These Stowlog Customer Terms and Conditions ("Terms"), regulate the access and use of Services by the Customers. These Terms and its annexes, the Annex 1 - Service Order (SO), and any other terms or documents incorporated by reference herein, constitute a single, binding agreement ("Agreement") between the person who has entered into the Agreement ("Customer"), whose denomination and contact details are included in the Annex 1 - Service Order ("SO"), and Estudio Cactus Media S.L., a company incorporated in Spain, registered at Rda Circunvalación 188, Castellón de la Plana, Spain ("Provider" or "Stowlog").

The Customer can consulate and download these Terms at https://stowlog.com/legal/terms-and-conditions. This link is provided to the Customer in the SO for this purpose. By accepting an SO, issuing a Purchase Order ("PO") or registering for an account to access the Services, the Customer acknowledges and agrees that has read and understood these Terms and agrees to be bound by them without reservation. These Terms shall apply to all Services ordered by the Customer from Stowlog. Any general terms and conditions of the Customer, or any proposed amendments by the Customer relating to these Terms, shall not apply, even if they have not been expressly rejected by Stowlog. If the Customer does not agree to these Terms, they have no right to access or use the Services.

If Customer accepts or agrees to these Terms on behalf of a company (such as Customer's employer, representative or proxy ) or another legal entity, Customer represents and warrants that (i) Customer has full legal authority to bind such entity to these Terms, (ii) Customer has read and understands these Terms, and (iii) Customer agrees to these Terms on behalf of the entity that Customer represents. In such an event, "Customer" will mean the legal entity Customer represents.

Once the Agreement has been formalized through acceptance of the corresponding Annex 1 - Service Order (SO) subject to these Terms, the Customer shall issue a Purchase Order which shall be incorporated as part of this Agreement.

1. Definitions

Admin Dashboard: Website where Facility Members access with their credentials to manage all the information collected by Stowlog App on their facility.

External User: An individual (e.g., contractor, driver, visitor) who interacts with the Facility via the App and Website Version and provides information and/or data specified by the Customer.

Device Requirements: The document detailing the minimum hardware and device specifications necessary for the operation of certain Modules, including kiosk tablets and App user mobile devices, publicly available at Annex 4 – Minimum Device Requirements.

Effective Date: means the Subscription Term start date, as indicated on the Annex 1 - Service Order (SO); if no such date is indicated, the date of last signature of the Annex 1 - Service Order (SO).

Facility: A workspace within the Platform representing a physical site or operation managed by the Customer.

Facility Admin: Facility Member with permissions to manage Facility settings, invite other Facility Members, and allocate Seats.

Facility Member: Seat with access to the Admin Dashboard to manage data generated by App Users.

Intellectual Property Rights: means any and all registered and unregistered rights granted, applied for or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.

Module: A functional component within the Platform (e.g., Safety Induction, Control of Contractors, Control of Visitors), each with its own pricing and features. The detailed description of each Module's functionality and limitations is publicly available at Annex 2 - Services.

Service Order (SO): The document that outlines the Customer's selected Modules, Seat quantities, applicable pricing, discounts (if any), and total commercial conditions agreed upon between the parties. The SO is included as Annex 1 and represents the binding commercial summary of the Customer's PO.

Platform: The Stowlog software-as-a-service (SaaS) platform consisting of a mobile and web application ("Stowlog App"), an Admin Dashboard, and a Public API.

Purchase Order or PO: The document (digital or physical) that specifies Services contracted by the Customer, as well as, the price and other specifications, which must match the provisions of the SO to which it is linked.

Provider IP: means (i.) the Platform, API, Documentation, and all Intellectual Property Rights provided to Customer or Seat by Supplier in connection with the Platform, as well as (ii.) any Customer- or Facility Admin or Facility Member or Seat -made suggestions for improvements, enhancements, recommendations, corrections, or other feedback relating to the Services ("Feedback"). For the avoidance of doubt, Provider IP includes aggregated statistics and any information, data, or other content derived from Provider's monitoring of Customer's access to or use of the Platform.

Seat: Customer's employee or consultant who are authorized by the Customer to access and use a Module under the rights granted to Customer pursuant to this Agreement.

Services: Specific products, services, Modules, Seats and use of the Platform indicated in the Annex 1 - Service Order (SO).

SLA Agreement: The document that defines service level targets, including uptime, response times, and maintenance procedures, publicly available at Annex 3 - SLA.

Subscription Term: The duration of the subscription (monthly or annual) as specified in the Annex 1 - Service Order (SO).

2. Use of the Services

2.1. Subject to the terms and conditions of the Agreement Provider Gants Customer a non-exclusive, revocable, worldwide, non-transferable, non-sublicensable right to access and use of the Services during the Subscription Term only for the Customer's internal business operations. The Platform is a standardized SaaS product, not a custom software development service.

2.2. Each Module has a distinct Module Price and Price per Seat as detailed in the Annex 1 - Service Order.

2.3. Each Facility operates as an independent workspace; Modules and Seats are specific to that Facility. Facility Admins can invite Facility Members up to the Seat limit defined per Module.

2.4. The Customer acknowledges and accepts that:

• The features and limitations of each Module are publicly detailed at Annex 2 - Services, which forms an integral part of this Agreement.
• Service performance levels are governed by the SLA Agreement available at Annex 3 - SLA.
• Hardware and device prerequisites are defined in the Device Requirements available at Annex 4 - Minimum Device Requirements, and it is the Customer's responsibility to comply with them to ensure full system functionality.
• The specific commercial terms, modules subscribed, quantities, and pricing are set out in the Annex 1 – Commercial Service Order (SO), which forms part of this Agreement.

2.5. Stowlog may change the features and functions of the Platform, over time. It is Customer's responsibility to ensure that its use of the Platform is compatible with the then-current configuration, including APIs. Provider will endeavour to avoid changes to its APIs that are not backward-compatible. If any such changes become necessary, Provider will use reasonable efforts to notify Customer prior backward compatible.

