Hub Service Agreement

Version v2-2026-05-26 · effective 2026-05-26T00:00:00.000Z

Hub Service Agreement — evchargerhub.lk OCPI hub (v2, 2026-05-26)

This Hub Service Agreement ("Agreement") is between Volt Industrial Company (Pvt) Ltd, a company incorporated in Sri Lanka with its registered office at [Registered address — Colombo, Sri Lanka] (the "Operator"), and the organisation that has registered through the Portal at evchargerhub.lk and has been admitted by the Operator as a connected party (the "Connected Party"). The Operator and the Connected Party are each a "Party" and together the "Parties".

This Agreement governs the OCPI roaming relationship between the Parties and takes effect on the date the Connected Party's application is approved through the Portal. The Terms of Use and the Privacy Policy form part of the contractual framework between the Parties. In the event of a conflict, this Agreement prevails over the Terms of Use; on data-protection matters, the Privacy Policy prevails.

1. Definitions

  • "OCPI" — the Open Charge Point Interface protocol, currently version 2.2.1, as published by the EVRoaming Foundation.
  • "CPO" — Charge Point Operator. "eMSP" — e-Mobility Service Provider. "HUB" — OCPI hub role.
  • "OCPI Identity" — the unique combination of country_code, party_id, and OCPI role assigned to the Connected Party.
  • "Token A" — the registration handshake token issued by the Operator on approval. "Token C" — the long-lived API token created when the Connected Party completes the OCPI /credentials handshake. "Token B" — the token the Operator uses to call the Connected Party.
  • "OCPI Traffic Data" — Tokens, Sessions, CDRs, Locations, Tariffs, and any other OCPI module payloads that flow through the Hub.
  • "Connected Party Data" — OCPI Traffic Data submitted to or routed through the Hub by or for the Connected Party.
  • "Business Day" — a day other than a Saturday, Sunday, or public holiday in Colombo, Sri Lanka.
  • "Applicable Law" — the laws of Sri Lanka and, where relevant to a particular activity, any law of the jurisdiction in which the Connected Party processes personal data of EV drivers (notably, where applicable, the EU General Data Protection Regulation).

2. Hub service

  • The Operator provides an OCPI 2.2.1 roaming hub that acts as a Receiver of Connected Party Data and as a Sender of that data to other Connected Parties on the Hub with a permitted roaming relationship.
  • The Hub implements the OCPI modules listed at /portal/sandbox under the Connected Party's account.
  • The Operator may add, deprecate, or modify modules from time to time. Deprecations of stable modules will be announced at least 90 days in advance.

3. Onboarding & token lifecycle

  • On approval of the Connected Party's application, the Operator issues a Token A.
  • The Connected Party's first call to /credentials on the Hub registers its endpoints and triggers the OCPI handshake. On success, Token A is invalidated and a Token C is issued.
  • Tokens are scoped to the OCPI modules and interface roles granted at approval. The Connected Party must not use a token outside its granted scope. Scope changes require admin approval through the Portal.
  • Either Party may rotate or revoke its tokens at any time. A revoked token takes effect immediately on revocation. The Operator will provide reasonable notice of a planned rotation where practicable.

4. OCPI Identity & data accuracy

  • The Connected Party will use a fixed OCPI Identity. A change of country_code, party_id, or role requires a new application and re-approval by the Operator.
  • The Connected Party will keep its OCPI Traffic Data accurate, current, and complete. In particular, Locations must reflect actual live infrastructure, Tariffs must be the prices the Connected Party will honour, and Sessions and CDRs must be settled in compliance with Applicable Law.
  • Repeated submission of stale, malformed, or misleading data may result in a graded response under §13 (Suspension), up to and including termination.

