Free UK AI Services Agreement Template (B2B AI System Procurement)

AI SERVICES AGREEMENT

England And Wales  ·  EU AI Act 2024/1689  ·  UK GDPR (As Amended By DUAA 2025)  ·  2026-06-04

This AI Services Agreement (this "Agreement") is made on 2026-06-04 between Cogentix AI Ltd (Companies House No. 14872103) of Floor 7, Lighterman House, 30 Wharfdale Road, London, N1 9RY (the "Vendor"), and Northbridge Insurance plc (Companies House No. 03456712) of 180 Bishopsgate, London, EC2M 4BD (the "Customer"). The Vendor provides an artificial-intelligence service known as CogentixClaims Co-Pilot (the "Service"), being a software as a service (multi-tenant cloud). The Service is classified by the parties as a High-Risk AI System under Article 6 and Annex III of the EU AI Act. The Service is powered by, integrates with, or fine-tunes the following underlying AI models: GPT-4o (via Microsoft Azure OpenAI Service, UK South), with retrieval-augmented generation against the Customer's policy document index hosted in the Vendor's UK tenant. This Agreement is entered into in the context of the EU AI Act (Regulation (EU) 2024/1689), the UK GDPR (as amended by the Data (Use and Access) Act 2025), and applicable sectoral guidance from the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

In this Agreement, unless the context otherwise requires:

"AI Act" means Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (the "EU AI Act"), as it applies (i) directly to EU placements and deployments, and (ii) extraterritorially where outputs of the Service are used in the EU.
"Business Day" means any day other than a Saturday, Sunday or public holiday in England and Wales.
"Customer Inputs" means all data, documents, prompts, queries, instructions, attachments and other content submitted to the Service by or on behalf of the Customer.
"Customer Personal Data" means any Personal Data (as defined in the UK GDPR) processed by the Vendor on behalf of the Customer in connection with the Service.
"Customer's Group" means the Customer and any subsidiary undertaking of the Customer from time to time (sections 1162 and Schedule 7 of the Companies Act 2006).
"Fees" means the subscription, usage-based or one-off fees set out in Clause 6.
"GPAI Model" means a general-purpose AI model within the meaning of Article 3(63) of the AI Act.
"High-Risk AI System" means an AI system classified as high-risk under Article 6 of the AI Act (including AI systems listed in Annex III).
"Outputs" means any output, result, response, generation, suggestion, prediction, classification or decision produced by the Service in response to Customer Inputs.
"Personal Data", "Processing", "Controller", "Processor", "Data Subject" and related terms shall have the meanings given to them in the UK GDPR.
"Service" means the AI service described in Clause 2.
"Service Model" means the AI model (or models), fine-tuning weights, embeddings, prompts and other model assets used by the Vendor to provide the Service.
"Term" means the period set out in Clause 6.
"UK GDPR" means Regulation (EU) 2016/679 as it has effect in domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data (Use and Access) Act 2025).

References to statutes and regulations are to those instruments as amended, extended, re-enacted or replaced from time to time. Headings are for convenience only and do not affect interpretation.

2.1 Provision. The Vendor shall provide the Service to the Customer with effect from 2026-07-01, in accordance with this Agreement.

2.2 Service description. A generative AI-powered claims-handling co-pilot that summarises customer correspondence, drafts response letters, classifies fraud risk on a four-tier scale, and suggests settlement values for review by a human claims handler. Deployed via a multi-tenant SaaS portal with an enterprise SSO integration.

2.3 Acceptable Use Policy. The Customer shall not use the Service (or permit it to be used) to: (a) violate any law, regulation or third-party right; (b) produce, host or distribute content that is unlawful, defamatory, infringing, harassing, deceptive or harmful; (c) generate child sexual abuse material, non-consensual intimate imagery, or instructions enabling the manufacture of weapons of mass destruction; (d) make significant decisions about individuals affecting their legal rights or producing similarly significant effects without the safeguards required by Articles 22A-22D of the UK GDPR (as amended by the Data (Use and Access) Act 2025); (e) reverse-engineer, decompile or attempt to extract the Service Model or its training data; (f) use the Service or its Outputs to train, fine-tune or evaluate any competing AI model; (g) submit Customer Inputs containing special category personal data (within the meaning of Article 9 of the UK GDPR) other than as permitted under Clause 14 and any applicable Data Processing Agreement.

