplier. The Supplier will address all valid issues and prepare the Site for go live.
6.3 Both Snagging Rounds must be conducted within the timescales set out in the Project Plan. Where the Client exceeds these timescales, the Project Hold provisions in clause 7 may apply.
6.4 Snagging corrections must be submitted as a single consolidated document per round. The Supplier is not obliged to action piecemeal or sequential lists between submission dates.
6.5 Any request for a third snagging review, additional design changes after Round 2 sign-off, or scope changes after design sign-off shall be treated as a change to the Project scope and will be charged at the Supplier's day rate of £750 + VAT per day.
7. PROJECT HOLD AND RE-INITIATION
Where Client delays prevent reasonable progress, the Supplier may place the Project on hold, invoice for remaining project fees, and commence hosting charges. Restarting the project incurs a Re-initiation Fee of £2,000 + VAT.
7.1 The Supplier may place the Project on hold (Project Hold) if the Client fails to:
• Provide required Materials, approvals or sign-offs within thirty (30) Business Days of the date specified in the Project Plan;
• Provide materials and respond to a formal written reminder from the Supplier, requesting action to progress, within a further five (5) Business Days; or
• Meet any other deadline identified in the Project Plan as a Client dependency.
7.2 Before invoking a Project Hold, the Supplier shall send a written notice to the Client's nominated contact (copied to a Director or equivalent) stating the specific outstanding obligation(s), the deadline for compliance, and the consequences of non-compliance.
7.3 If the Client fails to remedy the default within the notice period, the Supplier may:
• Formally place the Project on hold by written notice;
• Invoice the Client for all remaining project instalments as set out in the Project Plan (which shall become immediately due and payable as a legitimate cost incurred by the Supplier in reserving capacity);
• Commence the monthly hosting and SLA charges as set out in this Schedule, as the Supplier will be holding the part-built Site and associated resources on behalf of the Client; and
• Release the Project slot in the Supplier's workflow for reallocation to other clients.
7.4 The Site and all work completed to date will be preserved by the Supplier for a period of twelve (12) months from the Project Hold date.
7.5 To restart a Project following a Project Hold, the Client must:
• Pay all outstanding invoices in full (including any invoices issued under clause 7.3);
• Pay the Re-initiation Fee of £1250 + VAT; and
• Confirm in writing its readiness to meet all future Project Plan obligations.
7.6 On receipt of the above, the Supplier will allocate the Project to the nearest available slot in its workflow and provide a revised Project Plan. Due to scheduling constraints, the Supplier cannot guarantee any specific restart date.
7.7 If the Client does not restart the Project within twelve (12) months of the Project Hold date, the Supplier may treat the Agreement as terminated by the Client for convenience. All invoices issued under clause 7.3 shall remain payable. The Supplier shall retain all completed work but is under no obligation to deliver it.
8. HOSTING AND ONGOING SERVICES
8.1 Following Go Live (or the commencement of hosting under clause 7.3), the Client shall pay the monthly ongoing charges set out in this Schedule, payable by direct debit monthly in advance or annually in advance (September to August).
8.2 Monthly ongoing services may include (as specified in the Quotation): website hosting, service level agreement (SLA) support, SSL certificate, speed accelerator, GDPR policy management, and CMS group management.
8.3 Hosting services are subject to Schedule C (SLA), which sets out the Supplier's service level commitments and escalation procedures.
9. CHARGES AND PAYMENT
9.1 Project payments shall be made in instalments as set out in the Project Plan, due on the earlier of the specified milestone date or the number of weeks from the Effective Date stated in the Project Plan:
Payment Phase Amount / Timing
Phase 1 Deposit 50% — Due at project start
Phase 2 — Design Sign-Off 25% — Due on design sign-off or 8 weeks from Effective Date (whichever is sooner)
Phase 3 — 1st Build View 15% — Due on 1st website build view or 12 weeks from Effective Date (whichever is sooner)
Phase 4 — Go Live Sign-Off 10% — Due on go live
9.2 For Project Extras, separate payment terms are set out in the relevant Change Request.
9.3 The Supplier reserves the right to adjust payment schedules if the Client causes delays that affect the Project Plan timetable.
10. INTELLECTUAL PROPERTY
10.1 Subject to payment of all Charges, the Supplier shall assign to the Client all bespoke IPR in the Site design and content upon the Go Live Date.
10.2 The Supplier retains all IPR in its pre-built CMS, proprietary frameworks, templates and tooling. These are licensed (not assigned) to the Client on the terms of the Master Agreement.
10.3 On termination: due to the competitive sensitivity of the Supplier's modified CMS, it cannot be transferred to a direct competitor. If the Client migrates to a direct competitor, the Supplier will provide a quotation to produce a portable version of the Site with proprietary components removed.
11. WARRANTY
11.1 The Supplier warrants that the Site will perform materially in accordance with the Site Specification for twelve (12) months from Acceptance. Defects must be reported in writing within thirty (30) days of discovery. The Supplier shall remedy confirmed defects at no charge within a reasonable period.
11.2 This warranty does not apply to defects caused by: Client-supplied content; unauthorised modifications; third-party plugins; or failure to follow the Supplier's guidance.
12. ATTRIBUTION
12.1 The Supplier may include a discreet link to the Supplier's website (e.g. 'Website by InnerMedia') in the footer of the Site during the build and design phase. The Client may request removal of this link at any time.
SCHEDULE B — PROJECT PLAN
INNERMEDIA LIMITED
Schedule B Project Plan
Website Design, Development & Hosting — Project Milestones and Responsibilities
Version 4.0 | May 2026 (process alignment update)
Classification: Commercial — Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
This Schedule forms part of the InnerMedia Master Terms & Conditions and Schedule A (Website Project Terms). In the event of any inconsistency between this Schedule and the Master Terms or Schedule A, this Schedule shall prevail in relation to project timings and milestones.
1. PROJECT DETAILS
Detail Value
Commencement Date The date of contract signature by both parties, or as otherwise specified in the Quotation. All milestone timings in this Schedule are expressed relative to this date.
Estimated Go Live Approximately 9–10 weeks from Design Sign-Off (10 weeks where Website Build runs to the upper bound), subject to all client dependencies being met on time (see clause 3).
All timings in this Schedule are expressed in weeks or Business Days relative to the Commencement Date. No date calculations or formula updates are required when this Schedule is issued — timings are fixed relative references that apply to every project.
2. HOW TO READ THIS PLAN
Column / Colour Meaning
WHO — IM InnerMedia is responsible for completing this item.
WHO — CL The Client is responsible. These are Client Dependencies (highlighted). If missed, the Project Hold provisions in Schedule A clause 7 may be invoked.
WHO — IM / CL Joint responsibility. Both parties must act.
CLIENT ✓ Client to confirm completion of their action in writing.
⚑ CLIENT DEPENDENCY rows The client must act by the stated timing. Failure to respond within 30 Business Days of the due date, following a written reminder, may trigger a Project Hold.
NOTES column Requirements, conditions and important context for each milestone.
3. CLIENT DEPENDENCIES AND PROJECT HOLD
Time is of the essence for all Client Dependencies marked ⚑ in this Schedule. If the Client fails to meet a dependency within 30 Business Days of the stated due date, and fails to remedy this within a further 5 Business Days of a written reminder from InnerMedia, InnerMedia may invoke a Project Hold. Full terms in Schedule A, clause 7.
4. PROJECT MILESTONES
PHASE ONE — Visual Brand & Discovery
MILESTONE / DELIVERABLE | TIMING | WHO | CLIENT ✓ | NOTES
Kick-Off Meeting / Project Tour / Meet The Team | Commencement Date (Week 1) | IM / CL | Attend | Client to prepare key contacts, existing brand assets and any access credentials needed. The Design Kick-Off is normally combined with this meeting (or held within the following week) — IM will discuss overall feel, a rough wireframe, and request all assets needed for the home page (branding, images, etc.). A brief sheet is circulated to the project team; no separate design questionnaire is required. IM will issue the first milestone date within 3 Business Days of the Kick-Off.
Visual Brand Workshop (if in scope) | 1–2 weeks after Kick-Off | IM / CL | Attend | Required only where a visual brand refresh or new identity is included in the agreed scope. Where Visual Brand Assets (VBAs) are in scope, the Visual Brand Workshop is the starting point for VBA design — see Phase Two.
Page Navigation Review (12-month analytics review) | Week 2 | IM | | IM reviews existing site analytics to inform new site architecture.
⚑ CLIENT DEPENDENCY: Visual Brand Assets Supplied | Within 5 Business Days of Visual Brand Workshop | CL | SUPPLY | No written sign-off is required at this stage; instead, all visual brand assets needed for Phase Two must be received before VBA / home page design can advance. Failure to supply within 30 Business Days of due date may trigger Project Hold.
PHASE TWO — Design (UX / UI)
MILESTONE / DELIVERABLE | TIMING | WHO | CLIENT ✓ | NOTES
Visual Brand Assets (VBAs) — Design (if in scope) | 1–2 weeks after Visual Brand Workshop | IM | | Where VBAs are in scope, the Visual Brand Workshop is the starting point. VBA design must be complete and signed off before commencing home page design.
Home Page Design (Desktop) — UX / UI | 1–2 weeks after Kick-Off (or after VBA sign-off if in scope) | IM | | Desktop visual design of the home page. All client brand assets must be supplied before this starts (collected at Design Kick-Off).
Home Page Design (Mobile) — UX / UI | 1–2 weeks after Home Page (Desktop) sign-off | IM | | Responsive mobile layout of the home page.
Inner Page Designs — UX / UI | 1–2 weeks after Home Page (Mobile) sign-off | IM | | Design of key inner page templates.
Menus & Alert Designs | 1–2 weeks after Inner Page sign-off | IM | | Navigation elements, menus and alert templates.
Additional Templates — UX / UI (if in scope) | Runs alongside Menus & Alerts | IM | | Any additional page templates included in the agreed scope (e.g. landing pages, news/article templates).
