Terms & Conditions
Service Specific Terms & Conditions – Mobile Identity Services
Version 4 August 2025 Uploaded on
-
- The Service(s): means, Mobile Identity Services including KYC match API, Number Verify API, Sim Swap API, Location Verification API, and other API derived from our telecommunication and network services and which we provide to our customers (the “Mobile Identity Service(s)” or “Service(s)”).
- You: Business Customer signing up for the Mobile Identity Service(s).
- The use of the Mobile Identity Service(s) is subject to the General Terms & Conditions (“GTC”), these Service Specific Terms & Conditions (“SSTC”), Summary Terms & Conditions (“STC”), Maxis Fair Usage Policy and any other applicable terms and conditions, all at https://www.business.maxis.com.my/en/terms-conditions/, which are hereby incorporated by reference.
- Capitalised terms herein have the same meaning as defined in the GTC.
- Any conflict or inconsistency between this SSTC, the GTC and the STC, shall be construed in the following order of precedence: (a) SSTC; (b) GTC; and (c) STC.
- We reserve the rights without liability, to vary, add to, remove or otherwise amend this SSTC, the manner in which the Service(s) is conducted and/or discontinue, interrupt, bar, suspend, restrict and/or terminate the Service(s) (whether in whole or in part) at any time as we deem fit, and will not be liable to you and/or any third party for any loss (including loss of revenue), loss of services or connectivity or inconvenience as a result thereof. The prevailing terms and conditions of this SSTC and the Service(s) will be updated on our official website from time to time, whereby the updated terms and conditions will apply and supersede all previous versions. Maxis will to the extent commercially reasonably practicable and to the extent required under applicable laws and regulations, provide you with prior notice of such changes in such form as Maxis deems reasonable and appropriate. Your continued use of the Service(s) after any changes to the terms and conditions of this SSTC and the Service(s) is effective will constitute unconditional acceptance by you of such variations, additions or amendments and you agree to be bound by the same.
-
- Unless the context otherwise requires, the bolded words shall have the following meanings:
“API” means a set of rules and protocols that allows different software applications to communicate and interact with each other. It provides a standardized way for applications to access and use functionalities provided by the particular gateway or platform.
“API Calls” means the communication of an action to or from the Cloud Service and/or the gateway platform. References to “API Call” shall be construed accordingly.
“API Identity” means a specialised type of API designed to facilitate authentication by password. It replaces Open Authentication (OAuth) Directory and allows users to modify and handle calls made to authentication servers.
“Business Customer Account” means the identifiable, unique, and personalised account of the Business Customer for intents and purpose of subscribing to the Service(s).
“Business Customer Application” means a web-based, offline, mobile or other software application functionality that is provided by the Business Customer that is interoperable with Service(s).
“CAMARA” means an open-source project within Linux Foundation to define, develop and test the APIs. CAMARA works in close collaboration with the GSMA Operator Platform Group to align API requirements and publish API definitions and APIs. Harmonization of APIs is achieved through fast and agile created working code with developer-friendly documentation. API definitions and reference implementations are free to use (Apache 2.0 license) with the requirement as further detailed at https://camaraproject.org/.
“Cloud Service” means applications and infrastructure resources that exist on the internet. Third-party providers contract with subscribers for these services, allowing customers to leverage powerful computing resources without having to purchase or maintain hardware and software.
“Completed API Call Flow” refers to an API Call that returns a True/False/Unknown Response as the final Response. For the avoidance of doubt, if errors occur before the return of a True/False/Unknown Response, it will not be taken as a Completed API Call Flow.
“Database” means a collection of works, data or other materials with a given systematic or methodical structure that can be individually stored and retrieved through electronic or other means.
“End User” means any individual who is a customer of both you and Maxis, who is the subject of the Mobile Identity Service(s).
“KYC match API” means an API that provides the Business Customer (API invoker such as 3rd party Service Provider) with the ability to compare the Information the customer has for a particular user with that on file (and verified) by the End User’s mobile network operator in their own KYC records. The Information can include phone number, name, postal code, address, birthdate, email address etc. No Personal Data is returned via the API.
“Federation Member(s)” means other telecommunications service providers, network operators or mobile alliances onboarded by Maxis to provide API services for the purpose of provisioning of the Mobile Identity Service(s).
