Certain confidential information contained in this document, marked by [***], has been omitted because IREN Limited (the “Company”) has determined that the information (i) is not material and/or (ii) contains personal information. Microsoft PO# N/A Partner Statement of Work (“SOW”) Addresses and contacts for notices “Microsoft” “Partner” or “Supplier” Company Name: Microsoft Corporation Company Name: IE US Hardware 3 Inc., a Delaware corporation Primary Contact: Jon Tinter Primary Contact: Kent Draper Address: One Microsoft Way Redmond, WA 98052 Address: [***] Childress, TX 79201 USA Email: [***] Email: [***] Microsoft Supplier Number: N/A SOW Effective Date: The date the last party to sign this SOW signs this SOW. Agreed and accepted “Microsoft” “Partner” Signature: /s/ Scott Guthrie Signature: /s/ Kent Draper
2 Name: Scott Guthrie Name: Kent Draper Title: EVP, Cloud + AI Title: Authorized Signatory Date: 10/31/2025 Date: 11/02/2025 Signature /s/ William Roberts Name: William Roberts Title: Director Date: 02-Nov-25 | 1:12:28 AM PST This SOW (and all Exhibits attached hereto) is entered into in connection with the Microsoft Purchase Order Terms and Conditions attached hereto as Exhibit K (the “PO Terms”), by the parties and effective as of the SOW Effective Date above. Terms not defined herein will have the meaning provided in the Amended PO Terms. The PO Terms are amended, with respect to this SOW, as set forth in Exhibit F (the “Amended PO Terms”). Terms not defined herein will have the meaning provided in the Amended PO Terms. For the purposes of this SOW, “Agreement” means this SOW (and all Exhibits attached hereto) and the Amended PO Terms (but only as such Amended PO Terms relate to this SOW (and all Exhibits attached hereto)). 1. Service Descriptions, Delivery Dates, and Service End Dates 1.1 During the Total Service Term (defined below), Partner will perform or deliver to Microsoft under the Agreement the services described in this Section 1.1 (collectively with the GPU Services (defined below), the “Services”). “Base Network” Dual-path fiber at each Data Center Location with bandwidth sufficient for [***] for use by Microsoft. “Portal” Supplier’s customer service portal. “Support Services” the services described in Section 7 of Exhibit A. The parties agree that the Services under this SOW are “Cloud Services” for the purposes of the Amended PO Terms and that there are no “Goods”, “Services” or “Deliverables” (each as defined in the Amended PO Terms) provided under this SOW. The “Term” of this Agreement will commence upon the SOW Effective
3 Date and end on the last remaining Service End Date, unless terminated earlier in accordance with this Agreement. The “Total Service Term” will commence on the date Microsoft Accepts (as defined below) at least the Minimum GPU Quantity in respect of the first GPU Service in accordance with Section 2 and end on the last remaining Service End Date, unless terminated earlier in accordance with this Agreement. Microsoft agrees to comply with the Acceptable Use Policy set forth in Exhibit I (the “Acceptable Use Policy”) during the Total Service Term. Supplier agrees to comply with the terms set out in Exhibit J (the “Microsoft Policies”) to the extent applicable to the Services during the Total Service Term. Each party may update, in respect of the Supplier, the Acceptable Use Policy, and in respect of Microsoft, the Microsoft Policies, at its sole discretion from time to time upon at least thirty (30) calendar days’ prior written notice to the other party, provided, however, that if the change is not required to comply with Law and the other party reasonably considers the changes made will result in a material detrimental impact to the other party, the other party may, following receipt of such notice, object to those aspects of the change resulting in such material detrimental impact by providing written notice of that objection to the first-mentioned party (an “Objection Notice”) within seven calendar (7) days of receipt of notice of the updated applicable policy (“Objection Period”). If no objection is raised within the Objection Period, the updated version of the applicable policy shall be deemed to be accepted by the other party. If the other party provides an Objection Notice within the Objection Period, the parties will engage in good faith discussions regarding the changes and if the parties cannot resolve the disagreement within twenty (21) calendar days of receipt of the Objection Notice, the applicable policy shall remain unchanged. Subject to Section 1.2: a. During the Term, Partner will provide and make available to Microsoft each GPU Service at the relevant Data Center Location for the relevant Service Term (each as set out in Table 1). The Data Center Locations shall be in data center facilities located at Childress, Texas. b. Partner will deliver the GPU infrastructure by tranche, by its corresponding Delivery Date as set out in Table 1, each such GPU tranche being a “GPU Service”. The “Service Term” of each GPU Service will begin upon its Acceptance by Microsoft of at least the Minimum GPU Quantity in accordance with the acceptance process described in Section 2 and end on the Service End Date provided in Table 1 (as adjusted in accordance with the terms herein), unless terminated earlier in accordance with this Agreement. 1.2. VR200 Option and Pricing VR200 Option: Microsoft may, no later than four (4) months prior to the relevant Delivery Date under this SOW (or such later date mutually agreed by the parties in writing), provide written notice to Partner of its request to substitute any one or more GPU Services comprised of Nvidia GB300 GPUs for Nvidia VR200 GPUs. The parties will use good faith efforts within thirty (30) days of Microsoft’s written notice to agree to, to the extent such substitution is reasonably practicable: a. a revised Delivery Date for the GPU Service; b. a price for the Nvidia VR200 GPUs which will be determined in accordance with the below; and c. any other reasonable amendments to this Agreement to accommodate the VR200 GPUs.
4 If the parties reach such agreement, this Agreement will be adjusted accordingly including with respect to pricing and Delivery Date(s). If the parties do not reach such agreement, this Agreement will remain unchanged and Microsoft shall have the obligation to continue to procure GB300s in accordance with this Agreement. The parties acknowledge and agree that (i) this clause is subject to (A) Partner’s ability to procure, or if there are existing GB300 orders then exchange such existing orders for, Nvidia VR200 GPUs, and (B) each party’s satisfaction of any revised Delivery Date(s); and (ii) given the uncertain nature of the availability, amongst other things, of Nvidia VR200 GPUs, neither party is obligated to agree to any request to substitute any one or more GPU Services comprised of Nvidia GB300 GPUs for Nvidia VR200 GPUs. VR200 Prices. In the event that the parties agree to a request to substitute VR200 GPUs in place of GB300 for any of the locations (subject to the availability of such VR200 GPUs), the price for VR200s will be determined by the parties, acting in good faith, including considering the following: a. VR200 Cost Uplift: VR200 pricing will be adjusted for [***] total bill of materials (“BOM”) [***] other cost increases, including but not limited to, [***] and other costs associated with changing the order. The BOM will include Nvidia GPUs, GPU boards, switch boards, and networking components, including but not limited to, Infiniband. The parties shall make good faith efforts to collectively review and adjust the pricing framework to address cost drivers that have not been previously considered, [***]. i. Final Price Determination: Any pricing calculated under this Section shall be made on a one-time basis only. The parties shall use good faith efforts to reach agreement on a final VR200 price within thirty (30) days of Microsoft providing a written request with respect to substituting for VR200 GPUs. To facilitate this process, and subject to NVIDIA’s consent to such disclosure, the parties agree to exchange their respective VR200 BOM quotations received from NVIDIA, provided such exchange is conducted under an appropriate non-disclosure agreement and in accordance with any confidentiality restrictions imposed by NVIDIA, and consider the formula for pricing adjustments as set forth in Exhibit H. ii. Escalation Clause: If the parties are unable to reach mutual agreement on the price adjustment, the parties shall jointly engage an independent third party to validate the factors considered in accordance with this Section. iii. Resolution: If these efforts have not resulted in a VR200 price that both Partner and Microsoft agree to, then Microsoft has the obligation to continue to procure GB300s for the relevant GPU Service as outlined above. 2. Acceptance Process & Step-in Right 2.1. Acceptance. Delivery of GPU Services Tranches 1 through 4 (or portions of each of them) will be deemed completed upon acceptance in accordance with the acceptance process provided below (“Acceptance”). The timelines provided in the chart below may be changed if mutually agreed upon in writing by the parties. Notwithstanding anything to the contrary in this Agreement, until such time as Supplier has delivered at least the Minimum GPU Quantity for a particular GPU Service to Microsoft for acceptance testing: (a) Supplier will not provide Microsoft a Delivery Notice (as defined below) with respect to that GPU Service (or any portion of it), (b) the GPU Service (or any portion of it) will not be deemed ready for acceptance testing by Microsoft, (c) Microsoft will have no obligation to conduct testing and validation on any portion of that GPU Service, and (d) Microsoft’s failure to provide written notice of rejection with respect to that GPU Service (or any portion of it) within the Acceptance Period (as defined below) will not be deemed acceptance of that GPU Service (or any portion of it).