5. Data protection

  • For all personal data the Connected Party pushes to the Hub (including but not limited to RFID UIDs, contract IDs, Tokens, Sessions, and CDRs), the Connected Party is the data controller and the Operator is a processor acting on the Connected Party's documented instructions. The Operator will process such data only as needed to route, store, and deliver it under this Agreement and the Privacy Policy.
  • For portal account data and onboarding records, the Operator is the controller. See the Privacy Policy.
  • Each Party warrants that it has a lawful basis under Applicable Law to share personal data through the Hub for the purposes contemplated by this Agreement, and has provided any required notice or obtained any required consent from data subjects.
  • The Operator will (a) implement appropriate technical and organisational measures (see §10), (b) ensure that personnel authorised to process Connected Party Data are bound by confidentiality, (c) make available the information necessary to demonstrate compliance with this section, and (d) assist the Connected Party in responding to data subject requests and to regulators, in each case on the Connected Party's request and at the Connected Party's reasonable cost beyond routine handling.
  • For data subjects established in the European Economic Area, on request the Parties will enter into the EU Standard Contractual Clauses (Decision 2021/914) — Module 2 (controller-to-processor) or Module 3 (processor-to-processor) as appropriate — which will, on signature, supersede this section to the extent of any conflict.

6. Sub-processors

  • The Operator's sub-processors are listed in §6 of the Privacy Policy. The Connected Party authorises the use of those sub-processors as at the date of this Agreement.
  • The Operator will notify the Connected Party at least 30 days before adding or replacing a sub-processor that handles Connected Party Data. The Connected Party may object on reasonable data-protection grounds; if the Operator cannot reasonably accommodate the objection, the Connected Party may terminate this Agreement under §17 without further fee or penalty.

7. Subscription model

  • The OCPI subscription model determines which Connected Parties may receive which subsets of Connected Party Data. Default subscriptions follow the OCPI 2.2.1 specification.
  • The Operator will not enable a subscription that exposes the Connected Party's Locations, Tariffs, or other Connected Party Data to a recipient unless that recipient is itself a Connected Party in good standing with a permitted roaming relationship.
  • The Connected Party may instruct the Operator, through the Portal, to disable a subscription. The Operator will action the instruction within one Business Day.

8. Service level (SLA)

  • Availability target: 99.5% of each calendar month, measured at the public OCPI surface and excluding (a) scheduled maintenance announced at least 5 Business Days in advance, (b) emergency maintenance not exceeding 2 hours per month, and (c) outages caused by the Connected Party's systems, its internet service, or a Force Majeure event.
  • Scheduled maintenance window: Sunday 02:00–04:00 Asia/Colombo, when needed.
  • Status page: published at status.evchargerhub.lk (or such other URL as the Operator may publish).
  • Service credits: where the monthly availability falls below 99.5%, the Operator will, on written request from the Connected Party within 30 days of the month-end, credit the Connected Party's account at 5% of that month's fees per full 0.5% point below target, up to a maximum of 50% of that month's fees. Service credits are the Connected Party's sole and exclusive remedy for failure to meet the SLA.

9. Fees & payment

  • During the launch phase, access to the Hub is provided free of charge. The Operator may introduce or change fees, with at least 60 days' prior written notice through the Portal. If the Connected Party objects to a new fee, it may terminate this Agreement under §17 before the fee takes effect.
  • All fees, if introduced, are exclusive of value-added tax, withholding tax, and any other applicable tax. The Connected Party is responsible for any such taxes, except for taxes imposed on the Operator's net income.
  • Invoices are payable within 30 days of issue. Undisputed amounts not paid by the due date accrue interest at the rate prescribed by the Late Payment of Commercial Debts Act of Sri Lanka (or, if no such rate is prescribed, at 1.5% per month), and may form the basis of a suspension under §13.

10. Security obligations

  • Each Party will maintain appropriate technical and organisational measures to protect tokens, credentials, and personal data exchanged through the Hub.
  • Tokens (A, B, C) are bearer credentials. The Connected Party will store tokens only in encrypted form, will not embed them in client-side code, and will not share them outside its own systems.
  • Each Party will notify the other without undue delay, and in any event within 24 hours of becoming aware of (a) an actual or suspected compromise of a token or credential issued for or by the Hub, (b) a personal-data breach involving Hub-mediated data, or (c) any other security event that materially affects the other Party. Notifications go to the addresses in §22. The notifying Party will give the other Party reasonable assistance in containment and downstream notifications.
  • Without prejudice to other remedies, the Operator may immediately revoke a token that it reasonably believes has been compromised.