2.4 Additional restrictions. The Customer further agrees not to use the Service for: No use to determine credit-worthiness; no use to make decisions about life-insurance underwriting that have a legal or similarly significant effect on a natural person without prior human review.

2.5 Suspension. The Vendor may suspend the Service on written notice if the Customer materially breaches the Acceptable Use Policy. The Vendor shall lift the suspension as soon as the breach is cured.

3.1 Classification. The parties classify the Service as a High-Risk AI System under Article 6 and Annex III of the EU AI Act, specifically falling within the use case described as: Annex III paragraph 5(b) — AI systems used in the risk assessment and pricing of insurance — high-risk under the AI Act.

3.2 High-Risk obligations. The Service is a High-Risk AI System under Article 6 of the AI Act. The Vendor warrants that, from 2 August 2026 (or such earlier date as the Vendor places the Service on the market), the Service shall comply with the requirements of Articles 9 to 15 of the AI Act (risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy / robustness / cybersecurity). Detailed obligations are set out in Clause 9 (where Expert section selected).

3.3 Conformity assessment. The Vendor shall procure that the Service has undergone the conformity assessment procedure required by Article 43 of the AI Act, and shall maintain the EU declaration of conformity and CE marking required by Articles 47 and 48 throughout the Term.

4.1 Ownership of Inputs. As between the parties, the Customer retains all rights in Customer Inputs. The Customer grants the Vendor a non-exclusive, royalty-free, worldwide licence to process Customer Inputs solely to the extent necessary to provide the Service.

4.2 Training and improvement use. The Vendor shall not use Customer Inputs or Prompts to train, fine-tune, evaluate or improve any AI model — including the Service Model and any derived or successor model — and shall encrypt Customer Inputs in transit and at rest. The Vendor shall delete all Customer Inputs within the Data Return Period after termination.

4.3 No prompt mining. The Vendor shall not mine, analyse or aggregate the substantive content of Customer Prompts (the natural-language instructions submitted by the Customer) for any purpose other than providing the Service to the Customer.

5.1 Outputs. All right, title and interest in and to the Outputs vest in the Customer immediately on generation. The Vendor hereby assigns, with full title guarantee, all such rights it may acquire to the Customer.

5.2 No vendor reuse. The Vendor shall not reuse, redistribute, or use Outputs (or aggregates derived therefrom) for any purpose, including the training, fine-tuning or evaluation of any AI model.

5.3 No warranty of copyrightability. The Vendor makes no representation that any Output is protectable by copyright or any other intellectual property right. The parties acknowledge that under English law, a work produced solely by an AI system without sufficient human authorship may not be protected by copyright (see Copyright, Designs and Patents Act 1988 sections 9(3) and 178).

6.1 Fees. The Customer shall pay £180,000.00, payable annually in advance.

6.2 Term. This Agreement shall commence on the Service Start Date and continue for an initial term of 24 months (the "Initial Term"). Thereafter it shall automatically renew for successive periods equal to the Initial Term unless either party gives written notice of non-renewal not less than ninety (90) days before the end of the then-current term.

6.3 Payment terms. Fees are payable within 30 days of the date of the Vendor's invoice, in cleared funds to the bank account nominated by the Vendor. Time of payment is of the essence. Fees are exclusive of VAT and any other applicable taxes, which shall be additional.

6.4 Late payment. Any amount not paid by the due date shall bear interest from the due date until actual payment at the Bank of England base rate plus 8% per annum (in line with the Late Payment of Commercial Debts (Interest) Act 1998), accruing daily and compounded monthly. The Vendor may exercise the statutory right to recover reasonable compensation for the costs of debt recovery under section 5A of the Late Payment of Commercial Debts (Interest) Act 1998.

6.5 Indexation. The Vendor may, on no less than sixty (60) days' written notice, increase the Fees by no more than the percentage change in the UK Consumer Prices Index over the preceding twelve months, with effect from each anniversary of the Service Start Date.

7.1 Availability. The Vendor shall use reasonable endeavours to ensure that the Service is available not less than 99.95% of the time, measured monthly and excluding planned maintenance windows of which the Vendor gives reasonable advance notice.

7.2 Maintenance windows. Planned maintenance shall be scheduled outside the Customer's ordinary business hours where reasonably practicable.