5 Supplier Validation Prior to delivery of each GPU Service (or portion of it), Supplier will perform a structured validation sequence on all components as set out in Exhibit B, including hardware health checks (e.g. GPU diagnostics, memory error detection), system performance validation (e.g. HPL-MxP, HPCG), and network validation (e.g. InfiniBand topology, NCCL validation). Supplier will provide copies of such test results to Microsoft. Upon completion of Supplier’s testing, it will provide notice to Microsoft that the relevant GPU Service (or portion of it) is ready for acceptance testing by Microsoft (“Delivery Notice”). Acceptance Period Microsoft shall have 5 days (“Acceptance Period”) following receipt of the Delivery Notice to conduct its own testing and validation of the relevant GPU Service (or portion of it) against the agreed-upon “Acceptance Criteria” set forth in Exhibit C. Acceptance or Rejection • Acceptance: if the GPU Service (or portion of it) meets the Acceptance Criteria, Microsoft will provide Supplier with a written notice that the GPU Service (or portion of it) is accepted. • Rejection: if Microsoft, acting in good faith, reasonably determines that the GPU Service (or portion of it) fails to meet the Acceptance Criteria, it will provide Supplier with a written notice of rejection detailing the specific deficiencies. Supplier will have fifteen (15) business days from receipt of such notice to cure the deficiencies and resubmit the applicable GPU Service (or portion of it) for acceptance testing by Microsoft. The parties shall repeat the process set forth in this Section 2 until the GPU Service (or portion of it) has been Accepted by Microsoft. Deemed Acceptance If Microsoft does not provide written notice of rejection to Supplier within the Acceptance Period, the relevant GPU Service (or portion of it) will be deemed accepted. 2.2. Step-in right. Supplier shall use good faith efforts to procure that concurrently with the closing of any applicable financing or colocation arrangements with any Third Party Operators (as defined below), Microsoft, Supplier and as applicable (i) any parties that have provided financing in relation to this
6 Agreement and (ii) the relevant colocation service provider ("Third Party Operators") will enter into a side letter or other agreement (in form and substance satisfactory to Microsoft, Supplier and such Third-Party Operator) which provides that, upon the occurrence of the insolvency or adjudication of bankruptcy, filing a voluntary petition in bankruptcy, or making an assignment for the benefit of creditors with respect to Supplier, such Third Party Operators will agree to give Microsoft the option to continue to meet Supplier’s payment obligations under the financing documents or colocation services agreement (as applicable) and shall permit the services to be provided in accordance with the terms of this Agreement so long as Microsoft continues to comply with its payment and other obligations thereunder. Microsoft will not have any obligation to exercise this option. Microsoft acknowledges that the Supplier may from time to time obtain financing or other credit support in relation to the provision of the GPU Services. Microsoft shall act in good faith and use all reasonable endeavors to cooperate with and execute such documents or arrangements as may reasonably be required by any financier or lender to the Supplier. 3. Payment 3.1 GPU Prices. The parties have agreed to use the below prices to calculate the Service Fees owed under this Agreement: SOW GPU Type Location Term Price (USD $/GPU/hr) 1 NVIDIA GB300 Childress, TX 5 years [***] 3.2. Service Fees. The total fees for the Services (“Service Fees”) will not exceed $9,666,845,337.60 USD (“TCV”); provided, however, that in the event that all or a portion of any GPU Service is terminated in accordance with the terms of this Agreement, the TCV will be reduced by an amount equal to the portion of the Tranche Value attributable to such terminated GPU Service(s). The Service Fees will be payable in accordance with the following terms. For the avoidance of doubt, additional services not provided in this SOW that are (i) subject to a separate charge and (ii) mutually agreed by the parties in writing, including without limitation storage, shall be priced and billed separately. Table 1 GPU Service SOW 1.1 SOW 1.2 SOW 1.3 SOW 1.4 Total GPU Service “Tranche 1” “Tranche 2” “Tranche 3” “Tranche 4” Totals
7 “Data Center Location” Block known as “Horizon 1” located at [***] Childress, TX 79201 USA Block known as “Horizon 2” located at [***] Childress, TX 79201 USA Block known as “Horizon 3” located at [***] Childress, TX 79201 USA Block known as “Horizon 4” located at [***] Childress, TX 79201 USA N/A “GPU Quantity” (NVIDIA GB300 GPUs) [***] [***] [***] [***] [***] “Delivery Date”, subject to Section 3.3. [***] [***] [***] [***] [***] “Service End Date” [***], 2031 [***], 2031 [***], 2031 [***], 2031 N/A “Tranche Value” [***] [***] [***] [***] USD $9,664,199,424.0 0 “Upfront Payment ” [***] [***] [***] [***] USD $1,932,839,884.8 0 Estimated Monthly Payment (First 24 Months of each Tranche)* [***] [***] [***] [***] USD $161,180,236.80 Estimated Monthly Payment (Month 25 until Service End Date)* [***] [***] [***] [***] USD $107,199,838.11 “Minimum GPU Quantity” with respect to each GPU Service, shall mean [***] of the respective GPU Quantity.
8 *Estimated Monthly Payments are calculated based on 24-hour days between the applicable Delivery Date and Service End Date. These figures are included for illustrative purposes only. Total monthly payments plus the Upfront Payments paid by Microsoft are not to exceed the total aggregate Tranche Value. The actual monthly installment amounts for GPU Services will be calculated on the basis outlined in Section 3.2.a below. a. Payment Calculations. i. The total amount owed for each GPU Service will be calculated by multiplying the GPU Quantity by the corresponding Price and by the number of hours in the corresponding Service Term (“Total Amount”). ii. The monthly installment amount for each GPU Service will be calculated by multiplying the GPU Quantity (less any GPUs that have not been Accepted by Microsoft) in the relevant GPU Service by the Price per GPU multiplied by the number of hours in the month, prorated for any partial calendar months. iii. Upfront Payment: Partner shall invoice an upfront payment for each GPU Service no earlier than [***] before the Delivery Date of each GPU Service; being an amount equal to 20% of the applicable Tranche Value provided in Table 1 (“Upfront Payment”) and Microsoft shall pay each Upfront Payment to Partner within [***] of receipt of such invoice. The Upfront Payments will not bear interest and will be credited against the Service Fees due and payable by Microsoft after the twenty-fourth (24th) calendar month of each Service Term on a pro-rata basis. iv. The parties hereby agree that the Partner shall be entitled to invoice Microsoft in respect of a GPU Service monthly commencing upon Acceptance of at least the Minimum GPU Quantity for that GPU Service up until the end of the corresponding Service Term. Subject to Section 3.2.a.iii., Microsoft will pay all invoices within [***] following the date of invoice. v. The Service Fees are non-refundable, non-cancellable and constitute a firm minimum commitment by Microsoft to Partner regardless of whether Microsoft utilises any or all of the Services, except as otherwise provided for in this Agreement. vi. If undisputed portions, or disputed portions (if such disputed portion is unresolved or resolved to be correct in favour of Partner), of an invoice are not paid on time they shall accrue a late fee of [***]. b. Total Amounts and any other amount specified in this Agreement are exclusive of sales tax, which will be included on each invoice, as applicable. c. Payment Method: All payments must be made by Wire or ACH transfer. d. Except as explicitly provided for in the Agreement, Partner will be solely responsible for all expenses it incurs while performing the Services, unless Microsoft otherwise consents in writing; provided, that Partner will not be responsible for any expenses incurred as a result of Microsoft’s failure to fulfill its obligations under this Agreement and/or Microsoft’s negligence or willful misconduct.
9 e. The parties agree that, if the start of a Service Term is later than the Delivery Date specified in Table 1, the Service End Date for all Tranches will be adjusted such that the aggregate Total Amount payable by Microsoft for all GPU Services during the Total Service Term is an amount equal to the TCV. 3.3. Early and Late Delivery a. Late Delivery and Late Fees: If Partner becomes aware that a GPU Service is likely to be delivered to Microsoft for acceptance testing later than the applicable Delivery Date (as identified in Table 1), it will inform Microsoft (i) of such delay within [***] and (ii) of the anticipated date on which the GPU Service is likely to be delivered to Microsoft for acceptance testing. Partner will continue to keep Microsoft informed of any further delays to delivery within [***] after Partner becomes aware of such delays. The parties agree that any Delivery Date or Updated Delivery Date specified in, or otherwise agreed pursuant to, the Agreement shall be subject to extension in the event of any Force Majeure Events, delays caused by Partner’s compliance with Section 3.3.f, any Microsoft-caused delays, or any delay caused by a failure of Nvidia to deliver the GPUs to Partner’s supply chain in the volumes and by the timelines anticipated by Partner (provided Partner provides Microsoft with: (i) documentation demonstrating that Partner had contracted for the delivery of a sufficient volume of GPUs on timelines that would have enabled Partner to deliver the relevant GPU Quantity to Microsoft by the Delivery Date (or Updated Delivery Date, if applicable); and (ii) a copy of the revised delivery timeline received from Nvidia or the relevant party in Partner’s supply chain) (each, an “Excluded Delay”). Such extension to the Delivery Date or Updated Delivery Date (as applicable) shall be for a period [***] caused by the applicable Excluded Delay and, notwithstanding anything to the contrary contained herein, Microsoft shall not be entitled to any Delay Credits (as defined below) in respect of the period of any Excluded Delay. (i) If the Minimum GPU Quantity for a GPU Service is delivered by Partner to Microsoft for acceptance testing by its corresponding Delivery Date, Partner will deliver any Shortfall GPUs to Microsoft for acceptance testing within [***] of the Delivery Date for the GPU Service (“Shortfall Delivery Date”). To the extent that any Shortfall GPUs are not delivered by Partner to Microsoft for acceptance testing by the applicable Shortfall Delivery Date, Partner will provide Microsoft with a credit, to be applied against the Service Fees payable in a subsequent invoice (a “Delay Credit”) in an amount equal to [***] of the equivalent of a daily bill in respect of the Shortfall GPUs for each day after the Shortfall Delivery Date that Partner has not delivered the Shortfall GPUs for that GPU Service to Microsoft for acceptance testing in accordance with Section 2. For example, for a GPU Service with a GPU Quantity of [***] GPUs where only [***] GPUs have been delivered to Microsoft for acceptance testing by the applicable Delivery Date with an hourly bill rate of [***] the daily credit for each day after the Shortfall Delivery Date the remaining GPUs are delayed will be calculated as: [***]. (ii) Subject to Section 3.3.b, if the Minimum GPU Quantity for a GPU Service is not delivered by Partner to Microsoft for acceptance testing by its corresponding Delivery Date, Partner will provide Microsoft with a Delay Credit in an amount equal to [***] of the equivalent of a daily bill in respect of the GPU Quantity for that GPU Service for each day after the Delivery Date that Partner has not delivered the Minimum GPU Quantity for that GPU Service to Microsoft for acceptance testing in accordance with Section 2. After Partner delivers the Minimum GPU Quantity for the GPU Service to Microsoft for acceptance testing, any Shortfall GPUs must be subsequently delivered (and Delay Credits provided) in accordance with Section 3.3.a(i), mutatis
