Non-Disclosure Agreement

1/4

Non-Disclosure Agreement

13.02.2026 nr 2-2/26/140

Terms and conditions of confidentiality THALES UK Limited (registry code 00868273, address 350 Longwater Avenue, Green Park, Reading,

Berkshire, United Kingdom, RG2 6GF), represented by Mr. Kerry Adam Davey, Senior Contracts Manager

acting on the basis of an authorization issued by the company (hereinafter as the recipient of information),

by signing this Terms and conditions of confidentiality confirms that agrees to these conditions and

undertakes to comply with them.

The terms and conditions of confidentiality of a public procurement of the Estonian Centre for Defence

Investments (hereinafter the ECDI) for the submission of a tender for the procurement “MeV

miinitõrjesüsteemide elutsükli teenuse tellimine” (“Ordering Navy's MCM systems lifecycle service”)

(H2344), for which the ECDI is required to provide confidential information to the interested party

(hereinafter “the recipient of information”).

1. General terms and conditions

1.1. The purpose of these terms and conditions is to protect the confidential information

provided by the ECDI to the recipient of information during the procurement procedure and

the performance of the procurement agreement. By signing these terms and conditions, the

recipient of information undertakes to keep this information confidential (hereinafter also

the “confidentiality obligation”).

1.2. By signing these terms and conditions, the recipient of information confirms that they

undertake to comply with the requirements for the processing of confidential information

set out in legislation, including the data processing and data protection requirements set out

in the Public Information Act, the Personal Data Protection Act, the Civil Service Act and the

Archives Act, as well as the requirements set out in the State Secrets and Classified

Information of Foreign States Act and its implementing provisions.

1.3. In the procurement procedure, the procurement documents, and the procurement

agreement, the ECDI is also referred to as the contracting authority and the contracting entity

and the recipient of information is also referred to as the interested person, tenderer, and

contractor. The ECDI also means the end user, i.e. the Defence Forces. The ECDI and the

recipient of information are also jointly referred to as the Parties.

2. Confidential information

2.1. The following information, inter alia, is considered confidential:

2.1.1. the technical specifications and annexes thereto and other technical

documentation with annexes, including the design documentation, which is

provided to the recipient of information;

2.1.2. any other technical information on the object of the procurement provided in any

form (written, oral, reproducible in writing, etc.) or exchanged between the Parties;

2.1.3. questions, clarifications, explanations, opinions and proposals provided regarding

the technical specifications of the procurement or exchanged between the Parties;

2/4

2.1.4. all documents that have been deemed by the ECDI and the Defence Forces as

information intended for confidential or internal use within the meaning of the

Public Information Act and any information the nature of which refers that it must

be seen as confidential information;

2.1.5. confidential information also includes other materials describing the object of the

procurement agreement, personal and security information, computer programs,

codes, algorithms, names and professional descriptions of employees and

consultants, know-how, forms, processes, ideas, strategies, inventions (both

patentable and non-patentable), schemes and other technical, commercial,

financial or product development plans, other information which has been

recognised by law as having a restriction on access and other information the

disclosure of which could harm the interests of the ECDI;

2.1.6. information containing state secrets and classified information of foreign states.

3. The recipient of information undertakes to fulfil the following obligations without a term:

3.1. not to disclose confidential information to any extent or scale, in whole or in part, to any

third party without the prior written consent of the ECDI;

3.2. use confidential information only for the purpose of submitting a tender during the

procurement procedure and for the purpose of performing the agreement in the event of

being awarded the agreement;

3.3. the recipient of information confirms that if their tender is not successful and they are not

awarded the procurement agreement, they will delete all documents transferred by the ECDI

during the procurement procedure from all data media, return the physical data media

received from the ECDI, and ensure that their subcontractors do the same. Upon request, the

recipient of information will provide evidence of the deletion to the ECDI. In the event that

the addressee of the information withdraws from the submission of a tender, it is obliged to

immediately inform the procurement contact person of the ECDI;

3.4. the recipient of information confirms that after the termination of the procurement

agreement, they will delete all documents transferred by the ECDI during the procurement

procedure and the performance of the procurement agreement from all data media and

return the physical data media received from the ECDI, and ensure that their subcontractors

do the same; upon the request of the ECDI, the recipient of information will provide evidence

of this. The ECDI has the right to request proof of deletion;

3.5. the recipient of information confirms that confidential information may only be disclosed

with the written consent of the ECDI to the extent necessary for the purpose of performing

the procurement agreement;

3.6. ensure that the members of its governing bodies as well as the staff and subcontractors

comply with the obligations and rules necessary to fulfill the purpose of these terms and

conditions and establish the necessary measures to that end;

3.7. keep records of to whom and to what extent confidential information has been disclosed and

provide the relevant information to the ECDI upon request;

3.8. when concluding the procurement agreement, comply with all requirements for the

processing and use of confidential information.