3. Access and Use

3.1. To use or access the Platform, each Seat must register for a user account. Customer agrees to provide Stowlog with accurate, complete, and up-to-date information with respect to its user accounts. Upon registration, Provider shall provide Customer with the necessary credentials and network links or connections to allow Customer and its Seat to access the Services. For the External Users the access is provided through the Stowlog App (mobile or web). Login credentials are personal and must not be shared.

3.2. For each Seat, Customer shall obtain and maintain all required consents, acknowledgments, and agreements from such individuals for (i) Customer's access to Seat accounts and data and (ii) Seat' agreement to comply with the applicable terms of this Agreement. The Customer is responsible for all actions taken under its accounts. Stowlog is not liable for any acts or omissions by Customer in connection with its user accounts. Customer agrees to notify Provider immediately if it knows or has any reason to suspect that its user accounts have been accessed without Customer's authorization, or that any of the associated usernames or passwords have been stolen, misappropriated, or otherwise compromised. If Customer's user accounts are so compromised, Customer agrees to comply with all reasonable requests Stowlog may make to change Customer's usernames and/or passwords, and to otherwise secure Customer's user accounts. The Customer is responsible for complying with its legal obligations, especially with regard to data protection in relation to the information required from External Users.

3.3. The Provider may suspend access for security reasons, for Customer or its Seat violation of this Agreement, or non-payment as indicated in this Terms.

3.4. All licenses granted in this Agreement are subject to the limitations specified in Customer's Annex 1 - Service Order (SO). In addition, Customer shall not, and shall not permit any other person to, access or use any Services except as expressly permitted by this Agreement. For purposes of clarity and without limiting the generality of the foregoing, Customer shall not, and shall not permit:

• interfere with or disrupt the Services or servers, networks or devices connected to the Services, including by transmitting any worms, viruses, spyware, malware or any other code of a destructive or disruptive nature;
• inject content or code or otherwise alter or interfere with the way any of the Services are rendered or displayed in a user's browser or device;
• reverse engineer, disassemble, decompile, decode, or otherwise attempt to derive or gain access to the source code of the Platform or any part thereof;
• take any action that imposes an unreasonable load on Provider's infrastructure;
• access, tamper with or use non-public areas or parts of the Services, or shared areas of the Services that Stowlog has not invited Customer to access;
• access, search or create accounts for the Services by any means (for example, scraping, spidering or crawling) other than our publicly supported interfaces;
• copy, modify, or create derivative works or improvements of the Services;
• rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services to any other person, including through or in connection with any time-sharing, service bureau, software as a service, cloud or other technology or service;
• remove, delete, alter, or obscure any trademarks or any copyright, trademark, patent, or other intellectual property or proprietary rights notices from any Services, including any copy thereof;
• use any Services in a manner or for any purpose that infringes, misappropriates, or otherwise violates any law or intellectual property right;
• dissenminate or transmit material that, to a reasonable person, may be abusive, obscene, pornographic, defamatory, harassing, grossly offensive, vulgar, threatening, or malicious;
• creating a false identity or otherwise attempting to mislead any person as to the identity or origin of any communication;
• use the Services for purposes of competitive analysis or the development of a competing software product or service, or otherwise extract information from the Services in furtherance of competing with Provider;
• access or use the Services in a manner intended to avoid incurring Fees (e.g., creating multiple accounts to simulate or act as a single account) or to circumvent Service-specific usage limits or quotas; or
• otherwise use the Services beyond the scope of the licenses granted in this Agreement.

4. Subscription Model and Activation

4.1. Subscriptions are based on a combination of Module Price (fixed fee per module per term) and Seat Price (per-user fee). Additional Seats may be added mid-term and billed prorated. Seat reductions or cancellations apply only at renewal. If there is a reduction in seats during an annual contract, there will be no pro-rated financial compensation for the reduction in those seats.

4.2. The Subscription Term (monthly or annual) shall commence on the date the Provider receives a valid PO or full payment, whichever occurs first. If, during an annual subscription, the Customer increases the number of Seats, these Seats will be invoiced on a pro rata basis until the annual renewal date. Upon receipt of a valid Purchase Order, the Provider will activate the contracted Modules, enable the Customer's Facility in the Platform, and issue initial access credentials to the Facility Admin. The Customer acknowledges that activation constitutes the start of the subscription period.

5. Payment Terms

5.1. The Customer may select either monthly or annual billing, as specified in the Annex 1 – Service Order (SO). Customer shall pay all fees set forth on SO. Prices exclude applicable taxes (VAT or equivalent), which will be added where required.

5.2. Invoices will be issued immediately upon receipt of the PO or upon renewal.

5.3. Payment is due within the period stated in the Annex 1 – Service Order (SO). If Customer fails to make any payment when due then, in addition to all other remedies that may be available, if such failure continues for thirty (30) days following written notice thereof, Stowlog may suspend performance of the Services until all past due amounts and interest thereon have been paid, without incurring any obligation or liability to Customer by reason of such suspension. Once the amounts owed have been paid, Stowlog will restore the suspended Service.

5.4. All fees are non-refundable except as required by law.

6. Term and Termination

6.1. This Agreement begins upon the Provider's receipt of a valid Purchase Order (PO) and continues for the Subscription Term defined in the Annex 1 – Commercial Service Order (SO).

6.2. The Provider may suspend the Service for the reasons indicated in clause 5.3 above. If the unpaid amounts are not settled within the specified period, after an additional 30 days, Stowlog may unilaterally terminate the Agreement by notifying the Customer, without this giving rise to any compensation in favor of the Customer and without prejudice to the Provider's right to take legal action to seek compensation for damages caused by the Customer's breach of contract.

6.3. Annual plans renew automatically unless canceled with 30 days' notice. Monthly plans renew automatically unless canceled before the next billing cycle. Upon termination, all Customer access will be revoked, and data handled in accordance with the Provider's data retention policy described in Annex 5 - Data Processing Agreement (DPA).

7. Service Levels and Support

7.1. The Provider maintains an ISO 27001:2023-certified information security management system. The Platform is hosted on Cloud infrastructure.

