August 2024

Main Services Agreement

For the Licensing of Software,
Provision of Subscription (SAAS) Services,
and Professional Services

This Main Services Agreement (“Agreement”) is entered into as of the date of last signature (“Agreement Effective Date”) on an Order Form between Provider and its Affiliates and Customer and its Affiliates, each identified in the Order Form signature block. Provider and Customer may be referred to collectively herein as the “Parties” or individually as a “Party.”
For and in consideration of the representations and promises of the parties set forth herein, and other good and valuable consideration the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. DEFINITIONS.

“Account” means any accounts or instances created by or on behalf of Customer within the Services.

“Affiliate(s)” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.

“API” means the application programming interfaces developed, made available, and enabled by Provider that permit Customers to access certain functionality provided by the Services, including without limitation, any interface that enables the interaction with the Service(s) automatically through HTTP requests and the Provider application development API that enables the integration of the Service(s) with other web applications.

“Applicable Data Protection Law(s)” means the laws and regulations of the United States (including the California Privacy Rights Act (the “CPRA”)), the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom (including the General Data Protection Regulation or GDPR and any applicable national laws made under it where Customer is established in the European Economic Area), the Swiss Federal Act of 19 June 1992 on Data Protection, and the Brazilian General Data Protection Law (LGPD), all as may be amended or superseded.

“Applicable Law(s)” means all applicable local, state, federal, and international laws, rules, and regulations, including, without limitation, those related to data privacy and data transfer.

“Authorized User” means Customer’s employees, consultants, Contractors, and agents (i) who are authorized by Customer to access the Services on behalf of Customer under the rights granted to Customer pursuant to this Agreement and (ii) in the case of SaaS Services, for whom a unique user name and password to access the Services has been provisioned per the terms and conditions of this Agreement. Where Customer has purchased the right to white label the Licensed Software or SaaS Services and allow Customer’s customer(s) to access the same, “Authorized User” shall include Customer’s customer(s) for whom Customer has purchased Users as specified on the Order Form.

“Confidential Information” means all information disclosed by one Party to the other Party that is marked confidential or which a reasonable person would understand to be confidential or proprietary given the nature of the information and circumstances of disclosure and includes, without limitation: any non-public information regarding Provider’s or Customer’s business, products and services (including, without limitation, the discovery, invention, research, improvement, development, marketing or sale thereof as well as templates, scorecards, modules, coaching cards, rubrics and the like), pricing, financial data, models and information, business and marketing plans, customer information, business opportunities, plans for development of future products, unreleased versions of products, know-how, technology, the Services, the Software, and the API. Notwithstanding the foregoing, Confidential Information shall not include information that: (a) was already known to the receiving Party at the time of disclosure by the disclosing Party without an obligation of confidentiality; (b) was or is obtained by the receiving Party from a third party not known by the receiving Party to be under an obligation of confidentiality with respect to such information; (c) is or becomes generally available to the public other than by violation of this Agreement or another valid agreement between the Parties; or (d) was or is independently developed by the receiving Party without use of the disclosing Party’s Confidential Information.

“Contractor” means an independent contractor or consultant of a Party.

“Customer Data” means all content and data, including without limitation any Personal Data, technical material, customer records, or other materials submitted by or on behalf of Customer and which remains in Provider’s possession and control for further processing. “Customer Data” does not include Feedback.

“Customer Environment” means the computing environment (excluding any software provided by Provider) separately procured, prepared or maintained by Customer for the access and use of the products and Services.

“Defect” means a material non-conformance within the Warranty period that Provider can replicate or Customer can duplicate to Provider.

“Derivative Works” means a revision, enhancement, modification, translation, abridgment, condensation or expansion of any Provider IP.

“Documentation” means any written or electronic documentation, images, video, text, or sounds specifying the functionalities of the Services provided or made available by Provider to Customer or Users through the Site.

“DPA” means the Data Processing Agreement incorporated at Section 7(c) of this Agreement.

“Effective Date” means the effective date designated on the relevant Order referencing this Agreement.

“Error” means a failure of the products or services provided by Provider to substantially conform to the Documentation that Provider can replicate or Customer can duplicate.

“Error Correction” means revisions, modifications, alterations, and additions to the products or services provided by Provider to Customer as bug fixes or workarounds, each to resolve Errors.

“Fees” means each of the License Fees, Professional Services Fees, Subscription Fees, support fees, hosting fees, and any other fees specified in the Order Form.

“Hosted Environment” means Provider or its third party’s technical environment required to operate and provide access to the relevant Provider service.

“Hosting Services” means the services that the Provider provides to Customer to allow Authorized Users to access and use the Software, including hosting set-up and ongoing services, as described in the Documentation.

“Intellectual Property Rights” means any and all respective patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights.

“License Fees” means the fees payable to license the Licensed Software.

“License Metrics” means the permitted volume of use of each of the software, maintenance and/or support services as designated, as defined in the applicable Order.

“Licensed Software” means the software product(s) licensed to the Customer and installed either on the Customer’s premises or equipment or in a hosted environment, in each case as specified in the applicable Order.

“License Term” means the duration of the license use granted by the Provider to the Customer commencing on the date specified in the Order Form and, in the case of non-perpetual licenses, continuing thereafter in accordance with Section 12(a).

“Order Form” or “Order” means the order form incorporating this Agreement specifying the products and services to be provided by Provider to Customer and the Fees to be paid.

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’), where such data subject is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person and any other data which any Applicable Data Protection Law(s) identify as being personal data.

“Professional Services” means installation, configuration, implementation, training, consulting, project management, and/or other services that the Provider may provide to the Customer.

“Professional Services Fees” means the fees payable for the Professional Services.

“Provider IP” means the Services, the catalog, the catalog data, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Provider IP includes any information, data, or other content derived from Provider’s monitoring of Customer’s access to or use of the Services, including any use by Customer of the catalog data, but does not include Customer Data.

“SaaS” means Software-as-a-Service offerings, as generally known in the industry.

“Security Breach” means the unlawful destruction, loss, alteration, disclosure of, or access to Confidential Information caused by Provider’s breach of its confidentiality obligations set forth in Section 7(a).

“Service(s)” means any products, subscriptions, licenses, and/or services, that Customer orders via an Order referencing this Agreement, including, as applicable, the API, SaaS, Software, Documentation, and Professional Services but specifically excludes Third-Party Services.

“Software” means software provided by the Provider either by download or access through the internet that allows a User to use any functionality in connection with the Services.

“Statement of Work” means any statement of work executed or approved by each Party identifying those Professional Services to be provided by the Provider.

“Subscription Fees” means the fees charged on a per-User basis for the Service(s).

“Subscription Services” means the SaaS or subscription services provided by Provider to Customer under this Agreement via the website specified in the Order Form or any other website notified to Customer by Provider from time to time, as more particularly described in the Documentation.

“Subscription Term” means the period during which Customer has agreed to subscribe to a Service with respect to any individual User starting on the Effective Date and continuing thereafter in accordance with Section 12.

“Support Services” means the maintenance and/or support services (a) provided for Licensed Software offered by the Provider as set out in Section 5 and purchased by the Customer as specified in an Order Form or (b) included with the Subscription Services as more particularly detailed in Section 5(c).

“Term” means the License Term and/or the Subscription Term, as the context requires.

“Third-Party Services” means third party products, applications, services, software, networks, systems, directories, websites, databases and information to which a Service links, or which Customer may connect to or enable in conjunction with a Service, including, without limitation, Third-Party Services which may be integrated directly into Customer’s Account by Customer or at Customer’s direction.

“Updates” means periodic improvements or additions to the Licensed Software or Services provided by Provider, including Error Corrections, but excluding any new features or substantial additional functionality.

“User” means an individual authorized to use the Licensed Software and/or the Service(s) through the Customer’s Account as an agent, manager, team leader, administrator or any other role as identified through a unique login.

“Version” means the software configuration identified by a numeric representation, whether left or right of a decimal place.

“Website” means www.revalizesoftware.com or such other URL, mobile or localized versions thereof owned or operated by Provider as provided in the Order Form.

“White Label” means to present the Licensed Software or Services under the Customer’s own brand, conditional on prominently displaying the phrase “powered by Revalize” on each page of the Licensed Software.

2. SOFTWARE LICENSES AND SUBSCRIPTIONS.

(a) Licensed Software. In consideration of the License Fees paid by Customer to Provider, Provider grants to the Customer a non-exclusive, non-transferable, revocable, non-assignable personal license to use the then current version of Licensed Software for the License Term. The License is limited to License Metrics specified in the Order Form. The Licensed Software shall be used solely for Customer’s internal business purposes except where the right to White Label the Licensed Software has been purchased, in which case the Customer may grant access to Authorized Users employed by customers of the Customer provided that the number of Users does not exceed that specified on the Order Form. Licensed Software may be installed either in Customer’s own on-premise environment or may be hosted by or on behalf of Provider, as specified in the Order Form. Where Customer chooses the Licensed Software to be delivered in a Hosted Environment, Customer will purchase Hosting Services from Provider.
 
(b) Subscription Services. In consideration of the Subscription Fees paid by Customer to Provider, Provider grants to Customer a non-exclusive, non-transferable, revocable, non-assignable, personal right to access and use the Subscription Services specified in the Order Form through internet access, up to the number of Users specified on the Order Form. The Subscription Services shall be used solely for Customer’s internal business purposes, except where the right to White Label the Services has been purchased, in which case the Customer may include employees of Customer’s customers as Authorized Users of the Services, provided that the number of Users accessing the Subscription Services does not exceed the number specified on the Order Form.
 