10 mutandis as if references to “Delivery Date” therein were a reference to the date the Partner delivered the Minimum GPU Quantity for the GPU Service to Microsoft for acceptance testing. “Shortfall GPUs” means, in respect of each GPU Service, an amount of GPUs equal to the GPU Quantity less any GPUs delivered by Supplier to Microsoft for acceptance testing. b. GPU Service termination right: If: (i) the Minimum GPU Quantity for a GPU Service has not been delivered to Microsoft for acceptance testing prior to expiry of the Delivery Delay Window; or (ii) Partner notifies Microsoft in writing that the Minimum GPU Quantity for a GPU Service, in Partner’s reasonable judgment, will not be delivered to Microsoft for acceptance testing prior to expiry of the Delivery Delay Window, and Partner cannot deliver an equivalent capacity for acceptance testing (as determined by Microsoft in its sole reasonable discretion) within [***] calendar days following the Delivery Date, Microsoft may elect in writing to Partner to terminate the applicable GPU Service with immediate effect or the parties may agree to an updated delivery date in writing (“Updated Delivery Date”), in which case all references to the applicable Delivery Date in the Agreement shall now mean the Updated Delivery Date, with respect to the applicable GPU Service. Notwithstanding the foregoing, if Microsoft agrees to an Updated Delivery Date, Partner will continue to pay Delay Credits owed from the Delivery Date (before it was updated) up until the Minimum GPU Quantity is delivered to Microsoft for acceptance testing or the relevant GPU Service is terminated pursuant to this Section 3.3.b, whichever is earlier (other than with respect to any period of time attributable to an Excluded Delay). If Microsoft has not exercised its right to terminate under this Section 3.3.b before the earlier of (x) [***] calendar days after that right has arisen and (y) the date Partner delivers the Minimum GPU Quantity for the relevant GPU Service to Microsoft for acceptance testing, Microsoft’s rights pursuant to this Section 3.3.b shall thereupon be deemed to have expired and to be of no further force or effect. The “Delivery Delay Window” for the purposes of this section means either: [***], in each case as the Delivery Date may be extended in accordance with the terms of this Agreement including due to an Excluded Delay. c. Updated Delivery Date: If the parties have agreed to an Updated Delivery Date under Section 3.3.b and the Minimum GPU Quantity for the applicable GPU Service is not delivered on or before the Updated Delivery Date, the applicable GPU Service will be deemed terminated by Microsoft, unless the parties agree otherwise in writing. For the avoidance of doubt, this Section 3.3.c only applies to Updated Delivery Dates that are later than the expiry of the applicable Delivery Delay Window. d. Obligations: If a GPU Service is terminated by Microsoft pursuant to this Section 3, Microsoft will have no obligation to pay for that GPU Service and Partner will refund Microsoft any Upfront Payment previously paid by Microsoft in respect of the terminated GPU Service within [***] days of such termination. For the avoidance of doubt, termination of a GPU Service by Microsoft pursuant to this Section 3 does not terminate this Agreement. Notwithstanding anything contained in the Agreement to the contrary, Microsoft’s entitlement to Delay Credits and Microsoft’s entitlement to terminate, as expressly provided in this Section 3, represent Microsoft’s sole and exclusive remedies related to Supplier’s late delivery of the GPU Services under the Agreement. e. Early Delivery: If Partner can deliver a GPU Service on an earlier date than the Delivery Date (the "Early Delivery Date"), then Partner may propose the Early Delivery Date to Microsoft [***] days prior to such Early Delivery Date. Microsoft shall have [***] from the date of Partner's proposal to accept or reject such proposed Early Delivery Date in writing. Microsoft’s acceptance or
11 failure to respond within [***] shall constitute acceptance of the Early Delivery Date, which shall be deemed the Delivery Date of such GPU Service. In the event of Microsoft’s written rejection within [***], the Delivery Date of such GPU Service shall not change and the proposed Early Delivery Date shall not be valid. Alternatively, Microsoft may propose a date between the Early Delivery Date and the then current Delivery Date, which shall be deemed the new Delivery Date for the relevant GPU Service. f. Phased delivery: Partner will not deliver Tranche 3 or Tranche 4 until Tranche 1 and Tranche 2 have been successfully merged to operate as a single Cluster (as defined in Exhibit A); provided that Partner can still deliver a GPU tranche early in the event there has not been a successful merging of previously delivered GPU tranches due to events outside of Partner’s reasonable control (including Excluded Delays and Microsoft’s failure to timely perform its obligations and responsibilities). A GPU tranche has been successfully merged with the relevant previous GPU tranche if all relevant GPU tranches are operating as a single Cluster. For the avoidance of doubt, any delivery delays arising out of Partner’s compliance with this Section 3.3.f will not trigger the terms (including, without limitation, Microsoft’s termination rights) described in Section 3.3. 4. Enhanced Ticketing Workflow & Monitoring a. Supplier acknowledges Microsoft’s interest in improving the efficiency of Supplier’s ticketing workflow and providing necessary visibility to metrics and/or logs through Supplier’s monitoring solutions. To support this goal, Supplier commits to dedicating engineering resources to collaborate with Microsoft’s technical teams. This collaboration will begin with a joint discovery workshop, required to be completed within ninety (90) days of the SOW Effective Date, with the objective of defining current-state challenges and desired future-state requirements. The output of this workshop will be a mutually agreed-upon project plan that outlines the scope, timeline, and resource allocation for developing and implementing a streamlined solution. b. Notwithstanding anything to the contrary in the Agreement, a party will not be in breach under the Agreement for any failure to comply with, or achieve any particular result or milestone contemplated under, any such project plan agreed between the parties pursuant to this Section 4. 5. Deployment Phase Project Governance and Communication a. Project Delivery: Proactive and transparent communication will be provided regarding any technical issues or planned infrastructure changes, such as those to data center equipment, that may materially impact service availability. Furthermore, timely notifications will be issued concerning any material potential feature or engineering delays, including details on the nature of the issue, its potential impact, and revised timelines. The goal is to minimize any potential disruption for Microsoft and enable effective planning through clear and anticipatory communication. b. Notwithstanding anything to the contrary in the Agreement, a party will not be in breach of this Section 5 provided it materially complies with its obligations set forth in the table below. Commitment to Predictable Timelines Both parties will use good faith efforts to establish a plan within thirty (30) calendar days of the SOW Effective Date
12 to maintain a shared, end-to-end project timeline that includes built-in buffers for key dependencies that will be reviewed weekly. Proactive Risk Communication Supplier commits to notifying Microsoft in writing within five ( 5) business days of identifying any significant risk that will likely impact a Delivery Date. This notification will include a description of the risk, the potential impact to delivery of the GPU Services and a proposed mitigation plan. Governance Structure The parties will use good faith efforts to establish a formal written governance plan within thirty (30) days of the SOW Effective Date, including a plan for weekly project status meetings, Monthly Business Reviews (MBRs), and a documented escalation matrix for incidents, including critical “P0” incidents, consistent with Exhibit D. Status Reporting Supplier will provide a written weekly status report to Microsoft detailing progress against Delivery Dates and associated risks and upcoming activities. 6. Termination and Suspension a. If Microsoft fails or refuses to pay any amount due under this Agreement (but excluding any amounts disputed in good faith in accordance with this Agreement), Supplier may provide written notice to Microsoft that it intends to terminate this Agreement. If Microsoft fails to pay the amount due within thirty (30) calendar days of Supplier providing such notice, Supplier may terminate this Agreement with immediate effect upon written notice to Microsoft. b. Subject to Section 6.a., if a party is in material breach of this Agreement, the other party may provide it written notice of such breach. If the party in material breach fails to remedy such breach within sixty (60) calendar days of receiving such notice (the “Cure Period”), the other party may terminate this Agreement with immediate effect on expiry of the Cure Period or on a date no later than ninety (90) days following the end of the Cure Period by written notice to the other party. For the avoidance of doubt, the parties agree that: (i) Supplier’s late delivery of the GPU Services under the Agreement or failure to comply with Exhibit A will not be considered a material breach for the purposes of this Section 6.b; and (ii) this Section 6.b does not in any way alter Microsoft’s rights to terminate a GPU Service under Section 3.3.b. c. Upon termination or expiry of this Agreement, Microsoft shall immediately (1) discontinue access to, and use of, the Services, including by its Users, (2) pay all fees and other amounts or liabilities that have accrued or become due before such termination or expiry and (3) except for where Microsoft terminates this Agreement pursuant to Section 6.b. or Supplier terminates pursuant to Section 7.g, pay an amount equal to the TCV less: (i) any Service Fees already paid by Microsoft to Supplier as at the date of termination; and (ii) any Service Fees Microsoft was not
13 obligated to pay, pursuant to Section 6.d, during periods of suspension under Section 9.a or Section 10 of Exhibit E. Where Microsoft terminates this Agreement pursuant to Section 6.b or Supplier terminates this Agreement pursuant to Section 7.g, Supplier will pay Microsoft, within sixty (60) days of such termination, an amount equal to all Upfront Payments made by Microsoft less: (x) any portion of the Upfront Payments that has already been credited against Service Fees due pursuant to Section 3.2.a.iii, refunded pursuant to Section 3.3.d or otherwise applied pursuant to Section 6.e; and (y) any other amounts owing by Microsoft to Supplier. d. Notwithstanding anything to the contrary in this Agreement, upon suspension of any Service under Section 9.a or Section 10 of Exhibit E, (1) Microsoft shall immediately discontinue access to, and use of, the applicable Services, (2) Microsoft shall not be obligated to pay any fees for any suspended Services during the period of suspension, (3) Microsoft shall not be entitled to any Delay Credits with respect to any period of suspension and (4) such suspension shall not be deemed Downtime (as defined in Exhibit A). e. No expiration, termination or suspension of this Agreement or the Services (as applicable) will entitle Microsoft to any refund, unless otherwise explicitly provided for under this Agreement. Supplier has the right to apply any pre-payments (including any Upfront Payment), security deposits or other collateral in satisfaction of all amounts owing by Microsoft to Supplier; provided, however, that if such application is insufficient to satisfy the full amounts due, Microsoft shall remain liable for the remaining amounts due in accordance with this Agreement. f. In the event that this Agreement is terminated before the end of the Total Service Term by Supplier pursuant to Section 6.a or 6.b, Supplier will, solely as strictly required to enable Microsoft to migrate its workloads off of the GPU Services, continue to make all delivered and Accepted GPU Services available to Microsoft for a period of sixty (60) calendar days after the date of termination, provided that (i) Microsoft and its Users do not use such GPU Services for any other purpose, including running any compute workloads (except as strictly required to migrate workloads off of the GPU Services) or any other commercial purpose, (ii) Microsoft must continue to pay for, and continue to comply with its obligations hereunder in connection with, such access and use of the GPU Services and (iii) Partner bears no liability in respect of such access and use of the GPU Services by Microsoft or any of its Users during this period. 7. Limitations of Liability and Indemnities a. EXCEPT FOR INFRINGEMENT OF THE OTHER PARTY’S IP OR A BREACH OF ITS CONFIDENTIALITY OBLIGATIONS IN SECTION 9.q. (THE “EXCLUDED CLAIMS”), NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, EXEMPLARY, INCIDENTAL OR PUNITIVE DAMAGES (INCLUDING DAMAGES FOR LOSS OF DATA, REVENUE, USE, REPUTATION AND/OR PROFITS AND BUSINESS INTERRUPTION OR SIMILAR ACTION), WHETHER FORESEEABLE OR UNFORESEEABLE, WHICH ARISE OUT OF THIS AGREEMENT, REGARDLESS OF WHETHER THE LIABILITY IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, BREACH OF WARRANTIES OR OTHERWISE, AND EVEN IF THE PARTY IS ADVISED OF THE POSSIBILITY OF THOSE DAMAGES. FOR THE AVOIDANCE OF DOUBT THE FOREGOING SENTENCE DOES NOT LIMIT IN ANY WAY MICROSFT’S LIABILITY AND OBLIGATION TO PAY ANY AMOUNTS DUE AND PAYABLE UNDER THIS AGREEMENT. b. TO THE FULLEST EXTENT PERMITTED BY LAW, THE TOTAL AGGREGATE AND MAXIMUM LIABILITY OF A PARTY, ARISING FROM OR OTHERWISE RELATING TO THIS AGREEMENT (REGARDLESS OF THE FORM OF ACTION OR CLAIM), WITH THE EXCEPTION OF EXCLUDED CLAIMS, A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER THIS SECTION 7 AND ANY PARTY’S PAYMENT