7.2. Support is provided via:

• https://support.stowlog.com
• support@stowlog.com

7.3. Specific SLA metrics and commitments are detailed in the SLA Agreement available at Annex 3 - SLA. Status services monitor available at https://status.stowlog.com. Customer acknowledges that customer support services shall not apply to its own hardware and/or software, or to any modifications requested by Customer for the Platform, nor does it apply to third parties' hardware and/or software, even if it has been installed along with the Platform.

7.4. Customer agrees that Stowlog may collect and use technical information gathered as part of the support Services provided to Customer. Provider may use this information to improve Stowlog's products, but for no other purpose. Provider will not disclose this information in a form that identifies Customer to any third parties.

8. Data Protection

8.1. Stowlog's Privacy Policy, located at https://www.stowlog.com/legal/privacy, forms part of the Agreement. By using the Services, Customer agrees to the terms specified in the Privacy Policy.

8.2. The Provider acts as a Data Processor and the Customer as Data Controller under the EU GDPR. Personal data processing terms are detailed in Annex 5 - Data Processing Agreement (DPA).

8.3. Customer agrees and acknowledges that Customer determines, at its own discretion, the means by which and scope according to which it acquires any Personal Data—as well as the nature and origins of any Personal Data—and which Customer or its Seat or External Users make available to Stowlog for processing by Stowlog or its subprocessors in order to perform the Services. Stowlog does not determine the means by which and scope according to which Customer acquires any Personal Data, nor the nature and origins of any such Personal Data. Provider shall comply with the requirements of laws and regulations applicable to Provider in its capacity as a Processor, as this term is defined in the DPA, when it processes Personal Data as part of the Services. Customer is solely responsible for ensuring that it complies with any legal and regulatory requirements.

In this regard: (i) Customer agrees that Stowlog acts solely as a Processor, as this term is defined in the DPA, with respect to such Personal Data; (ii) Customer represents and covenants that Customer has obtained, or will obtain prior to processing by Provider or its subprocessors, all necessary approvals, consents, and/or licenses—or otherwise has a valid legal basis under applicable law(s)—for the processing of any Personal Data made available to Provider by Customer or External Users as part of the Services; and, (iii) Customer shall not cause Stowlog to process Sensitive Personal Data without the prior written approval of Stowlog, unless such Sensitive Personal Data has been converted into information which does not relate to an identified or identifiable person, or information that is rendered anonymous in such a way that a natural person is not or no longer identifiable ("Anonymous Data") prior to such upload.

9. Confidentiality

9.1. "Confidential Information" means information belonging to or in the possession or control of a Party (the "Disclosing Party"), its customers or its suppliers which is of a confidential, proprietary, or trade secret nature, including without limitation all business information, technological information, intellectual property, training materials, software, and other information related to Disclosing Party's business, technology, products, customers, personnel or finances, that the other Party (the"Receiving Party") has access to under this Agreement and that are not readily available to the general public (collectively, "Confidential Information"). As between the Disclosing Party and Receiving Party, Confidential Information will remain the property of the Disclosing Party. Receiving Party will preserve and protect all Disclosing Party Confidential Information and Receiving Party will not disclose the existence, source, or content of Confidential Information, except to its employees or contractors with a need to know and under obligation of confidentiality at least as stringent as under this Agreement.

9.2. Confidential Information will not include information that (a) is already known to Receiving Party, free of any obligation to keep it confidential; (b) is or becomes publicly known through no wrongful act of Receiving Party; (c) is received by Receiving Party from a third party without any restriction or confidentiality; (d) is independently developed by Receiving Party without reference to Disclosing Party's Confidential Information; or (e) is disclosed to third parties by Disclosing Party without any obligation of confidentiality.

9.3. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.

10. Intellectual Property

10.1. Customer acknowledges that Provider owns all right, title and interest, in and to the Providers IP, including all Intellectual Property Rights. No ownership or source code access is transferred to the Customer. Customer further agrees that with respect to Feedback, Stowlog will have the irrevocable, non-exclusive, worldwide right (without any obligation to Customer) to use, publish, and disclose, and to develop, supply, and exploit those of its services which incorporate or are based on any Feedback, in each case as Provider so chooses.

Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.

10.2. The Provider will defend and indemnify the Customer against third-party claims alleging that the Stowlog Platform, used as authorized under this Agreement, infringes any intellectual property rights, when finally awarded by a court of final appeal attributable to such a claim provided that: (a) The Customer notifies in writing the Provider of any claim as soon as reasonably practicable; and (b) allows Provider to control and reasonable cooperates with Provider in the defense of, any such claim and related settlement negotiations.

10.3. This obligation does not apply to claims arising from (i) modifications made by the Customer or third parties, (ii) combinations with systems not provided by the Provider, or (iii) use contrary to documentation, (iii) Customer's failure to use updated or modified versions of the Services that have been made available to Customer; (iv) the combination, operation or use of the Services with equipment, devices, software, systems, or data that were not supplied by Provided if a claim would not have occurred but for such combination, operation, or use.

10.4. In such an event, the Provider may (1) procure the right for the Customer to continue using the Platform, (2) modify the Platform to make it non-infringing, or (3) terminate the affected service and refund any prepaid, unused fees.

10.5. This clause sets out the Customer's sole and exclusive remedy and the Provider's entire liability with respect to any claim of intellectual property infringement.

11. Warranties and Disclaimers

11.1. Each party represents and warrants to the other that: (i) Such party is duly organized and in good standing under the laws of its jurisdiction of organization and in each other jurisdiction where such organization or good standing is required for the performance of this Agreement; (ii) Such party's entry into and performance under this Agreement has been duly approved by all necessary corporate action, and does not violate any constituent instrument of such party; and, (iii) Such party's entry into and performance under this Agreement does not violate any law or regulation, judicial or executive order, or contractual commitment by which such party is bound.

11.2. The Platform is provided on an “as is” basis without warranty of uninterrupted operation or error-free performance and without warranties or representations of any kind, either express or implied. The Customer acknowledges that the Platform is a multi-tenant SaaS product and not custom software.

11.3. The Customer further acknowledges that the scope of each Module is exhaustively defined at Annex 2 - Services, and no implied functionalities are included beyond those specified.

11.4. To the fullest extent permissible pursuant to applicable law, Stowlog disclaims all warranties, statutory, express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose and title. No advice or information, whether oral or written, obtained by Customer from Stowlog or through the services, will create any warranty not expressly stated herein.