(c) Authorized Users. Provider will issue Authorized Users with passwords and network links or connections to allow access to the Licensed Software and/or Subscription Services. The total number of Authorized Users will not exceed the number set forth in the Order Form, except as expressly agreed to in writing by the Parties and subject to any appropriate adjustment of the Fees payable hereunder. Customer acknowledges that Authorized User credentials cannot be shared or used by more than one Authorized User and that no User credential sharing is allowed, but may be reassigned to new Authorized Users replacing former Authorized Users who no longer require use of or access to the Licensed Software or Subscription Services.
 
(d) Modifications. Provider reserves the right, at its discretion, to modify, add, or discontinue any Licensed Software or Subscription Services or any portion thereof, at any time, for any reason and without liability to Customer except as provided in this Section 2(d). Further, Customer acknowledges that Provider may modify the features and functionality of the Licensed Software and Subscription Services during the Term. Provider shall use reasonable efforts to provide Customer with advance notice of any deprecation of any material feature or functionality. In the event any such modification materially impairs Customer’s ability to use the Licensed Software or Subscription Services in the manner contemplated by this Agreement, Customer may terminate the Agreement upon written notice to Provider and Provider shall refund Customer, on a pro-rated basis, any pre-paid Fees corresponding to the unused portion of the applicable Services after such termination.
 
(e) Monitoring. Customer acknowledges that Provider reserves the right, at any time and without notice, to monitor compliance with the terms of this Agreement and to otherwise protect its rights in and to the Licensed Software and Subscription Services by incorporating license management technology into the Licensed Software and Subscription Services and monitoring usage, including, without limitation, time, date, internet protocol address, access or other controls, counters, serial numbers and/or other security devices.
 
(f) Use Restrictions. Customer shall require that its Authorized Users comply with all relevant terms of this Agreement and any failure or failures to comply with this Agreement by any Authorized User will constitute a breach by Customer. Customer shall not use the Licensed Software or Subscription Services for any purposes beyond the scope of the license or access right granted in this Agreement. Save that nothing in this Agreement excludes rights afforded by Sections 50A, 50B and 50C of CDPA, Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users or third party to: 
(i) copy, modify, or create derivative works of the Licensed Software or Subscription Services, in whole or in part in any manner or allow the Customer or any third party the ability to reverse engineer or utilize the Licensed Software or Subscription Services; 
(ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Licensed Software or Subscription Services; 
(iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Licensed Software or Subscription Services, in whole or in part; 
(iv) remove any proprietary notices from the Licensed Software or Subscription Services (except in compliance with Customer’s right (if such has been purchased from Provider) to White Label the Licensed Software or Subscription Services); 
(v) permit any third party to access or use the Licensed Software or Subscription Services other than an Authorized User; 
(vi) use the Licensed Software or Subscription Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any Applicable Law; or
(vii) use any Licensed Software or Subscription Services, or allow the transfer, transmission, export, or re-export of the Licensed Software or Subscription Services or portion thereof, in violation of any Applicable Law or regulation, including any export control laws or regulations administered by the U.S. Commerce Department or any other national or international government or government agency.
 
(g) Reservation of Rights. Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP. Without limiting the foregoing, Provider and its licensors retain all right, title, and interest in the Licensed Software and Subscription Services, all copies and derivatives, modifications, and improvements thereof, and all proprietary rights in the Licensed Software and Subscription Services, including copyrights, patents, trademarks, and trade secret rights.
 
(h) Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may, in its sole discretion, suspend Customer’s and any Authorized User’s access to any portion or all of the Licensed Software and/or Subscription Services if: 
(i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP; (B) Customer’s or any Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer, or any Authorized User, is using the Provider IP for fraudulent or illegal activities; (D) subject to Applicable Law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or is unable to pay its debts when they fall due or admits an inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986, or becomes the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; (E) Provider’s provision of the Licensed Software and/or Services to Customer or any Authorized User is prohibited by Applicable Law or such suspension is necessary to comply with any law, regulation, court order, or other governmental request or to otherwise protect Provider from potential legal liability; or (F) a user of the Provider IP is suspected to not be an Authorized User or if an Authorized User has shared credentials or allowed access to the system by a non-Authorized User; 
(ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any Third-Party Services or products required to enable Customer to access the Licensed Software and/or Subscription Services; or 
(iii) in accordance with Section 5(c)(iii) (any such suspension described in Subsection (i), (ii), or (iii), a “Service Suspension”). Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Licensed Software and/or Subscription Services (as applicable) following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Licensed Software and/or Subscription Services (as applicable) as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.
 
(i) Use of Non-Identifiable Aggregated Data. Provider has the right to collect and use anonymized generic information derived from Customer Data (not to include Personal Data) processed by the Licensed Software and/or Services or to aggregate it with anonymized generic information from other customers (“Non-Identifiable Aggregated Data”) for Provider’s reasonable business purposes, including without limitation for analyzing customer needs and improving the Licensed Software and Subscription Services. Customer agrees that Provider may (i) make Non-Identifiable Aggregated Data publicly available in compliance with Applicable Law, and (ii) use Non-Identifiable Aggregated Data to the extent and in the manner permitted under Applicable Law.
 
(j) Third-Party Services. Customer acknowledges that the Services may contain software licensed to Provider from third parties (“Third-Party Software”) and that the Third-Party Software is not owned by Provider, and may be subject to additional restrictions imposed by the Third-Party Software licensor. Customer agrees to abide by such additional restrictions.

3. PROFESSIONAL SERVICES.

Customer may order any Professional Services from Provider for an additional fee determined by the applicable Order and/or Statement of Work. Subject to the payment of all applicable fees for such Professional Services, Provider will deliver such Services in accordance with the terms and conditions of this Agreement as well as the applicable Order and/or Statement of Work. With respect to any installation, configuration, integration, project management, and other services by and between a Customer Environment and the products and services provided by Provider hereunder, Provider agrees to perform those services to the extent specified in an Order and/or Statement of Work. Customer must provide all necessary information, access, workspace, computing resources, and other services and support materials as reasonably required by the Provider to perform its duties in a timely manner.

Customer-specific delays which prevent the Provider from fulfilling its obligations under a Statement of Work will impact the delivery timeline. Examples of typical sources of Customer-specific delays include but are not limited to: unavailability (for any reason) of Customer personnel scheduled to work with Provider; changes in priorities for Customer projects; delays in content delivery; delays in making available the appropriate environments (such as development, staging, or production environments needed by the project); or unavailability of required software resources. Delays in receiving information, resources, or decisions from the Customer could impact Provider’s ability to deliver per the project schedule and timelines may need to be adjusted. All Professional Services provided on a time and material basis are per person unless otherwise specified, and charged hourly or daily as indicated in the applicable Order and/or Statement of Work. Customer may request changes or additions to the Professional Services being provided hereunder by making a written request to the Provider. If the Provider deems the changes feasible, Provider will provide a quote for any increase or decrease in the cost or time required for the performance of the Professional Services, as amended. Once the parties agree to the modified scope and related Professional Services Fees, the parties will enter into an Order and/or Statement of Work reflecting the changes. Provider shall not be obligated to perform any revised or additional Professional Services unless and until an Order and/or Statement of Work is executed by both parties.

4. CUSTOMER RESPONSIBILITIES.

(a) System and Equipment. Customer and Authorized Users are solely responsible for (i) obtaining, deploying, and maintaining all hardware, software, modems, routers, telecommunication or Internet connections, and other communications equipment required for Customer and its Authorized Users to access and use the Licensed Software and Subscription Services; and (ii) paying all third-party fees and access charges incurred in connection with the foregoing. Except as specifically set forth in this Agreement, an Order Form, or Statement of Work, Provider shall not be responsible for supplying any hardware, software, or other equipment to Customer or Authorized Users under this Agreement. Customer will be responsible for all timely payments despite any delays caused by its failure to timely obtain any necessary Customer equipment.

 

(b) Access and Use. Customer is responsible and liable for all uses of the Licensed Software and Subscription Services resulting from access provided by Customer or provided to parties at Customer’s direction, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Licensed Software and Subscription Services (as applicable) and shall cause Authorized Users to comply with such provisions.

 

(c) General. Customer represents and warrants that Customer has all necessary rights, title, and permissions for Customer and Provider to access, collect, share, and use Customer Data as contemplated by this Agreement and that Customer Data will not violate or infringe (i) any intellectual property, publicity, privacy or other rights, or (ii) any Applicable Laws. Customer acknowledges and agrees that Customer shall not submit to or process via the Services any Sensitive Personal Data. Customer is solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data. Customer shall comply with all Applicable Laws, rules, and regulations in using the Licensed Software and Subscription Services (as applicable).

5. SUPPORT AND MAINTENANCE.

(a) Licensed Software: To the extent specified and during the current Term of the Order (the “Support Period”), Provider will provide Support Services for the then-current Version of the Licensed Software for one (1) year after Provider has released a new Version (“End of Service” or “EOS”) (not including add-on licenses for existing installations of the previous Versions) and in accordance with Provider’s Support Services policy located at https://revalizesoftware.com/legal/customer-support-policy/ as may be updated from time to time without notice to the Customer. The EOS period commences when Provider announces that the next Version of the Licensed Software is generally available. Support Services may include, but are not limited to basic technical support, bug fixes, and Updates to Licensed Software as delivered to the Customer at the time of provisioning, without modification. Following the initial Support Period, the Support Services will automatically renew annually for successive one-year terms unless Customer gives Provider written notice at least ninety (90) days prior to the end of the then-current Support Period. If Customer terminates Support Services for Licensed Software, Customer acknowledges and agrees that in addition to not receiving Support Services, Customer shall no longer have access to the support portal, communications, customer support team, or the self-service knowledge base. If Customer terminates Support Services, but later desires to reinstate Support Services, Customer and Provider will mutually agree upon the cost of those reinstated Support Services, which may include, in Provider’s sole discretion, a reinstatement fee or the purchase and installation of the then-current Version of the Licensed Software. Provider may terminate Support Services on no less than thirty (30) days prior written notice to Customer. 
If Provider terminates Support Services, Provider will provide Customer with a refund of any fees prepaid for Support Services that are terminated. Notwithstanding Provider’s support obligations hereunder, Provider will have no responsibility or liability of any kind arising or resulting from Customer’s failure to (i) correctly install Updates or other modifications to the Licensed Software; or (ii) prepare a computing environment that meets the specified Customer Environment prior to the Licensed Software installation or to maintain such Customer Environment and Licensed Software thereafter.