⚑ CLIENT DEPENDENCY: Design Sign-Off | Full and concise feedback on each iteration of each design milestone within 1 week of receipt | CL | SIGN OFF | Triggers Phase 2 invoice (25%). Scope is fixed at sign-off — changes after this are chargeable at £750 + VAT/day. Failure to sign off within 30 Business Days of due date may trigger Project Hold.
PHASE THREE — Build, Content & Snagging
MILESTONE / DELIVERABLE | TIMING | WHO | CLIENT ✓ | NOTES
Website Build + Internal QA Checks | 2–3 weeks following Design Sign-Off | IM | | IM builds and internally QA-tests the site before client review.
⚑ CLIENT DEPENDENCY: Content Deadline | By end of Build (approx. 2 weeks after Design Sign-Off) | CL | SUPPLY | All copy, images, documents and media must be supplied in line with IM's content guidelines. Content will not be added to the CMS until all content has been received and IM has confirmed it is complete and ready to add. Late or non-compliant content delays go live.
1st View — Home, Inner Pages, Navigation & Sample Page | 1 week following build completion | IM / CL | Review | Client is given access to review the built site for the first time. Triggers Phase 3 invoice (15%).
⚑ CLIENT DEPENDENCY: Snagging Round 1 — Project Lead Review | 1 week following 1st View | CL | SUBMIT LIST | Layout review covering design and structure. The Client's nominated Project Lead, IM Project Manager and build team review the site together. A single consolidated snag list is submitted — piecemeal or sequential feedback will not be actioned. This is Round 1 of 3 included rounds.
IM resolves Round 1 Snags | 1 week following receipt of Round 1 snag list (or snag list meeting if required) | IM | | IM addresses all valid items from the Round 1 consolidated list.
Adding Content to CMS | 1 week, starting on receipt of Round 1 snag list — runs in parallel with IM Round 1 resolution | IM | | IM populates the CMS with all client-supplied content from receipt of the Round 1 snag list. Content addition runs in parallel with IM's Round 1 fixes (Round 1 covers layout and structure only, so content edits will not conflict). At the end of this week, IM presents the site to the Client with content populated.
⚑ CLIENT DEPENDENCY: Snagging Round 2 — Content Review | Round 2 snag list to be received within 1 week of content addition completing | CL | SUBMIT LIST | Content review with all content populated in the CMS. Client circulates to wider stakeholders (leadership, SLT, board, marketing) for sign-off. A single consolidated snag list is required. This is Round 2 of 3 included rounds.
IM resolves Round 2 Snags | 1 week following receipt of Round 2 snag list (or snag list meeting if required) | IM | | IM addresses all valid items from the Round 2 consolidated list.
⚑ CLIENT DEPENDENCY: Snagging Round 3 — Final Pre-Launch Review | 1 week following Round 2 resolution, in the run-up to go live | CL | SUBMIT LIST | Final pre-launch review to capture last-minute tweaks before go live. A single consolidated snag list is submitted. This is Round 3 of 3 included rounds. Additional rounds beyond this are chargeable at £750 + VAT/day.
IM resolves Round 3 Snags | 1 week following receipt of Round 3 snag list (or snag list meeting if required) | IM | | IM addresses all valid items from the Round 3 consolidated list. Where Client content is still missing at this point, the relevant pages will be hidden at launch (or temporarily populated by IM's AI agents) until Client content is supplied.
Extra Content & Meta Data | Concurrent — before go live | IM | | SEO meta data and any additional content populated.
CMS Training | Scheduled after Round 3 snags are resolved | IM | Attend | IM delivers CMS training session(s) to nominated client staff.
⚑ CLIENT DEPENDENCY: Acceptance Testing | Runs in parallel with IM Round 3 resolution — full AT (including functional, CMS and integration items) completes alongside R3 fixes | CL | TEST & APPROVE | Client completes final acceptance testing in parallel with IM's Round 3 fix work. Both AT and Round 3 resolution complete in the same week. Deemed accepted if client delays by more than 7 Business Days or if 14 days elapse after go-live request (Schedule A, clause 5).
PHASE FOUR — Go Live & Post-Launch Review
MILESTONE / DELIVERABLE | TIMING | WHO | CLIENT ✓ | NOTES
Go Live Process | Within 5 Business Days of Acceptance Testing sign-off and Round 3 resolution (both complete in parallel) | IM / CL | Approve | DNS transfer, final checks and site launch. Client must confirm DNS access is available.
⚑ ESTIMATED GO LIVE | Approx. 9–10 weeks after Design Sign-Off (subject to all milestones being met on time) | IM / CL | SIGN OFF | Go live is contingent on all client dependencies being met. Client delays will push this date. Triggers Phase 4 invoice (10%).
1 Month Post-Launch Review | 4 weeks following Go Live | IM / CL | Attend | IM reviews site performance, analytics and addresses any post-launch queries.
5. SNAGGING — INCLUDED ROUNDS AND CHARGEABLE EXTRAS
Three Snagging Rounds are included within the project fee. Round 1 is the layout review (held immediately after the 1st View). Round 2 is the content review (with wider stakeholders, including SLT, once content has been populated). Round 3 is the final pre-launch review (held in the run-up to go live to capture last-minute tweaks). These are the only included correction cycles. All additional snagging reviews, post-sign-off design changes, or scope changes are chargeable at £750 + VAT per day. Snag lists must be submitted as a single consolidated document per round — piecemeal or sequential lists will not be actioned between submission dates. Where Client content is still missing at the end of Round 3, the affected pages will be hidden at launch (or temporarily populated by IM's AI agents) until the Client supplies the content.
Snagging Round Description
Round 1 — Layout Review Following the 1st View, a layout review is held with the Client's nominated Project Lead, the IM Project Manager and the build team. A single consolidated list of corrections is submitted. IM addresses all valid technical and design issues.
Round 2 — Content Review Once content is populated in the CMS, the Client circulates to wider stakeholders (leadership, SLT, board, marketing) for sign-off. A single consolidated list is submitted. IM addresses all valid issues.
Round 3 — Final Pre-Launch Review In the run-up to go live, the Client submits a final consolidated snag list capturing any last-minute tweaks. IM addresses all valid items and prepares the site for launch. Where Client content is still missing at this stage, the affected pages will be hidden at launch (or temporarily populated by IM's AI agents) until the Client supplies the content.
Additional rounds / out-of-scope changes Chargeable at £750 + VAT per day. A Change Request will be issued and must be signed before work commences.
6. PAYMENT PLAN — WEBSITE PROJECT
6.1 Standard Website Project
Phase Payment Amount Trigger / Due Date Rule
Phase 1 Deposit 50% Due at project commencement (Commencement Date).
Phase 2 Design Sign-Off 25% Due on Design Sign-Off or 8 weeks from Commencement — whichever is sooner.
Phase 3 1st Build View 15% Due on 1st website build view or 12 weeks from Commencement — whichever is sooner.
Phase 4 Go Live Sign-Off 10% Due on go live.
6.2 Project Extras
Phase Payment Amount Trigger / Due Date Rule
Phase 1 Deposit 50% Due when the Change Request is signed by both parties.
Phase 2 1st Build View 25% Due on design sign-off for the extra item or 8 weeks after the Change Request is signed — whichever is sooner.
Phase 3 Go Live 25% Due on go live of the extra item or 12 weeks after the Change Request is signed — whichever is sooner.
7. SCHEDULE NOTES
Note Detail
Commencement Date The date of contract signature by both parties, or as otherwise specified in the Quotation. This is the reference point for all timings in this Schedule.
Estimated Go Live The estimated go live of 9–10 weeks from Design Sign-Off is conditional on all client dependencies being met on time. Phase One and Phase Two durations vary by scope (Visual Brand Workshop, VBAs and number of design milestones), so the contract anchors go live to Design Sign-Off rather than Commencement. Where Website Build runs to its upper bound (3 weeks), go live shifts to 10 weeks. Client delays after Design Sign-Off will extend this timeline further.
Build slot The build slot is scheduled — not reserved — once Design Sign-Off has been received in writing. Because designs frequently change in the run-up to sign-off, IM does not hold a build slot in advance and cannot guarantee a specific build start date prior to Design Sign-Off. Once a build slot has been scheduled, it is held as long as project milestones are met; if client dependencies are not met, the slot may be released and reallocated, and IM cannot guarantee a specific restart date where the slot has been released.
Change Control Any item not in the original Site Specification is out of scope. IM will issue a written Change Request with cost and timeline impact. Work does not commence until the Change Request is signed.
Project Hold & Re-initiation See Schedule A clause 7 for full terms. Key consequences: all remaining project invoices immediately due; monthly hosting charges commence; Re-initiation Fee of £1,250 + VAT payable before restart.
Deemed Acceptance Acceptance of the Site is deemed if the Client: uses the site for live purposes; delays Acceptance Tests by more than 7 Business Days; or allows 14 days to elapse after requesting go live (Schedule A, clause 5).
SCHEDULE C — SERVICE LEVEL AGREEMENT
INNERMEDIA LIMITED
Schedule C Service Level Agreement
Hosting, Support and Service Level Commitments
Version 4.0 | May 2026
Classification: Commercial — Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
This Schedule forms part of the InnerMedia Master Terms & Conditions. In the event of any inconsistency between this Schedule and the Master Terms, this Schedule shall prevail in relation to support and hosting services.
1. INTERPRETATION
1.1 The following definitions apply in this Schedule in addition to those in the Master Terms & Conditions:
Term Definition
Commercially Reasonable Efforts The same degree of priority and diligence with which the Supplier meets the support needs of its other clients of a similar size and complexity.
Client Cause Any of the following: (a) improper use, misuse or unauthorised alteration of the Site or Software by the Client; (b) use of the Site or Software in a manner inconsistent with the then-current supporting materials; (c) use of hardware or software not provided or approved by the Supplier; or (d) use of a non-current version or release of the Site or Software.
Fault Any failure of the Site or Software to operate in all material respects in accordance with the Site Specification and Materials, including any failure or error referred to in the Service Level Table.
Help Desk Support Support provided by help desk technicians sufficiently qualified and experienced to identify and resolve issues relating to the Site or Software.
Hosting Services The hosting of the Client's website, provided by the Supplier via a third-party hosting provider on infrastructure within AWS UK or EU regions.