7.3 Support. The Vendor shall provide reasonable technical support to the Customer during the Vendor's ordinary business hours via the support channels notified in writing from time to time.

7.4 Service credits. If the Vendor fails to meet the availability target in any calendar month, the Customer shall be entitled to service credits applied against the next invoice as follows: (a) availability between 99.0% and the target — 5% of the monthly Fees; (b) availability between 98.0% and 99.0% — 10% of the monthly Fees; (c) availability below 98.0% — 25% of the monthly Fees. Service credits are the Customer's sole and exclusive remedy for breach of the availability target, save for the Customer's right to terminate under Clause 20 where availability falls below 95% in any rolling three-month period.

8.1 Application. This Clause applies in addition to any other obligation in this Agreement, in respect of the high-risk classification of the Service under Article 6 of the AI Act.

8.2 Risk management system (Article 9). The Vendor shall establish, implement, document and maintain a continuous, iterative risk management system covering the Service throughout its lifecycle, including identification and analysis of known and reasonably foreseeable risks to health, safety and fundamental rights, and adoption of targeted risk-management measures.

8.3 Data governance (Article 10). The Vendor shall implement appropriate data governance and management practices covering training, validation and testing data sets, including relevant design choices, data collection processes, examination of biases, and gap remediation. Data sets shall be relevant, representative, free of errors and complete in view of the intended purpose.

8.4 Technical documentation (Article 11). The Vendor shall draw up and keep up to date the technical documentation required by Annex IV of the AI Act before placing the Service on the market or putting it into service, and shall make such documentation available to the Customer's appointed compliance personnel on reasonable request.

8.5 Record-keeping (Article 12). The Service shall technically allow for the automatic recording of events (logs) over its lifetime, to ensure traceability of its functioning. Logs shall be retained for a period appropriate to the intended purpose and in any event for at least six (6) months from generation.

8.6 Transparency and information to deployers (Article 13). The Vendor shall provide the Customer with concise, complete, correct and clear instructions for use, including the characteristics, capabilities, limitations, intended purpose, and human-oversight measures of the Service. The Customer (as a "deployer" under the AI Act) acknowledges its corresponding obligations under Article 26.

8.7 Human oversight (Article 14). The Service shall be designed and developed to be effectively overseen by natural persons. Such oversight shall be aimed at minimising risks to health, safety and fundamental rights. The Vendor shall identify and build in appropriate human-machine interface tools, and shall specify in the instructions for use the measures the Customer should implement.

8.8 Accuracy, robustness and cybersecurity (Article 15). The Service shall achieve appropriate levels of accuracy, robustness and cybersecurity, and shall perform consistently in those respects throughout its lifecycle. The Vendor shall declare accuracy metrics and metrics relevant to robustness and cybersecurity in the accompanying instructions for use, in line with the NCSC Secure AI System Development Guidelines (27 November 2023).

8.9 Conformity assessment and CE marking. The Vendor shall ensure that the Service has undergone the conformity assessment procedure under Article 43 of the AI Act before being placed on the EU market or put into service in the EU, and shall maintain the EU declaration of conformity (Article 47) and CE marking (Article 48) throughout the Term.

9.1 Application. This Clause applies where the Vendor is, or relies on, a provider of a General-Purpose AI Model within the meaning of Article 3(63) of the AI Act.

9.2 Model card. The Vendor shall provide the Customer with a model card (or equivalent technical documentation) for any GPAI Model used in the Service, in line with the templates published by the European AI Office under Article 53(1)(a) of the AI Act, including a description of the model's capabilities, limitations and intended uses.

9.3 Copyright training summary. The Vendor shall make available a sufficiently detailed summary about the content used for training of any GPAI Model, in line with Article 53(1)(d) of the AI Act and the template published by the European AI Office.

9.4 EU AI Office and authorities. The Vendor shall cooperate with the European AI Office and national competent authorities, and shall provide the information required by Articles 53 and 55 of the AI Act on reasonable request.

10.1 Lawful training data. The Vendor warrants that the data used to train and validate the Service Model: (a) was lawfully acquired and processed; (b) does not infringe any third-party intellectual property right (including any copyright, database right or trade mark) of which the Vendor has actual or constructive knowledge; (c) was used in accordance with applicable text and data mining exceptions (including section 29A of the Copyright, Designs and Patents Act 1988 and Article 4 of the EU Directive on Copyright in the Digital Single Market (2019/790)); and (d) was not obtained by scraping or extraction from any data source whose terms of service explicitly prohibit such use.