 

(b) Updates and Upgrades. Provider may update or enhance the Licensed Software and/or Subscription Services from time to time. Unless otherwise specified in an applicable Order Form, Provider will include in the Licensed Software or Subscription Services (as applicable) any such Updates or enhancements that Provider generally makes available in the ordinary course to all of its customers of such Licensed Software or Subscription Services (as applicable); provided, however, that nothing in this Agreement will obligate Provider to provide Licensed Software or Subscription Services that include any upgrades (i.e., revisions to the Licensed Software or Subscription Services that include new features or substantial increases in functionality) at no additional cost. All Updates, upgrades, or other modified or updated versions of the Licensed Software and Subscription Services provided to Customer are subject to the terms of this Agreement.

 

(c) Subscription Services: During the Subscription Term and subject to payment of all applicable Fees hereunder, Provider shall provide support for the Subscription Services in accordance with the terms and conditions of this Section and Provider’s Support Services policy located at https://revalizesoftware.com/legal/customer-support-policy/ as may be updated from time to time without notice to Customer.
i. Maintaining the components of the Hosted Environment that the Provider deems necessary for the Services. Provider will use commercially reasonable efforts to implement any Error Corrections. Customer’s Authorized Users will have access to Provider’s support personnel through Provider’s support portal and responses to support requests will be provided during the support hours applicable to the specified Services purchased by Customer.
ii. With respect to any on-premise components, the Customer shall be responsible for the installation and configuration in the Customer Environment. Provider shall provide technical support for on-premise components through Provider’s support portal and responses to support requests will be provided during the support hours applicable to the specified Services purchased by Customer.
iii. Management of Services: In addition to any other rights Provider has under this Agreement, Provider reserves the right, in Provider’s sole discretion, to temporarily suspend Customer’s access to and use of any of the Services: (a) during planned downtime for upgrades and maintenance to such Service(s) (of which Provider will notify Customer as soon as reasonably practicable through our forum page and/or through a notice to Customer’s Account owner and Users) (“Planned Downtime”); or (b) during any unavailability caused by Force Majeure Events. The Provider will use commercially reasonable efforts to schedule Planned Downtime for weekends and other off-peak hours.

 

(d) Additional Services. If Customer desires Provider to install any Updates or upgrades, configure any Updates or upgrades, or configure any Updates or upgrades to any integrations or Licensed Software that were specifically configured by the Customer or at the Customer’s request, or exceeds the scope of Support Services specified in the Support Services policy, Provider may charge Customer for such services at Provider’s then-current hourly rates. Additionally, requests for changes to the Support Services by Customer that do not fall under Support Services, will be forwarded to the Professional Services team. Customer and Provider will agree, in writing (either, via an Order, Statement of Work, email, or through the approved ticketing system), to the estimated level of effort and fees required for Customer’s requests. All work will be completed on a time and materials basis at Provider’s current hourly rates unless stated otherwise in a Statement of Work.

6. FEES AND PAYMENT.

(a) Payment and Billing. Unless otherwise indicated on an Order referencing these terms, all Fees will be invoiced in full up front at the time of commencement of the applicable Service(s) and are non-refundable. Unless otherwise indicated in the Order, Customer shall pay all undisputed invoices within 30 days of Customer’s receipt of each invoice without set-off, counterclaim or deduction. Customer is responsible for providing valid and current payment information and Customer agrees to promptly update Customer’s Account information, including payment information, with any changes that may occur (for example, a change in Customer’s billing address or credit card expiration date).
 
(b) Additional Users. If Customer chooses to increase or exceeds the number of Users authorized to access and use the Licensed Software during the License Term or Subscription Services during Customer’s Subscription Term, Customer shall pay Provider the applicable Fees for each such additional User at Provider’s then-current list prices.

 

(c) No Refunds or Credits. Except as otherwise expressly set forth herein, no refunds or credits for Fees or other charges or payments will be provided to Customer if Customer terminates its License subscription to the Services or cancels Customer’s Account in accordance with this Agreement prior to the end of Customer’s then-effective License Term or Subscription Term.

 

(d) Payments. Customer shall make all payments hereunder in US dollars, unless stated otherwise in the Order Form, on or before the due date. If Customer fails to make any payment when due, without limiting Provider’s other rights and remedies: (i) Provider may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Provider for all reasonable costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for seven (7) days or more Provider may suspend Customer’s and its Authorized Users’ access to any portion or all of the Licensed Software and/or Subscription Services until such amounts are paid in full.

 

(e) Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Provider’s income.

 

(f) Auditing Rights and Required Records. Customer agrees to maintain complete and accurate records of Customer’s use during the Term of this Agreement and for a period of one year after the termination or expiration of this Agreement with respect to matters necessary for accurately determining amounts due hereunder. Provider may, at its own expense, on reasonable prior notice, annually inspect and audit Customer’s records with respect to matters covered by this Agreement, provided that if such inspection and audit reveal that Customer has underpaid Provider with respect to any amounts due and payable during the License Term or Subscription Term, Customer shall promptly pay the amounts necessary to rectify such underpayment, together with interest in accordance with Section 6. Customer shall pay for the costs of the audit if the audit determines that the Customer’s underpayment equals or exceeds ten percent (10%) for any year. Such inspection and auditing rights will extend throughout the Term of this Agreement and for a period of one year after the termination or expiration of this Agreement.

7. CONFIDENTIAL INFORMATION AND PERSONAL DATA.

(a) Protection of Confidential Information. With respect to any Confidential Information disclosed under this Agreement by the disclosing Party, the receiving Party will treat such Confidential Information as confidential and will handle it using at least the same procedures and degree of care which it uses to prevent the misuse and disclosure of its own confidential information of like importance, but in no event less than reasonable care. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder and subject to confidentiality and nonuse obligations at least as protective of the disclosing Party as those set forth in this Agreement (in which case the receiving Party will remain responsible for any noncompliance by such employees or other individuals or entities). Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required 
(i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or 
(ii) to establish a Party’s rights under this Agreement, including to make required court filings. On the expiration or termination of this Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.

 

(b) Protection of Customer Data. Without limiting the foregoing and subject to the provisions of Schedule 1 in relation to Personal Data, to the extent Provider is in possession of Customer Data, Provider will use commercially reasonable efforts to protect Customer Data through use of administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data consistent with prevailing industry practices. Provider will not (i) modify Customer Data, (ii) disclose Customer Data except as compelled by law in accordance with Section 7(a) or as expressly permitted in writing by Customer or otherwise under this Agreement, or (iii) access Customer Data except to provide the Services under or in connection with the prevention of or to address service or technical problems, improve the functionality of Services, to generate Non-Identifiable Aggregated Data, or at Customer request in connection with customer support matters.

 

(c) Personal Data. To the extent Customer is Controller and Provider is Processor (as those terms are defined in Schedule 1 (“DPA”)) the provisions of the DPA (which is hereby incorporated into this Agreement) shall govern the Parties’ respective rights and obligations relating to Personal Data.

8. INTELLECTUAL PROPERTY OWNERSHIP; FEEDBACK.

(a) Provider IP. Customer acknowledges that, as between Customer and Provider, Provider owns all right, title, and interest, including all intellectual property rights, in and to the Provider IP, Non-Identifiable Aggregated Data and Provider’s Confidential Information. For purposes of this Agreement, all Provider IP shall be deemed to be Confidential Information of Provider. Provider shall be the owner of any and all right, title, and interest (including without limitation, all Provider IP) in, of and to any Derivative Works.

 

(b) Customer Data. Provider acknowledges that, as between Provider and Customer, Customer owns all right, title, and interest, including all intellectual property rights, in and to the Customer Data and Customer’s Confidential Information. Customer hereby grants to Provider a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Provider to provide the Services to Customer, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data incorporated within the Non-Identifiable Aggregated Data for any purpose, including benchmarking.

 

(c) Feedback. If Customer, its Authorized Users, or any of its other employees or Contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features, corrections, modifications or functionality relating thereto, or any comments, questions, suggestions, or the like (collectively, “Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer hereby assigns to Provider, on Customer’s behalf, and on behalf of its Authorized Users and its other employees, Contractors and/or agents, all right, title, and interest in, and Provider is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Provider is not required to use any Feedback.

 

(d) Further Assurances. To the extent any of the rights, title, and interest in and to Feedback or intellectual property rights therein cannot be assigned by Customer to Provider, Customer hereby grants to Provider an exclusive, royalty-free, transferable, irrevocable, worldwide, fully paid-up license (with rights to sublicense through multiple tiers of sublicensees) to fully use, practice and exploit those non-assignable rights, title, and interest. If the foregoing assignment and license are not enforceable, Customer agrees to waive and never assert against Provider those non-assignable and non-licensable rights, title, and interest. Customer agrees to execute any documents or take any actions as may reasonably be necessary, or as Provider may reasonably request, to perfect ownership of the Feedback. If Customer is unable or unwilling to execute any such document or take any such action, Provider may execute such document and take such action on Customer’s behalf as Customer’s agent and attorney-in-fact. The foregoing appointment is deemed a power coupled with an interest and is irrevocable.

 

(e) Customer Trademark License. Customer hereby grants to Provider a non-exclusive, worldwide, non-transferable, royalty-free license to use, reproduce and display Customer’s name, logo and trademarks (collectively, the “Customer Marks”) as necessary for Provider to fulfill its obligations under this Agreement. Provider will comply with Customer’s trademark usage guidelines as Customer provides to Provider in writing from time to time.