14 OBLIGATIONS (EXCLUDING DELAY CREDITS), IS LIMITED TO AN AMOUNT EQUAL TO [***] (THE “GENERAL LIABILITY CAP”); PROVIDED, HOWEVER, THAT EACH PARTY’S TOTAL AGGREGATE AND MAXIMUM LIABILITY ARISING FROM OR OTHERWISE RELATING TO ANY DATA-RELATED CLAIM AND INFINGEMENT OF THE OTHER PARTY’S IP ARISING UNDER THIS AGREEMENT (REGARDLESS OF THE FORM OF ACTION OR CLAIM) IS LIMITED TO [***]. c. EXCEPT AS OTHERWISE PROVIDED UNDER THIS AGREEMENT, SUPPLIER MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICES, INCLUDING ANY WARRANTY THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING PROCESSED MICROSOFT DATA, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. MICROSOFT ACKNOWLEDGES THAT SUPPLIER DOES NOT CONTROL OR MONITOR THE TRANSFER OF DATA OVER THE INTERNET, AND THAT INTERNET ACCESSIBILITY CARRIES WITH IT THE RISK THAT MICROSOFT’S PRIVACY, CONFIDENTIAL INFORMATION AND PROPERTY MAY BE LOST OR COMPROMISED. EXCEPT AS OTHERWISE PROVIDED UNDER THIS AGREEMENT OR TO THE EXTENT PROHIBITED BY LAW, SUPPLIER DISCLAIMS ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. d. Except to extent caused by the gross negligence or willful misconduct of Microsoft or its Users, Supplier will defend, indemnify and hold harmless Microsoft and its Affiliates against all third party claims (other than from a Microsoft Affiliate or any User) arising out of any of the following in connection with this Agreement: (1) actual or alleged infringements of any third-party IP by the Services provided under this Agreement as used within the scope of the license or permitted use granted in this Agreement and unmodified from the form provided by Supplier and not combined with anything else except as otherwise expressly permitted under this Agreement; or (2) a breach of Exhibit E, (3) any act or omission of or failure to comply with tax obligations or Law by Supplier or Supplier’s agents, employees, or subcontractors; (4) the gross negligence or willful misconduct of Supplier or its subcontractors, which results in any bodily injury or death to any person or loss or damage to tangible property; and (5) any claims of Supplier’s employees, its Affiliates or subcontractors in connection with this Agreement. e. Except to the extent caused by the gross negligence or willful misconduct of Supplier or its subcontractors, Microsoft agrees to defend, indemnify and hold harmless Supplier and its Affiliates against all third party claims arising out of any of the following in connection with this Agreement: (1) any software, data, or other files provided by Microsoft (including the Microsoft Materials), as used within the scope of the license or permitted use granted in the Agreement and unmodified from the form provided by Microsoft and not combined with anything else, misappropriates a trade secret or infringes a patent, copyright, trademark, or other right of a third-party; (2) Microsoft or any of its Users’ use of the Services in an unlawful manner or in violation of the Agreement; (3) actual or alleged infringements of any third-party IP by Microsoft, (4) any act or omission of or failure to comply with tax obligations or Law by Microsoft or Microsoft’s agents, employees, or subcontractors, (5) the gross negligence or willful misconduct of Microsoft, Microsoft’s Affiliates, any of their personnel or Users, which results in any bodily injury or death to any person or loss or damage to tangible property; (6) any claims of Microsoft’s employees, its Affiliates or Users in connection with the Agreement; and (7) any bodily injury or death to any person or loss or damage to tangible property caused by the acts or omissions of Microsoft, Microsoft’s Affiliates, any of their personnel or Users in connection with such persons’ activities at or around the Premises (as defined in Exhibit E).
15 f. The parties will defend each other against the third-party claims described in this Section 7 and will pay the amount of any resulting adverse final judgment or approved settlement. The indemnified party will promptly notify the indemnifying party in writing of the claim and the indemnifying party will have the right to control the defense and any settlement of it, provided that the indemnified party may, in its discretion and at its cost, participate in any such defense or settlement. The indemnified party must provide the indemnifying party with all reasonably requested assistance and information. The indemnifying party will reimburse the indemnified party for reasonable expenses it incurs in providing such assistance. Neither party will stipulate, admit, or acknowledge fault or liability by the other without their prior written consent and the indemnifying party will not publicize any settlement without the other party’s prior written consent, unless required by Law or the rules of any stock exchange on which the shares of the relevant party (or any member of its group) are listed. g. In addition to all other remedies available to Microsoft, if use of the Services under this Agreement are enjoined, injunction is threatened, or may violate Law, Supplier, at its expense will notify Microsoft and, if the Services are enjoined or violates Law, at its option, promptly replace or modify such Services so they are non-infringing or compliant with applicable law (as applicable). If Supplier cannot replace, modify or cure such Services, then Supplier may terminate this Agreement upon written notice to Microsoft. h. This Section 7 states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any indemnified claim described in this Section 7. 8. Force Majeure a. Either party’s delay in performing, defective performance, or non-performance of its obligations under this Agreement (other than an obligation to pay any amount) shall be excused as set forth in this Section 8 if such delay, defective performance or non-performance is proximately caused by a Force Majeure Event. b. In the event that a party is unable to and fails to comply with its obligations under this Agreement as a result of a Force Majeure Event, then: i. the affected party will not be regarded as in breach of this Agreement for such failure; ii. the affected party’s relevant obligations shall be extended by the duration of the relevant Force Majeure Event; and iii. the affected party shall use commercially reasonable efforts to resume performance as soon as practicable. 9. Miscellaneous a. Without limiting Supplier’s termination rights, Supplier reserves the right, at any time, in Supplier’s reasonable discretion, to temporarily suspend access to or use of the Services, without being deemed to be in breach of this Agreement, where no other reasonable alternative exists, in order: (1) to comply with Law or any judicial or other governmental demand or order, subpoena or law enforcement request that requires Supplier to do so, or (2) to maintain the
16 security or integrity of Supplier’s network, hardware or associated systems or those of Supplier’s third-party providers or customers; provided that, Supplier shall provide as much advance written notice as possible to Microsoft as soon as Supplier determines that suspension is pending or being implemented, and for so long as such suspension continues, Supplier shall use good faith efforts to recommence its performance hereunder without undue delay. Supplier shall promptly notify Microsoft in writing when the cause of suspension has abated or can be circumvented and will restore Microsoft’s access to the Services when the basis for the suspension has been resolved, as determined in Supplier’s reasonable discretion. Notwithstanding anything to the contrary in this Agreement, suspension by Supplier as permitted in this Section 9.a. shall not be deemed Downtime (as defined in Exhibit A). b. Microsoft shall be responsible for all acts and omissions of its Users (including any act or omission which would constitute a breach of this Agreement if done by Microsoft which, for the purposes thereof, will be deemed to be a breach by Microsoft). c. Microsoft represents and warrants that it is, and its Users are, not: (1) located in any country in which the use of the Services or provision of the Services to persons or entities in that country are prohibited by Trade Laws; nor (2) an individual or entity included on any U.S. lists of prohibited parties including, the Treasury Department’s List of Specially Designated Nationals List and Sectoral Sanctions List. Additionally, Microsoft agrees not to (directly or indirectly) sell, export, reexport, transfer, divert, or otherwise dispose of any Services received from Supplier in contradiction with Trade Laws. d. Microsoft shall employ commercially reasonable and appropriate, in accordance with applicable industry standards, physical, administrative, and technical controls, screening, and security procedures and other safeguards designed to securely administer the distribution and use of its account access credentials and protect against any unauthorized access to or use of the Services. e. In the event Microsoft becomes aware of any breach of security relating to the Services, Microsoft shall promptly, and no later than within twenty-four (24) hours, notify Supplier in writing upon learning of such security breach. Microsoft shall assist and cooperate in any investigation or legal action that is taken by authorities and/or by Supplier. f. Except as permitted under this Agreement, Microsoft shall not: (1) decipher, decompile, disassemble, reverse engineer or otherwise attempt to derive any source code or underlying algorithms of any part of the Services (except to the extent such restriction is prohibited by Law); (2) modify, translate, or otherwise create derivative works of any software included in the Services; notwithstanding the foregoing, Microsoft is not prohibited from applying patches or updates with respect to such software, as long as such application does not (x) void any warranty provided by the relevant software supplier or claim Supplier would otherwise have but for such application, including any insurance claims, or (y) cause Supplier to be in breach of any contract or Law; (3) copy, rent, lease, resell or otherwise distribute any software included in the Services to any non-affiliate third party unless mutually agreed in writing by the parties; or (4) assign or transfer any of the rights that Microsoft receives hereunder to any third party (other than as expressly permitted hereunder). g. Each party will own and retain all rights to its own intellectual property (“IP”). The parties will not jointly develop any IP under this Agreement. h. As between Supplier and Microsoft: (1) Supplier will at all times own the Services (including all
17 GPUs used in connection with the GPU Services) and Usage Statistics, including rights to all IP therein. (2) Microsoft will at all times own the Microsoft Materials, including rights to all IP therein. i. Supplier hereby grants Microsoft and its Affiliates an irrevocable, non-exclusive, non- transferable, non-sublicensable (except to its Users), limited right to use Supplier’s IP during the Total Service Term solely as necessary for Microsoft and its Users to (i) access and use the Services, (ii) to make commercially available services and products that use the GPU Services, and (iii) for Microsoft’s Users to use Microsoft services and products that use the GPU Services, each in accordance with this Agreement. j. Microsoft grants to Supplier and its Affiliates a non-exclusive, irrevocable, non-transferable, non-sublicensable (except to its Affiliates and subcontractors) license to use Microsoft’s IP rights, including in the Microsoft Materials, solely as necessary for Supplier to provide the Services to Microsoft and create and use, solely for internal purposes, the Usage Statistics. k. Microsoft grants to Supplier and its Affiliates a non-exclusive, irrevocable, transferable, sublicensable, royalty-free and fully paid-up license to use and exploit Supplier Feedback (including any Microsoft IP therein). Supplier grants to Microsoft and its Affiliates a non- exclusive, irrevocable, transferable, sublicensable, royalty-free and fully paid-up license to use and exploit the Microsoft Feedback (including any Supplier IP therein). l. Each party represents and warrants that: i. it has full rights and authority to enter into, perform under, and grant the rights in accordance with this Agreement and its performance will not violate any agreement or obligation between it and any third party; ii. it will comply with all Laws, including “Anti-Corruption Laws” (i.e., all Laws against fraud, bribery, corruption, inaccurate books and records, inadequate internal controls, and/or money-laundering, including the U.S. Foreign Corrupt Practices Act), whether local, state, federal or foreign. The Services and Microsoft Materials provided under this Agreement (collectively, “Items”) may be subject to applicable trade laws in one or more countries. Such party will comply with all relevant laws and regulations applicable to the import or export of the Items, including but not limited to, trade laws and regulations such as the U.S. Export Administration Regulations or other end-user, end use, and destination restrictions by the U.S. and other governments, as well as sanctions regulations administered by the U.S. Office of Foreign Assets Control or any other similar restricted parties list (“Trade Laws”); iii. it agrees to provide the other party with the import/export control classifications and information, including documentation, on the applicable import, export, or re-export authorizations, and all necessary information about its Items for any required import, export or re-export procedures mandated by Trade Laws and/or licenses, without additional cost to the other party; and iv. it will comply with all applicable Anti-Corruption Laws and, while performing under this Agreement, it will provide training to its employees on compliance with Anti-Corruption Laws. m. The Supplier represents and warrants that:
18 i. the Services provided to Microsoft under this Agreement: 1. are not governed, in whole or in part, by an Excluded License. “Excluded License” means any software license that requires as a condition of use, modification and/or distribution, that the software or other software combined and/or distributed with it be: (i) disclosed or distributed in source code form; (ii) licensed to make derivative works; or (iii) redistributable at no charge; and 2. will not be subject to license terms that require any (i) Microsoft product, service, or documentation, or any Supplier or third-party IP licensed to Microsoft, or documentation which incorporates or is derived from such Services or Supplier or third-party IP, or (ii) Microsoft Materials or Microsoft IP, to be licensed or shared with any third party; and ii. it will implement and maintain policies and procedures designed to prevent the inclusion of any viruses or other malicious code that will degrade or infect the Services, or any other software or Microsoft’s network or systems. n. Microsoft represents and warrants that, by providing Processed Microsoft Data to Supplier: (1) to Microsoft’s knowledge its Processed Microsoft Data and use thereof (including by Supplier) will not violate this Agreement or any Law; (2) Microsoft is solely responsible for developing, loading, modifying, processing, operating, maintaining, and supporting the Processed Microsoft Data and it and its Users’ use of Processed Microsoft Data; (3) to its knowledge, Processed Microsoft Data and its use thereof does not and will not cause Supplier to violate any Law, or the rights of any third party; and (3) except for the specific Services provided under this Agreement, Microsoft is solely responsible for the technical operation and security of Processed Microsoft Data, including on behalf of its Users. SUPPLIER SHALL BEAR NO LIABILITY WITH RESPECT TO PROCESSED MICROSOFT DATA THAT IS LOST OR DAMAGED AS A RESULT OF THE ACTIONS OR INACTIONS OF MICROSOFT, ITS USERS OR THE ACTIONS OF ANY INDIVIDUAL WHO USES THE SERVICES ON MICROSOFT’S OR ITS USERS’ BEHALF EXCEPT TO THE EXTENT CAUSED BY SUPPLIER’S ACTS OR OMISSIONS IN BREACH OF THIS AGREEMENT. o. Supplier will not subcontract with any third party to provide any GPU Services in full without Microsoft’s prior written consent (which shall not be unreasonably withheld, conditioned or delayed). Supplier may subcontract any of its other obligations under this Agreement without Microsoft’s prior written consent. If Supplier subcontracts performance of any of its obligations under this Agreement to any subcontractor, Supplier will be fully liable to Microsoft for any actions or inactions of subcontractor and remain subject to all obligations under this Agreement. p. Each party shall deliver all notices, requests, proposals, consents, claims, demands, waivers, and other communications under this Agreement but excluding any such communications through Partner’s customer support channel(s) in writing and addressed to the other party at its address set forth on the first page of this Agreement (or to such other address that the receiving party may designate from time to time in accordance with this Section). q. The terms and obligations of the Non-Disclosure Agreement entered into between the parties (or their Affiliates) on [***] (the “NDA”) are hereby incorporated into this Agreement by reference and shall be deemed to form part of this Agreement. The terms and existence of this Agreement and any other Confidential Information (as defined in the NDA) provided to a party or any of its Affiliates by, or on behalf of, the other party in connection with this Agreement (“Agreement Information”), are strictly confidential and shall be treated in accordance with the NDA, and
19 shall not be disclosed by a party to any other person (other than in accordance with the NDA). Notwithstanding any termination of the NDA, the confidentiality obligations set out therein shall continue in full force and effect in respect of this Agreement Information for the Term; provided, however, that termination of this Agreement will not change any of the rights and duties made while the NDA as incorporated into this Agreement is in effect. Notwithstanding anything to the contrary contained herein or in any other agreement entered into by and between the parties, including the NDA, (a) either party may disclose the terms of this Agreement as required by Law or the rules of any stock exchange on which the shares of the relevant party (or any member of its group) are listed; (b) [***]. Notwithstanding the incorporation of the terms of the NDA pursuant to this Section, the parties agree that the NDA and this Agreement are independent agreements and this Agreement does not confer any rights, remedies or liabilities upon any person other than the parties to this Agreement and their respective successors and permitted assigns. r. During the Term and for 4 years after (or a longer term as required to comply with Law), Supplier will keep usual and proper records and books of account and quality and performance reports related to the Services and as otherwise required for legal compliance (“Supplier Records”). During this period, Microsoft may audit and/or inspect the applicable records and facilities to verify Supplier’s compliance with this Agreement, no more than once per calendar year and in accordance with the requirements in this Section. Microsoft or its designated independent consultant or certified public accountant (“Auditor”) will conduct audits and inspections within normal business hours. Microsoft will provide reasonable written notice (and in any event, at least 15 days’ notice except in emergencies) to Supplier before the audit or inspection and will ensure the Auditor takes all measures to avoid disrupting Supplier’s business and operations, including consolidating audits where practical. Supplier agrees to provide Microsoft’s designated audit or inspection team reasonable access to the Supplier records and facilities. If the auditors determine that Microsoft overpaid Supplier, Supplier will reimburse Microsoft for any such overpayment. If Supplier overcharged Microsoft [***] or more during an audited period, it will immediately refund Microsoft all overpayments plus pay interest at [***] per month on such overcharge. Microsoft will bear the expense of its auditors or inspection team. However, if the audit shows Supplier overcharged Microsoft by [***] or more during such audit period, Supplier will reimburse Microsoft for such expenses. s. Except as otherwise provided in this Section and Section 9.o, no right or obligation under this Agreement will be assigned without the prior written consent of the other party and any assignment without such consent will be void. Notwithstanding the foregoing, Supplier shall have the right, without Microsoft’s written consent, to assign this Agreement upon prior written notice to Microsoft to (a) an entity acquiring all or substantially all of the assets or equity of the Supplier; (b) an entity resulting from a merger, consolidation or other corporate reorganization of the Supplier; or (c) an entity obtaining Control of Supplier (each of (a) through (c), a “Change of Control Event”), provided in each case such assignee is not a Competitor, as long as it would not be a violation of Law (including Trade Laws) for such party to operate the GPU Services and continue to make them available to Microsoft. Further, either party shall be entitled to assign its rights under this Agreement (via pledge, collateral assignment, or otherwise) for financing purposes (including a collateral assignment to any Financing Parties). “Financing Parties” means the banks, lenders, noteholders and/or other financial institutions (or an agent or trustee thereof) party to the Financing Documents, including the successors in interest to such parties. “Financing Documents” means any and all loan agreements, credit agreements, reimbursement agreements, notes, indentures, bonds, security agreements, pledge agreements, mortgages, guarantee documents, intercreditor agreements, subscription agreements, equity contribution agreements and other agreements and instruments relating to
20 the financing (or refinancing) of the acquisition, development, engineering, design, construction, management, operation, ownership and maintenance of the applicable party’s activities or business relating to this Agreement. If a Change of Control Event results in a Competitor Controlling Supplier, then Supplier must promptly provide written notice to Microsoft (“Notice of Change of Control”). Microsoft may then terminate this Agreement with immediate effect by providing Supplier with written notice of termination, as long as it provides such written notice within thirty (30) calendar days of receiving the Notice of Change of Control. t. In the event of a dispute arising out of or relating to this Agreement, including any question regarding its breach, existence, validity, performance, fees or termination (each, a “Dispute”), the parties shall use reasonable efforts to cooperate to reach a resolution of the Dispute satisfactory to both parties. Either party may commence such process by requesting a meeting with the other party, which may take place in person, or remotely. The individuals listed in this Agreement (or their designee) must attend any such meeting and shall attempt in good faith to resolve the Dispute within twenty (20) calendar days of notification of any such Dispute, following which such Dispute must be escalated to a Director or Chief Executive Officer of Supplier and a Corporate Vice President of Microsoft. Nothing in this Section is intended to (a) prevent any party from seeking urgent injunctive or similar relief or (b) affect any other rights or obligations of the parties arising out of or in connection with this Agreement. u. No amendment or modification of this Agreement is effective unless it is in writing and signed by each party. v. The parties are independent contractors and shall so represent themselves in all regards. Neither party is the agent or partner of the other, and neither may make commitments on the other’s behalf. w. Notwithstanding anything to the contrary contained in this Agreement, the parties acknowledge and agree that: i. the GPUs and the Data Center Locations are not leased or licensed to Microsoft; ii. Supplier shall have reasonable access to all GPUs used in connection with the GPU Services and all areas of the Data Center Locations at all times during the Term including (i) to perform its obligations under this Agreement and (ii) to grant access to Supplier's representatives including repair personnel, security personnel, insurers and lenders; iii. Supplier is relieved from all of its responsibilities and obligations under this Agreement in the event that Supplier is unable to access the GPUs used in connection with the GPU Services and the Data Center Locations or any spaces, equipment or other assets or resources located therein necessary for Supplier to perform its obligations under this Agreement as a result of Microsoft’s restriction or limitations of Supplier's access; iv. Microsoft shall not provide Processed Microsoft Data, or any access thereto, to Supplier, any of its Affiliates or subcontractors; and v. at the end of any applicable Service Term, (i) Microsoft shall restore the applicable Data Center Location to the same condition as at the commencement of the Term, fair wear and tear excepted and (ii) without limiting the foregoing, Microsoft shall remove all its fixtures, fittings and alterations (unless otherwise agreed in writing by Supplier), make
21 good any damage caused by that installation or removal, and leave the applicable Data Center Locations clean, tidy and in good repair. x. Definitions. i. “Affiliate” means a legal entity that Controls, is Controlled by, or is under common Control with a party, where “Control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and operating policies of the entity in respect of which the determination is being made, through the ownership of more than fifty percent (50%) of its voting or equity securities, contract, voting trust or otherwise; the terms “Controlled” and “Controlling” will be interpreted accordingly. ii. “Competitor” means Amazon, Oracle or Alphabet. iii. “Data-Related Claim” means any claim, loss, or liability (regardless of the form of action or claim) arising from Supplier’s breach of its security, privacy, or data protection obligations under this Agreement. iv. “Force Majeure Event” means an event beyond the control of the affected party, not caused by the gross negligence or intentional misconduct of the party claiming a Force Majeure Event. Examples of a Force Majeure Event include acts of God, natural disasters (flood, fire, earthquakes, drought), war, epidemic, pandemic, civil disturbance, action by a governmental entity, acts of terror, strikes, regional or industry-wide shortages or disruptions, or network or device failure that is not within the control of the party claiming a Force Majeure Event. For clarity, Hardware Failures (defined in Exhibit A) and delays solely caused by hardware suppliers are not, in and of themselves, Force Majeure Events. v. “Law” means all applicable laws, rules, statutes, decrees, decisions, orders, regulations, judgments, codes, enactments, resolutions, and requirements of any government authority (federal, state, local, or international) having jurisdiction. vi. “Microsoft Feedback” means any comment, question, suggestion, enhancement request, recommendation, correction or other feedback relating to the Microsoft Materials provided by Supplier. vii. “Microsoft Materials” means any tangible or intangible materials, provided by or on behalf of Microsoft, any of its Affiliates, or their respective Users, to Supplier to perform the Services (including hardware, software, source code, documentation, methodologies, know how, processes, techniques, ideas, concepts, technologies, reports, Processed Microsoft Data and data) but excluding any Feedback or Usage Statistics. viii. “Personnel” means a party’s or one of its Affiliates’ employees and contractors directly involved in providing the Services to Microsoft. ix. “Security Incident” means any: (1) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Processed Microsoft Data, transmitted, stored, or otherwise processed by Supplier or its subcontractors; or (2) Security Vulnerability (i) related to Supplier’s handling of Processed Microsoft Data, or (ii) impacting Microsoft’s use of the Services.