“GSMA” means the GSM association (commonly referred to as 'the GSMA' or Global System for Mobile Communications, originally Groupe Spécial Mobile) which is a lobby organisation that represents the interests of mobile network operators worldwide. (https://www.gsma.com/)
“GSMA Operator Platform Group” means the standardisation of a common federation interface that expands the operator’s footprint and also unifies the external integration and exposure, allowing operators to offer their services or collaborate with hyperscalers and other service providers.
“Information” means the data or information that represent a particular arrangement or sequence of facts and/or learned knowledge which passes through the API Calls.
“Location Verification API” means the API which enables enterprises to verify if a mobile device is near a specified location and where the API response verifies whether the location is within the accuracy range of the Mobile Station International Subscriber Directory Number (MSISDN)'s last known location.
“Minimum Period of Service” means the period as specifically detailed out under Clause 8.1 below or such other period as stated in the Registration Form commencing from the Service Commencement Date.
“Number Verify API” means the API which enables the seamless authentication of the mobile device by the mobile network whereby the developer requests a check of the phone number of the device being used to access its service and where the API either confirms the comparison result (i.e. whether the user is using a device with the same mobile phone number as is declared), or returns the phone number.
“OAuth (Open Authentication)” is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” It is a way for users to grant websites or applications access to their information without giving away their passwords.
“Open Authentication (OAuth) Directory” means open-standard authorisation protocol or framework that provides applications the ability for “secure designated access.”
“Package(s)” means the Mobile Identity Service(s) packages which are available to you at the prescribed rate for the volume of API Calls.
“Personal Data” means any information or data related to an individual who can be identified, either directly or indirectly from that information or from that information combined with other information.
“Requesting Federation Member(s)” means the Federation Member(s) that is requesting for the End User Personal Data.
“Response” means the recommendation, returned by the Mobile Identity Service(s) about an End User based on the Information as per Maxis Database.
“Sim Swap API” means the API which checks the last time that the SIM card associated with a mobile number (MSISDN) has changed and where the response may be a timestamp or a yes/no for a defined period (e.g. last 24h). Additionally, the API can be used in subscription mode, where the consumer will receive notifications if the status of the SIM Swap changes.
“Service Commencement Date” means the date on which Maxis notifies you that the Service(s) is ready for use by you. The Service(s) is deemed accepted by you three (3) working days from the date of submission of the service acceptance form or document of similar nature or description by Maxis to you.
-
- At your request and subject to acceptance by us, and subject to your payment of the Charges and compliance with the Agreement, we will provide the Service(s) to you based on the Package(s) subscribed by you as stated in the Registration Form.
- We will make reasonable attempts to ensure that the Response provided through the Service(s) are based on the latest Information as per our Database collected from the End User but we shall not be held responsible for any loss, damage, or undesirable outcome to you (such as fraud or misuse of the Response) resulting from the use of such Response.
- In addition to the disclaimers and limitation of liability as set out in the GTC, we are also not responsible nor shall we be held liable for accuracy of each of the Response and Information as well as the actions taken by you as a result of the Information gathered from the variables shared which remains solely your responsibility.
- We reserve the right to suspend or discontinue the Service(s) or any part thereof at any time for operational reasons and/or in an emergency.
- You hereby acknowledge and agree that by using the Service(s), there may be inherent security risks and that you:
- may be subject to unauthorised invasion of your privacy during, or as a result of, your or another party’s use of the Network; and
- may be subject to unauthorised exposure of information and material you listed or sent, on or through the Service(s), to other users, the general public or any other specific entities for which the information and material was not intended by you.
- We reserve the right, but are under no obligation, to scan, review and/or delete any such content, data, or Information and to delete or deactivate your use of the Service(s) notwithstanding that such access and storage of such content, data, or Information is a requirement or constitutes as part of the Service(s).
- We reserve the right to reject or cancel any request for API Calls from your end at any time for any reason whatsoever (including reasonable belief by us that the sharing of the Response through the API Calls may subject us to criminal or civil liability or is otherwise adverse to our interest). Our failure or delay in rejecting any request for API Calls shall not in any way reduce, limit, waive or otherwise affect your responsibility and obligations under this Agreement.
- Save for the Response, we do not provide any other details, Database or distribution lists whatsoever under the Service(s).
- In the event that we are requested or required to co-operate or assist with any investigations of suspected or actual criminal violations, violations of system or Network security or other violation of laws by any law enforcement or relevant authorities, this may result in the suspension or cancellation of your access to the Service(s) and/or our Network, system, servers, directories, listing, Information and Databases.