9. WARRANTY; DISCLAIMER.

(a) Limited Performance Warranty.
i.  Licensed Software. Provider warrants to Customer that during the Warranty Period of ninety (90) days after its initial delivery, the Licensed Software shall operate substantially in accordance with the Documentation. Customer’s exclusive remedy for a breach of the foregoing shall be for Provider to use commercially reasonable efforts to either correct any verifiable material non-conformity or to replace the materially non-conforming Licensed Software; provided, however, if Provider cannot provide either remedy, upon receipt of the materially non-conforming Licensed Software, Provider shall refund Customer the License Fee paid to Provider for same. Customer’s remedy is conditional on Customer providing Provider with written notice that includes a reasonably detailed explanation of the Defect within the Warranty Period. THE FOREGOING SETS FORTH THE PROVIDER’S SOLE AND EXCLUSIVE REMEDY FOR ANY DEFECTIVE LICENSED SOFTWARE.
ii. Subscription Services. Provider warrants to Customer that during any Subscription Term, the Subscription Services will perform substantially in accordance with the Documentation. Customer’s exclusive remedy for a breach of the foregoing shall be for Provider to use commercially reasonable efforts to either correct any verifiable Errors; provided, in the event Provider is unable to correct that non-conformity, Customer shall have the right to terminate the remaining Subscription Term and receive a pro-rata refund of any remaining pre-paid Subscription Fees paid to Provider for those defective Services. Customer’s remedy is conditional on Customer providing Provider with written notice that includes a reasonably detailed explanation of the Defect within the Subscription Term. THE FOREGOING SETS FORTH THE PROVIDER’S SOLE AND EXCLUSIVE REMEDY FOR ANY DEFECTIVE SUBSCRIPTION SERVICES.
iii.    Professional Services. Provider warrants to Customer that the Professional Services will be performed in a reliable and professional manner by personnel with appropriate skills, qualifications and experience and in accordance with applicable law and regulations (save for cybersecurity law and regulations including but not limited to the Network and Information Systems Regulations 2018 (SI 506/2018)).
 
(b) Customer agrees that its purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written public comments made by Provider regarding any future functionality or features.
 
(c) Disclaimer. EXCEPT FOR THE WARRANTIES SET FORTH IN THIS SECTION 9, THE LICENSED SOFTWARE, SUBSCRIPTION SERVICES, PROVIDER IP, PROFESSIONAL SERVICES AND SUPPORT SERVICES ARE PROVIDED “AS IS”. CUSTOMER’S USE OF THE LICENSED SOFTWARE, SUBSCRIPTION SERVICES, PROVIDER IP, PROFESSIONAL SERVICES, AND SUPPORT SERVICES IS AT ITS OWN RISK. PROVIDER DOES NOT MAKE, AND PROVIDER HEREBY DISCLAIMS, ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUALITY, SUITABILITY, OPERABILITY, CONDITION, SYSTEM INTEGRATION, NON-INTERFERENCE, WORKMANSHIP, TRUTH, ACCURACY (OF DATA OR ANY OTHER INFORMATION OR CONTENT), ABSENCE OF DEFECTS, WHETHER LATENT OR PATENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE LICENSED SOFTWARE, SUBSCRIPTION SERVICES, PROVIDER IP, PROFESSIONAL SERVICES OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR-FREE. THE EXPRESS WARRANTIES MADE BY PROVIDER IN SECTION 9 ARE FOR THE BENEFIT OF THE CUSTOMER ONLY AND NOT FOR THE BENEFIT OF ANY THIRD PARTY. TO THE EXTENT APPLICABLE, REVALIZE DOES NOT WARRANT THAT THE OPERATION OF THE WEBSITE PROJECT AND SERVICES WILL BE COMPLIANT WITH THE ADA. CUSTOMER ASSUMES FULL RESPONSIBILITY FOR ADA COMPLIANCE OF THE WEBSITE PROJECT AND SERVICES. THE TERMS OF THIS SECTION SHALL SURVIVE TERMINATION OF THIS AGREEMENT.
 
(d) NO AGENT OF PROVIDER IS AUTHORIZED TO ALTER OR EXPAND THE WARRANTIES OF PROVIDER AS SET FORTH HEREIN. PROVIDER DOES NOT WARRANT THAT: (I) THE USE OF THE LICENSED SOFTWARE, SUBSCRIPTION SERVICES, PROVIDER IP, OR PROFESSIONAL SERVICES WILL BE SECURE, TIMELY, UNINTERRUPTED OR ERROR-FREE OR OPERATE IN COMBINATION WITH ANY OTHER HARDWARE, SOFTWARE, SYSTEM OR DATA; (II) THE LICENSED SOFTWARE, SUBSCRIPTION SERVICES, PROVIDER IP, PROFESSIONAL SERVICES OR SUPPORT SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS; OR (III) LICENSED SOFTWARE, SUBSCRIPTION SERVICES, THE PROVIDER IP OR PROFESSIONAL SERVICES WILL BE ERROR-FREE OR THAT ERRORS OR DEFECTS IN THE PROVIDER IP WILL BE CORRECTED.

10. INDEMNIFICATION.

(a) Provider Indemnification.
i.  Provider shall indemnify, defend, and hold harmless Customer, Customer’s officers, directors, employees and agents (each, a “Customer Indemnitee”) from and against direct damages ordered by a court of competent jurisdiction to the extent they result from any claim, suit, action, or proceeding by a third party that Customer’s use of the Licensed Software or Subscription Services in accordance with this Agreement, infringes or misappropriates such third party’s copyright, patent or trade secret rights in the United Kingdom, on the conditions that Customer promptly notifies Provider in writing of the claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such claim. Nothing in this clause 10 shall restrict or limit the Customer’s general obligation at law to mitigate any loss it suffers or incurs as a result of an event that might give rise to a claim under this indemnity.
ii. If such a claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Licensed Software or Subscription Services (as applicable), or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer.
iii.    This Section 10 will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with any data, software, hardware, equipment, network, system, or technology not provided by Provider or authorized by Provider in writing; (B) modifications or alterations to the Licensed Software or Subscription Services (as applicable) not made by Provider; (C) Customer’s continued use of the Licensed Software or Subscription Services (as applicable) after Provider notifies Customer to discontinue use because of an infringement claim; or (D) Customer Data.
iv. THE FOREGOING STATES THE ENTIRE LIABILITY OF PROVIDER WITH RESPECT TO THE INFRINGEMENT OF ANY INTELLECTUAL PROPERTY OR PROPRIETARY RIGHTS BY THE LICENSED SOFTWARE, SUBSCRIPTION SERVICES OR OTHERWISE, AND CUSTOMER HEREBY EXPRESSLY WAIVES ANY OTHER LIABILITIES OR OBLIGATIONS OF PROVIDER WITH RESPECT THERETO.

 

(b) Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider, Provider’s officers, directors, employees and agents (each, a “Provider Indemnitee”) from and against all claims, losses, expenses, costs (including legal fees), damages, losses arising from any breach by Customer or any User of Sections 2, 4, 13(i) or Schedule 1.

 

(c) Indemnification Procedures. Each party’s indemnification obligations in this Section 10 are subject in each instance to the indemnified party: (i) promptly notifying the indemnifying party in writing of the threat or notice of the claim; (ii) giving the indemnifying party sole and exclusive control and authority to select defense attorneys, defend, and/or settle any such claim (however, the indemnifying party shall not settle or compromise any claim that results in liability or admission of any liability without the indemnified party’s prior written consent); and (iii) the indemnified party fully cooperating with the indemnifying party in connection with the defense or settlement of any claim.

11. LIMITATIONS OF LIABILITY.

(a) Except as expressly provided in this agreement and to the fullest extent permitted by applicable law: (i) the Customer shall be solely responsible, as against the Provider, for any opinions, recommendations, forecasts or other conclusions made or actions taken by the Customer, any client of the Customer or any other third party based (wholly or in part) on the results obtained from the use of the Services by the Customer; (ii) the Provider shall have no liability for any damage caused by errors or omissions in any information or instructions provided to the Provider by the Customer in connection with the Services; and (iii) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are excluded from this agreement.
 
(b) Neither party excludes or limits liability to the other party for: 
(i) fraud or fraudulent misrepresentation; 
(ii) death or personal injury caused by negligence; 
(iii) a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or 
(iv) any matter for which it would be unlawful for the parties to exclude liability.
 
(c) Subject to clause 11(b), the Provider shall not in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
(a) any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
(b) any loss or corruption (whether direct or indirect) of data or information;
(c) loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
(d) any loss or liability (whether direct or indirect) under or in relation to any other contract.
 
(d) Clause 11(c) shall not prevent claims, which fall within the scope of clause 11(e), for: direct financial loss that are not excluded under any of the categories set out in clause 1.1(a)(i) to clause 11(c)(iv); or tangible property or physical damage.
 
(e) Subject to clause 11(b), the Provider’s total aggregate liability in contract (including in respect of the indemnity at clause 10), tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement or any collateral contract shall be limited to the price paid for the Services during the 12 months preceding the date on which the claim arose or, if the claim arose during any period before 12 months had elapsed from the Effective Date, during that shorter period.
 
(f) The parties acknowledge and agree that any dates quoted for delivery of Services are approximate only, and that the time of delivery is not of the essence. The Provider shall not be liable for any delay in delivery of the Services that is caused by an event, circumstance or cause within the scope of clause 13(c) or the Customer’s failure to provide the Provider with adequate delivery instructions.