12. Limitation of Liability

12.1. Neither party is liable for indirect, consequential, or special damages, including data loss or lost profits.

12.2. The Provider's total liability under this Agreement shall not exceed the total fees paid by the Customer in the 12 months priorto the claim. These limitations do not apply to liability arising from gross negligence or willful misconduct.

12.3. Customer and Provider agree that any cause of action arising out of or related to this agreement must commence within one (1) year after the cause of action accrues. otherwise, such cause of action is permanently barred.

13. Miscellaneous

13.1 Governing Law and Jurisdiction: This Agreement shall be governed by and construed under the laws of Spain, and the parties submit to the exclusive jurisdiction of the courts of Castellón de la Plana, Spain.

13.2 Conflicts: If there is any conflict between the terms of these T&Cs and its Annex, the Annex 1 - Service Order (SO) and the PO, the documents will control in the following order: the Annex 1 - Service Order (SO), these T&Cs and its annexes, and PO.

13.3 Publicity. Stowlog is proud that Customer is a part of its community. Customer grants Stowlog a worldwide, non-exclusive, royalty-free, non-transferable license to use Customer's trademarks, service marks, and logos for the purpose of identifying Customer as a Provider customer in order to market or otherwise promote Provider.

13.4 Non-solicitation. During the term of this Agreement and for a period of two (2) years after its expiration or termination, Customer will not, either directly or indirectly, solicit for employment any person employed by Provider.

13.5 Force Majeure: Each party's failure in its obligation of performance hereunder (except payment obligations) shall be excused or delayed to the extent that such failure is caused by events beyond such party's reasonable control (an event of force majeure). Such events include, without limitation, casualties, natural disasters, terrorism, cyberattacks, acts of God, civil disturbance, labor disputes, strikes, riots, but expressly exclude market conditions and obligations to pay money. A party claiming the occurrence of such an event shall promptly notify the other party thereof.

13.6 Waiver. A provision of any of the terms in this Agreement may be waived only by a written instrument executed by the party entitled to the benefit of such provision. The failure of either party to assert a right hereunder or to insist upon compliance with any term or condition will not constitute a waiver of that right or excuse any subsequent non-performance of any such term or condition by the other party.

13.7 Severability. If any provision of this Agreement shall be unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from this Agreement and shall not affect the validity and enforceability of any remaining provisions.

13.8 Survival. The following Sections will survive expiration or termination of this Agreement: 1 (Definitions) 5 (Payment terms), 9 (Confidentiality) 10 (Intellectual Property) 11 (Warranties and disclaimers), 12 (Limitation of Liability and Damages).

13.9 Relationship of the parties. Nothing contained in this Agreement will be construed as creating any agency, partnership, joint venture, or other form of joint enterprise, employment, or fiduciary relationship between the parties, and neither party shall have authority to contract for or bind the other party in any manner whatsoever.

13.10 Assignment: The Customer may not assign this Agreement without written consent.

13.11 Notices: Notices shall be sent via email or registered mail to the addresses in the Annex 1 - Service Order (SO).

13.12 Amendments: Provider may update these terms with 30 days' notice; continued use implies acceptance.

Revised version November 2025.

Annex 2 - Software Modules Services

Type of Users

Seat: Customer's employee or consultant who are authorized by the Customer to access and use a Module under the rights granted to Customer pursuant to this Agreement.

Facility Member: Seat with access to the Admin Dashboard to manage data generated by External Users.

Facility Admin: Facility Member with permissions to manage Facility settings, invite other Facility Members, and allocate Seats.

External Users: The external user (Truck driver, contractor, visitor, passenger, provider, etc.) that access the App, Kiosks and Website version of Stowlog to carry out all the different procedures through the modules.

General aspects of the system

Admin Dashboard: Website where Facility Members access with their credentials to manage all the information collected by Stowlog App on their facility.

App / Website version: Mobile App or Website Version Where App Users can register and use Stowlog. The App is available at Google Play and Apple Store or https://app.stowlog.com.

User Types: These are the types of users that each facility decides will use the App/Website Version. For example: Truck Drivers, contractors, visitors, etc.

Custom Fields: Each facility can request all the documentation and information it needs for each type of visitor. This information can be collected with attachments, free text, multiple choice options, and expiry dates.

Login/Sign-up system: Users can register with their email address, Google/Microsoft account, or a username.

QR Authorization Pass: With the registration, the App User has a QR on the main screen of his profile in the App / Website Version that they can access during their visits to the facility and be identified quickly through the QR Scan reader from the Admin Dashboard.

Multilingual: The App / Website Version is available in different languages and can be adapted to any desired language. The Admin Dashboard is in English.

SOS number: In the App / Website Version there is an emergency button that, by pressing it, calls directly to the emergency telephone number of the port logistic facility where you are registered at that moment. This SOS number is managed by the Facility Admin through Stowlog's Admin Dashboard.

Push Notifications: App Users can receive messages from the facility and they are stored in the notifications section of the App, with a history of all messages. Module Users can send notifications from the Admin Dashboard to the appropriate App Users based on the content of the message; E.g. they can send notifications only to truck drivers, only to contractors, or to the entire port-logistics community.

In addition, from the Admin Dashboard the customer can decide what action the App should perform when the notification is clicked: Open the App, redirect to an external URL decided by the Module Users, call a phone number decided by the Module Users or attach a file.

User profile page: From the Admin Dashboard, you can view all the information corresponding to each Application User.

Data Dashboard and Reports: All the data collected from the different modules can be downloaded on a .csv file from the Admin Dashboard, allowing the customer to create their own reports. Moreover, the most important data is displayed in a graphical dashboard in the customer's Admin Dashboard.

Email Workflows notifications: most of the events related with the workflows of each specific module sends automatic emails to all the users. Email notifications are sent in English.

Public API: All the modules of Stowlog have an open public Rest API exposed for 3rd party requests through an API Token. The costs will depend on the number of requests.

Modules of Stowlog

The functionalities of the different modules available in Stowlog are described below.