Out-of-Scope Services Services provided in connection with any apparent problem: (a) reasonably determined by the Supplier not to have been caused by a Fault but rather by a Client Cause or a cause outside the Supplier's control (including third-party plugins); or (b) required outside of Support Hours.
Service Level Table The table set out in clause 5.1 of this Schedule.
Service Levels The response and resolution times specified in the Service Level Table.
Software The software agreed to be provided as part of the Services, if any, as specified in the Project Plan.
Solution (a) Correction of a Fault; or (b) a workaround in relation to a Fault (including reversal of changes to the Site or Software if appropriate) that is reasonably acceptable to the Client.
Support Fees A minimum charge of one hour applies to all Support Services unless a Service Level Agreement is in place. Where an SLA is in place, support time is accumulated throughout the month. Additional hours may be purchased as required.
Support Hours Monday to Friday, 9:00am to 5:00pm, excluding weekends, Bank Holidays and the period from Christmas Day to New Year's Day inclusive.
Support Period The term of the Agreement and, if requested by the Client, any period during which the Client transfers the Services to an alternate service provider.
Support Request A request made by the Client in accordance with this Schedule for support in relation to the Site or any Software supplied, including the correction of a Fault.
Support Services Maintenance of the then-current version or release of the Site and/or Software, including Help Desk Support and the supply of Hosting Services, but excluding any Out-of-Scope Services.
1.2 All initially capitalised terms used in this Schedule but not defined above shall have the meaning given to them in the Master Terms & Conditions.
2. SUPPORT SERVICES
2.1 During the Support Period, the Supplier shall perform the Support Services during Support Hours in accordance with the Service Levels.
2.2 As part of the Support Services, the Supplier shall:
• Provide Help Desk Support via telephone: 01707 875 721 and email: support@innermedia.co.uk;
• Use Commercially Reasonable Efforts to correct all Faults notified under clause 4.3(a); and
• Provide technical support for the Site or Software in accordance with the Service Levels.
2.3 The Supplier may reasonably determine that any services requested constitute Out-of-Scope Services. If it does so, it shall promptly notify the Client.
2.4 Where the Client requires Out-of-Scope Services, it shall complete the Emergency Support Form available at: https://www.innermedia.co.uk/emergency/
2.5 The Client acknowledges that the Supplier is not obliged to provide Out-of-Scope Services. If the Supplier does so, the Service Level response times shall apply and Support Fees shall be payable for such services.
3. FEES
3.1 The provision of Support Services on a remote, off-site basis (such as by telephone or email) within the Support Period shall be included within the Support Fees set out in the applicable Schedule.
3.2 The following shall be charged at the Support Fees rate in addition to any included allowance:
• Support Services provided outside Support Hours;
• Support Services provided at the Client's site;
• Out-of-Scope Services; and
• Any investigational work where the investigation determines the cause to be a Client Cause.
3.3 The Supplier's standard day rate for chargeable support and out-of-scope work is £750 + VAT per day (or pro-rata for shorter periods), unless otherwise agreed in writing.
4. SUBMITTING SUPPORT REQUESTS
4.1 The Client may request Support Services by submitting a Support Request via the channels specified in clause 2.2.
4.2 Each Support Request shall include:
• A clear description of the problem or Fault;
• The date and time the issue was first identified;
• The severity level (if known) based on the Service Level Table; and
• Any error messages, screenshots or other information reasonably useful to the Supplier.
4.3 The Client shall provide the Supplier with:
• Prompt notice of any Faults; and
• Such output, data, Materials, information, assistance and (subject to the Client's security requirements) remote access to the Client's systems as are reasonably necessary to assist the Supplier in reproducing the fault conditions and responding to the Support Request.
4.4 All Support Services shall be provided remotely from the Supplier's offices unless otherwise agreed in writing.
4.5 The Client acknowledges that, to properly assess and resolve certain Support Requests, it may be necessary for the Supplier to access the Client's systems directly. The Client shall provide such access promptly, provided the Supplier complies with the Client's reasonable security requirements and relevant policies.
5. SERVICE LEVELS
5.1 The Supplier shall prioritise all Support Requests based on a reasonable assessment of the severity level of the problem reported and shall respond in accordance with the following Service Level Table:
SEVERITY — DEFINITION — RESPONSE & RESOLUTION TIMES
Level 1 — BUSINESS CRITICAL
An error or failure of the Site or Software that:
• Materially impacts the operations of the Client's business or the marketability of its service or product;
• Prevents necessary work from being performed; or
• Disables major functions of the Site or Software.
Acknowledgement: Within 2 working hours of receipt of Support Request.
Resolution: The Supplier shall restore the Site or Software to full operational status within 24 hours of the Level 1 acknowledgement time.
The Supplier shall work continuously until full restoration is achieved.
If a workaround is delivered that is reasonably acceptable to the Client, the severity level may be reduced to Level 2 or lower.
Level 2 — SYSTEM DEFECT WITH WORKAROUND
A critical error in the Software for which a workaround exists; or
A non-critical error that affects the operations of the Client's business or the marketability of its service or product.
Acknowledgement: Within 4 working hours of receipt of Support Request.
Interim fix: An emergency software fix, workaround, or temporary release shall be provided within 2 Business Days of the acknowledgement time.
Permanent fix: A permanent fault correction shall be provided as soon as practicable and no later than 2 Business Days after receipt of the Support Request.
Level 3 — MINOR ERROR / INVESTIGATION
An isolated or minor error in the website or general service request that:
• Does not significantly affect website functionality;
• May disable only certain non-essential functions; or
• Does not materially impact the Client's business performance.
Acknowledgement: Within 4 working hours of receipt of Support Request.
Permanent fix: A permanent fault correction shall be provided within 3 Business Days after the Level 3 acknowledgement time.
5.2 The parties may, on a case-by-case basis, agree in writing to a reasonable extension of the Service Level response times where the nature or complexity of the Fault reasonably requires it.
5.3 The Supplier shall provide the Client with regular updates on the nature and status of its efforts to correct any Fault until a Solution is delivered.
5.4 Hosting Uptime Guarantee
The Supplier provides a 100% connectivity guarantee in respect of the Hosting Services. When not undergoing scheduled maintenance, the network infrastructure shall be available 100% of the time. In the event of unplanned network failure, the Supplier shall apply a service credit of 24 hours' hosting charge for every 60 minutes of lost connectivity, up to a maximum credit equal to the Client's monthly Hosting Services subscription charge in the affected month.
5.5 Scheduled maintenance windows will be communicated to the Client with not less than 48 hours' notice wherever reasonably practicable. Scheduled maintenance shall not count against the uptime guarantee.
5.6 The uptime guarantee does not apply where unavailability is caused by: (a) a Client Cause; (b) a third-party provider failure outside the Supplier's reasonable control (such as upstream internet connectivity); or (c) force majeure events as defined in the Master Terms.
6. ESCALATION
6.1 If a Solution is not provided within the applicable Service Level response time, the Client may escalate the Support Request through the following process:
Step Action
Step 1 — Account Manager Escalate the Support Request directly to the Client's named InnerMedia account manager, referencing the original ticket reference and the time elapsed.
Step 2 — Relationship Manager If unresolved within a further 4 working hours at Step 1, escalate to the InnerMedia Relationship Manager as identified in the Project Plan.
Step 3 — Senior Management If unresolved within a further Business Day at Step 2, escalate to InnerMedia senior management as notified to the Client in writing.
6.2 The Supplier shall acknowledge all escalations within 2 working hours and provide a written update on the resolution plan.
7. TRANSFER AND TERMINATION
7.1 In the event of termination of the Agreement or the Hosting Services, the Supplier will (on request) provide the Client with:
• A copy of all website files and databases;
• A copy of the project file including all design files, images, CSS, technical templates and other files supplied during the course of the project; and
• Reasonable assistance to facilitate a smooth transition to an alternative provider, charged at the Supplier's standard day rate (£750 + VAT per day).
7.2 All files and materials referred to in clause 7.1 will only be released once all outstanding invoices have been paid in full and any reasonably disputed charges have been settled between the parties.
7.3 The Hosting Services are subject to a minimum three (3) months' notice period as set out in the Master Terms. To ensure continuity of service following notification of termination, the Supplier will continue to host the Site for as long as the Client requires, subject to payment of the agreed Hosting Fees.
7.4 If the Client wishes to transfer the Site to an alternative provider before the expiry of the three-month notice period, it may do so on payment of the equivalent of three months' Hosting Fees, which shall cover:
• Hosting services for the three-month notice period;
• A server backup; and
• The collation and supply of all website files and databases.
Transfer fees do not include assistance in uploading the website to the new hosting provider. The Supplier can provide upload assistance at its standard day rate of £750 + VAT per day if required.
7.5 If the project is terminated before the website goes live, for any reason, all sums due for time consumed on the project plus any uninvoiced expenses shall become immediately due and payable.
8. LIMITATION OF LIABILITY
8.1 The Supplier's liability for failure to meet the Service Levels is limited to the service credits set out in clause 5.4. These credits represent the Client's sole and exclusive remedy for any breach of the hosting uptime guarantee.
8.2 In all other respects, the liability provisions in the Master Terms & Conditions clause 8 shall apply to this Schedule.
SCHEDULE D — AI PRODUCT TERMS
INNERMEDIA LIMITED
Schedule D AI Product Terms
AI Products & Services — Service Terms and Conditions
Version 4.0 | May 2026
Classification: Commercial — Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
These terms form part of the InnerMedia Master Terms & Conditions and must be read alongside the Data Processing Agreement (DPA). In the event of any inconsistency between this Schedule and the Master Terms, this Schedule shall prevail in relation to AI services.
1. SCOPE
1.1 This Schedule governs the provision of InnerMedia's suite of AI-powered products and services, including in imHUB, and any future AI-based tools developed by the Supplier.
1.2 The services provided are detailed in the Quote.
2. DEFINITIONS
Term Definition
AI Configuration The specific prompts, workflows, datasets, routing logic and settings applied by the Supplier to configure the AI Product for the Client's requirements.