11. AML, sanctions, anti-bribery

  • Each Party warrants that it complies, and will continue to comply, with all Applicable Laws relating to anti-money-laundering, counter-terrorist financing, anti-bribery, and economic and trade sanctions (including but not limited to the Prevention of Money Laundering Act No. 5 of 2006 of Sri Lanka and the published guidelines of the Financial Intelligence Unit of Sri Lanka).
  • Each Party warrants that it, its directors, and its ultimate beneficial owners are not (a) subject to any UN, EU, UK, or US sanctions, (b) ordinarily resident in or organised under the laws of a comprehensively sanctioned country, or (c) listed on any consolidated sanctions list.
  • Each Party will promptly notify the other if it ceases to be able to give the warranties in this §11. Failure to do so is a material breach and grounds for immediate termination.

12. Confidentiality

  • "Confidential Information" means any non-public information disclosed by one Party to the other in connection with this Agreement, including OCPI Traffic Data, Tariffs, technical roadmaps, security configurations, commercial terms, and incident reports. Confidential Information does not include information that (a) is or becomes public other than through the receiving Party's breach, (b) was already in the receiving Party's lawful possession without confidentiality obligation, (c) is independently developed by the receiving Party without reference to the discloser's information, or (d) is required to be disclosed by law or by a court of competent jurisdiction.
  • Each Party will (a) use Confidential Information only to perform its obligations and exercise its rights under this Agreement, (b) protect it with at least the same care it uses for its own confidential information of similar sensitivity and in any case no less than reasonable care, and (c) disclose it only to its employees, contractors, and professional advisers who need to know and who are bound by equivalent confidentiality obligations.
  • The confidentiality obligation survives termination for a period of 5 years, or indefinitely for trade secrets.

13. Acceptable use & graded suspension

  • The Connected Party must comply with the acceptable-use rules in the Terms of Use and any rate limits or fair-use policies published on the Portal.
  • The Operator may, in proportion to the severity of a breach, (i) issue a written warning, (ii) throttle the Connected Party's API traffic, (iii) suspend the Connected Party's access in whole or in part, or (iv) terminate this Agreement under §17. Where the Operator suspends access, it will state the reason, the affected scope, and the conditions for restoration. The Operator may bypass the graded escalation for emergencies (security incident, sanctions match, statutory directive) and immediately suspend.
  • The Connected Party may dispute a suspension under §19 (Dispute resolution). The Operator will, on request, provide a reasonable summary of the facts relied on, subject to confidentiality and lawful-disclosure constraints.

14. Audit rights

  • The Operator will maintain its information-security and data-protection programme in line with industry good practice. On reasonable notice (at least 30 days) and no more than once per year, the Connected Party may, at its own cost, audit the Operator's compliance with this Agreement, either (a) by reviewing the most recent independent attestation or certification the Operator holds (e.g. SOC 2, ISO/IEC 27001), or (b) where no such attestation covers the matter, by a written questionnaire and, if reasonable cause exists after the questionnaire, an on-site or remote audit at a time that does not unreasonably disrupt the Operator's operations.
  • More frequent or no-notice audits are permitted only where required by a competent authority or a binding ruling on the Connected Party.
  • Audit findings are Confidential Information. The Parties will agree a remediation plan for any material findings within 30 days.

15. Intellectual property

  • The Hub software, the Portal UI, the OCPI hub orchestration logic, the documentation, and all related materials are the Operator's property or its licensors'. Nothing in this Agreement transfers any of those rights to the Connected Party except the limited licence necessary to use the Hub as contemplated by this Agreement.
  • Connected Party Data remains the Connected Party's property. By submitting Connected Party Data, the Connected Party grants the Operator a worldwide, non-exclusive, royalty-free licence to host, store, copy, route, transform, and process that data as necessary to perform under this Agreement and the Privacy Policy.
  • Each Party retains its own pre-existing intellectual property, and neither Party is granted any licence by implication.