22 x. “Security Vulnerability” means a weakness, flaw, or error found within a security system of Supplier or its subcontractors that has a reasonable likelihood to be leveraged by a threat agent in a materially impactful way. xi. “Supplier Feedback” means any comment, question, suggestion, enhancement request, recommendation, correction or other feedback relating to the Services provided by Microsoft or any of its Users. xii. “Usage Statistics” means any data collected, derived and/or generated by Supplier from monitoring Microsoft’s and its Users’ access to, and use of, the Services, including statistical and performance information related to the provision and operation of the Services, provided that Supplier does not access the Processed Microsoft Data in collecting, deriving or generating such data. xiii. “User” means any person or entity that obtains access to and/or use of the GPU Services or any other Services through Microsoft (e.g. through Microsoft’s account or other access credentials, as applicable), and in each case whether authorized by Microsoft or not. y. Public Announcement: Notwithstanding anything to the contrary contained in this Agreement, Microsoft and Partner may each make a public announcement (jointly or separately) in respect of the Services to be delivered under this Agreement on or after the SOW Effective Date, provided that the Confidential Information disclosed in any such announcement(s) is mutually agreed by the parties in writing. z. Microsoft may grant exceptions to the requirements set forth in Annex 2 of Exhibit E in writing (including email).
23 Exhibit A - Service Level Objectives and Support Addendum [***]
24 Exhibit B - Supplier Validation [***]
25 Exhibit C - Acceptance Criteria [***]
26
27 Exhibit D - RACI, Severity Definitions, Incident Response Times and Escalation Matrix Supplier RACI Chart [***]
28 Exhibit E - GPU as a Service Security Standards [***]
29 Exhibit F – Amendments to Purchase Order Terms and Conditions Notwithstanding anything to the contrary in the Agreement, the parties acknowledge and agree that: (A) Sections 3, 4.a, 5, 7-17, 19-23, 25-28, 30 and Exhibit A of the PO Terms do not apply to this Agreement; and, (B) the PO Terms are hereby amended as follows: 1. The preamble in Section 1 of the PO Terms is hereby deleted in its entirety and replaced with the following: 1. Acceptance and Effect. These PO Terms are between Microsoft Corporation or any of its US subsidiaries (“Microsoft”) and the supplier (“Supplier”), each as identified in the applicable SOW and cover: 2. The definition of “SOW” in Section 1 of the PO Terms is hereby deleted in its entirety and replaced with the following: “SOW” means any of the following: (1) statements of work or other order forms signed by both parties’ authorized representatives; or (2) written agreements signed by both parties’ authorized representatives referencing, and subject to, these PO Terms. 3. Section 2 of the PO Terms is hereby deleted in its entirety and replaced with the following: 2. Relationship to Other Agreements. The terms and conditions of these PO Terms are the complete and binding agreement between Microsoft and Supplier except, if the parties mutually executed an agreement, such as a SOW or Microsoft Supplier Services Agreement, which is effective on the effective date of these PO Terms and applies to the Goods, Services, Deliverables, and/or Cloud Services ordered with these PO Terms, and that agreement applies to the relationship of the parties governed by these PO Terms, then the provisions of such agreement are incorporated. a. If a conflict arises between these PO Terms and such agreement, to the extent of that conflict, the following order of priority will apply: (1) the terms of such agreement, (ii) these PO Terms, and (iii) any documents incorporated by express reference in such agreement. For the purposes of these PO Terms, online terms or agreements that Microsoft accepts to login or access Goods, Services, Deliverables, or Cloud Services, such as installed applications, embedded software, software as a service, or a platform, are not an agreement that has been “mutually executed” and will not replace, supplement or amend the terms in these PO Terms in any way. b. Except as stated above in this Section 2, and other than changes described in Section 9 and the Termination provisions in Section 14, additional or different terms (for example, online terms or agreements) will not supersede these PO Terms unless the parties mutually execute a written document. Notwithstanding the provisions of these PO Terms or any SOW, these PO Terms and each SOW shall be an independent agreement, and any right, remedy, obligation, or liability, as applicable, arising under or relating to a SOW shall be limited to the provisions of such SOW (including these PO Terms only as they relate to such SOW), and references therein or in these PO Terms to “the applicable SOW” or “these PO Terms” (other than Sections 1 and 2 of these PO Terms) shall refer to such SOW together with the provisions of these PO Terms as they apply solely with respect to such SOW (and all other similar
30 references therein or in these PO Terms shall be construed accordingly). For the avoidance of doubt, a breach under a SOW by either party shall not be construed as, or give rise to, breach under any other SOW or other agreement. Neither party shall have any liability under these PO Terms except as it relates to a particular SOW, and any liability arising out of these PO Terms shall be considered liability arising under the SOW relating to the circumstances giving rise to such liability. Termination of these PO Terms does not affect any SOW entered into prior to such termination. 4. Section 4.c. of the PO Terms is hereby deleted in its entirety and replaced with the following: c. Microsoft may dispute any invoice by providing written notice or partial payment, provided it pays the undisputed portion in accordance with the applicable SOW. Microsoft will make commercially reasonable efforts to notify Supplier in writing of any disputed amount within 60 days of receiving the applicable invoice. Neither failing to provide notice nor payment of an invoice is a waiver of any claim or right. Microsoft will pay Supplier within 30 days from the date of dispute resolution in respect of the disputed amount. 5. The following is inserted at the end of Section 6.b. of the PO Terms: “Supplier will not be involved in the exportation of the Cloud Services, and any responsibilities and obligations in respect of such export, including export taxes, are the responsibility of Microsoft.” 6. In Section 18 of the PO Terms, insert “or Supplier’s” after the reference to “Microsoft’s”. 7. In Section 24 of the PO Terms, insert “provided such activity is not in breach of the intellectual property or confidentiality provisions herein” after the reference to “contemplated by these PO Terms” and delete the words “, or in lieu of,”. 8. In Section 29 of the PO Terms, the reference to “Washington State Law” is replaced with “New York Law” and the reference to “King County, Washington” is replaced with the “the borough of Manhattan in New York, New York”.
31 Exhibit G – GPU Services Specs [***]
32 Exhibit H – Calculating illustrative VR200 pricing [***]
33 Exhibit I – Acceptable Use Policy [***]
34 Exhibit J – Microsoft Policies
Microsoft Supplier Code of Conduct (July 2025) 1 Microsoft Supplier Code of Conduct Microsoft’s mission is to empower every person and every organization on the planet to achieve more. Achieving our mission isn’t just about building innovative technology. It’s also about who we are as a company and as individuals, how we manage our business internally, and how we work with customers, partners, governments, communities, and suppliers. Through the Standards of Business Conduct, Microsoft has established company standards that include ethical business practices and regulatory compliance. Similarly, Microsoft expects the companies with whom we do business to embrace this commitment to integrity by complying with—and training their employees on—the Microsoft Supplier Code of Conduct (SCoC). In alignment with the United Nations Guiding Principles on Business and Human Rights, the provisions in this Code are derived from and respect internationally recognized standards including: International Labour Organization’s Declaration on Fundamental Principles and Rights at Work International Labour Organization’s Core Conventions (No. 29, 87, 98, 100, 105, 111, 138, 182) and Labor Standards United Nations Convention on the Rights of the Child Article 32 OECD Guidelines for Multinational Enterprises OECD Due Diligence Guidance for Responsible Business Conduct United Nations Global Compact Principles International Bill of Human Rights, including the Universal Declaration of Human Rights and the main instruments through which it has been codified: the International Covenant on Civil and Political Rights, and International Covenant on Economic, Social and Cultural Rights. The SCoC is also aligned with Microsoft’s Global Human Rights Statement and Supply Chain Human Rights Policy Statement. Microsoft is committed to maintaining a high standard on environmental, health and safety, human rights, and ethical practices in its supply chain, including workers’ rights to self-determination, physical integrity, and individual liberty, including freedom of movement, thought, conscience, religion, speech, family rights, nationality, and privacy. 1. Compliance with the Supplier Code of Conduct Suppliers and their employees, personnel, agents, subcontractors, and sub-tier suppliers shall adhere to this Supplier Code of Conduct while conducting business with or on behalf of Microsoft. Suppliers shall require their subcontractors, and sub-tier suppliers to comply with the SCoC in their operations and across their supply chains for work that is directly related to a Microsoft contract. Suppliers shall promptly inform their Microsoft contact, a member of Microsoft management, or the contacts provided at the end of this document when any situation develops that causes the Supplier to operate in violation of this Code of Conduct.