AI Product The Supplier's suite of AI-powered tools described in clause 1.1 and the Project Plan.
Client Data All data, content, text, images, documents, records and other information supplied or made available to the Supplier by the Client for the purpose of configuring or operating the AI Product. Client Data does not include data that the Supplier independently generates or that arises solely from the Supplier's AI models.
End-User A person who interacts with the AI Product via a client-facing interface (e.g. a website chatbot, enquiry tool or staff assistant).
Interaction Data Data generated when an End-User interacts with the AI Product, including conversation logs and inputs.
Personal Data Has the meaning given in the Data Protection Laws as defined in the Master Terms.
Sub-Processor A third party engaged by the Supplier to process Personal Data in connection with the AI Products, as listed in Schedule D Appendix 1.
3. AI PRODUCT DELIVERY
3.1 The Supplier shall configure, integrate and deliver the AI Products as set out in the Quotation.
3.2 Acceptance of the AI Product shall occur when it passes the KDQ Acceptance Tests or is deemed accepted under clause 3.3.
3.3 Acceptance is deemed to have occurred upon the earliest of: (a) the Client using the AI Product for live, customer-facing or operational purposes; (b) the Client delaying Acceptance Tests by more than seven (7) Business Days after notification of readiness; or (c) fourteen (14) days after the Client's request for the AI Product to go live.
3.4 If the AI Product fails Acceptance Tests due to incorrect or incomplete Client Data, unsuitable inputs, or Client/agent actions (Non-Supplier Defects), the AI Product shall be deemed to have passed. The Supplier may assist in remedying Non-Supplier Defects at its standard day rate.
4. WARRANTIES AND AI LIMITATIONS
4.1 The Supplier warrants that the AI Product will operate materially in accordance with the specification during the Supplier's management. If it does not, the Supplier will remedy confirmed defects at no additional charge.
4.2 This warranty does not apply where failures arise from Client Data, Client misuse, unauthorised modifications, or operation contrary to the Supplier's instructions.
Important: AI outputs are probabilistic, not deterministic. The Supplier does not warrant the accuracy, completeness or suitability of any AI-generated content. Clients are responsible for reviewing AI outputs used in consequential decisions (e.g. admissions responses, staff communications). The Supplier recommends human-in-the-loop review for all high-stakes or regulatory contexts.
4.3 The Client acknowledges that AI technology is evolving and that the Supplier may update or improve the underlying AI Product from time to time. Where such updates materially alter the Client's AI Configuration, the Supplier will provide thirty (30) days' notice.
5. DATA PROTECTION AND AI PROCESSING
This section governs how the Supplier handles Personal Data in connection with the AI Products. It must be read alongside the separately executed Data Processing Agreement (DPA), which contains the full Article 28 UK GDPR provisions.
5.1 Roles
The Client is the Data Controller. The Supplier is the Data Processor. All processing of Personal Data by the Supplier is governed by the DPA.
5.2 Prohibition on AI Training with Client Data
Client Data and Interaction Data shall not be used to train, fine-tune, benchmark or otherwise improve any AI model, whether proprietary to the Supplier or provided by a third party, beyond the scope of the Client's own specific AI Configuration. This prohibition applies absolutely and survives termination of this Agreement.
5.2.1 The Supplier confirms that:
• All AI model inference runs on the Client's AI Configuration are performed within the Client's environment;
• Conversation logs and Client Data are logically isolated per client and are not accessible to other clients;
• No Client Data is used to improve the Supplier's general AI capabilities or shared with any third party for model improvement purposes.
5.3 Sub-Processors
5.3.1 The Supplier uses the following approved Sub-Processors in connection with the AI Products. All Sub-Processors are contractually bound to process Personal Data only on the Supplier's instructions and to maintain appropriate security standards:
Sub-Processor Role / Purpose
Amazon Web Services (AWS) — UK/EU Regions Primary cloud infrastructure, hosting, compute and storage for all AI Products. All data is processed within AWS UK or EU regions.
Anthropic Claude (via AWS Bedrock) Large Language Model (LLM) inference engine powering AI Products. Accessed exclusively via AWS Bedrock, meaning data does not leave the AWS environment and is not used by Anthropic for model training.
WordPress (Automattic Inc.) CMS platform used for client website integrations. Data handling governed by WordPress.com Data Processing Agreement.
SendGrid (Twilio Inc.) Transactional and marketing email delivery for aiMarketeer and notification services.
Google LLC — Analytics & Tag Manager Website analytics (GA4) and tag management on client websites. May process end-user IP addresses and behaviour data.
Meta Platforms Inc. Advertising pixel services (Meta Pixel) on client websites where enabled. May process end-user interaction data for advertising purposes.
Google LLC — Ads Google Ads conversion tracking on client websites where enabled.
Access Paysuite Payment processing and direct debit collection for client billing.
Xero (Xero Limited) Accounting and invoicing platform. Processes client business and contact information.
5.3.2 The Supplier shall provide the Client with at least thirty (30) days' written notice before engaging any new Sub-Processor or replacing an existing one. The Client may object to a new Sub-Processor on reasonable grounds within fourteen (14) days of notice. If the parties cannot agree, the Client may terminate the AI Product service on thirty (30) days' notice without penalty.
5.4 Data Residency
5.4.1 All Client Data and Interaction Data is stored and processed exclusively within AWS UK or EU regions. No Personal Data is transferred outside the United Kingdom or the European Economic Area unless the Client provides prior written consent.
5.4.2 The use of Anthropic Claude via AWS Bedrock ensures that LLM inference occurs within the AWS environment without data being transmitted to Anthropic's external systems.
5.5 Children's Data
Where the Client operates in a sector involving children (e.g. schools, nurseries, early years settings), additional obligations apply under this clause. The Supplier's AI Products may process data relating to prospective pupils, current pupils, or their parents and guardians.
5.5.1 The Client warrants that it has obtained all necessary consents and has appropriate lawful bases for sharing any data relating to individuals under the age of 18 with the Supplier.
5.5.2 The Supplier shall not process data identifiable as relating to a child under 18 for any purpose other than the delivery of the specific AI Product configuration for that Client.
5.5.3 Interaction Data involving children shall be subject to a maximum retention period of three hundred and sixty (360) days, after which it will be automatically deleted from the Supplier's systems, unless the Client instructs a shorter period.
5.5.4 The Client is responsible for ensuring that any AI Product used in contexts involving children complies with applicable safeguarding requirements, DfE guidance and the ICO's Age Appropriate Design Code.
5.6 Interaction Data Retention
5.6.1 Interaction Data (conversation logs, End-User inputs and AI outputs) will be retained for a maximum of three hundred and sixty (360) days following the end of the applicable session, unless the Client requests a shorter period or extended retention for a specific operational purpose.
5.6.2 On termination, all Interaction Data will be deleted within sixty (60) days of the termination date, unless the Client requests an export before deletion.
5.7 Security
5.7.1 The Supplier implements the following security measures in connection with AI Products:
• AES-256 encryption of data at rest within AWS;
• TLS 1.2 or higher encryption of data in transit;
• Logical isolation of each Client's data and AI Configuration;
• Role-based access controls limiting Supplier personnel access to Client Data;
• Multi-factor authentication (MFA) for all internal systems accessing Client Data;
• Annual security review of AI infrastructure.
6. CLIENT DATA AND ACCEPTABLE USE
6.1 The Client warrants that all Client Data: (a) does not infringe any applicable law or third-party rights; (b) does not contain inappropriate content; (c) is provided with a valid lawful basis under Data Protection Laws.
6.2 The Supplier does not monitor Client Data or AI outputs in real time, but shall notify the Client promptly if it becomes aware of any apparent legal issue or inappropriate content.
6.3 The Client shall indemnify the Supplier against all claims arising from: (a) Client Data constituting inappropriate content; or (b) alleged third-party IPR infringement arising from the Supplier's use of Client Data.
6.4 The Client is responsible for publishing appropriate privacy notices to its End-Users explaining that AI is used to process their enquiries and that their interactions may be stored. The Supplier can provide template wording on request.
7. CHARGES AND PAYMENT
7.1 Charges shall be paid in accordance with the quotation.
7.2 Ongoing subscription, hosting and AI runtime charges shall be collected by monthly direct debit in advance or annually in advance.
7.3 VAT invoices shall be issued accordingly. The Client shall pay each invoice within thirty (30) days of issue.
7.4 If Client-caused delays affect the Project timeline, the Supplier may revise the payment schedule accordingly.
8. INTELLECTUAL PROPERTY
8.1 All IPR in Client Data remains the property of the Client.
8.2 The Supplier retains all IPR in: (a) the AI Products; (b) all AI templates, pre-built models, system prompts and workflows; (c) the AI Configuration architecture and methodology.
8.3 Any custom AI Configuration created for the Client is licensed to the Client for their use only during the term of this Agreement. It shall not be assigned without the Supplier's express written consent.
9. CONSEQUENCES OF TERMINATION
9.1 On termination, all unpaid invoices become immediately due and payable.
9.2 Within thirty (30) days of payment of all outstanding sums, the Supplier shall: (a) return all Client Data in a structured, machine-readable format; (b) provide an export of any custom configuration or content created for the Client, excluding proprietary AI functionality; and (c) delete all Client Data from Supplier systems and confirm deletion in writing.
9.3 The prohibition on AI training in clause 5.2 survives termination indefinitely.
10. ATTRIBUTION
10.1 Where AI Products are deployed in client-facing interfaces, the Supplier may include a discreet 'Powered by InnerMedia' attribution. The Client may request removal of this attribution at any time.
DATA PROCESSING AGREEMENT
INNERMEDIA LIMITED
Data Processing Agreement
UK GDPR Article 28 — Processor Agreement
Version 4.0 | May 2026
Classification: Commercial — Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
This Data Processing Agreement (DPA) is incorporated into and forms part of the Master Terms & Conditions between InnerMedia Limited (Processor) and the Client (Controller). It applies wherever the Supplier processes Personal Data on behalf of the Client in connection with any Service.
This DPA is entered into between:
Party | Details
Data Controller ("Controller") | The Client as named in the relevant Schedule.