12. TERM AND TERMINATION.

(a) Initial Term and Renewal. The initial Term of each License or Subscription shall be twelve (12) months from the Effective Date, unless otherwise stated on the applicable Order Form (“Initial Term”). At the end of the Initial Term, the License or Subscription shall automatically renew for periods (each a “Renewal Term”) equal to the initial Term, unless either Customer or Provider has served written notice on the other not less than thirty (30) days prior to the end of the then-current Term. Unless otherwise provided for in any Order, Provider has the right to automatically increase the Fees applicable to Customer’s License or Subscription for any such Renewal Term at Provider’s then-current rates. If Provider determines, in its reasonable discretion, that material product or feature enhancements to the Licensed Software or Services require an increase in Fees for a Renewal Term, Provider will first obtain Customer’s prior written consent before applying such increase before such Renewal Term.
 
(b) Termination. In addition to any other express termination right set forth in this Agreement:
i. Provider may terminate this Agreement, effective on written notice to Customer, if Customer: (A) fails to pay any amount when due hereunder, and such failure continues more than thirty (30) days after Provider’s delivery of written notice thereof; or (B) breaches any of its obligations under Section 2(b) or Section 6;
ii. either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach;
iii. either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (B) makes or seeks to make a general assignment for the benefit of its creditors; or (C) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business; or
 
(c) Effect of Expiration or Termination. Unless the Parties agree otherwise, termination of this Agreement will terminate each of the Order Forms and other Service Addenda, even if the Order Form or other Service Addenda specifies an expiration date after the effective termination date of this Agreement. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination, or entitle Customer to any refund except as expressly provided herein. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting Customer’s obligations under Section 6, Customer shall delete, destroy, or return all copies of the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or destroyed.
 
(d) Exporting Customer Data. During the Term and up to expiration or termination of this Agreement, Customer will have the ability to export or download Customer’s Data. After such expiration or termination, Provider will have no obligation to maintain or provide any of Customer’s Data, and Provider will, unless prohibited by law or legal order, delete Customer’s Data in the Services in accordance with Provider’s then-current deletion policy without notice or liability to Customer.
 
(e) Survival. Provisions herein which by their context and content are intended to survive termination or expiration shall so survive, including Sections 1, 2, 4, 5, 6, 7, 8, 10, 11, 12, and 13, which survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement. Termination of this Agreement shall not limit either Party’s liability for obligations accrued as of or prior to such termination for breach of this Agreement.

13. MISCELLANEOUS.

(a) Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related schedules and exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. If there is a conflict between the terms of this Main Services Agreement and the terms of any of its attachments, then this Main Services Agreement will prevail unless the conflicting attachment explicitly specifies the attachment to prevail in case of such a conflict.
By placing an Order with Provider, Customer agrees that the terms and conditions of this Agreement shall apply to and govern that Order. Except with respect to product, services and pricing applicable to an Order, additional or conflicting terms in any Order shall have no force or effect on either party, unless that Order is signed in hardcopy form by each party, and then those terms shall apply to the parties solely for that Order. Except as otherwise specified herein, any additional or conflicting terms contained in any other document (including, without limitation, any preprinted, additional or conflicting terms on any Customer purchase order, or acknowledgement from either party) shall be null, void and of no effect on either party. If there is a conflict between the terms of this Agreement and the Order Form, the terms of the Order Form shall take precedence.
 
(b) Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and delivered by personal delivery, via an internationally recognized overnight courier (with all fees pre-paid), or (if sender and recipient are in the same country) certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section. All notices to be provided by Provider to Customer under this Agreement may be delivered in writing by electronic mail to the electronic mail address provided by Customer on the applicable Order and/or Statement of Work. All notices shall be deemed to have been given immediately upon delivery by electronic mail, or if otherwise delivered upon the earlier of receipt or two (2) business days after being deposited in the mail or with a Courier as permitted above.
 
(c) Force Majeure. In no event shall Provider be liable to Customer, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond Provider’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, epidemic or pandemic, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo. Provider shall notify Customer of such force majeure within ten (10) days after such occurrence by giving written notice to Customer stating the nature of the event, its anticipated duration, and any action being taken to avoid or minimize its effect. The suspension of performance shall be of no greater scope and no longer duration than is necessary and Provider shall use commercially reasonable efforts to remedy its inability to perform.
 
(d) Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
 
(e) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
 
(f) Limitation of Claims. No claim or action, regardless of the form, which in any way arises out of or in connection with this Agreement may be made or brought by or on behalf of Customer or its Affiliates more than one (1) year following the earlier of (a) the expiration or sooner termination of this Agreement and (b) the date that Customer first has knowledge of the events giving rise to such claim or action.
 
(g) Governing Law and Jurisdiction. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims). The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply in any respect to this Agreement or the parties.
 
(h) Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by merger, sale of assets, operation of law or otherwise, without the prior written consent of Provider, which consent may be conditioned on Customer paying any remaining payments due hereunder in full. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns. In the event that Customer or its business using the Subscription Services or Licensed Software is acquired by a third party that is also a customer of Provider, Customer shall continue to pay the Fees in accordance with this Agreement and any applicable Order Form and other Service Addenda unless the Parties mutually agree in writing otherwise, even if the other customer may have more favorable terms than those offered to Customer hereunder.
 
(i) Relationship of the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties. Nothing herein shall prevent either Party from entering into any further agreements or business relationships, nor prevent either Party from conducting similar business with others as long as such Party observes its obligations under this Agreement.
 
(j) Export Regulation. The Services utilize software and technology that may be subject to US export control laws, including the US Export Administration Act and its associated regulations. Customer shall not, directly or indirectly, export, re-export, release or make accessible the Licensed Software or Subscription Services from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Customer shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Licensed Software or Subscription Services or the underlying software or technology available outside the US. Customer represents, warrants and covenants that (i) Customer is not named on any U.S. government list of persons or entities prohibited or restricted from receiving U.S. exports, or transacting with any U.S. person, (ii) Customer is not a national of, or a company registered in, any Prohibited Jurisdiction, (iii) Customer shall not permit its Users to access or use the Services in violation of any U.S. or other applicable export embargoes, prohibitions or restrictions, and (iv) Customer shall comply with all Applicable Laws regarding the transmission of technical data exported from the United States and the country in which Customer and its Users are located.
 
(k) Equitable Relief. Customer acknowledges and agrees that a breach or threatened breach of any of its obligations under this Agreement would cause Provider irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, Provider will be entitled to equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.
 
(l) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.
 
(m) Expenses. All costs and expenses incurred in connection with this Agreement and each other agreement, document and instrument contemplated by this Agreement and the transactions contemplated hereby and thereby shall be paid by the Party incurring such costs and expenses.
 
(n) Attorneys’ Fees and Costs. In the event of a dispute arising under this Agreement, whether or not a lawsuit or other proceeding is filed, the prevailing party shall be entitled to recover its reasonable attorneys’ fees and costs, including attorneys’ fees and costs incurred in litigating entitlement to attorneys’ fees and costs, as well as in determining or quantifying the amount of recoverable attorneys’ fees and costs. The reasonable costs to which the prevailing party is entitled shall include costs that are taxable under any applicable statute, rule, or guideline, as well as non-taxable costs, including, but not limited to, costs of investigation, copying costs, electronic discovery costs, telephone charges, mailing and delivery charges, information technology support charges, consultant and expert witness fees, travel expenses, court reporter fees, and mediator fees, regardless of whether such costs are otherwise taxable.
 
(o) Publicity. Provider may, with Customer’s consent, which shall not be unreasonably withheld, conditioned or delayed, (i) issue a press release announcing the relationship between the parties within thirty (30) days after the Effective Date and (ii) use Customer’s name or logo in Provider’s advertising, promotion, and similar public disclosures with respect to the Services. Provider may disclose the terms of this Agreement to prospective investors and prospective acquirors of Provider’s business, assets or stock solely for such purposes provided that any such investor or acquirer is subject to a written confidentiality agreement.
 
(p) Non-Solicitation of Employees. Customer agrees that, during the Term of this Agreement, and for a period of one (1) year following the Term, it will not employ, solicit for or offer employment, or enter into any contract for services with the employees, agents or representatives of Provider without Provider’s prior written consent; provided, however, that the foregoing prohibition shall not preclude the hiring by Customer of any individual who responds to a general solicitation or advertisement, whether in print or electronic form, on job postings and social networking sites. In the event that any of Provider’s employees, agents or representatives are employed by or enter into a contract for services (whether as an employee or a Contractor) with Customer or any Affiliate of Customer in breach of the foregoing sentence, Customer shall, upon demand, pay to Provider a sum equal to six months’ basic salary or the fee that was payable by Provider to that employee, agent or representative plus the recruitment costs incurred by Provider in replacing such person by way of compensation for the cost and inconvenience incurred by Provider. The above payment shall not be in lieu of Provider’s other remedies at law and in equity.
 
(q) Legal Provisions. The official language of this Agreement is, and all attachments or amendments to this Agreement, contract interpretations, notices and dispute resolutions shall be in English. Translations of this Agreement shall not be construed as official or original versions. No exclusive rights are granted by Provider under this Agreement. All rights or licenses not expressly granted to Customer herein are reserved to Provider, including the right to license the use of the Subscription Services and any Software to other parties. Any reference to a law or statute in this Agreement shall be deemed to include any amendment, replacement, re-enactment thereof for the time being in force and to include any by-laws, statutory instruments, rules, regulations, orders, notices, directions, consents, or permissions (together with any conditions attaching to any of the foregoing) made in respect thereof.

SCHEDULE 1

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Main Subscription Agreement (“Agreement”) between Provider and Customer. The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. DEFINITIONS.