16. Warranties & disclaimers

  • Each Party warrants that it has full corporate authority to enter into this Agreement and that doing so does not breach any other binding obligation.
  • The Operator warrants that it will provide the Hub with reasonable skill and care.
  • Except as expressly stated in this Agreement, the Hub is provided "as is" and "as available", and the Operator disclaims all other warranties, express or implied, including merchantability, fitness for a particular purpose, accuracy, completeness, and non-infringement.

17. Liability

  • Neither Party is liable to the other for any indirect, incidental, special, consequential, exemplary, or punitive loss, or for loss of profits, revenue, business, goodwill, anticipated savings, or data (other than the cost of restoration of data from the latest available backup), even if advised of the possibility.
  • The Operator's aggregate liability to the Connected Party arising out of or in connection with this Agreement in any rolling twelve-month period is capped at the greater of (a) the fees paid by the Connected Party under this Agreement in that period, or (b) LKR 1,500,000.
  • The cap and exclusions in this §17 do not apply to: (i) breaches of §11 (AML, sanctions, anti-bribery), (ii) the indemnities in §18, (iii) breaches of §12 (Confidentiality), (iv) infringement of the other Party's intellectual property, (v) wilful misconduct or fraud, or (vi) any liability that cannot be limited or excluded under Applicable Law.

18. Indemnity

  • The Connected Party will defend, indemnify, and hold harmless the Operator and its officers, employees, and agents from and against any third-party claim, loss, liability, damage, fine, penalty, fee, and cost (including reasonable legal fees) arising out of or in connection with: (a) Connected Party Data, including any claim that it infringes a third party's rights or breaches Applicable Law (including data-protection or sanctions law); (b) the Connected Party's breach of §11 (AML, sanctions, anti-bribery) or §5 (Data protection); (c) any unauthorised use of the Connected Party's tokens that arises from the Connected Party's failure to safeguard them; and (d) any liability incurred by the Operator as a result of acting on the Connected Party's instructions.
  • The Operator will defend, indemnify, and hold harmless the Connected Party from and against any third-party claim that the Hub itself (as supplied by the Operator and used in accordance with this Agreement) infringes a third party's intellectual property right enforceable in Sri Lanka, provided that the Connected Party (i) notifies the Operator promptly, (ii) gives the Operator sole control of the defence and settlement, and (iii) provides reasonable assistance at the Operator's cost.
  • The indemnified party will (a) notify the indemnifying party promptly in writing of any claim, (b) not admit liability or settle without the indemnifying party's written consent, and (c) provide reasonable assistance at the indemnifying party's cost.

19. Dispute resolution

  • The Parties will first attempt to resolve any dispute through good-faith discussion between their technical leads, escalating to a senior executive of each Party if not resolved within 10 Business Days.
  • If the dispute is not resolved within 30 Business Days of first escalation, either Party may submit it to the competent courts of Colombo, Sri Lanka, which the Parties accept as having exclusive jurisdiction. The Parties may instead, by mutual written agreement, submit the dispute to arbitration under the Arbitration Act No. 11 of 1995 of Sri Lanka, seated in Colombo, in English, with a sole arbitrator agreed by the Parties or, failing agreement, appointed by the Institute for the Development of Commercial Law and Practice (ICLP).
  • Nothing in this section limits either Party's right to seek interim or injunctive relief from any court of competent jurisdiction to protect intellectual property, Confidential Information, or to prevent imminent unlawful conduct.

20. Governing law

This Agreement is governed by the laws of the Democratic Socialist Republic of Sri Lanka, without regard to its conflict-of-laws rules. The United Nations Convention on Contracts for the International Sale of Goods (Vienna 1980) does not apply.