- You acknowledge and agree that violations of system or network security are prohibited and may result in criminal and civil liability. Examples of system or network security violations include, without limitation, the following:-
- unauthorised access to or use of data, systems or networks, including any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without express authorization of the owner of the system or network;
- unauthorized monitoring of data or traffic on any network or system without express authorisation of the owner of the system or network;
- interference with the Service(s) to any person, host or network including, without limitation, mailbombing, flooding, deliberate attempts to overload a system and broadcast attacks.
- forging of any TCP-IP packet header or any part of the header information in an email or a newsgroup posting; and
- circumventing any user authentication or security of any host, network or account (referred to as ‘cracking’ and ‘hacking’).
- You acknowledge and agree that:
- the Mobile Identity Service(s) provided by Maxis under this Agreement may be offered solely through Maxis’ own Network and Information or through the Federation Members’ network and Information. Maxis does not warrant or represent that the Mobile Identity Service(s) shall include API services from other telco providers unless and until such providers are formally onboarded as Federation Member(s) at Maxis’ sole discretion;
- the availability and performance of the Mobile Identity Service(s) may be dependent on API services made available to Maxis by Federation Members; and
- in the event of any suspension, interruption or unavailability of the Mobile Identity Service(s) (in whole or in part) caused by or attributed to Federation Member(s), your sole and exclusive remedy shall be the waiver of Charges incurred for API Calls made to the Federation Member(s) during the affected period. No other compensation, refund, liability, or remedy shall apply to you in respect of such suspension, interruption or unavailability.
-
- The monthly recurring Charges for the Service(s) shall be at the rates based on the Package(s) subscribed by you as stated in the Registration Form.
- The billing for the Service(s) shall commence from the Service Commencement Date.
- Where applicable, you shall pay Maxis a one-time installation Charges or a refundable deposit at the prevailing rates set by Maxis.
- Each Package purchased for Mobile Identity Service(s) Package(s) will be billed at the end of each billing cycle.
- For every API Call made to our Network or network of our Federation Members that Completed API Call Flow, such call will still be charged to you regardless if it ends in a True/False/Unknown Response.
-
- You hereby agree to:
- ensure that the Service(s) are used solely for the purposes of verification or as an addition to your decision making process;
- comply with all applicable laws, regulations, binding directions and codes by any authorities including by SKMM as may be updated from time to time;
- not re-supply or resell the Service(s) to any person unless otherwise agreed by us;
- ensure that the Equipment and software used by you in connection with the Service(s) or any part thereof are compatible, can properly function, and are compliant with the GSMA CAMARA requirements;
- ensure that the purposes and usage of the Service(s) should be legal, decent, honest and truthful and prepared with a sense of responsibility to consumers and society and respecting the principles of fair competition; and
- at your own expense, carry out such additions, improvements, adjustments, modifications, alterations or replacements to any of your Equipment and software (other than Maxis’ equipment and software) used in relation to the provision of the Service(s), as and when required by us for the purpose of maintaining the quality or increasing the efficiency of the Service(s) or for any other purpose whatsoever.
- You may not do or allow to be done any of the following:
- introduce into our systems or distribute via the Service(s), any system contamination, including, without limitation, viruses, worms and Trojan horses causing unauthorised, damaging or harmful access and/or retrieval of information and data on your Equipment and/or other forms of activity that may be considered unlawful;
- use the Service(s) in any way that may damage and/or harm Maxis’ reputation including but not limited to for any offensive, unlawful or illegal purposes or which is likely to encourage crime, against public interest, public order or national harmony or otherwise cause Maxis to be in breach of any applicable laws;
- cause excessive or disproportionate load on the Service(s) and/or on our Network.
- In the event we receive any complaint that the Service(s) and/or our Network has been used in contravention of applicable laws, standards, regulations or code of conduct, you agree to work together with us to suspend the relevant Business Customer Account which is the subject of contravention immediately failing which we reserve the right to suspend the Service(s) or refuse further Service(s) to you.
- You agree that you shall comply with any and all notices, instructions and/or directions relating to the Service(s) given by us via any mode of communication, as we may see fit to issue from time to time. If we detect any non-compliance or if we have reason or cause to suspect that you are not complying with your responsibilities and obligations, we shall notify you in writing to rectify such non-compliance or cease such prohibited actions failing which we reserve the right to suspend the Service(s) or refuse further Service(s) to you.
- Pursuant to Clause 6.12 of the GTC, if you make payment for Charges by way of Maxis Pay, you declare and undertake that if the Direct Debit payment method is activated within Maxis Pay, it is made pursuant to the selection of the Direct Debit option by you.