In addition to the capitalized terms in Schedule A, all capitalized terms shall have the meaning ascribed to them herein this Schedule, and for the purposes of this Schedule, shall govern and control in the event of any conflict, including the following:
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1   Adequacy Decision means, for a jurisdiction with Privacy Laws that have data transfer restrictions, a decision that the Supervisory Authority or other body in such jurisdiction recognizes as providing an adequate level of data protection as required by such jurisdiction’s Privacy Laws such that transfer to that country shall be permitted without additional requirements;
1.1.2   Affiliate means any entity which now or in the future controls, is controlled by, or is under common control with the signatory to this DPA, with “control” defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such person or entity, whether through the ownership of voting securities, by contract, or otherwise;
1.1.3   CCPA means the California Consumer Privacy Act of 2018 (California Privacy Act Cal Civ Code § 1798.100 et seq) and its implementing regulations;
1.1.4       Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data including “business” as that term is defined by the CCPA, and in the context of this DPA shall mean the Customer;
1.1.5   Data Processing Instructions means the Processing instructions set out in Annex I B;
1.1.6   Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller (including “service provider” as that term is defined by the CCPA), and in the context of this DPA shall mean Provider;
1.1.7       Data Subject means the identified or identifiable person to whom Personal Data relates (including “consumer” as that term is defined by the CCPA);
1.1.8   EU GDPR means all EU regulations applicable (in whole or in part) to the Processing of Personal Data such as Regulation (EU) 2016/679;
1.1.9   EU SCCs means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and set out as Appendix 1 to this DPA; 
1.1.10  Information Security Schedule means the information security, technical and organizational measures specified in Annex II, as may be updated from time to time;
1.1.11  Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
1.1.12  Privacy Laws means all data protection and privacy laws and regulations applicable to the Personal Data in question, including (without limitation and as applicable) the EU GDPR, UK GDPR, and CCPA, in each case as amended, superseded or replaced from time to time.
1.1.13  Process or Processing means any operation or set of operations that is performed upon Personal Data in connection with the Services, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, as described in the Data Processing Instructions;
1.1.14  Restricted Transfer means:
1.1.14.1    a transfer of Personal Data from Customer or a Customer Affiliate to Provider; or
1.1.14.2    an onward transfer of Personal Data from Provider to a Sub processor, in each case, where such transfer would be prohibited by Privacy Laws in the absence of an approved method of transfer (such as (a) an Adequacy Decision, (b) Standard Contractual Clauses, (c) by the terms of other recognized forms of data transfer agreements or processes under applicable Privacy Laws or (d) a permitted derogation), or would be in breach of the terms of such an approved method of transfer or permitted derogation;
1.1.15  Services means the services and other activities to be supplied to or carried out by or on behalf of Provider for Customer pursuant to the Agreement;
1.1.16  Standard Contractual Clauses means the contractual clauses approved by a Supervisory Authority pursuant to Privacy Laws, as may be updated from time to time, which permit the transfer of Personal Data where such transfer would otherwise be a Restricted Transfer;
1.1.17  Sub processor means any third party (including any third party and any Provider Affiliate) appointed by or on behalf of Provider to undertake Processing in connection with the Services, which are listed in Annex I;
1.1.18  Supervisory Authority means a public authority or government or quasi-governmental agency which is established in a jurisdiction under Privacy Laws with competence in matters pertaining to data protection;
1.1.19  Swiss Addendum means the addendum to the EU SCCs set out in Appendix 3 to this DPA.
1.1.20  UK Addendum means the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018, a copy of which is set out in Appendix 2 to this DPA; and
1.1.21  UK GDPR means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
1.2 References to Annexes are to annexes of the EU SCCs.

2. PROCESSING OF PERSONAL DATA

2.1 Provider will not: 
2.1.1   retain, use, disclose or otherwise Process Personal Data for any purpose (including its own commercial purposes) other than on Customer’s documented instructions (as set out in this DPA and in the Agreement) unless Processing is required under applicable law and under the terms of the Standard Contractual Clauses (where applicable); or
2.1.2   sell Personal Data received from Customer or obtained in connection with the provision of the Services to Customer.
2.2 Customer on behalf of itself and each Customer Affiliate:
2.2.1   instructs Provider:
2.2.1.1 to Process Personal Data; and
2.2.1.2 in particular, transfer Personal Data to any country or territory; in each case as reasonably necessary for the provision of the Services and consistent with this DPA.
2.3     The Data Processing Instructions sets out the subject matter and other details regarding the Processing of the Personal Data contemplated as part of the Services, including Data Subjects, categories of Personal Data, special categories of Personal Data, Sub processors and description of Processing.
2.4 The parties acknowledge that Customer’s transfer of Personal Data to Provider is not a “sale” of Personal Data within the meaning of applicable Privacy Laws (including the CCPA) and Provider provides no monetary or other valuable consideration to Customer in exchange for the Personal Data.

3. PROVIDER PERSONNEL

Provider shall ensure that persons authorized to undertake Processing of the Personal Data have:
3.1 Committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in respect of the Personal Data; and
3.2 Undertaken appropriate training in relation to protection of Personal Data.

4. SECURITY

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall in relation to the Personal Data implement appropriate technical and organizational measures designed to provide a level of security appropriate to that risk in the provision of the Services and for the purposes of this DPA Provider’s technical and organizational measures are set out in the Information Security Schedule.
4.2 In assessing the appropriate level of security, Provider shall take account in particular of the risks that are presented by Processing.

5. SUBPROCESSING.

5.1 Provider shall only appoint Sub processors which enable Provider to comply with Privacy Laws. Customer authorizes Provider to appoint Sub processors in accordance with this Section 5 subject to any restrictions or conditions expressly set out in the Agreement. Sub processors appointed as at the effective date of this DPA are listed in the Data Processing Instructions. Provider shall remain liable to Customer for the performance of Sub processors’ obligations subject to the Agreement.
5.2 Notwithstanding any notice requirements in the Agreement, before Provider engages any new Sub processor, Provider shall give Customer notice of such appointment, including details of the Processing to be undertaken by the proposed Sub processor. Any new Sub processor shall be added to the following https://revalizesoftware.com/legal and notified to Customer via email. In addition to any other notifications, Provider may provide such notice by updating the list of Sub processors in the Data Processing Instructions. Customer may notify Provider of any objections (on reasonable grounds related to Privacy Laws) to the proposed Sub processor or Data Processing Instructions (“Objection”), within 15 days of the notification from Provider of the updated Sub processor list, then Provider and Customer shall negotiate in good faith to agree to further measures including contractual or operational adjustments relevant to the appointment of the proposed Sub processor or operation of the Services to address Customer’s Objection. Where such further measures cannot be agreed between the parties within forty-five (45) days from Provider’s receipt of the Objection (or such greater period agreed by Customer in writing), Customer may by written notice to Provider with immediate effect terminate that part of the Services which require the use of the proposed Sub processor or another part of the Services which are so terminated.

6. DATA SUBJECT RIGHTS.

6.1 Provider shall:
6.1.1   Upon becoming aware, promptly notify Customer if Provider receives a request from a Data Subject relating to an actionable Data Subject right under any Privacy Law in respect of Personal Data;
6.1.2   Not respond to that request except on the documented instructions of Customer or as required by a Supervisory Authority or under applicable law; and
6.1.3   Upon request from Customer where required by Privacy Laws and in the context of the Services, reasonably assist Customer in dealing with an actionable Data Subject rights request to the extent Customer cannot fulfil this request without Provider’s assistance. Provider may fulfil this request by making available functionality (at Customer’s expense) that enables Customer to address such Data Subject rights request without additional Processing by Provider. To the extent such functionality is not available, in order for Provider to provide such reasonable assistance, Customer must communicate such request in writing to Provider providing sufficient information to enable Provider (at Customer’s expense) to pinpoint and subsequently amend, export or delete the applicable record.

7. PERSONAL DATA BREACH.

7.1 Provider shall notify Customer without undue delay upon Provider or any Sub processor confirming a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Privacy Laws. Subject to Section 7.3 below, such notification shall as a minimum:
7.1.1   describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
7.1.2   communicate the name and contact details of Provider’s data protection officer or other relevant contact from whom more information may be obtained;
7.1.3   describe the likely consequences of the Personal Data Breach in so far as Provider is able to ascertain having regard to the nature of the Services and the Personal Data Breach; and
7.1.4   describe the measures taken or proposed to be taken to address the Personal Data Breach.
7.2 Provider shall co-operate with Customer and take such commercially reasonable steps as are necessary to assist in the investigation, mitigation and remediation of each such Personal Data Breach. 
7.3 Where and in so far as, it is not possible to provide the information or Provider is prohibited by law or law enforcement from providing the information referred to in Section 7.1 at the same time, the information may be provided in phases without undue further delay.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION.

8.1 To the extent necessary, Provider shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Privacy Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Provider. To the extent that such impact assessment and/or prior consultation requires assistance beyond Provider providing the applicable Provider processing record(s) and Documentation, Provider shall reserve the right to charge Customer for such engagement at Provider’s then current daily rates.

9. DELETION OR RETURN OF PERSONAL DATA.

9.1 Within thirty (30) days from termination or expiry of the Agreement (the “Return Period”), and subject to Section 9.2 below, at Customer’s request, Provider will either delete or return available Personal Data. At the expiry of the Return Period, if Customer has not elected either of the foregoing Provider may delete and destroy all Personal Data without notice or liability to Customer. Where Customer requests Provider return available Personal Data, Provider may fulfil this request by making available functionality that enables Customer to retrieve the Personal Data without additional Processing by Provider. If Customer declines to use this functionality, Customer may, within the Return Period, request that Provider return the available Personal Data under an Order for the applicable professional services. In the event the Agreement is terminated for Customer’s breach, Provider shall have the right to require that Customer prepay for such professional services. Provider shall provide written confirmation to Customer that it has fully complied with this Section 9 within thirty (30) days of Customer’s request for such confirmation.
9.2 Provider may retain Personal Data to the extent required by Privacy Laws or any other statutory requirement to which Provider is subject and only to the extent and for such period as required by Privacy Laws or any other statutory requirement to which Provider is subject and always provided that (a) during such retention period the provisions of this DPA will continue to apply, (b) that Provider shall ensure the confidentiality of all such Personal Data, and (c) Provider shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Privacy Laws requiring its storage or any other statutory requirement to which Provider is subject and for no other purpose.