21. Force majeure

Neither Party is liable for delay or failure to perform any obligation under this Agreement (other than an obligation to pay money already due) to the extent caused by a Force Majeure Event, meaning an event beyond the affected Party's reasonable control, including natural disasters, fire, flood, war, civil unrest, government action, public-health emergencies, internet-backbone or undersea-cable outages, prolonged grid power failures, and labour disputes not involving the affected Party's own workforce. The affected Party will notify the other promptly, take reasonable steps to mitigate, and resume performance as soon as practicable. If a Force Majeure Event continues for more than 60 consecutive days, either Party may terminate this Agreement on written notice.

22. Term & termination

  • This Agreement starts on application approval and continues until terminated under this section.
  • Either Party may terminate for convenience on 30 days' written notice.
  • Either Party may terminate immediately on written notice if the other Party (a) commits a material breach that it does not cure within 30 days of being notified of it, or that is incapable of being cured, (b) becomes insolvent, files for or has filed against it bankruptcy or winding-up proceedings that are not dismissed within 60 days, or (c) ceases to comply with §11 (AML, sanctions, anti-bribery).
  • The Operator may suspend or terminate immediately where required to do so by Applicable Law or by a directive of a competent authority.
  • On termination, (i) the Operator will revoke the Connected Party's tokens, (ii) each Party will return or destroy the other Party's Confidential Information (subject to any record-keeping required by Applicable Law), and (iii) the Operator will retain the Connected Party's data for the periods set out in §8 of the Privacy Policy.
  • Sections that by their nature should survive termination (§5 Data protection — to the extent of residual processing, §10 Security, §11 AML, §12 Confidentiality, §15 IP, §17 Liability, §18 Indemnity, §19 Dispute resolution, §20 Governing law, and this §22) survive.

23. Change of control

If a Party undergoes a change of control (becoming controlled by, or commonly controlled with, an entity that was not its affiliate at the date of this Agreement), it will notify the other Party in writing within 10 Business Days. The other Party may, within 30 days of that notice, terminate this Agreement on written notice if the new controller is a direct competitor or is subject to sanctions.

24. Notices

  • Notices under this Agreement must be in writing and sent to (a) for the Operator: legal@evchargerhub.lk with a copy to the registered office above, (b) for the Connected Party: the work email address on its portal account and its registered office on the application.
  • A notice sent by email is deemed received on the next Business Day after sending, provided no failed-delivery message is received. A notice sent by registered post is deemed received 5 Business Days after dispatch.

25. Variations

  • This Agreement may be amended only in writing. An update published through the Portal, with at least 30 days' notice to active Connected Parties, is treated as a written amendment to which the Connected Party agrees by continuing to use the Hub after the effective date.
  • Variations to commercial terms (fees, scope grants, individual SLAs) for a specific Connected Party may be agreed by exchange of emails between the Parties' designated commercial contacts.

26. Assignment

  • The Connected Party may not assign or sub-contract this Agreement or any rights under it without the Operator's prior written consent (not unreasonably withheld).
  • The Operator may assign this Agreement to an affiliate or to a successor in connection with a merger, acquisition, restructuring, or sale of the Hub business, on notice to the Connected Party.

27. General

  • Severability. If any provision of this Agreement is held to be invalid or unenforceable, the rest remains in effect, and the invalid provision will be modified to the minimum extent necessary to make it enforceable while preserving its commercial intent.
  • No waiver. A failure to enforce a provision is not a waiver of the right to do so later.
  • Independent parties. Nothing in this Agreement creates a partnership, joint venture, employment, or agency relationship between the Parties. Neither Party may make representations or commitments on behalf of the other.
  • Third parties. This Agreement does not create rights enforceable by anyone other than the Parties.
  • Counterparts & electronic signing. This Agreement may be executed by click-through acceptance in the Portal, by digital signature, or by exchange of signed counterparts. The Parties acknowledge that electronic signature constitutes a valid signature under the Electronic Transactions Act No. 19 of 2006 of Sri Lanka.
  • Governing language. The English version of this Agreement is the controlling text. Any translation is for convenience only.
  • Entire agreement. This Agreement, together with the Terms of Use and the Privacy Policy, sets out the entire agreement between the Parties concerning the Hub and supersedes any prior arrangement on the same subject matter.