10.2 No personal data in training. The Vendor warrants that no Customer Personal Data has been or will be used to train or fine-tune any AI model (including the Service Model), except with the Customer's prior express written consent on a per-feature basis. To the extent any other personal data is used in training, the Vendor warrants that such use complies with the UK GDPR and applicable data-protection law, including provision of fair-processing information where required.

10.3 Bias and protected characteristics. The Vendor shall implement reasonable steps to identify and mitigate bias in training, validation and testing data that could lead to direct or indirect discrimination on the basis of any protected characteristic under the Equality Act 2010 (including age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation).

Output accuracy disclaimer + Customer human-review obligation. The Vendor expressly disclaims any warranty that the Outputs are accurate, current, complete, free from bias, free from error, suitable for any particular purpose, or compliant with any specific regulation. Outputs are probabilistic — they may "hallucinate", omit material information, or reflect biases. The Customer warrants that it shall review every Output for accuracy and appropriateness before relying on it for any decision affecting an individual, regulated outcome, or material commercial transaction; shall not present Outputs as factual without independent verification; and shall implement a documented human-review process aligned with the AI Playbook published by the UK Government Digital Service.

11.2 Excluded use cases. The Service shall not be used to render legal, medical, accountancy, financial, taxation or any other regulated professional advice that the Customer (or any user) holds out as advice from a qualified professional. The Customer shall ensure all Outputs in regulated contexts are reviewed and approved by a qualified human professional before reliance.

11.3 Customer-specific excluded uses. The Customer shall additionally not use the Service for: Final settlement of any claim above £25,000 without a senior claims handler's written approval.

11.4 Reasonableness under UCTA 1977. The parties agree (and the Customer expressly acknowledges as a sophisticated business contracting at arm's length) that the disclaimers in this Clause are reasonable for the purposes of section 3 of the Unfair Contract Terms Act 1977. Nothing in this Clause excludes or limits liability for fraud or fraudulent misrepresentation, death or personal injury caused by negligence, or any liability that cannot be excluded as a matter of law.

12.1 Customer obligation. The Customer shall implement and maintain a documented human-oversight plan covering the use of the Service, in line with the AI Playbook published by the UK Government Digital Service (February 2025). The plan shall identify: (a) the natural persons responsible for oversight, including their qualifications and authority; (b) the points in the workflow at which Outputs are reviewed before action is taken; (c) the criteria for accepting, modifying or rejecting Outputs; (d) the escalation procedure for anomalies, errors or harmful Outputs; and (e) the training programme for personnel using the Service.

12.2 Vendor support. The Vendor shall provide reasonable assistance to the Customer in developing the plan, including the provision of model cards, capability/limitation documentation, and recommended oversight controls.

13.1 Bias testing. The Vendor shall conduct bias and fairness testing of the Service on a quarterly basis, covering accuracy and error rates across protected characteristics under the Equality Act 2010 where data is available, and shall provide summary results to the Customer on request.

13.2 Anti-discrimination. The Customer is responsible for ensuring that its use of the Service does not constitute direct or indirect discrimination under sections 13 and 19 of the Equality Act 2010. The Vendor shall provide the Customer with reasonable documentation to support an equality impact assessment.

13.3 Incident reporting. Each party shall promptly notify the other of any material bias-related incident or harm of which it becomes aware in connection with the Service.

14.1 Roles. The Customer is the Controller of Customer Personal Data; the Vendor is a Processor (or, where the Vendor independently determines purposes and means, a Controller in its own right) within the meaning of the UK GDPR.

14.2 Processing terms. The parties have executed a separate Data Processing Agreement (the "DPA") on or before the Service Start Date. The DPA contains the mandatory Article 28 UK GDPR processing terms and prevails over this Agreement in the event of conflict on data-protection matters.

14.3 Data residency. Customer Personal Data and Customer Inputs shall be processed and stored only in the United Kingdom.