Safety Induction

This module manages safety training for each type of Application User, consisting of two parts:

Part 1: Viewing the induction content from the App/Web Version.
This consists of content (video, images or PDF) explaining the safety and security recommendations that different types of visitors must follow when accessing port facilities. This content is provided by the customer through the Admin Dashboard.

Part 2: Taking the exam from the App/Web Version.
After viewing the induction content, Application Users must pass a multiple-choice test in order to pass the training. Once users pass the test, they are granted access to the facility and receive a PDF certificate through email. The questions are created and edited from the Admin Dashboard by the customer.

In addition, an external URL (Safety Kiosk) is generated so that safety inductions can also be carried out on site at the facilities.

These are all the features that can be performed from the Admin Dashboard:

• View all data regarding completed or expired Safety Inductions
• Filter the displayed data in the Inductions table
• Export the data in CSV format
• Create the questions based on the lessons
• Upload the lesson multimedia (videos, PDFs or images)
• Define the expiration of by user type
• Define mandatory / optional lessons for each user type
• Define the number of questions displayed in the exams for each lesson
• Set the passing score for the exam
• Download the Safety Induction

These are all the features that can be performed from the App / Website Version / Safety Kiosk:

• View the safety induction
• Take the exam
• Obtain the safety induction certificate via email

Visits Management

This module digitises the entire flow of external visitors to the facility.

Admin Users of the facility can schedule individual or group visits. Likewise, the Application Users will be able to register and request visits through the App / Website Version.

An URL is generated (Visits Kiosk) to check in and check out the visitors in the different entrances of the facilities. This URL is displayed in a device provided by the customer.

These are all the features that can be performed from the Admin Dashboard:

Access all data related to visits at any time.

Access all data related to visit requests at any time.

Create, Accept, Deny, Delete or Edit individual or group visits

Configure custom visit questions with the following options:
• Based on user type
• Open-ended
• File attachment
• Dropdown selection
• Pre-visit (to be answered when requesting a visit)
• On-site (to be answered during checking-in at the Visit Kiosk)
• Optional
• Required

Configure custom visit questions with the following options:
• Enable mandatory completion of the Safety Induction before a visit request can be submitted.
• Send an Emergency Push Notification to all users currently checked-in
• Export visits report in CSV format
• Enable a security validation as a requirement for visit approval
• Create recurrent visits
• Print the visit badge
• Add the visit to their calendar
• Resend the visit confirmation email to the user with the visit information

These are all the features that can be performed from the App / Website Version:

• Request Visits
• See the status of their visits
• Cancel a visit request while the its status it's pending

3D Geoposition Map

This module consists of the design and development of an interactive 3D map of the facilities, which is displayed on the Web Version/App and on a URL that the client can publish wherever they wish. The 3D map of the facilities offers 360º rotation, zoom functions and various interactive features.

Among the public layers (visible when the URL is shared), the interaction points layer contains virtual points that display pop-ups with HTML content, such as text, images, videos or links, when clicked. The route layers include predefined routes between two points (A to B), and the highlight layer marks specific areas for emphasis.

Private layers (hidden when the URL is shared), which can only be accessed through the Admin Dashboard, include the Stowlog users layer, which displays the real-time geolocation of Stowlog app users. Clicking on a user displays a pop-up window with the user's details, speed, altitude and an option to send a push notification.

The user must download the Stowlog App and enable location permissions for it to be visible from the Admin Dashboard. Accuracy will vary depending on the GPS signal emitted by the mobile device at that time.

These are all the features that can be performed from the Admin Dashboard:

• Interact with the public and private layers of the 3D Map
• Set the facility speed limit
• Enable/disable geoposition tracking for user types
• Send push notifications to Stowlog tracked users

These are all the features that can be performed from the App / Website Version:

• Interact with the public layers of the 3D Map
• See their own position within the facility (only through the App)

Control of Contractors

This module enables the complete digitalization of work permits and provides document control for the required documentation that companies must submit in order to be eligible for work within a facility.

From the Admin Dashboard, the HSSE team will create the companies, upload all the documentation and create the different PTW requests. Moreover, they will have all the PTW information and stats and make the corresponding inspections log.

From the App/ Website Version, the contractor will receive the PTW request from the facility, fill it with additional information and sign it. Then, they will be able to see the summary of their PTWs and the current timeline of their work.

In this module, the key roles of the Admin Dashboard are:

Issuers: usually the head of departments of the facility who fills the PTW forms. Their signature is needed to proceed with the approval of a PTW.

Authorizers: usually the head of HSSE who authorizes the work. Their signature is needed to proceed with the approval of a PTW.

These are all the features that can be performed from the Admin Dashboard:

• Create and manage company profiles
• Track and validate company documentation
• Upload, delete or replace company documents
• Access to document history log
• Authorize or disallow companies to determine their eligibility to work at the facility
• Issue permits to work filling the PTW form
• Filter the data on the Permits table and export it as a CSV file
• Cancel or Close approved permits
• Make inspection logs
• Add observations, which are visible to the contractor in the permit details
• Make PTW extensions
• Sign the PTW
• Access detailed information for each permit to work
• Accept or Deny extension requests submitted by contractors
• Reject the issued permits
• Cancel the issued permits

These are all the features that can be performed from the App / Website Version:

• View assigned permits and their current status
• Sign the permit to work
• Upload attachments to a permit to work
• Edit the “Staff on Site” section of a permit to work
• Notify the issuer upon completion of work
• Request an extension to complete the work

Permit to Work Template and Workflow

The PTW is based in 7 steps and it is filled by Customer on the Admin Dashboard:

• Step 1:
  • Select the Company
  • Select the Department / Area you are issuing the permit from.
  • Select the Contractor in charge
• 
  Step 2:
  • Select the start date and time
  • Select the end date and time
  • You can create a permit from more than one day.
• 
  Step 3:
  • Select the location in which the work is going to take place. Upon selecting the main location, you will need to specify it. E.g: Container yard (main), Block 12 (specific).
  • If you don't see a location, you can create one by clicking on Other.
  • Describe the scope of work.
• 
  Step 4:
  • Select the Contractors on site
• 
  Step 5:
  • Decide whether the permit is a Generic type of work or is a high-risk activity.
    • Generic type of work: General permit to work is used for normal maintenance work and inspections around the operational areas without any hot work, working at height or any high risk activity.
    • High-risk activity
      • Select the types of work you are going to do and the associated high-risks.
      • If you don't see the high-risk you are looking for, you can create a new one.
      • Note: the risks created will be available in future permit issuing processes.
• 
  Step 6:
  • Select the necessary PPEs. By default, some mandatory PPEs can be established per terminal.
  • If you don't see the PPE you are looking for, you can create it.
  • You can view the PPE matrix
  • Note: the PPEs created will be available in future permit issuing processes.
• 
  Step 7:
  • Write some precautions the contractor should be aware of.
  • Upload any relevant attachments related to this work.
  • Ask the contractor to upload any relevant documents for this work; you can ask for specific documents or leave it up to the contractor to upload what they think might be relevant.
  • Note: the documents uploaded will be visible by everyone (including the contractor), and if you don't give permission to the contractor, they won't be able to upload any documents.

Extensions of PTW

Contractors or Customer personnel can request for extension of the PTW:

Step 1: Person in Charge

• The contractor can ask for an extension through the App / Web:
  • Provide a reason
  • Select the date
  • Select the extra time
• Note: By default the date is selected to the original end date of the permit and we extend the time in one hour. The permit can only be extended to a maximum of 12h from the original end date and time.

Step 2: Customer

• Generic type of work:
  • Does the area remain the same?
  • Does the scope of the work remain the same?
  • If the answer to both questions is affirmative, the permit can be extended.
  • If the answer to both questions is negative, the permit cannot be extended and a new one must be created.
• High-risk type of work:
  • Do the risks remain the same?
  • Does the area remain the same?
  • Does the scope of the work remain the same?
  • If the answer to all questions is affirmative, the permit can be extended.
  • If the answer to all questions is negative, the permit cannot be extended and a new one must be created.

Risk Assessment

This module allows facility staff to digitize the risk assessment process, monitor terminal risks, and take proactive measures to mitigate them. To access this specific module, the login is the same as the Admin Dashboard.

These are the functionalities of the module:

• Configure the facility's information such as the Locations, Stakeholders, Departments, Functions, and Who is at risk
• Create new statuses for Risk Assessments
• Create a Risk Assessment
• Review a Risk Assessment
• Approve a Risk Assessment
• Change the status of a Risk Assessment
• Delete a Risk Assessment
• Export a Risk Assessment to PDF
• View and filter the Risk Assessment Directory
• Access and export the data on the Dashboard
• Add comments and attachments to a Risk Assessment

Risk Assessment Process Details

• Step 1: Risk Details
  • Function
  • Activity
  • Risk Owner
  • Employees Involved
  • Departments Included
  • Stakeholders Included
  • Location
• 
  

  Step 2: Task and Controls

  Tasks: you can add as many as you want

  • Task
  • Who is at risk
  • Hazard
  • Unwanted Event
  Controls: you can add as many as you want
  • Existing Controls
    • Description
    • Hierarchy of Control
    • Risk score
  • Proposed Controls
    • Description
    • Hierarchy of Control
    • % of implementation
    • Risk score

Suspensions

Through the Admin Dashboard, the Admin Users will be able to suspend the misconduct and behaviour of the different Application Users who break the rules within the port facility, banning the access.

In the App, Application Users receive push notifications once they are suspended with the suspension information and the next steps to follow, such as reset the safety induction. Moreover, Application Users have the chance to submit an appeal to the suspension.

These are all the features that can be performed from the Admin Dashboard:

• Suspend the user directly
• Ban the user's entrance permanently
• Determine the outcome of a suspension, including whether the user is banned permanently or for a fixed duration, and if they are required to retake the safety induction test
• Accept or deny the suspension proposals
• Overrule an active suspension
• View all data
• Create a suspension proposal
• Propose the suspension outcome including whether the user is banned permanently or for a fixed duration, and if they are required to retake the safety induction test

These are all the features that can be performed from the App / Website Version:

• See the status of your suspensions
• Submit an appeal

Public API Services

Stowlog has a Public REST API platform to interact with its different modules. The API is organized around REST, using HTTP responses code to keep you informed about what's going on.

Our endpoints will return metadata in JSON format. All requests are validated against an API key. All documentation can be found at: https://stowlog.readme.io

Stowlog also has the availability to request information to 3rd Public API to show in Stowlog modules. This functionality will always be under the study of additional costs.

Important Note: Any other functionality not detailed in this document shall not be considered part of the software.

Annex 3 - Service Level Agreement (SLA)

During the Term of the agreement under which Estudio Cactus Media SL has agreed to provide Stowlog to Customer (as applicable, the "Agreement"), the Covered Service will provide a Monthly Uptime Percentage to Customer as follows (the "Service Level Objective" or “SLO”):

During the Term of the agreement under which Estudio Cactus Media SL has agreed to provide Stowlog to Customer (as applicable, the "Agreement"), the Covered Service will provide a Monthly Uptime Percentage to Customer as follows (the "Service Level Objective" or “SLO”):

If Estudio Cactus Media SL does not meet the SLO, and if Customer meets its obligations under this SLA, Customer will be eligible to receive the Service Credits described below. This SLA states Customer's sole and exclusive remedy for any failure by Estudio Cactus Media SL to meet the SLO. Capitalized terms used in this SLA, but not defined in this SLA, have the meaning setforth in the Agreement.

Definitions

The following definitions apply to the SLA:

• "Back-off Requirements" means, when an error occurs, the Application is responsible for waiting for a period of time before retrying the request. This means that after the first error, there is a minimum back-off interval of 1 second and foreach consecutive error, the back-off interval increases exponentially up to 32 seconds.
• “Covered Service” Means Stowlog SaaS.
• “Downtime". means more than a five percent Error Rate. Downtime is measured based on server side Error Rate.
• “Downtime Period". means a period of five consecutive minutes of Downtime. Intermittent Downtime for a period of less than five minutes will not be counted towards any Downtime Periods.
• “Error rate". means the number of Valid Requests that result in a response withHTTP Status 500 and Code "Internal Error", "Unknown", or "Unavailable" divided by the total number of Valid Requests during that period. Repeated identical requests do not count towards the Error Rate unless they conform to the Back-off Requirements.
• “Service Credit". means the following for Stowlog SaaS

• “Monthly Uptime Percentage". means total number of minutes in a month, minus the number of minutes of Downtime suffered from all Downtime Periods in a month, divided by the total number of minutes in a month.
• “Valid Requests". are requests that conform to the Documentation, and that would normally result in a non-error response.