10. REVIEW, AUDIT AND INSPECTION RIGHTS.

10.1    Upon Customer’s reasonable request, Provider shall provide all relevant and necessary material, documentation and information in relation to Provider’s technical and organizational security measures used to protect the Personal Data in relation to the Services provided in order to demonstrate compliance with Privacy Laws. Such information may be provided in summary form to minimize the risk of such measures being circumvented.
10.2    Provider shall ensure a security audit of its technical and organizational security measures is carried out at least annually in compliance with Privacy Laws. The results of such security audit will be documented in a summary report. Provider shall promptly provide Customer upon request with (i) a confidential summary of such report; and (ii) evidence of appropriate remediation of any critical issues within four (4) weeks from date of issuance of the audit report.
10.3    If, following the completion of the steps set out in Sections 10.1 and 10.2, Customer reasonably believes that Provider is non-compliant with Privacy Laws, Customer may request that Provider make available, either by webinar or in a face-to-face review, extracts of all relevant information necessary to further demonstrate compliance with Privacy Laws. Customer undertaking such review shall give Provider reasonable notice, by contacting Provider’s Information Security Director at [email protected], and any review will be conducted under this Section 10.3.
10.4    In the event that Customer reasonably believes that its findings following the steps set out in Section 10.3 do not enable Customer to comply materially with Customer’s obligations mandated under the Privacy Laws in relation to its appointment of Provider, then Customer may, upon giving Provider not less than thirty (30) days’ prior written notice of its intention, undertake an audit which may include inspections of Provider to be conducted by Customer or an auditor mandated by Customer (not being a competitor of Provider). Such audit and/or inspection shall (i) be subject to confidentiality obligations agreed between Customer (or its mandated auditor) and Provider, (ii) be undertaken solely to the extent mandated by, and may not be further restricted under applicable Privacy Laws, (iii) not require Provider to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Sub processors), and (iv) not be undertaken where it would place Provider in breach of Provider’s confidentiality obligations to other Provider customers, vendors and/or partners generally or otherwise cause Provider to breach laws applicable to Provider. Customer (or auditor mandated by Customer) undertaking such audit or inspection shall avoid causing any damage, injury or disruption to Provider’s premises, equipment, personnel and business in the course of such a review. To the extent that such audit performed in accordance with this Section 10.4 exceeds one (1) business day, Provider shall reserve the right to charge Customer for each additional day at its then current daily rates.
10.5    If following such an audit or inspection under Section 10.4, Customer, acting reasonably, determines that Provider is non-compliant with Privacy Laws then Customer will provide details thereof to Provider upon receipt of which Provider shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the “Remediation Plan”). Where the parties are unable to reach agreement on the Remediation Plan, or in the event of agreement, Provider materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer’s notice or another period as mutually agreed between the Parties, Customer may terminate the Services in part or in whole which relates to the non-compliant Processing and the remaining Services shall otherwise continue unaffected by such termination.
10.6    The rights of Customer under this Section 10 shall only be exercised once per calendar year unless Customer reasonably believes Provider to be in material breach of its obligations under either this DPA or Privacy Laws.

11. RESTRICTED TRANSFERS.

11.1    Customer and Provider, as appropriate, hereby agree that the applicable Standard Contractual Clauses shall apply in respect of any Restricted Transfer from Customer or any Customer Affiliate to Provider to the extent required by Privacy Laws. The parties agree that the provisions of the Standard Contractual Clauses shall apply to the Restricted Transfer. Where Personal Data is subject to the EU GDPR, the applicable Standard Contractual Clauses shall be the EU SCCs, and where Personal Data is subject to the UK GDPR, the applicable Standard Contractual Clauses shall be the UK Addendum. Where Personal Data is subject to Swiss Federal Data Protection Act, the provisions of the Swiss Addendum shall apply.
11.2    For the purposes of Annex I or other relevant part of the applicable Standard Contractual Clauses, the Data Processing Instructions sets out the Data Subjects, categories of Personal Data, special categories of Personal Data, Sub processors and description of Processing (processing operations). Where the EU SCCs apply to transfers from the Customer or a Customer Affiliate to Provider, they will be completed as set out in Annex I. Optional clauses in the applicable Standard Contractual Clauses shall not apply unless otherwise set out in Annex I.
11.3    For the purposes of Annex II or other relevant part of the applicable Standard Contractual Clauses, the Information Security Schedule sets out the description of the technical and organizational security measures implemented by Provider (the data importer).
11.4    Wherever the applicable Standard Contractual Clauses enable a choice of law or jurisdiction, the laws and courts of Ireland shall apply, unless otherwise required under applicable Privacy Law.
11.5    Provider shall not make any Restricted Transfer of Personal Data that it has received under this DPA, unless it has lawful grounds to do so under applicable Privacy Laws. Such lawful grounds may include (a) an Adequacy Decision, (b) Standard Contractual Clauses, (c) the terms of other recognized forms of data transfer agreements or processes; or (d) any permitted derogation under Privacy Law.

12. OTHER PRIVACY LAWS.

12.1    To the extent that Processing relates to Personal Data originating from a jurisdiction or in a jurisdiction which has any mandatory requirements or introduces any such requirements in the future, in addition to those in this DPA, both Parties may agree to any additional measures required to ensure compliance with applicable Privacy Laws and any such additional measures agreed to by the Parties will be documented as an Annex to this DPA or in an Order to the Agreement.
12.2    The Customer further agrees that to the extent that Provider is required to enter into an appropriate transfer mechanism or additional safeguards to transfer Personal Data under applicable Privacy Laws, Provider may enter into an agreement to effect such a transfer on its own behalf, and where required on behalf of the Customer, on a named or unnamed basis.
12.3    Due to the fact that Provider has no control over the type, character, properties, content, and/or origin of Personal Data Processed hereunder, notwithstanding anything to the contrary herein, Provider shall not be in breach of this DPA or the Agreement or liable to Customer to the extent Personal Data subject to jurisdictional requirements mandating security, processing or other measures not set forth in, or contrary to the terms of, this DPA is provided by Customer without amending this DPA or entering into an Order addressing the same.
12.4    If any variation is required to this DPA as a result of a change in Privacy Laws, including any variation which is required to the Standard Contractual Clauses, then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to this DPA, including the Standard Contractual Clauses, to address such changes.

13. GENERAL TERMS.

13.1    The parties to this DPA hereby submit to the applicable choice of governing law and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
13.2    This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
13.3    The applicable law provisions of this DPA are without prejudice to clauses 7 (Mediation and Jurisdiction) and 10 (Governing Law) of the Standard Contractual Clauses where applicable to Restricted Transfers of Personal Data from the European Union (including the United Kingdom) to a third country.

14. ORDER OF PRECEDENCE.

14.1    Nothing in this DPA reduces Provider’s or any Provider Affiliate’s obligations under the Agreement in relation to the protection of Personal Data or permits Provider or any Provider Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of inconsistencies between the provisions of this DPA and (i) the Information Security Schedule, or (ii) any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. For the avoidance of doubt, the limitations and exclusions of liability set out in the Agreement shall also apply in respect of this DPA, to the fullest extent permitted under applicable law.

15. SEVERANCE.

15.1    Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

APPENDIX 1

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
 
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii)    the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
 
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
 
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
 
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii)    Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
(iii)   Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
(iv)    Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
(v) Clause 13; 
(vi)    Clause 15.1(c), (d) and (e);
(vii)   Clause 16(e);
(viii)  Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18. 
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
 
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
 
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Optional

Not Used.

SECTION II

OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

MODULE TWO: Transfer controller to processor

8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
 
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
 
8.3 Transparency 
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
 
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
 
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
 
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
 
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
 
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii)    the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii)   the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv)    the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
 
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

MODULE THREE: Transfer processor to processor

8.1 Instructions
(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.
 
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
 
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
 
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
 
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
 
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
 
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
 
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii)    the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
(iii)   the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv)    the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
 
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

MODULE TWO: Transfer controller to processor

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
 
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
 
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
 
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
 
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

MODULE THREE: Transfer processor to processor

(a) The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

MODULE TWO: Transfer controller to processor

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
 
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
 
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

MODULE THREE: Transfer processor to processor

(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
 
(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
 
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
 
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
 
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
 
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
 
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
 
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
 
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
 
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
 
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
 
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
 
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
 
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III

LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
 
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
 
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
 
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
 
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module 3: The data exporter shall forward the notification to the controller.]
 
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module 3:, if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [For Module 3: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
The data exporter shall forward the notification to the controller.
 
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
 
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module 3: The data exporter shall forward the information to the controller.]
 
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. 
 
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
 
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
 
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
 
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV

FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
 
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
 
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority [For Module 3: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
 
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. 
 