- You shall, prior to reporting a Service(s) failure or problem, carry out all necessary steps to determine the cause of the Service(s) failure or problem and to mitigate such failure or problem.
-
For the purpose of this Clause 6:
“CMA” means the Communications and Multimedia Act 1998 (Act 588) of Malaysia;
“Data Breach” means any breach, loss, misuse or unauthorised use, copying, modification, unauthorised or accidental access or disclosure, alteration or destruction or unavailability of Your Personal Data;
“Data Subject” means an individual who is the subject of the Personal Data;
“End User Personal Data” means Personal Data of any individual who is a customer of both you and Maxis, who is the subject of the Mobile Identity Service(s);
“PDPA” means the Personal Data Protection Act 2010 (Act 709) of Malaysia and any subsidiary legislation, code and/or guideline issued by the Personal Data Regulatory Authority;
“Personal Data” means “personal data” as defined in the PDPA;
“Personal Data Regulatory Authority” means the relevant authority, agency or department authorised or empowered under the PDPA to, inter alia, implement and enforce the PDPA and monitor and supervise compliance with the provisions of the PDPA;
“Processing” in relation to Personal Data, means collecting, recording, holding or storing the Personal Data or carrying out any operation or set of operations on the Personal Data, including: (a) the organisation, adaptation or alteration of the Personal Data; (b) the retrieval, consultation or use of the Personal Data; (c) the disclosure of the Personal Data by transmission, transfer, dissemination or otherwise making available; or (d) the alignment, combination, correction, erasure or destruction of the Personal Data;
“Regulatory Authority” means any authority, agency or other body with regulatory jurisdiction over Maxis or any business conducted by Maxis from time to time; and
“Your Personal Data” means any Personal Data provided or made available to Maxis by you, pursuant to this Agreement which includes End User Personal Data.
- In addition to Clauses 14.1 and 14.2 of the GTC, you hereby represent, warrant and undertake to Maxis that Your Personal Data provided, disclosed and transferred to Maxis under this Agreement has been collected, used, processed, disclosed and transferred to Maxis in accordance with the PDPA. To the extent required by the PDPA, you are responsible for ensuring that all necessary privacy notices have been or are provided to all the Data Subjects, and unless another legal basis set forth in the PDPA supports the lawfulness of the Processing, that any necessary Data Subjects’ consents to the Processing have been or are obtained, and for ensuring that a record of such consents is maintained. Should such consent be withdrawn by a Data Subject, you are responsible for notifying Maxis in writing of such withdrawal of consent.
- You represent, warrant and undertake that Your Personal Data that have been provided, disclosed and transferred to Maxis pursuant to this Agreement is accurate, complete, not misleading and up-to-date.
- Maxis shall process Your Personal Data only for the purposes as described in Table A below or elsewhere in this Agreement or to facilitate Maxis’ performance of its obligations or exercise of its rights under this Agreement or as may be required or authorised by or under any law or for the purpose of complying with a legal obligation to which Maxis is subject or as otherwise permitted by applicable laws.
- You shall implement sufficient and appropriate technical and organisational security measures consistent with the PDPA for the purpose of protecting the security, confidentiality, integrity and availability of the Personal Data during the transmission to Maxis. You shall also immediately (and, in any event within 24 hours) notify Maxis if you become aware of any Data Breach or suspected Data Breach and comply with any reasonable directions from Maxis in respect of the same.
- In addition to the clauses mentioned in Clauses 6.1 until 6.4, you represent, warrant and undertake that you agree to notify and secure the consent from the End User for the following:
- access to the End User Personal Data for:
- you to access the End User Personal Data from Maxis and/or the Federation Member(s);
- Maxis to access the End User Personal Data from Federation Member(s); and
- the Requesting Federation Member(s) to access the End User Personal Data from Maxis.
- disclose the End User Personal Data for:
- Maxis to disclose the End User Personal Data to you and/or the Requesting Federation Member(s), as the case may be; and
- the Federation Member(s) to disclose the End User Personal Data to Maxis.
- You understand that you will be required to provide a copy of the consent to Maxis for the purpose of compliance audit or whenever it is required, should it be requested by Maxis, and such consent may be compiled and documented in the form of a consent confirmation letter as provided by Maxis (“Consent Confirmation Letter”).
- Notwithstanding the End User’s consent being given and received by you, you hereby agree that Maxis still reserves the right to withhold or not provide any report requested by you for verification or authentication under the Service(s) without giving any reason/s.