Data Processor ("Processor") | Inner Media Limited, Company No. 04818830, Enterprise Centre, Cranborne Road, Potters Bar, Hertfordshire EN6 3DQ. ICO Registration: ICO:00010252104.
1. DEFINITIONS
1.1 In this DPA, the following terms have the meanings given in the UK GDPR and the Data Protection Act 2018: 'Controller', 'Data Subject', 'Personal Data', 'Personal Data Breach', 'Processing', 'Processor', 'Special Category Data', 'Supervisory Authority'.
1.2 'Services' means the services described in the applicable Schedule to the Master Terms.
1.3 'Sub-Processor' means any third party engaged by the Processor to carry out Processing activities on behalf of the Controller.
2. SCOPE AND PURPOSE OF PROCESSING
Processing Detail | Description
Subject matter | Personal Data provided by the Client in connection with the Services, including website visitor data, enquiry data, staff data, and AI interaction data.
Duration | For the term of the Agreement and as required by applicable law.
Nature of processing | Collection, storage, structuring, retrieval, use, transmission, deletion and destruction of Personal Data as necessary to deliver the Services.
Purpose of processing | To enable the Processor to deliver the Services as described in the Schedules, including website hosting, content management, AI product operation, and related technical services.
Type of Personal Data | Names, email addresses, telephone numbers, IP addresses, website interaction data, enquiry content, conversation logs, and any other data provided by or on behalf of the Client.
Categories of Data Subjects | Website visitors, prospective clients/pupils/parents, existing clients/pupils/parents, staff members, and End-Users of AI Products.
Special Category Data | Not anticipated. The Client must notify the Processor in writing before providing any Special Category Data.
3. CONTROLLER OBLIGATIONS
3.1 The Controller warrants and undertakes that:
• It has a valid lawful basis under UK GDPR for each Processing activity;
• It has provided Data Subjects with all required privacy notices;
• It is entitled to transfer Personal Data to the Processor for Processing under this DPA;
• Where required, it has obtained valid consent from Data Subjects (including parents/guardians of children under 13);
• It will ensure that any instructions given to the Processor comply with UK GDPR.
4. PROCESSOR OBLIGATIONS
The Processor shall, in relation to any Personal Data processed on behalf of the Controller:
4.1 Process Only on Instructions
Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall notify the Controller unless prohibited by law).
4.2 Confidentiality
Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and have received appropriate data protection training.
4.3 Security
Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, including:
• AES-256 encryption of Personal Data at rest;
• TLS 1.2 or higher encryption of Personal Data in transit;
• Role-based access controls and least-privilege principles;
• Multi-factor authentication (MFA) for all systems accessing Personal Data;
• Regular security testing and review of AI infrastructure;
• Physical security controls at all data centre locations (managed by AWS).
4.4 Sub-Processors
4.4.1 The Controller provides general written authorisation to use the Sub-Processors listed in Schedule D Appendix 1 (the Approved Sub-Processor List).
4.4.2 The Processor shall: (a) give at least thirty (30) days' written notice before engaging any new Sub-Processor or replacing an existing one; (b) impose data protection obligations on each Sub-Processor equivalent to those in this DPA; and (c) remain fully liable to the Controller for the acts and omissions of each Sub-Processor.
4.4.3 The Controller may object to a new Sub-Processor within fourteen (14) days of notice. If the parties cannot resolve the objection, the Controller may terminate the affected Service on thirty (30) days' notice without penalty.
4.5 Data Subject Rights
Without undue delay, and in any case within seventy-two (72) hours, assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) by providing all information the Controller reasonably requires. Such assistance shall be at the Processor's cost where it relates to a security or processing failure by the Processor, and at the Controller's cost otherwise.
4.6 Data Protection Impact Assessments (DPIAs)
Assist the Controller with any Data Protection Impact Assessment required by Article 35 UK GDPR and with any consultation with the ICO.
4.7 Personal Data Breach Notification
Notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting Controller Personal Data. Such notification shall include:
• A description of the nature of the breach;
• The categories and approximate number of Data Subjects and Personal Data records affected;
• The name and contact details of the Data Protection contact;
• The likely consequences of the breach;
• Measures taken or proposed to address the breach.
Where it is not possible to provide all information within 72 hours, the Processor shall provide information in phases without undue further delay.
4.8 Audit
Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections by the Controller or a mandated auditor, at the Controller's cost, on not less than thirty (30) days' written notice. The Processor may refuse unreasonable audit requests or impose reasonable conditions to protect third-party confidentiality.
4.9 No Training on Client Data
The Processor shall not use Personal Data or any other Client Data to train, fine-tune, benchmark or otherwise develop or improve any AI model, whether proprietary or third-party. This obligation survives termination of the Agreement.
4.10 International Transfers
The Processor shall not transfer Personal Data outside the United Kingdom or the European Economic Area without the prior written consent of the Controller, except where a valid transfer mechanism under UK GDPR exists (such as adequacy regulations or Standard Contractual Clauses).
The use of AWS UK/EU regions and Anthropic Claude accessed exclusively via AWS Bedrock ensures that AI processing does not constitute an international transfer of Personal Data.
4.11 Deletion and Return
On termination of the Agreement or on written request by the Controller: (a) return all Personal Data in a structured, machine-readable format; and (b) securely delete all Personal Data from Supplier systems within thirty (30) days, unless retention is required by applicable law. The Processor shall confirm deletion in writing.
5. DATA RETENTION
Data Type | Retention Period
AI Interaction Data (conversation logs) | 360 days from session end (or shorter if instructed by Controller)
Children's Interaction Data (under 18) | 360 days maximum (automatic deletion)
Website analytics data | As configured in the analytics platform (typically 26 months — GA4 default)
Client business information (for AI configuration) | Duration of Agreement + 30 days post-termination
Billing and financial records | 7 years (UK statutory requirement)
Security logs and access records | 12 months
6. GOVERNING LAW
This DPA is governed by the laws of England and Wales. Any dispute arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
PRIVACY POLICY
INNERMEDIA LIMITED
Privacy Policy
How InnerMedia Collects, Uses and Protects Personal Data
Version 4.0 | May 2026
Classification: Public — Website & Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
1. ABOUT THIS POLICY
1.1 Inner Media Limited ('InnerMedia', 'we', 'us', 'our') is committed to protecting the privacy and security of personal information. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have in relation to it.
1.2 InnerMedia is registered with the Information Commissioner's Office (ICO) under registration number ICO:00010252104 as both a Data Controller (for data we collect directly) and a Data Processor (for data we process on behalf of our clients).
1.3 This policy applies to: visitors to our website (innermedia.co.uk); prospective and existing clients; personnel of our clients; and End-Users of AI-powered products we deploy on behalf of our clients.
1.4 We handle four categories of data, each described in detail below:
• Website Information — data collected through website visits and cookies;
• Contact and Relationship Information — data provided when you contact us or become a client;
• Client Configuration Information — data provided by clients to configure our services;
• AI Interaction Information — data generated when End-Users interact with our AI products.
2. WHO WE ARE
Detail | Information
Company Name | Inner Media Limited
Company Number | 04818830
Registered Address | Enterprise Centre, Cranborne Road, Potters Bar, Hertfordshire EN6 3DQ
ICO Registration | ICO:00010252104
Data Protection Contact | hello@innermedia.co.uk
Telephone | 01707 875 721
3. WHAT DATA WE COLLECT AND WHY
3.1 Website Information
When you visit innermedia.co.uk, we may automatically collect:
• Your IP address and approximate geographic location;
• Browser type, version and operating system;
• Pages visited, time on page, referral source and navigation paths;
• Date and time of visits.
We use this data to analyse website performance and improve user experience. The legal basis is our legitimate interests (Article 6(1)(f) UK GDPR). This data is collected via Google Analytics (GA4) and Google Tag Manager. Please see our Cookie Policy (Section 13) for details.
3.2 Contact and Relationship Information
When you contact us, complete a form, request a quote, or enter into a contract with us, we collect:
• Name, job title and organisation;
• Email address and telephone number;
• The content of your communications with us;
• Billing and payment information (processed by Access Paysuite and Xero).
We use this data to manage our client relationships, deliver our services, send relevant communications, and comply with legal obligations. The legal basis is: (a) performance of a contract (Article 6(1)(b)); (b) legitimate interests in managing our business (Article 6(1)(f)); or (c) legal obligation (Article 6(1)(c)).
3.3 Client Configuration Information
Clients provide us with information to configure our services, including:
• School or business information, branding assets, copy and content;
• Documents, FAQs, policies and procedures used to train AI models;
• Staff names and contact details for account management purposes.
We act as a Data Processor for this information. The Client remains the Data Controller. Our processing is governed by the Data Processing Agreement (DPA) executed with each client.
We do not use Client Configuration Information to train, fine-tune or improve any AI model beyond the specific configuration created for that client. This is an absolute commitment.
3.4 AI Interaction Information
When End-Users interact with AI products we have deployed on a client's behalf (e.g. an admissions chatbot or reception assistant), we store:
• The content of conversations between the End-User and the AI;
• Timestamp and session metadata;
• Any information the End-User volunteers during the conversation.
This data is stored securely and made available to the client (the Data Controller) to review. We process this data on behalf of the client under the DPA. Interaction data is automatically deleted after ninety (90) days (or thirty days for interactions identified as involving individuals under 18).
End-Users should be informed by the deploying client that AI is processing their enquiry. If you have questions about how your data has been handled by a specific AI product, please contact the organisation that deployed it.
4. HOW WE SHARE YOUR DATA
4.1 We do not sell personal data to third parties.
4.2 We may share personal data with the following categories of recipients:
• Sub-Processors: third-party service providers who process data on our behalf, as listed in Section 5;
• Professional advisers: lawyers, accountants and insurers, where necessary;
• Regulatory bodies: the ICO or other authorities, where required by law;
• Acquirers: in connection with a sale of InnerMedia's business (clients will be notified in advance).
5. OUR SUB-PROCESSORS
We use the following third-party sub-processors in connection with our services. All are contractually bound to process data only on our instructions and to maintain appropriate security standards:
Sub-Processor | Purpose and Data Location
Amazon Web Services (AWS) | Cloud hosting and infrastructure. All data stored in UK or EU regions. AES-256 encryption.