4. Security requirements and confidentiality

3/4

4.1. The recipient of information undertakes to comply with the security rules in force in the area

of governance of the Ministry of Defence. In the event of the recipient of information using

subcontractors, such subcontractors must be coordinated with the ECDI in advance in writing

and all the security conditions set out in the terms and conditions will also apply to them.

The recipient of information will be held liable for the compliance of the subcontractor with

the security requirements.

4.2. The recipient of information undertakes to process the information identified as intended for

internal use in accordance with the procedure provided for in the Public Information Act and

its implementing provisions.

4.3. The recipient of information will be prohibited from reproducing or disclosing information

intended for internal use to any third party, including persons who do not have the

appropriate right of access and need to know.

4.4. The recipient of information is obliged, on an ongoing basis, to keep records of the persons

who have access to the restricted materials designated “for internal use” related to the

project and to provide a summary of that information (incl. subcontractors) at the request of

the ECDI.

4.5. The internal work process of the recipient of information and the computer systems used

must prevent access to restricted information (incl. documents designated “for internal use”,

design instructions of the ECDI, protocols, etc.) by persons who are not included in the list.

4.6. All parts of the documents with restricted access (“for internal use”) must be encrypted with

the DigiDoc crypto program or an encryption solution offering equivalent protection before

being sent by email.

4.7. All parts of the documents with restricted access (“for internal use”) must be encrypted with

the DigiDoc crypto program or an encryption solution offering equivalent protection when

saving them on data media (CD, DVD, USB drive, etc.).

4.8. Restricted materials may not be copied to servers beyond the control of the recipient of

information (e.g. Google Drive, DropBox, OneCloud, etc.). Specify, upon the commencement

of cooperation with the ECDI, how the recipient of information is allowed to handle the

restricted materials.

4.9. Persons processing restricted material for the recipient of information must give their

consent to background checks pursuant to section 41 of the Estonian Defence Forces

Organisation Act. Successfully passing the background check is a prerequisite for the

processing of restricted material.

4.10. The recipient of information must keep a record of and check the integrity of the data media

containing restricted material relating to the procurement agreement.

4.11. The recipient of information undertakes to ensure the continuous monitoring of restricted

media.

4.12. At the end of the procurement agreement, all restricted information obtained and created

during the performance of the procurement agreement is returned to the contracting

authority.

4.13. The obligation of the Parties to protect the information applies without a term, unless the

Parties have agreed otherwise.

4.14. The recipient of information is obliged to notify the ECDI without delay of a breach of the

terms and conditions or the suspicion that the information has been disclosed, and to

immediately take all comprehensive measures to mitigate the consequences of the breach

and prevent further damage. The ECDI has the right to file a claim for a contractual penalty

and compensation for damage within two months as of becoming aware of the breach. If the

4/4

circumstances on which the claim is based need to be clarified or investigated, the ECDI may

extend that term by notifying the recipient of information as soon as possible.

5. Liability

5.1. The recipient of information is liable for any breaches of obligations pursuant to these terms

and conditions and legislation.

5.2. For a breach of an obligation provided in the terms and conditions, the recipient of

information undertakes to pay a contractual penalty of up to 5,000 (five thousand) euros per

each individual breach.

5.3. In addition to the contractual penalty, the recipient of information is required to compensate

the ECDI for the damage caused by the breach of the confidentiality obligation to the extent

that the contractual penalty did not cover. Damage caused to third persons by a breach of

the confidentiality obligation, which the ECDI has paid for or must pay for, is also considered

damage.

5.4. The recipient of information is required to pay a contractual penalty and/or compensation

for damage to the ECDI within 28 (twenty-eight) days as of the receipt of the relevant claim.

If the recipient of information delays the payment, a late payment interest of 0.2% per day

will be applied to the claimed amount.

5.5. Compliance with the obligation of confidentiality provided for in the terms and conditions

does not relieve the recipient of information from liability for offences under the law.

6. Govering Law and Dispute Resoution

6.1. This Terms and conditions of confidentiality shall be governed and construed in accordance

with Estonian law.

6.2. All disputes arising in connection with this Terms and conditions of confidentiality which

cannot be amicably settled by the recipient of information and the Estonian Centre for

Defence Investments, shall be resolved under the Estonian law in Estonian Harju County

Court.

7. Entry into force of the terms and conditions

7.1. The terms and conditions enter into force upon signing.

recipient of information

(date, signature)

For and on Behalf of Thales UK Limited

Mr. Kerry Adam Davey

Senior Contracts Manager