14.4 Automated decision-making (Articles 22A-22D UK GDPR). The parties acknowledge that the Service may produce or contribute to "significant decisions" within the meaning of Article 22A UK GDPR (as inserted by the Data (Use and Access) Act 2025). The Customer shall ensure that, where a significant decision is taken solely based on processing by the Service:
(a) the data subject is informed of the decision and the basis for it;
(b) the data subject is able to make representations about the decision;
(c) the data subject can obtain meaningful human intervention from the Customer; and
(d) the data subject can contest the decision.

The Vendor shall provide the Customer with such technical and organisational measures, model documentation and Output explanations as are reasonably necessary to enable the Customer to discharge these obligations under Article 22C UK GDPR.

14.6 Data Protection Impact Assessment. The Customer shall conduct a Data Protection Impact Assessment under Article 35 UK GDPR before commencing live use of the Service. The Vendor shall provide reasonable assistance, including model and risk documentation, on Customer request.

14.7 Breach notification. The Vendor shall notify the Customer without undue delay and in any event within 24 hours after becoming aware of a personal data breach affecting Customer Personal Data, and shall provide the information required by Article 33(3) UK GDPR.

15.1 Authorisation. The Customer authorises the Vendor to engage subprocessors (including underlying AI model providers and cloud-hosting providers) to perform the Service.

15.2 Current subprocessors. As at the Service Start Date, the Vendor uses the following subprocessors:
Microsoft Azure (UK South region, cloud hosting + Azure OpenAI Service)
OpenAI, LLC (model provider, no customer-data training)
Auth0 by Okta (identity + access management)

15.3 Change notification. The Vendor shall provide the Customer with at least 30 days' prior written notice of any new subprocessor or replacement of an existing subprocessor, including the identity of the subprocessor and the scope of its engagement. The Customer may object on reasonable data-protection or competitive grounds within the notice period; the parties shall in good faith seek to resolve any objection.

15.4 Flow-down terms. The Vendor shall impose on each subprocessor data-protection and security obligations at least equivalent to those in this Agreement, and shall remain liable to the Customer for the acts and omissions of each subprocessor.

17.1 Security measures (Article 32 UK GDPR). The Vendor shall implement appropriate technical and organisational measures to protect the Service and Customer Inputs against unauthorised or unlawful processing, accidental loss, destruction or damage. As a minimum, measures shall include: encryption in transit and at rest; access controls and least-privilege provisioning; identity and authentication management; logging and monitoring; secure software development; regular vulnerability scanning; and an incident-response plan.

17.2 NCSC guidelines. The Vendor shall design, develop, deploy and operate the Service in accordance with the Secure AI System Development Guidelines published by the National Cyber Security Centre on 27 November 2023.

17.3 Incident response. The Vendor shall maintain a documented incident-response plan and shall notify the Customer of any security incident likely to affect the Customer within 24 hours of becoming aware of it, and shall provide updates as further information becomes available.

18.1 Cap on aggregate liability. Subject to Clause 18.3, the aggregate liability of each party under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty or otherwise, shall not exceed the aggregate Fees paid by the Customer in the twenty-four (24) months immediately preceding the event giving rise to the claim.

18.2 Excluded losses. Neither party shall be liable for any loss of profits, loss of revenue, loss of goodwill, loss of opportunity, loss of anticipated savings, loss of data (other than as required for breach of UK GDPR), or any indirect or consequential losses, whether or not the possibility of such loss was contemplated.

18.3 IP indemnity. The Vendor shall indemnify the Customer against any third-party claim that the Customer's use of the Service or an Output infringes any third-party intellectual property right, up to uncapped (in respect of IP infringement only). This indemnity is conditional on: (a) the Customer promptly notifying the Vendor; (b) the Vendor having sole conduct of the defence and any settlement; (c) the Customer providing reasonable assistance; and (d) the Customer not having materially modified the Service or the Output in a way that caused the infringement.

18.4 Reasonableness. The parties agree, as sophisticated businesses contracting at arm's length, that the limitations in this Clause are reasonable for the purposes of section 3 of the Unfair Contract Terms Act 1977 (where applicable).

19.1 Audit. The Customer (or a reputable independent auditor appointed by the Customer and reasonably acceptable to the Vendor) may, on reasonable advance notice, audit the Vendor's compliance with this Agreement, once per calendar year. The scope of the audit shall be full compliance audit covering security, data protection, algorithmic auditing and AI Act obligations.