Anthropic Claude (via AWS Bedrock) | AI language model powering our AI Products. Accessed via AWS Bedrock — data does not leave the AWS environment and is not used by Anthropic for training.
WordPress / Automattic | CMS platform for client websites.
SendGrid (Twilio) | Email delivery for marketing and transactional communications.
Google LLC (Analytics, Tag Manager, Ads) | Website analytics, tag management and advertising services on client websites.
Meta Platforms Inc. | Advertising pixel services on client websites where enabled.
Access Paysuite | Direct debit and payment processing.
Xero | Accounting and invoicing.
Microsoft 365 / OneDrive | Internal document management and communication.
We will notify you of any material changes to our sub-processor list with at least thirty (30) days' notice.
6. INTERNATIONAL DATA TRANSFERS
6.1 All Client Data and AI Interaction Data is stored and processed within AWS UK or EU regions. We do not transfer this data outside the UK or EEA.
6.2 Some sub-processors (such as Google and Meta) may process limited analytics or advertising data outside the UK/EEA under Standard Contractual Clauses or UK adequacy decisions. Where we rely on SCCs, copies are available on request.
6.3 We do not transfer Personal Data to countries without an adequate level of data protection without a valid legal mechanism in place.
7. DATA RETENTION
Data Type | Retention Period
AI Interaction Data | 360 days from session (auto-deleted)
AI Interaction Data — children under 18 | 360 days maximum (auto-deleted)
Client configuration and content data | Duration of contract + 30 days
Client contact and billing records | 7 years (legal requirement)
Website analytics data | 26 months (GA4 default)
Marketing enquiry data | 3 years from last contact, or until you opt out
Security and access logs | 12 months
8. YOUR RIGHTS
Under UK GDPR, you have the following rights in relation to your personal data:
Right | What it means
Access | Request a copy of the personal data we hold about you.
Rectification | Ask us to correct inaccurate or incomplete data.
Erasure ('right to be forgotten') | Ask us to delete your data where there is no legitimate reason for us to continue processing it.
Restriction | Ask us to restrict processing of your data in certain circumstances.
Data Portability | Receive your data in a structured, machine-readable format where processing is based on consent or contract.
Object | Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw Consent | Where processing is based on consent, withdraw that consent at any time.
Automated Decision-Making | Not be subject to decisions made solely by automated means that significantly affect you.
To exercise any of these rights, contact us at hello@innermedia.co.uk. We will respond within one calendar month. We may request proof of identity before processing your request.
If you are dissatisfied with our response, you have the right to lodge a complaint with the ICO: ico.org.uk / 0303 123 1113.
9. AI-SPECIFIC RIGHTS
9.1 You have the right to be informed that you are interacting with an AI system. Our AI products do not take automated decisions with legal or similarly significant effects without human oversight.
9.2 If you believe an AI product has processed your data incorrectly or made an error that has affected you, please contact the organisation that deployed the AI product in the first instance. If your concern relates to InnerMedia's processing, contact us directly.
9.3 You have the right to request that your AI conversation history be deleted. Requests will be processed within 72 hours.
10. CHILDREN'S DATA
10.1 InnerMedia works with schools and other education providers. Where our services involve the processing of data relating to children under 18, we apply enhanced protections:
• Children's interaction data is retained for a maximum of 90 days;
• Children's data is never used for AI model training or improvement;
• Children's data is not used for advertising or profiling;
• We require clients to ensure appropriate consents and safeguarding measures are in place.
10.2 InnerMedia does not knowingly collect personal data directly from children under 13 through its own website. If you believe we have inadvertently collected such data, please contact us immediately.
11. SECURITY
11.1 We take the security of personal data seriously and implement appropriate technical and organisational measures including:
• AES-256 encryption at rest for all stored data;
• TLS 1.2+ encryption for all data in transit;
• Multi-factor authentication on all internal systems;
• Role-based access controls;
• Annual security review and testing;
• Staff data protection training.
11.2 In the event of a Personal Data Breach, we will notify affected Controllers within 72 hours and, where required, the ICO within 72 hours of becoming aware.
12. THIRD PARTY WEBSITES
Our website may contain links to third-party websites. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party sites you visit.
13. COOKIES
13.1 Cookies We Use
Cookie Type | Purpose
Strictly Necessary | Essential for the website to function (session management, security).
Analytics (GA4) | Website performance and visitor behaviour analysis. Requires consent.
Marketing (Meta Pixel, Google Ads) | Advertising effectiveness tracking. Requires consent.
Preferences | Remember your settings and preferences.
13.2 We will ask for your consent before placing non-essential cookies on your device. You can withdraw consent or manage your cookie preferences at any time via our cookie banner or browser settings.
13.3 For more information on cookies, visit ico.org.uk/cookies.
14. UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our services, technology or legal obligations. We will notify active clients of any material changes by email with at least thirty (30) days' notice. The current version is always available at innermedia.co.uk/privacy.
Last updated: May 2026 (Version 4.0).
AI & DATA TRANSPARENCY STATEMENT
INNERMEDIA LIMITED
AI & Data Transparency Statement
How InnerMedia Builds, Deploys and Safeguards AI Products
Version 4.0 | May 2026
Classification: Public — Client Facing
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
This statement is designed to give our clients and their stakeholders clear, honest information about how InnerMedia's AI products work, what data they use, and the safeguards in place. It complements our Privacy Policy and Data Processing Agreement.
1. OUR APPROACH TO AI
InnerMedia builds AI-powered tools specifically for the education and professional services sectors. Our products — including aiAdmissions, aiReception, aiMarketeer, aiParents, aiStaff and aiSEO — are designed to reduce administrative burden and improve responsiveness for our clients and their communities.
We believe AI should be transparent, controlled and trustworthy. This statement explains how we build and operate our AI products to deliver that promise.
2. WHAT AI POWERS OUR PRODUCTS
2.1 The Model
Our AI products are powered by Anthropic's Claude large language model (LLM). Anthropic is a leading AI safety company whose models are designed with safety and reliability as a core priority.
2.2 How We Access It
We access Claude exclusively through Amazon Web Services (AWS) Bedrock — AWS's managed AI platform. This means:
• All AI inference (the process of generating a response) happens entirely within the AWS environment;
• Client data is never transmitted to Anthropic's external systems;
• Anthropic does not have access to your data and cannot use it to train or improve their models;
• All data remains within AWS UK or EU regions at all times.
Unlike many AI solutions that send data directly to third-party AI providers, InnerMedia's architecture keeps your data within a tightly controlled AWS environment. Anthropic never sees your data.
3. WHAT DATA OUR AI USES
3.1 Configuration Data
To configure an AI product for your organisation, we use information you provide us — such as your FAQs, admissions procedures, school policies, staff directories and brand guidelines. This forms the 'knowledge base' that the AI draws on when answering queries.
3.2 Interaction Data
When End-Users (e.g. prospective parents, enquirers, staff) interact with your AI product, the conversation is stored securely so you can review it. This helps you monitor quality, identify common questions, and improve your configuration.
3.3 What We Do NOT Do With Your Data
We make the following absolute commitments on data use:
• We will NEVER use your data to train any AI model — ours or anyone else's;
• We will NEVER share your data with other InnerMedia clients;
• We will NEVER use your data for advertising or profiling;
• We will NEVER transfer your data outside the UK or EU without your explicit written consent;
• We will NEVER retain your data beyond the agreed retention periods (90 days for interaction data, unless you request otherwise).
4. DATA SECURITY
All data processed by our AI products is protected by:
• AES-256 encryption at rest (industry standard — the same encryption used by banks);
• TLS 1.2 or higher encryption in transit (all data moving between systems is encrypted);
• Logical data isolation — your data is kept entirely separate from other clients' data;
• Role-based access controls — only authorised InnerMedia staff with a legitimate need can access your data;
• Multi-factor authentication (MFA) on all InnerMedia systems;
• AWS-managed physical security at all data centres.
5. CHILDREN'S DATA — ADDITIONAL PROTECTIONS
InnerMedia works with schools and education providers. We recognise that AI products in education settings may process data relating to children. We apply the following enhanced protections as standard.
• Conversation data involving children under 18 is automatically deleted after 3600 days;
• Children's data is never used for AI model training or improvement;
• Children's data is never used for advertising, profiling or commercial purposes;
• Our AI products are configured to avoid requesting sensitive personal information from End-Users;
• Clients are responsible for ensuring their AI deployment complies with DfE safeguarding requirements and the ICO's Age Appropriate Design Code.
If your AI product is deployed in a context where children under 13 may interact with it, please discuss this with your InnerMedia account manager so we can ensure the appropriate configuration and consent mechanisms are in place.
6. HUMAN OVERSIGHT
6.1 InnerMedia's AI products are decision-support tools, not autonomous decision-makers. No AI product we deploy makes final decisions in the following areas without human review:
• Admissions decisions or offers of places;
• Safeguarding or pastoral matters;
• Staff performance or HR matters;
• Financial commitments.
6.2 All AI Products include a handoff mechanism to route enquiries to a human member of staff when the query falls outside the AI's knowledge base or involves a sensitive topic.
6.3 We recommend that all clients designate a named AI Product Manager within their organisation who is responsible for monitoring AI outputs, reviewing interaction logs, and escalating concerns.
7. AI LIMITATIONS AND ACCURACY
7.1 AI language models generate responses based on patterns — they do not 'know' facts in the way a human expert does. Responses may occasionally be incorrect, outdated or incomplete.
7.2 All InnerMedia AI products are configured with your organisation's specific information to maximise accuracy. However, we recommend:
• Reviewing your AI knowledge base regularly (at least every school term or quarterly);
• Monitoring interaction logs to identify and correct any patterns of inaccuracy;
• Including a standard disclaimer in AI responses informing End-Users that information should be verified for critical decisions.
7.3 InnerMedia is not liable for decisions made by End-Users based solely on AI-generated content. Clients are responsible for ensuring that their AI deployment is appropriately supervised.