- You further represent, warrant and undertake that:
- the Consent Confirmation Letter is in place for meeting the periodic audit requirements by Maxis;
- you shall notify Maxis in writing whenever there are any changes of the consent clause or form and/or the processes to obtain consent and authorisation from the End User;
- you shall provide Maxis with the consent or application form with the consent clause as agreed and signed and/or acknowledged by the End User, which the document can be identified to the End User concerned, whenever requested by Maxis or the Regulatory Authority for the purpose of audit and/or investigation of a complaint;
- you shall provide response on the regular audit exercise (e.g. monthly/quarterly/yearly) conducted by Maxis; and
- you have established a process to ensure all Personal Data obtained from Maxis are kept secure and confidential;
- you understand that Maxis is subject to all applicable laws including the PDPA and that the requirements under this Clause 6 are subject to change.
- You shall, at no cost to Maxis, co-operate fully with Maxis in assisting and enabling Maxis to respond to any data access request and data correction request from a Data Subject pursuant to the PDPA and comply with all other statutory obligations related thereto applicable to Maxis as data controller under the PDPA.
- You acknowledge that security requirements are constantly changing and that effective security measures require frequent evaluation and regular improvements of outdated security measures. You will therefore evaluate the measures as implemented on an on-going basis in order to maintain compliance with the requirements of the security principle under the PDPA.
- You shall be responsible for any violation or breach of this Clause 6 and shall at your own expense immediately remedy any conditions giving rise to such violation or breach. Without derogating from Maxis’ rights under this Agreement or at law, Maxis shall be entitled to direct you to temporarily suspend any Processing of Maxis Personal Data until such violation or breach is remedied.
- You shall indemnify and defend Maxis, Maxis Group and their respective officers, agents and employees (each being an Indemnified Party) and hold such Indemnified Party harmless, at your own cost and expense, against any and all damages, losses, claims, fines, penalties, liabilities and expenses (including without limitation, solicitor’s fees and expenses in connection with any action, suit or proceeding) incurred or suffered by the Indemnified Party arising from your breach of this Clause 6.
- Maxis is entitled to terminate this Agreement immediately upon written notice to you, should it reasonably believe that:
- the Consent Confirmation Letter is in place for meeting the periodic audit requirements by Maxis; your technical and organisational security measures in place are not sufficient and appropriate for the purposes of protecting your Personal Data in accordance with this Agreement;
- you are in breach of any provision of the Agreement including relating to the use and protection of Your Personal Data; or
- you are in breach of, or are not complying with, any requirement of the PDPA.
- In the event of any conflict or inconsistency between the provisions of Clause 14 or Clause 15 of the GTC and the provisions of Clause 6, the provisions of Clause 6 shall prevail to the extent of that conflict or inconsistency.
- This Clause 6 shall survive the termination or expiry of the Agreement.
Table A
Purposes for the Processing of Personal Data
Description of Data Subjects: End User, your employees, directors and/or representatives
Description of purposes for the Processing of Personal Data: For Maxis to provide the Services to You
- In addition to the indemnification obligations in the GTC, you agree to defend, indemnify and hold Maxis and its respective employees, directors, officers, suppliers, contractors and agents harmless from and against any and all claims, demands, actions, damages, loss, costs, charges, liabilities and expenses (including solicitor’s fees and costs) of every nature directly and indirectly, arising out of or in connection with, including (i) your breach of Clause 6, (ii) your use of the Service(s), (iii) a dispute between you and the End User, or (iv) a claim by an End User.
-
- The Minimum Period of Service is either 12 months or 24 months or 36 months commencing from the Service Commencement Date depending on your subscription, if applicable.
- Maxis may terminate this Agreement and/or the Service(s) for convenience by giving you a thirty (30) days’ advance written notice.
- You may terminate this Agreement and/or the Service(s) by giving us thirty (30) days advance written notice.
- If you terminate this Agreement and/or the Service(s) during the Minimum Period of Service or if this Agreement and/or the Service(s) is terminated not due to Maxis’ breach, you agree to pay Maxis the early termination charge which is the total monthly recurring Charges for the remainder of the Minimum Period of Service.
- This Agreement shall automatically continue for an extended term as the existing Minimum Period of Service at the prevailing charges and rates imposed by Maxis and on the terms and conditions contained herein (unless otherwise notified by Maxis) unless you give Maxis thirty (30) days advance written notice of your intention to terminate this Agreement before expiry of the Minimum Period of Service.