Technical Support

Supplier shall as part of the Services provide bug fixes, error fixing, corrections, modifications, enhancements, upgrades, and new releases and versions to the Services to ensure: (a) the functionality and content of the Services, as described in the Agreement, is available to Customer; (b) the functionality and content of the Services in accordance with the terms and conditions set forth in the Agreement, including e.g. that the Services conforming to the specifications, functions, content requirements and baseline, descriptions, standards, and criteria as set forth in the Product description; (c) that service levels can be achieved; and (d) the Services work with standard internet browsers.

Technical support description. Licensor will provide to Licensee phone and email support (“Technical Support”) 24/7 . Technical Support will include any research and resolution activity performed by Licensor.

a) Request for technical support. Users will make Technical Support requests by calling or emailing Licensor's Technical Support staff or by submitting a request via Licensor's customer service web portal. The Technical Support staff shall assign to the request the Problem Severity Level (as defined below) and as indicated by the requestor. In case of dispute as to designation of applicable Severity Level in relation to the relevant problem, incident, fault or similar, Licensee's reasonable assessment must be used.

b) Problem Severity Levels 1 and 2 response and resolution. For Technical Support requests not made by telephone, within the request response time of such a request, Licensor shall confirm to the requestor receipt of the request by Licensor. If a Problem Severity Level 1 or 2 request cannot be corrected to the reasonable satisfaction of the requestor within the request resolution time after the requestor makes the initial request for Technical Support, Licensor will: (a) immediately escalate the request to Licensor's management; (b) take and continue to take the actions which will most expeditiously resolve the request; (c) provide a hourly report to the requestor of the steps taken and to be taken to resolve the request, the progress to correct, and the estimated time of correction until the request is resolved; and, (d) every hour, provide increasing levels of technical expertise and Licensor management involvement in finding a solution to the request until it has been resolved.

c) Problem Severity Levels 3 and 4 response and resolution. For Technical Support requests not made by telephone, within the request response time of such a request, Licensor shall confirm to the requestor receipt of the request by Licensor. If a Problem Severity Level 3 or 4 request cannot be corrected to the reasonable satisfaction of the requestor within the request resolution time after the requestor makes the initial request for Technical Support, at the sole election of requestor: (a) Licensor will work continuously to resolve the request; or, (b) requestor and Licensor will mutually agree upon a schedule within which to resolve the request.

Technical support Problem Severity Levels

a) Problem Severity Level 1.

• Description. This Problem Severity Level is associated with: (a) Services, as a whole, are non-functional or are not accessible; (b) unauthorized exposure of all of part of Licensee Data; or, (c) loss or corruption of all or part of Licensee Data.
• Request response time. 30 minutes.
• Request resolution time. 2 hours.

b) Problem Severity Level 2.

• Description. This Problem Severity Level is associated with significant and / or ongoing interruption of an Permitted User's use of a critical function (as determined by the Permitted User) of the Services and for which no acceptable (as determined by the Permitted User) work-around is available.
• Request response time. 1 hour.
• Request resolution time. 4 hours.

c) Problem Severity Level 3.

• Description. This Problem Severity Level is associated with: (a) minor and / or limited interruption of an Permitted User's use of a non-critical function (as determined by the Permitted User) of the Services; or, (b) problems which are not included in Problem Severity Levels 1 or 2.
• Request response time. 8 hours.
• Request resolution time. 24 hours.

d) Problem Severity Level 4.

• Description. This Problem Severity Level is associated with: (a) general questions pertaining to the Services; or, (b) problems which are not included in Problem Severity Levels 1, 2, or 3.
• Request response time. 8 hours.
• Request resolution time. 48 hours.

Customer Must Request Service Credit

The following definitions apply to the SLA: In order to receive any of the Financial Credits described above, Customer must notify Stowlog technical support https://estudiocactus.atlassian.net /servicedesk/customer/portal/15 within thirty days from the time Customer becomes eligible to receive a Service Credit. Failure to comply with this requirement will forfeit Customer's right to receive a Service Credit.

Maximum Service Credit

The aggregate maximum number of Service Credits to be issued by Estudio Cactus Media SL to Customer for any and all Downtime Periods that occur in a single billing month will not exceed 50% of the amount due by Customer for the applicable Covered Service for the applicable month. Service Credits will be made in the form of a monetary credit applied to future use of the Service and will be applied within 60 days after the Service Credit was requested.

SLA Exclusions

The SLA does not apply to any: (a) features or Services in testing period, or (b) errors: (i) caused by factors outside of Estudio Cactus Media SL's reasonable control; (ii) that resulted from Customer's software or hardware or third party software or hardware, or both; (iii) that resulted from abuses or other behaviors that violate the Agreement.

The uptime services can always be checked at: https://status.stowlog.com

Annex 4 - Minimum Device Requirements

Due to the App working over mobile phones, Android or iPhone, and over a web browser, the solution needs certain capacity from the devices or web browser to be able to work without problems.