8. SUB-PROCESSORS
The following third-party sub-processors may process data in connection with our AI products. All are contractually bound to maintain appropriate data protection standards:
Sub-Processor | Role
Amazon Web Services (AWS) — UK/EU | Cloud infrastructure, compute, storage and AI inference platform
WordPress / Automattic | CMS for website integrations
SendGrid (Twilio) | Email delivery
We will provide at least thirty (30) days' notice of any changes to our sub-processor list.
9. YOUR RIGHTS
You (and your End-Users) have the right to:
• Know that you are interacting with an AI product;
• Request deletion of conversation history within 72 hours;
• Opt out of interaction data storage (this may limit some features);
• Request a copy of data held about you;
• Lodge a complaint with the ICO if you believe your data has been mishandled.
To exercise any of these rights, contact: hello@innermedia.co.uk
10. QUESTIONS AND CONTACT
If you have questions about how our AI products work or handle data, please contact:
Contact Details
General enquiries hello@innermedia.co.uk
Data protection matters hello@innermedia.co.uk (mark: FAO Data Protection)
Address Enterprise Centre, Cranborne Road, Potters Bar, Hertfordshire EN6 3DQ
Telephone 01707 875 721
ICO Registration ICO:00010252104
DATA PROTECTION POLICY
INNERMEDIA LIMITED
Data Protection Policy
Internal Policy — UK GDPR Compliance Framework
Version 4.0 | May 2026
Classification: Internal — All Staff
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
Policy Detail Information
Policy Owner Board of Directors
Approved By Board of Directors
Review Cycle Annual (or following material regulatory or business change)
Applies To All InnerMedia staff, contractors and sub-processors with access to personal data
Associated Documents Privacy Policy | AI & Data Transparency Statement | Information Security Policy | Data Processing Agreement
Regulatory Framework UK GDPR (retained EU law) | Data Protection Act 2018 | Privacy and Electronic Communications Regulations 2003
1. INTRODUCTION AND PURPOSE
1.1 Inner Media Limited ('InnerMedia') collects and processes personal data about clients, prospective clients, staff, website visitors, and end-users of our AI products. We are committed to handling all personal data lawfully, transparently and securely.
1.2 This policy sets out the framework for how InnerMedia complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all personal data processed by InnerMedia, whether in digital or physical form.
1.3 Compliance with this policy is mandatory for all staff, contractors and any third party granted access to InnerMedia systems or client data.
Failure to comply with this policy may result in disciplinary action, up to and including dismissal, and may also expose individual staff to personal liability under data protection law.
2. ROLES AND RESPONSIBILITIES
2.1 Data Controller
InnerMedia acts as a Data Controller for personal data it collects about its own contacts, prospects and staff. InnerMedia acts as a Data Processor for personal data provided by clients. In both cases, the obligations in this policy apply.
2.2 Board of Directors
• Hold ultimate accountability for data protection compliance;
• Ensure adequate resources are allocated for data protection;
• Approve this policy and any material amendments;
• Receive and act on reports of data breaches or significant compliance issues.
2.3 Data Protection Lead
InnerMedia has designated a Data Protection Lead (currently the Managing Director) who is responsible for:
• Day-to-day oversight of data protection compliance;
• Maintaining the Record of Processing Activities (ROPA);
• Managing data subject requests and breach notifications;
• Liaising with the ICO when required;
• Keeping staff training up to date;
• Reviewing and updating this policy annually.
2.4 All Staff
• Complete data protection induction training before handling personal data;
• Complete annual refresher training;
• Handle personal data only as required for their role and in accordance with this policy;
• Report any suspected data breach or security incident immediately to the Data Protection Lead;
• Not access, share or use personal data for any purpose outside their role;
• Follow the clean desk and screen lock policies in the Information Security Policy.
3. DATA PROTECTION PRINCIPLES
InnerMedia shall ensure that all personal data is:
Principle What This Means in Practice
Lawfully, fairly and transparently processed We identify a legal basis before processing. We are clear with individuals about how we use their data (via our Privacy Policy).
Collected for specified, explicit and legitimate purposes We do not use data for purposes incompatible with why it was collected. AI products do not use client data for model training.
Adequate, relevant and limited to what is necessary We collect only the data we need. We do not request unnecessary information in AI interactions.
Accurate and kept up to date We take reasonable steps to keep data accurate. Clients can request corrections at any time.
Not kept longer than necessary We apply the retention periods set out in the Privacy Policy and DPA. Automated deletion is in place for AI interaction data.
Processed securely We apply the technical and organisational measures set out in the Information Security Policy and DPA.
Accountability We maintain records of our processing activities and can demonstrate compliance on request.
4. LAWFUL BASES FOR PROCESSING
4.1 Before processing any personal data, the relevant team member must confirm that a valid lawful basis exists. InnerMedia's primary lawful bases are:
• Contract (Article 6(1)(b)): processing necessary to deliver services to clients;
• Legitimate Interests (Article 6(1)(f)): managing client relationships, marketing to business contacts, improving our services — subject to a Legitimate Interests Assessment (LIA) where required;
• Legal Obligation (Article 6(1)(c)): compliance with accounting, employment and regulatory requirements;
• Consent (Article 6(1)(a)): newsletter sign-ups, non-essential cookies, certain marketing activities.
4.2 For Special Category Data (health, race, religion, biometric data, etc.), an additional condition under Article 9 UK GDPR must be identified. InnerMedia does not ordinarily process Special Category Data. If a client scenario requires this, the Data Protection Lead must be consulted before any processing begins.
4.3 For children's data, the Data Protection Lead must review the relevant processing activity before it begins to ensure compliance with the ICO's Age Appropriate Design Code and any applicable sector guidance.
5. RECORD OF PROCESSING ACTIVITIES (ROPA)
5.1 InnerMedia maintains a Record of Processing Activities (ROPA) as required by Article 30 UK GDPR. The ROPA is maintained by the Data Protection Lead and reviewed annually.
5.2 The ROPA covers: all categories of personal data processed; the purposes of processing; lawful bases; data subjects; retention periods; recipients and sub-processors; and international transfers.
5.3 Any new processing activity (including new AI product features, new sub-processors or new client sectors) must be notified to the Data Protection Lead before launch so the ROPA can be updated.
6. DATA SUBJECT RIGHTS
6.1 InnerMedia is committed to honouring all Data Subject rights requests within the statutory timescales:
Right Response Timeframe
Subject Access Request (SAR) One calendar month (extensible to three months for complex requests)
Rectification Without undue delay (aim: 72 hours for straightforward corrections)
Erasure Without undue delay (aim: 30 days)
Restriction of processing Without undue delay
Data portability One calendar month
Objection to processing Must stop processing immediately (unless compelling legitimate grounds)
AI conversation deletion 72 hours
6.2 All data subject requests must be directed to hello@innermedia.co.uk and immediately forwarded to the Data Protection Lead.
6.3 We may request proof of identity before processing a request. We will not charge a fee for routine requests.
7. DATA BREACHES
ALL suspected data breaches or security incidents involving personal data must be reported to the Data Protection Lead immediately — and in any event within 2 hours of discovery. Do not attempt to investigate or contain a breach without involving the Data Protection Lead.
7.1 What Constitutes a Breach
A personal data breach is any security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes:
• Sending personal data to the wrong recipient (email, post, or file share);
• Loss or theft of a device containing personal data;
• Unauthorised access to systems containing personal data;
• AI product errors resulting in inappropriate disclosure of personal data;
• A sub-processor reporting a breach affecting InnerMedia client data.
7.2 Breach Response Process
On discovery of a suspected breach, the following steps shall be taken:
• Step 1 — Report: Notify the Data Protection Lead immediately (within 2 hours);
• Step 2 — Contain: Take immediate steps to stop ongoing harm (e.g. revoke access, suspend AI service);
• Step 3 — Assess: Data Protection Lead assesses severity, scope and likely consequences;
• Step 4 — Notify Controller: If the breach affects a Client's data, notify the Client within 72 hours;
• Step 5 — ICO Notification: If the breach is likely to result in a risk to individuals' rights and freedoms, notify the ICO within 72 hours of InnerMedia becoming aware;
• Step 6 — Document: Record all details of the breach, the response, and any remedial actions taken.
7.3 Not all breaches require ICO notification, but all breaches must be documented in the Breach Register maintained by the Data Protection Lead.
8. DATA MINIMISATION AND RETENTION
8.1 Staff must only collect the personal data that is genuinely necessary for the relevant purpose. When in doubt, less is more.
8.2 All personal data must be deleted or anonymised when it is no longer needed, in accordance with the retention periods in the Privacy Policy. Staff must not retain personal data in personal email accounts, local drives or unofficial storage.
8.3 AI interaction data is automatically deleted from InnerMedia systems after three hundred and sixty (360) days. Staff must not extract or copy this data beyond the agreed purposes.
9. THIRD PARTIES AND SUB-PROCESSORS
9.1 Before sharing personal data with any third party, the Data Protection Lead must confirm that an appropriate contract or agreement is in place (e.g. a DPA or sub-processor agreement).
9.2 New sub-processors must be approved by the Data Protection Lead before use. Clients must be notified of new sub-processors with at least thirty (30) days' notice.
9.3 Sub-processors must be vetted to confirm they implement appropriate technical and organisational security measures.
10. INTERNATIONAL TRANSFERS
10.1 No personal data may be transferred outside the UK or EEA without the prior written approval of the Data Protection Lead and a valid transfer mechanism (adequacy decision, SCCs, or Binding Corporate Rules).
10.2 The use of AWS UK/EU regions and Anthropic Claude via AWS Bedrock means that AI processing does not constitute an international transfer.
11. TRAINING
11.1 All staff must complete data protection induction training before accessing any personal data.
11.2 All staff must complete annual refresher training, updated to reflect any changes in law or InnerMedia's processing activities.
11.3 Staff working directly with AI products or client data must complete additional AI-specific data handling training.
11.4 Training completion records shall be maintained by the Data Protection Lead.
12. POLICY BREACHES
Any breach of this policy by a member of staff will be investigated and may result in disciplinary action up to and including dismissal. Serious breaches may also be referred to the ICO or other regulatory authorities.