Microsoft Supplier Code of Conduct (July 2025) 2 All Microsoft Suppliers shall conduct their practices in full compliance with all applicable laws and regulations and in compliance with this Supplier Code of Conduct, whichever are stricter. Elements of this SCoC may go beyond legal compliance in order to advance social and environmental responsibility and business ethics. In no case can complying with the SCoC violate applicable laws. If, however, there are differing standards between the SCoC and applicable laws, the SCoC defines conformance as meeting the strictest requirements. Suppliers are responsible for implementing and monitoring improvement programs designed to achieve conformance with the Supplier Code of Conduct. While Microsoft Suppliers are expected to self-assess and demonstrate their compliance with the SCoC, Microsoft may audit Suppliers or inspect Suppliers’ facilities to confirm compliance. For suppliers involved in the production of tangible goods, including but not limited to hardware, this may include unannounced audits that require unrestricted access to workers, as needed and based upon risk. Suppliers that behave in a manner that is unlawful or inconsistent with the SCoC, or any Microsoft policy, risk termination of their business relationship with Microsoft. Complying with the SCoC and completing SCoC training are required in addition to meeting any other obligations contained in any contract a Supplier may have with Microsoft. 2. Legal and regulatory compliance Microsoft Suppliers shall, without limitation, meet the following requirements: 2.1 Trade: Suppliers shall comply with all laws and regulations applicable to the import or export of goods, software, technology, or services subject to any agreement with Microsoft. Suppliers shall meet the following requirements: Notice: Suppliers shall not provide controlled technologies, products, or technical data to Microsoft, without providing notice of such controls as necessary for Microsoft to maintain compliance with applicable laws. Restricted Parties: Suppliers shall ensure they are not owned or controlled (directly or indirectly) by any person or entity designated as restricted under Trade Laws. This includes parties located in embargoed jurisdictions or affiliated with military or intelligence organizations prohibited by applicable laws. Trade Compliance Program: Suppliers shall maintain a trade compliance program with reasonable due diligence standards, as outlined in Microsoft contracts or terms. This includes conducting independent sanctions and ownership screening of all known subcontractors and third parties against Restricted Party lists throughout the business relationship. Violations: Suppliers shall not take actions that would cause Microsoft to violate trade laws or risk exposure to sanctions, penalties, or legal action, including actions that may require Microsoft to submit a voluntary self-disclosure or defend against government investigations or enforcement actions. 2.2 Antitrust: Suppliers shall conduct business in full compliance with antitrust and fair competition laws that govern the jurisdictions in which they conduct business. 2.3 Anti-Corruption: Microsoft prohibits corrupt payments of all kinds, including facilitating payments. We require that all our Suppliers comply with the Anti-Corruption Policy for Microsoft
Microsoft Supplier Code of Conduct (July 2025) 3 Representatives. Suppliers are expected to conduct themselves with high ethical standards and comply with the U.S. Foreign Corrupt Practices Act (“FCPA”) and all other applicable Anti- Corruption and anti-money laundering laws. No Supplier shall, directly or indirectly, promise, authorize, offer, or pay anything of value (including but not limited to gifts, travel, hospitality, charitable donations, or employment) to any Government Official or other party to improperly influence any act or decision of such official for the purpose of promoting the business interests of Microsoft in any respect, or to otherwise improperly promote the business interests of Microsoft in any respect. Suppliers shall prohibit any and all forms of bribery and corruption and their business dealings shall be Suppliers shall implement monitoring, record keeping, and enforcement procedures to ensure compliance with Anti-Corruption laws. Suppliers shall report to Microsoft any signs of any personnel, representative or subcontractor performing unethically or engaged in bribery or kickbacks. Definitions: “Government Official” refers to any employee of a government entity or subdivision, including elected officials; any private person acting on behalf of a government entity, even if just temporarily; officers and employees of companies that are owned or controlled by the government; candidates for political office; political party officials; and officers, employees and representatives of public international organizations, such as the World Bank and United Nations. 2.4 Accessibility: Over one billion people around the world live with a broad range of disabilities including vision, hearing, mobility, cognitive, speech and mental health conditions. Creating products, apps, and services that are accessible to people of all abilities is part of our DNA at Microsoft as well as our mission of empowering every person and organization on the planet to achieve more. When creating any deliverable each Microsoft Supplier shall comply with all legal and Microsoft- provided accessibility requirements and standards for creating accessible devices, products, websites, web-based applications, cloud services, software, mobile applications, content, or services. For purchases with a User Interface (UI) this includes conformance to Level A and AA Success Criteria of the latest published version of the Web Content Accessibility Guidelines (“WCAG”), available at https://www.w3.org/standards/techs/wcag#w3c_all, Section 508 of the Rehabilitation act, available at https://www.section508.gov and the European standard EN 301 549 available at https://eur-lex.europa.eu/eli/dir/2016/2102/oj. Suggested documentation includes the completion of the latest published Voluntary Product Accessibility Template (VPAT) International Edition available at https://www.itic.org/policy/accessibility/vpat. Microsoft is committed to helping our Suppliers create a culture of accessibility and helping everyone get the most out of Supplier deliverables. Explore the Microsoft Supplier Accessibility Resources at https://www.microsoft.com/en-us/accessibility/resources. 3. Business practices and ethics Microsoft Suppliers shall be open, honest, and transparent in all discussions and conduct business interactions and activities with integrity and trust. Suppliers shall, without limitation, meet the following requirements:
Microsoft Supplier Code of Conduct (July 2025) 4 3.1 Disclosure of Information: Information regarding Suppliers’ and sub-tier suppliers’ human rights, health and safety, environmental practices, business activities, structure, financial situation, and performance is to be disclosed in accordance with applicable regulations and prevailing industry practices. Suppliers are to retain all records for a minimum of seven (7) years; any retention beyond seven (7) years is at the discretion of the Supplier. Falsification of records or misrepresentation of conditions or practices in the supply chain are unacceptable and may result in termination of Supplier’s business relationship with Microsoft. When requested by Microsoft, and in accordance with applicable privacy and data protection laws, Supplier shall provide necessary information and supporting documentation to enable Microsoft to perform and complete supply chain due diligence, including providing access to documentation, personnel, and workers for verification of the absence of forced labor indicators, including at the recruitment stage, and disclosure of certain information from subcontractors or sub-tier suppliers. This may include complete lists of workers involved in making product, wage payment, worker residency status and origin, working hours and output consistent with documented workers, voluntary nature of employment, risk assessment and analysis, contractual terms, compliance data such as findings, grievances, remedial action, complaints, and related decision-making. 3.2 Management system: Supplier shall have an environmental, health and safety, human rights and ethics management system with a scope that is related to the content of this Code and aligned with the OECD Due Diligence Guidance for Responsible Business Conduct. The management system shall be designed to ensure: (a) compliance with applicable laws, regulations and customer requirements related to the Supplier’s operations and products; (b) conformance with this SCoC; and (c) identification and mitigation of operational risks related to this SCoC. It should also facilitate continual improvement. The management system should contain the following elements: (1) Supplier commitment, (2) management accountability and responsibility, (3) legal and customer requirements, (4) risk assessment and risk management, (5) improvement objectives, (6) training, (7) communication, (8) stakeholder engagement and feedback, participation and grievance mechanism, (9) audits and assessments, (10) corrective action and effective remedy process for any adverse human rights or labor impacts, including the disclosure of any and all potential violations, (11) documentation and records, and (12) define Supplier responsibility. Particular attention should be paid to the rights and needs of individuals from groups at heightened risk of vulnerability or marginalization. 3.3 Gifts and entertainment: Suppliers shall use good judgment when exchanging business courtesies. Gifts, meals, entertainment, hospitality, and trips that are lavish or lack transparency or a legitimate purpose may be viewed as bribes, may create the appearance of a conflict of interest, or may be perceived as an attempt to improperly influence decision making. Giving business courtesies to Microsoft employees, if permitted at all, should be modest, infrequent and occur in the normal course of business. Do not offer anything of value to obtain or retain a benefit or advantage for the giver, and do not offer anything that might appear to influence, compromise judgment, or obligate the Microsoft employee. Do not request or accept anything interests in the work you do for Microsoft. Suppliers are prohibited from giving gifts of any value to any member of certain Microsoft organizations, including Microsoft Procurement or its
Microsoft Supplier Code of Conduct (July 2025) 5 representatives. Suppliers are required to ask Microsoft employees what the Microsoft gift policy limits are for potential recipients and to not exceed those limits. 3.4 Conflicts of interest: Suppliers shall avoid even the appearance of conflict of interest in their work with Microsoft and shall immediately disclose any known family or other close personal relationship with our employees who may influence their engagement with Microsoft or have any involvement in business dealings between the Supplier and Microsoft. Be honest, direct, and truthful when answering questions from Microsoft about relationships with Microsoft employees. 3.5 Insider trading: Insider trading is prohibited. Under Federal Securities Laws, Suppliers cannot buy or sell Microsoft or another company’s securities when in possession of information about Microsoft or another company that is (1) not available to the investing public, and (2) could influence an investor’s decision to buy or sell the security. 3.6 No solicitation: Suppliers shall refrain from initiating any sales-related communication with Microsoft employees unless there exists a documented prior business relationship. Prior business engagement includes any contractual agreement or ongoing collaboration between the supplier and the Microsoft employee. Sales communication includes any attempt to promote, sell, or offer products, services, or business opportunities to Microsoft employees. Unsolicited sales calls, emails, or in-person visits fall under this prohibition. 3.7 Travel: Suppliers seeking reimbursement for their travel incurred during the performance of their obligations under the agreed statement of work or other contractual obligations shall be compliant with the Travel Guidelines for Suppliers. 3.8 Responsible sourcing of raw materials: All Microsoft Suppliers shall, without limitation, design and implement specialized due diligence systems to track and monitor human rights and associated environmental risks linked to the extraction, transport, and use of all raw materials. These systems shall be informed by the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, and shall include appropriate risk identification, mitigation, monitoring, remediation, and reporting mechanisms. If applicable, all Suppliers of batteries to Microsoft shall ensure the design and implementation of their due diligence systems conform to the requirements of Regulation (EU) 2023/1542 Concerning Batteries and Waste Batteries (EU Battery Regulation). 3.9 Traceability: Suppliers shall establish a system of controls showing chain of custody identifying all upstream Suppliers from raw materials to finished product or service being supplied to Microsoft. This system is to be supported by transactional and shipment documents such as purchase orders, invoices, packing lists, payment records, shipping records, bills of records, and manufacturing records such as batch numbers, production quantity and ratios. Suppliers shall, upon request, provide to Microsoft necessary supply chain mapping data to enable Microsoft to meet its supply chain due diligence obligations to demonstrate the origin and control of each raw material or input. (See also Disclosure of Information) Where raw materials from Supplier are commingled, Suppliers shall have an auditable process and evidence to demonstrate the origin and control of each raw material or input.