For Android devices, the requirements are the following:

• Minimum OS Version: Android 7.0 (API Level 24)
• Screen size: 6.2, however, any other screen size can be used, but will need scrolling
• Camera quality: 12 Megapixels

For iPhone devices, the requirements are the following:

• Minimum OS Version: iOS 15.1
• Supported Devices:
  • iPhone 7 and newer
  • iPad (5th generation) and newer

In the case that an Apple device is used as a Kiosk, the following requirements are mandatory:

• Minimum OS Version: iOS 15.1
• Minimum screen size: 11 inches
• Camera with 12 Megapixels

For the web application, the requirements are the following:

• Supported Browsers:
  • Chrome: 60+
  • Safari: 10.1+ / iOS Safari: 10.1+
  • Edge: 12+
  • Firefox: ESR

Annex 5 - Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") will be applicable in those cases in which the provision of the Services, as defined in the Terms to which this DPA is attached as an annex, implies an access or process by Stowlog (" Processor") to personal data responsibility of the Customer ("Controller"). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

In accordance with the foregoing and in compliance with the provisions of article 28 of Regulation (EU) No. 2016/679, of April 27, 2016 ("GDPR") as well as article 33 of the Spanish Organic Law 3 / 2018 of December 5, Protection of Personal Data and guarantee of digital rights (jointly "Data Protection Law"), the Parties agree to formalize this DPA.

1. Purpose and Scope

This DPA defines the rights and obligations of both parties regarding the processing of personal data in connection with the provision of the Services in accordance with Data Protection Law.

Stowlog, as a Processor, will Processing the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to countries outside the European Economic Area or to international organizations, unless required to do so by Union or Member State law to which the Processor is subject, in which case it is obliged to inform the Controller.

2. Nature, Categories of Data and Duration of Processing

• The content and duration of the processing of personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in annex 1 to the DPA.
• The terms "processing of personal data", "personal data", "data subject", "personal data breach" have the meaning given to them in the GDPR.

3. Controller Responsibilities

The Controller:

• 1. Determines the purpose and means of processing personal data within its Facility.
• 2. Ensures lawful data collection and transparency toward App Users. In this regard, the Controller shall ensure that the Processing of Personal Data complies with the requirements of the Applicable Data Protection Law and shall put in place organisational, physical and technical security measures for the protection of personal data that comply with the requirements of the Applicable Data Protection Legislation and shall make them available to the Processor to the extent necessary.
• 3. Defines data retention periods and deletion policies applicable to its Facility.
• 4. Provides a valid link to its own data protection terms or privacy policy through the Admin Dashboard, which will be displayed to App Users upon their first interaction with the Facility via the Stowlog App.
• 5. Handles all Data Subject requests (access, rectification, deletion, portability, restriction, objection) related to Facility data.

4. Processor Obligations

The Processor agrees to:

• 1. Process personal data only to the extent necessary to operate the Stowlog Platform and in accordance with documented instructions from the Controller.
• 2. Ensure that personnel authorized to process data are bound by confidentiality.
• 3. Adopt and maintain appropriate technical and organizational measures in accordance with Article 32 GDPR.
• 4. Notify the Controller without undue delay upon becoming aware of a Personal Data Breach.
• 5. Provide reasonable assistance to the Controller in responding to Data Subject requests, only if explicitly instructed by the Controller.
• 6. Maintain written records of processing activities related to account-level data.
• 7. Not transfer or process personal data outside the European Economic Area (EEA) without the Controller's authorization.
• 8. Not share Personal Data with third parties, unless the Customer has authorized such transmission.
• 9. Taking into account the nature of the Processing and the information available to Processor, Stowlog will assist Customer with ensuring compliance with the obligations laid out in GDPR Articles 32 to 36.
• 10. Protect the confidentiality of Controller's Personal Data subject to Processing under the Agreement, and to maintaining the absolute confidentiality of any Personal Data that may be known to Processor at the time the Services are provided.

5. Sub-Processors

The Controller authorizes the use of the following sub-processor indicated in Annex 2.

The Processor will notify the Controller at least 30 days in advance of any intended changes concerning additional sub-processors, giving the Controller the opportunity to object on reasonable grounds.

6. Data Security

The Processor maintains an ISO 27001-certified Information Security Management System and implements:

• Encrypted transmission (TLS 1.2+)
• Access control and authentication
• Data redundancy and encrypted backups
• Continuous monitoring and audit logs
• Regular vulnerability assessments and reviews

Security documentation may be provided upon request under confidentiality.

7. Data Subject Rights

The Processor will assist the Controller by appropriate technical and organizational measures, insofar as this is possible, to collaborate in the Controller's obligation to answer data subjects' requests to exercise their rights under Chapter III of the GDPR.

The Processor will promptly notify the Controller of any requests received from data subjects, unless otherwise required by applicable law.

8. International Transfers

The Processor stores all personal data within the European Union (AWS Frankfurt region). No data transfers outside the EEA will occur unless adequate safeguards under GDPR Articles 45–46 are in place and expressly authorized by the Controller.

9. Data Retention, Return, and Deletion

Once the existing contractual relationship between the Parties has concluded, the Customer will have a maximum period of sixty (60) days to download the information in a standard format. After this period, the information will be deleted in compliance with data protection regulations.

10. Breach Notification

In case of a personal data breach affecting account-level or Facility-hosted data, the Processor shall:

• 1. Notify the Controller within 72 hours of becoming aware of the breach.
• 2. Provide available information including nature, scope, and remedial actions.
• 3. Cooperate fully with the Controller and any supervisory authority.

11. Audits and Compliance

The Controller may request documentation demonstrating compliance with this DPA. On-site audits are permitted only where legally required or requested by a supervisory authority, with reasonable notice and subject to confidentiality.

12. Limitation of Liability

The Processor's liability under this DPA is limited to the processing of account-level data under its direct control. The Processor shall not be responsible for any loss, breach, or misuse of data arising from actions or omissions of the Controller, its users, or third parties authorized by the Controller.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of Spain, and the parties submit to the exclusive jurisdiction of the courts of Castellón de la Plana, Spain.

ANNEX 1

DESCRIPTION OF PERSONAL DATA AND THEIR PROCESSING

1. Type of personal data

Identifying information: name, professional email address, position, professional postal address, professional phone number, user^[1].

Browsing usage data: logs.

2. Categories of data subject

Registered users of the Stowlog Platform: Controller's employees, collaborators, suppliers.

3. How the data is processed

Considering that the Stowlog Platform is a SaaS, the Processor will host in its infrastructure the personal data provided by the Controller.

4. Duration of the processing of personal data

ANNEX 2

LIST AND DETAILS OF SUB-PROCESSOR

^[1] The data may be adjusted at the express request of the Controller, considering the actual scope of the service provided by Stowlog.