13. POLICY REVIEW
This policy shall be reviewed annually by the Data Protection Lead and approved by the Board. It shall also be reviewed following any material change in UK GDPR, relevant guidance from the ICO, or a significant change to InnerMedia's data processing activities.
INFORMATION SECURITY POLICY
INNERMEDIA LIMITED
Information Security Policy
Internal Policy — Controls, Responsibilities and Incident Response
Version 4.0 | May 2026
Classification: Internal — All Staff
Owner: Board of Directors, InnerMedia Limited
Review Cycle: Annual or following material changes to services or legislation
Policy Detail Information
Policy Owner Board of Directors
Approved By Board of Directors
Review Cycle Annual (or following a significant security incident)
Applies To All InnerMedia staff, contractors and any third party with access to InnerMedia systems
Associated Documents Data Protection Policy | Privacy Policy | AI & Data Transparency Statement | DPA
Regulatory Framework UK GDPR | Data Protection Act 2018 | Computer Misuse Act 1990 | Network and Information Systems (NIS) Regulations 2018
1. INTRODUCTION
1.1 Information security is fundamental to InnerMedia's ability to deliver trusted services to our clients. We hold sensitive data on behalf of schools, businesses and their communities. Protecting that data is a legal obligation and a commercial and ethical responsibility.
1.2 This policy establishes InnerMedia's information security framework, based on the CIA triad:
• Confidentiality — data is accessible only to those with authorised need;
• Integrity — data is accurate, complete and protected from unauthorised alteration;
• Availability — data and systems are available to authorised users when needed.
1.3 Compliance with this policy is mandatory for all staff. Contractors and sub-processors must comply with equivalent standards as a condition of their engagement.
2. SCOPE
This policy applies to all information assets owned, managed or processed by InnerMedia, including:
• Client data and Personal Data;
• AI product infrastructure and configurations;
• InnerMedia's internal systems, networks and devices;
• Third-party systems accessed in connection with InnerMedia services (AWS, WordPress, SendGrid, etc.);
• Physical documents containing sensitive information.
3. RESPONSIBILITIES
3.1 Board of Directors
The Board holds ultimate accountability for information security. The Board shall ensure that appropriate resources are allocated, that this policy is reviewed annually, and that significant incidents are escalated appropriately.
3.2 Information Security Lead
The Information Security Lead (currently the Managing Director) is responsible for:
• Day-to-day oversight of security controls and compliance;
• Maintaining the risk register and reviewing it quarterly;
• Approving new information systems before deployment;
• Managing security incidents and coordinating response;
• Overseeing staff security training.
3.3 All Staff
• Follow all security controls and procedures in this policy;
• Report suspected security incidents or breaches immediately to the Information Security Lead;
• Complete security training at induction and annually;
• Not share passwords, access credentials or security tokens;
• Lock screens when away from their workstation;
• Not install unapproved software on company or client systems.
4. ACCESS CONTROLS
4.1 Principles
Access to InnerMedia systems and client data shall be granted on the principle of least privilege — each user shall have access only to the information and systems necessary for their role, and no more.
4.2 User Access Management
• All user accounts must be individually assigned — shared accounts are prohibited;
• Access rights must be reviewed quarterly and when roles change;
• Access must be revoked within 24 hours of a staff member leaving or changing role;
• Privileged access (admin rights, database access, AI configuration access) requires explicit approval from the Information Security Lead and must be logged.
4.3 Passwords
• All passwords must be a minimum of 12 characters, combining upper and lower case letters, numbers and symbols;
• Passwords must not be reused across systems;
• Staff are required to use LastPass, a company-approved password manager;
• Passwords must be changed immediately if compromise is suspected.
4.4 Multi-Factor Authentication (MFA)
MFA is mandatory for all InnerMedia systems and all systems where client data is accessible. There are no exceptions. If a system does not support MFA, it must not be used to access or store personal data without explicit Board approval.
• MFA must be enabled on: all cloud systems (AWS, Microsoft 365, Google Workspace); CMS and hosting management portals; email accounts; AI configuration platforms; any system containing client or personal data.
5. DEVICE AND EQUIPMENT SECURITY
5.1 Company and Personal Devices
• All company-issued devices must have full-disk encryption enabled;
• Personal devices (BYOD) used for work must have screen lock, encryption, and remote wipe capability enabled;
• Screens must be locked when unattended (maximum idle lock: 5 minutes);
• Devices must not be left unattended in public places without being locked or stored securely.
5.2 Remote Working
• Public Wi-Fi networks must not be used to access client data or InnerMedia systems without VPN;
• Staff must ensure their home networks are secured with WPA2 or WPA3 encryption;
• Video calls involving client data must not be conducted in public spaces.
5.3 Device Disposal
All storage media (hard drives, USB drives, mobile devices) must be securely wiped or physically destroyed before disposal. The Information Security Lead must confirm disposal and maintain a record.
6. NETWORK AND CLOUD SECURITY
6.1 AWS Infrastructure
• All InnerMedia production systems run on Amazon Web Services (AWS) UK or EU regions;
• Data at rest is encrypted using AES-256;
• Data in transit is encrypted using TLS 1.2 or higher;
• AWS security groups and IAM policies restrict access to authorised services and users only;
• AWS CloudTrail and logging are enabled to record all API activity;
• AWS IAM permissions are reviewed regularly to remove stale or overprivileged roles.
6.2 AI Infrastructure Security
• Anthropic Claude is accessed exclusively via our company account, not personal accounts;
• Each client's AI configuration is logically isolated and not accessible to other clients;
• Prompt injection attack mitigation is implemented in all AI product configurations;
• AI conversation logs are stored in encrypted form and automatically deleted after 360 days.
6.3 Third-Party Systems
System Security Controls
AWS (UK/EU) AES-256 at rest, TLS 1.2+ in transit, MFA, IAM, CloudTrail logging
Microsoft 365 / OneDrive MFA required, UK/EU data residency, conditional access policies
WordPress Plugin updates maintained, admin access restricted to named users, MFA enabled
SendGrid API key rotation every 90 days, restricted sending permissions
Google Workspace MFA required, EU data processing terms
Xero / Access Paysuite MFA required, access limited to finance staff only
7. SOFTWARE AND PATCH MANAGEMENT
• All software must be kept up to date with security patches applied within 14 days of release for critical patches and 30 days for standard patches;
• Software must be sourced from official, verified sources only;
• No software may be installed on company devices or InnerMedia systems without approval from the Information Security Lead;
• WordPress plugins and themes must be reviewed and updated monthly; unused plugins must be deactivated and removed;
• End-of-life software must be replaced before vendor security support ends.
8. MALWARE AND THREAT PROTECTION
• Anti-malware software must be installed and kept up to date on all company devices;
• Email filtering and anti-phishing controls must be active on all email accounts;
• Staff must not click links or open attachments from unknown or suspicious sources;
• Removable media (USB drives) from external sources must not be used on InnerMedia systems without explicit approval and virus scanning;
• Staff must report phishing attempts to the Information Security Lead immediately.
9. PHYSICAL SECURITY
• Physical access to any workspace containing sensitive data must be controlled;
• Sensitive documents must not be left unattended;
• Printed documents containing personal data must be shredded (cross-cut) before disposal;
• Clean desk policy applies — sensitive information must be secured at end of working day.
10. SECURITY INCIDENT MANAGEMENT
ANY suspected security incident — however minor — must be reported to the Information Security Lead immediately. Do not investigate or attempt to resolve an incident independently.
10.1 What to Report
• Suspected or confirmed unauthorised access to any system or account;
• Loss or theft of any device containing business data;
• Receipt of suspicious emails (phishing, malware);
• Unexpected system behaviour that may indicate a breach;
• Accidental disclosure of personal data;
• AI product anomalies (unexpected outputs, data exposure).
10.2 Incident Response Process
• Contain: Immediately isolate affected systems or accounts to prevent further harm;
• Report: Notify the Information Security Lead within 1 hour;
• Assess: Information Security Lead assesses scope, severity and whether personal data is affected;
• Escalate: If personal data is affected, activate the Data Breach Response in the Data Protection Policy;
• Recover: Restore systems from clean backups where necessary;
• Review: Conduct a post-incident review within 5 Business Days and update controls as required;
• Document: Record all incidents in the Security Incident Register.
11. BUSINESS CONTINUITY AND DISASTER RECOVERY
11.1 InnerMedia's primary infrastructure is hosted on AWS, which provides built-in redundancy, automated backups and geographic resilience within UK/EU regions.
11.2 The following recovery objectives apply:
System Recovery Point Objective (RPO)
Client website hosting 24 hours
AI product infrastructure 1 hour
Internal systems (email, documents) 24 hours
11.3 Business continuity plans shall be tested at least annually by the Information Security Lead and reviewed following any significant incident.
12. RISK MANAGEMENT
12.1 The Information Security Lead maintains a Security Risk Register, reviewed quarterly. Risks are assessed by likelihood and impact and assigned to an owner for remediation.
12.2 Any new information system, AI feature or sub-processor must undergo a security risk assessment before deployment, including a Data Protection Impact Assessment (DPIA) where required under UK GDPR.
13. SUPPLIER AND SUB-PROCESSOR SECURITY
13.1 All suppliers and sub-processors with access to InnerMedia systems or client data must:
• Sign a Data Processing Agreement (DPA) or equivalent sub-processor agreement;
• Demonstrate compliance with appropriate security standards (ISO 27001, SOC 2, or equivalent);
• Report any security incident affecting InnerMedia data within 24 hours;
• Allow InnerMedia to audit their security controls on reasonable notice.
13.2 Supplier security shall be reviewed annually. Suppliers who cannot demonstrate adequate security shall be replaced.
14. STAFF TRAINING AND AWARENESS
• Security awareness training is mandatory at induction and annually;
• Staff working with AI products or client data must complete additional training;
• Phishing simulation exercises shall be conducted at least twice per year;
• Training completion records are maintained by the Information Security Lead.
15. POLICY REVIEW
This policy shall be reviewed annually by the Information Security Lead and approved by the Board. It shall also be reviewed following any significant security incident or material change to InnerMedia's systems or services.