19.2 Conduct. Audits shall be conducted during the Vendor's ordinary business hours, with minimal disruption, subject to confidentiality, and shall not require disclosure of trade secrets or third-party confidential information.

19.3 Findings. The Vendor shall remedy any material non-compliance identified by the audit within a reasonable period agreed by the parties, and shall bear the cost of remediation. The Customer shall bear its own audit costs, save where the audit reveals a material non-compliance, in which case the Vendor shall reimburse reasonable audit costs.

20.1 Termination for cause. Either party may terminate this Agreement immediately on written notice if the other: (a) commits a material breach incapable of cure or fails to cure a curable material breach within thirty (30) days of written notice; (b) becomes insolvent, has a receiver, administrator or liquidator appointed, or enters into any arrangement with creditors; or (c) ceases or threatens to cease trading.

20.2 Termination for convenience. Either party may terminate this Agreement at the end of any term by giving the other not less than ninety (90) days' written notice. The Customer may terminate immediately for the Vendor's material change to the Service's safety or AI Act classification.

20.3 Effect of termination. On termination: (a) all licences granted under this Agreement shall end (subject to perpetual or surviving licences expressly granted); (b) the Customer shall pay all accrued Fees and outstanding charges; and (c) each party shall return or destroy the other's Confidential Information.

20.4 Data return. The Vendor shall make Customer Inputs and Customer Personal Data available to the Customer for export in a structured, commonly used, machine-readable format for a period of ninety (90) days after termination (the "Data Return Period"). Thereafter the Vendor shall, on the Customer's written instruction, securely delete or anonymise such data within thirty (30) days, save to the extent retention is required by law.

20.5 Surviving clauses. The following Clauses shall survive termination: definitions, ownership, hallucination disclaimer, liability, indemnities, data protection (insofar as relating to any retained data), confidentiality, audit rights (limited to records of the surviving Term), and governing law.

21.1 Definition. "Confidential Information" means any information of either party which is, or by its nature should reasonably be regarded as, confidential, including business plans, strategies, financial information, customer lists, technical information and the terms of this Agreement.

21.2 Obligation. Each party shall keep the other's Confidential Information strictly confidential, shall not use it other than for the purposes of this Agreement, and shall not disclose it to any third party save: (a) to professional advisers under a duty of confidentiality; (b) where compelled by law or competent court; or (c) with the prior written consent of the disclosing party.

21.3 Survival. This obligation shall survive termination and continue for five (5) years thereafter (without limit for trade secrets).

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.

Entire agreement. This Agreement (together with any DPA, Schedule or addendum executed in connection with it) constitutes the entire agreement between the parties in relation to its subject matter and supersedes all prior drafts, proposals, term sheets and understandings. No variation shall be effective unless in writing and signed by or on behalf of each party.

Severability. If any provision of this Agreement is held invalid or unenforceable by a court of competent jurisdiction, the provision shall be modified to the minimum extent necessary to render it enforceable, and the remainder of this Agreement shall continue in full force.

23.1 Counterparts. This Agreement may be executed in any number of counterparts, each of which when executed shall constitute an original, and all counterparts together shall constitute one and the same agreement.

23.2 Electronic execution. The parties agree that this Agreement may be executed by electronic signature in accordance with section 7 of the Electronic Communications Act 2000 and the Law Commission's 2019 statement on Electronic Execution of Documents.

23.3 Notices. Any notice or other communication shall be in writing and delivered by hand, by first-class pre-paid post or by email to the addresses set out above (or such other address as a party may notify in writing). Notices delivered by hand are deemed received on delivery; by first-class post on the second Business Day after posting; by email on the next Business Day after transmission (subject to no bounce-back).

23.4 Third-party rights. A person who is not a party to this Agreement has no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term, save that any member of the Customer's Group may enforce the Vendor's warranties and indemnities in its own right.

23.5 Assignment. Neither party may assign or transfer any of its rights or obligations under this Agreement without the prior written consent of the other (such consent not to be unreasonably withheld), save that either party may assign to a successor in business or group company on written notice.

23.6 Force majeure. Neither party shall be liable for any failure to perform its obligations to the extent caused by events beyond its reasonable control (excluding payment obligations).

IN WITNESS WHEREOF, the parties have executed this Agreement as of the date indicated.