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Data Exporter
Name: Customer as identified in the Agreement
Address: As detailed in the Agreement
Contact person name, position and contact details: As detailed in the Agreement
Activities relevant to the data transferred under these Clauses: Receipt of services under the Agreement
Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the Agreement.
Role (controller/processor): Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Data Importer
Name: Provider as identified in the Agreement, being Revalize, Inc or such subsidiary thereof as identified in the Agreement
Address: As detailed in the Agreement
Contact person name, position and contact details: Kristen Shaheen, General Counsel & Chief Privacy Officer, Revalize, Inc, [email protected]
Activities relevant to the data transferred under these Clauses: Provision of services under the Agreement
Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the Agreement.
Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Employees, clients, customers and suppliers of Customer. Employees or contractors of Customer who contact Provider’s technical support facilities.
Categories of personal data transferred: Customer’s employee categories: name, title, department, ID number, system usage, email address, job title, login credentials and/or contact telephone number.
Customer’s end-user or consumer categories: name, email address, contact telephone number, account number. Additional Categories of Personal Data may be provided by Customer either as part of a Support request or through Customer’s use of Hosted Subscription Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and risks involved such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Support & Professional Services: Personal Data is processed only for as long as is necessary to provide the particular Support and/or Professional Services.
Subscription Services: Personal Data is stored for the duration of the Services and is deleted or returned to Customer as set out in the data processing agreement or as otherwise amended or deleted by Customer during the Term.
Nature of the processing: Provider may Process Personal Data as necessary to perform the Services, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems and IT infrastructure; and migration, implementation, configuration and performance testing.
Purpose(s) of the data transfer and further processing: Support may be provided by Provider in accordance with Provider’s Support Plan. When providing Support, Provider may be required by Customer to Process Personal Data. Provider may access and/or receive Personal Data when providing Support. Personal Data is not accessed and/or received in every Support case because some errors can be analyzed and rectified without such access if the background to the error is known. Depending on the issue, Provider or third-party vendors may provide Support and therefore an international transfer of Personal Data may occur.
If, as part of an Order, Customer requires Provider to perform Professional Services to assist in deployment of the product during the term, then Provider may be required by Customer to Process Personal Data as part of that engagement.
Customer will upload data to the Hosted Subscription Services in order to maximize the functionality of the product. Some of the data which may be uploaded to the Hosted Subscription Services may include Personal Data. Provider will store (either directly or using a third party Subprocessor as noted below) all data uploaded into the Hosted Subscription Services on behalf of Customer in accordance with the terms and conditions of service under the Agreement as mutually agreed to by the Parties.
Customer will determine how and why the product will be used to its benefit which may include the frequent or infrequent use of Personal Data. Customer acknowledges that in relation to these Processing operations, Provider has no control over the submission of Data Subject’s Personal Data and that the design of the data to be submitted to Provider’s Hosted Subscription Services is at all times under the control of Customer. Except for the storage of the data within the Hosted Subscription Services (and the provision of Support, if applicable, described above), Provider is not involved in any Processing activities associated with this use of the product. If, as part of an Order, Customer requires Provider to perform Professional Services to assist in deployment of the product or application managed services during the Term, then Provider may be required by Customer to Process Personal Data for those purposes.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For as long as necessary to perform the Services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The Provider may transfer Personal Data to sub-processor(s) for the purposes of performing the Services for such period as is necessary for such performance.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

European Economic Area: The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg
(https://www.baden-wuerttemberg.datenschutz.de)

Switzerland:
The Swiss Federal Data Protection Authority
(https://www.edoeb.admin.ch/edoeb/en/home.html)

United Kingdom:
The Information Commissioner’s Office (ICO) (https://ico.org.uk/)

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

PART 1 – TECHNICAL MEASURES TO ENSURE SECURITY OF PROCESSING

Technical Measures to Ensure Security of Processing: Description
1. Inventory and Control of Hardware Assets: Actively manage all hardware devices on the network so that only authorised devices are given access, and unauthorised and unmanaged devices are found and prevented from gaining access.
2. Inventory and Control of Software Assets: Actively manage all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.
3. Continuous Vulnerability Management: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
4. Controlled Use of Administrative Privileges: Maintain processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, applications, and data.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Implement and manage the security configuration of mobile devices, laptops, servers, and workstations using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
6. Maintenance, Monitoring, and Analysis of Audit Logs: Collect, manage, and analyse audit and security logs of events that could help detect, understand, or recover from a possible attack.
7. Email and Web Browser Protections: Deploy automated controls to minimise the attack surface and the opportunities for attackers to manipulate human behaviour through their interaction with web browsers and email systems or content.
8. Malware Defenses: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimising the use of automation to enable rapid updating of defense, data gathering, and corrective action.
9. Limitation and Control of Network Ports, Protocols, and Services: Manage (track, control, correct) the ongoing operational use of ports, protocols, services, and applications on networked devices in order to minimise windows of vulnerability and exposure available to attackers.
10. Data Recovery Capabilities: Maintain processes and tools to properly back up personal data with a proven methodology to ensure the confidentiality, integrity, availability, and recoverability of that data.
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches: Implement and manage the security configuration of network infrastructure devices using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
12. Boundary Defenses: Detect, prevent, and correct the flow of information transferring networks of different trust levels with a focus on personal data.
13. Data Protection: Maintain processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the confidentiality and integrity of personal data.
14. Controlled Access Based on the Need to Know: Maintain processes and tools to track, control, prevent, and correct secure access to critical or controlled assets (e.g. information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical or controlled assets based on an approved classification.
15. Wireless Access Control: Maintain processes and tools to track, control, prevent, and correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
16. Account Monitoring and Control: Actively manage the life cycle of system and application accounts, their creation, use, dormancy, and deletion in order to minimise opportunities for unauthorised, inappropriate, or nefarious use.

PART 2 – SUPPLEMENTARY MEASURES

1. Implement a Comprehensive Information Security Programme Through the implementation of a Comprehensive Information Security Programme (CISP), maintain various administrative safeguards to protect personal data. These measures are designed to ensure: security, confidentiality and integrity of personal data; protection against unauthorized access to or use of (stored) personal data in a manner that creates a substantial risk of identity theft or fraud; that employees, contractors, consultants, temporaries, and other workers who have access to personal data only process such data on instructions from the data controller.
2. Implement a Security Awareness and Training Programme For all functional roles (prioritizing those mission critical to the business, its security, and the protection of personal data), identify the specific knowledge, skills and abilities needed to support the protection and defense of personal data; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organisational planning, training, and awareness programmes.
3. Application Software Security Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
4. Incident Response and Management Protect the organisation's information, including personal data, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight, retainers, and insurance) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the organisation’s network and systems.
5. Security and Privacy Assessments, Penetration Tests, and Red Team Exercises Test the overall strength of the organisation’s defense (the technology, processes, and people) by simulating the objectives and actions of an attacker, as well as assess and validate the controls, policies, and procedures of the organisation’s privacy and personal data protections.
6. Physical Security and Entry Control Require that all facilities meet the highest level of data protection standards possible, and reasonable, under the circumstances relevant to the facility and the data it contains, processes, or transmits.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors: please see the list at https://revalizesoftware.com/legal

APPENDIX 2

UK ADDENDUM

ICO INTERNATIONAL DATA TRANSFER ADDENDUM TO EU COMMISSION STANDARD CONTRACTUAL CLAUSES (UK)

BACKGROUND

(A) This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

AGREED TERMS

Table 1: Parties [ICO clause]

Start Date: The commencement date of the Agreement.

The Parties

Exporter (who sends the Restricted Transfer)
Parties' details: Customer as identified in the Agreement
Trading name (if different): As identified in the Agreement
Official registration number (if any) (company number or similar identifier): As identified in the Agreement
Key contacts
Full name (optional):
Job title: As identified in the Agreement
Contact details including email: As identified in the Agreement

Importer (who receives the Restricted Transfer)
Parties' details: Provider as identified in the Agreement
Trading name (if different): As identified in the Agreement
Official registration number (if any) (company number or similar identifier): As identified in the Agreement
Key contacts
Full name (optional): Kristen Shaheen
Job title: General Counsel & Chief Privacy Officer
Contact details including email: [email protected]

Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs
[X] The version of the Approved EU SCCs, which this Addendum is appended to, detailed below, including the Appendix Information.
Date: date of the Agreement
Reference (if any):
Other identifier (if any):
OR
The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.

Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
1
2
3
4

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties:
Annex 1B: Description of Transfer:
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
Annex III: List of Sub processors (Modules 2 and 3 only):

Table 4: Ending this Addendum when the Approved Addendum changes

Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section 19:
[X] Importer
[X] Exporter
[  ] Neither Party

PART 2: MANDATORY CLAUSES

Entering into this Addendum
2. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

3. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

4. Where this Addendum uses terms that are defined in the Approved EU SCCs, those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information: As set out in Table 3.
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) of the UK GDPR.
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO: The Information Commissioner.
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR: As defined in section 3 of the Data Protection Act 2018.

5. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

6. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

7. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

8. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

9. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

10. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

11. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

12. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation ((EU) 2016/679), then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

13. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
(a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
(b) Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
(c) this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

14. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

15. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

16. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
(a) references to the “Clauses” mean this Addendum, incorporating the Addendum EU SCCs;
(b) In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
(c) Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
(d) Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
(e) Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
(e) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”.
(f) References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
(g) References to Regulation (EU) 2018/1725 are removed;
(h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with “the UK”;
(i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module 1 is replaced with “Clause 11(c)(i)”;
(j) Clause 13(a) and Part C of Annex I are not used;
(k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
(l) In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
(m) Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
(n) Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
(o) The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

17. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

18. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

19. From time to time, the ICO may issue a revised Approved Addendum which:
(a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
(b) reflects changes to UK Data Protection Laws.
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

20. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
(a) its direct costs of performing its obligations under the Addendum; and/or
(b) its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

21. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Table 4: Ending this Addendum when the Approved Addendum changes

Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

APPENDIX 3

SWISS ADDENDUM

This Addendum is intended to amend the EU SCCs to accommodate the Swiss Federal Act on Data Protection (“FADP”) in accordance with the decision of the Swiss Data Protection Authority (“FDPIC”). This Addendum applies if and to the extent a transfer of personal data to a country outside the EU or EEA without an adequate level of data protection governed by the SCCs is subject to the FADP. In such cases, the EU SCCs shall be interpreted as follows:
1. References to the General Data Protection Regulation shall be deemed to include references to the equivalent provisions of the FADP.
2. Clause 13 and Annex 1 C shall include the FDPIC as the competent supervisory authority for Switzerland.
3. Clause 17 shall include Swiss law as the governing law where the transfer is exclusively subject to FADP.
4. The term “Member State” shall be extended to include Switzerland for the purposes of allowing Swiss data subjects to pursue their rights in their habitual place of residence.