Microsoft Supplier Code of Conduct (July 2025) 6 4. Human rights and fair labor practices We strive to ensure that every person who makes our products and services is treated with respect and dignity. Microsoft expects its Suppliers to comply fully with all employment laws, share its commitment to respect all human rights and to provide equal opportunity in the workplace, engage with impacted communities, and take effective measures to remedy any adverse human rights impacts. Without limitation, Suppliers shall meet the following requirements: 4.1 Non-discrimination/non-harassment/humane treatment: Suppliers shall commit to a workforce and workplace free of harassment, unlawful discrimination, and retaliation. There shall be no harsh or inhumane treatment including violence, gender-based violence, sexual harassment, sexual abuse, corporal punishment, mental or physical coercion, bullying, public shaming, or verbal abuse of workers; nor is there to be the threat of any such treatment. Suppliers should ensure their business practices respect the rights of different demographic groups, including women, and migrant workers. Suppliers shall provide equal opportunity in the workplace and reasonable accommodation, and not infringe on voting rights or political participation, engage in harassment or discrimination in employment on the basis of age, ancestry, ethnic origin, caste, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital or family status, minority status, pay, medical condition, national origin, physical or mental disability, political affiliation, union membership, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations, and ordinances. Suppliers shall not require workers or potential workers to undergo medical tests including pregnancy tests, except where required by applicable laws or regulations or prudent for workplace safety and shall not discriminate based on test results. Suppliers shall accommodate all disabilities to the extent required by law. 4.2 Prohibit the use of child labor: Child labor shall not be used under any circumstance. Suppliers shall not employ anyone under the age of 15, or under the age for completing compulsory education, or under the legal minimum working age for employment, whichever requirement is greatest. Suppliers shall implement an appropriate mechanism to verify the age of workers. Microsoft only supports the use of legitimate workplace learning or apprenticeship programs for the educational benefit of young people, which comply with all laws and regulations, and will not do business with those who abuse such systems. Workers under the age of 18 shall not perform work that is likely to jeopardize their health or safety, including night shifts or overtime. Suppliers shall ensure proper management of student workers through proper maintenance of student records, rigorous due diligence of educational partners, and protection of students’ rights in accordance with applicable laws and regulations. Suppliers shall provide appropriate support and training to all student workers. In the absence of local law, the wage rate for student workers, interns, and apprentices shall be at least the same wage rate as other entry-level workers performing equal or similar tasks. If child labor is identified, remediation is required. When developing a remediation strategy to address child labor, suppliers shall give due consideration to and consider strategies to minimize potential loss of income to families that may result from measures taken to eliminate the use of child labor.
Microsoft Supplier Code of Conduct (July 2025) 7 4.3 Prohibit the use of forced labor, prison labor, and trafficking in persons: Forced, bonded (including debt bondage) or indentured labor, prison labor, the procurement of commercial sex acts, slavery or trafficking of persons is not permitted. This includes support for or engagement in transporting, harboring, recruiting, transferring, or receiving persons by means of threat, force, coercion, abduction or fraud for labor or services. There shall be no unreasonable restrictions on workers’ freedom of movement in the facility in addition to unreasonable restrictions on entering or exiting Supplier provided facilities including, if applicable, workers’ dormitories or living quarters. Workers will be free from arbitrary arrest and detention. All work shall be voluntary, and workers shall be free to leave work at any time or terminate their employment without penalty if reasonable notice is given, which shall be clearly stated in the worker’s contract. Documentation shall be maintained on all leaving workers. Workers shall not be required to pay employers’, agents’, or sub-agents’ recruitment fees or other related fees for their employment. If any such fees are found to have been paid by workers, such fees shall be immediately repaid to the worker. Suppliers shall have a labor compliance plan in place that (1) relies on the International Labour Organization's (ILO) indicators of Forced Labour in the supply chain, (2) provides provisions for training Supplier personnel and raising their awareness of issues related to forced labor, and (3) details what remediation the Supplier will provide in case of any violations. Suppliers shall inform employees, agents, sub-agencies, recruiters, contractors, subcontractors, and sub-tier suppliers about Supplier’s policies that prohibit human trafficking, prison labor, forced labor, and other forms of slavery and provide training and programs to promote awareness, risk identification, employee reporting, corrective action, and potential penalties for violations. If forced labor is identified, remediation is required. When developing a remediation strategy to address forced labor, suppliers shall give due consideration to and consider strategies to minimize potential loss of income to families that may result from measures taken to eliminate the use of forced labor. 4.4 Ensure workers have access to identity-related and personal documents: Suppliers, agents, and sub-agents may not hold or otherwise destroy, conceal, or confiscate identity or immigration documents, such as government-issued identification, passports, driver’s license, or work permits. Employers can only hold documentation for the time needed to obtain or renew work permits and other legal documents. Suppliers or their agents shall provide proper documentation (stating the reason for holding of passport/ travel document and expected duration to hold such documents). In addition, if requested by workers, the company needs to have a process in place to return the documentation to workers in less than 12 hours. 4.5 Provide return transportation for foreign migrant workers: When hiring foreign workers who are not nationals of the country in which the work is taking place and who are recruited and who migrate from their home country to another country for the specific purpose of working for the Supplier, Suppliers shall provide or pay for return transportation upon the end of their employment. This requirement does not apply to workers with permanent residency of professional employees who are on short-term or long-term assignments.
Microsoft Supplier Code of Conduct (July 2025) 8 4.6 Use appropriately trained recruiters to support compliance: Suppliers shall use recruiters, employment agencies, and recruiting companies that are trained and which comply with international standards, local labor laws of the countries in which the recruitment takes place, or Microsoft requirements, whichever are stricter. Recruitment fees shall not be charged to workers. 4.7 Make conditions of employment clear when hiring: All Suppliers, including recruiters, employment agencies, sub-agencies, and recruitment firms, are prohibited from using misleading or fraudulent practices during the recruitment of employees or offering of employment, such as failing to disclose, in a format and language accessible to the worker, basic information or making material misrepresentations during the recruitment of employees regarding the key terms and conditions of employment, including wages and fringe benefits, the location of work, the living conditions, housing and associated costs (if employer or agent provided or arranged), any significant cost to be charged to the employee, and, if applicable, the hazardous nature of the work. 4.8 Provide written employment contracts or agreements when necessary: As part of the hiring process, all workers shall be provided with a written employment agreement in their native language that contains a description of terms and conditions of employment, including work descriptions, wages, prohibitions on charging recruitment fees, work locations, living accommodations and associated costs, time off, roundtrip transportation arrangements, grievance processes, and the content of applicable laws and regulations that prohibit trafficking in persons. Foreign migrant workers shall receive the employment agreement at least prior to the worker departing from his or her country of origin and there shall be no substitution or change(s) allowed in the employment agreement upon arrival in the receiving country unless these changes are made to meet local law and provide equal or better terms. 4.9 Provide fair compensation: Suppliers shall ensure the payment of wages in accordance with applicable wage laws and provide legally mandated benefits within the jurisdiction where the Supplier operates or engages workers, including employees who are permanent, temporary, or dispatched, migrant workers, apprentices, or contract workers. Suppliers are expected to comply with the new and existing applicable living wage requirements or regulations. All workers shall receive equal pay for equal work and qualification. In compliance with local laws, workers shall be compensated for overtime at pay rates greater than regular hourly rates. Deductions from wages as a disciplinary measure shall not be permitted. For each pay period, workers shall be provided with a timely and understandable wage statement that includes sufficient information to verify accurate compensation for work performed. All use of temporary, dispatch and outsourced labor will be within the limits of the local law. Workers with disabilities whose wages are governed by section 14(c) of the Fair Labor Standards Act shall receive no less than the full minimum wage rate as defined by Executive Order 13658. 4.10 Treat employees with dignity and respect: Suppliers shall not engage in any harsh or inhumane treatment, including violence, gender-based violence, sexual harassment, sexual abuse, corporal punishment, mental or physical coercion, bullying, or public shaming, verbal abuse or other forms of intimidation of workers; nor is there to be the thread of any such treatment. Suppliers shall have a humane treatment policy and monitor supervisors to ensure
Microsoft Supplier Code of Conduct (July 2025) 9 appropriate conduct. Disciplinary policies and procedures in support of these requirements shall be clearly defined and communicated to workers. 4.11 Meet working hours and rest day requirements: Working hours are not to exceed the maximum set by local law. Further, a work week should not be more than 60 hours per week, including overtime, except in emergency or unusual situations. All overtime shall be voluntary. Workers shall be allowed to have at least one day off every seven days. 4.12 Ensure freedom of association and right to collective bargaining: Open communication and direct engagement between workers and management are the most effective ways to resolve workplace and compensation issues. Workers and/or their representatives shall be able to openly communicate and share ideas and concerns with management regarding working conditions and management practices without fear of discrimination, reprisal, intimidation or harassment. In alignment with these principles, suppliers shall respect the right of all workers to form and join trade unions of their own choosing, to bargain collectively, and to engage in peaceful assembly as well as respect the right of workers to refrain from such activities. When local laws or circumstances restrict this right, Suppliers should pursue other ways of engaging in meaningful dialogue with their workers on employment issues and workplace concerns. 4.13 Provide effective grievance procedures and work in partnership with Microsoft to remedy any identified human rights violations: Suppliers shall provide an anonymous, impartial, and confidential method for all employees and their supply chains to raise concerns to senior level management without fear of retaliation. Grievances and the progress of their resolution shall be tracked and recorded. Grievance channels shall be accessible and culturally appropriate. Suppliers shall review these reporting procedures periodically. Workers and/or their representatives shall be able to openly communicate and share ideas and concerns with management regarding working conditions and management practices without fear of discrimination, reprisal, intimidation, or harassment. Suppliers shall periodically provide workers with information and training on all grievance procedures. Suppliers agree to work in partnership with Microsoft to remedy any identified human rights violations and associated adverse impacts. Suppliers shall provide their sub-tier suppliers with information regarding their own reporting channels, as well as Microsoft’s reporting channels, described in the “Raising concerns and reporting questionable behavior” section of this SCoC. 4.14 Use of security forces: Suppliers are prohibited from using private or public security forces that result in torture, inhumane or degrading treatment, bodily harm, or limitation on freedom of association. 4.15 Community engagement and indigenous people: Suppliers are prohibited from unlawfully evicting and taking land and forests, and limiting access to water for communities and indigenous people that rely on them. Consultation with all affected parties is required. 4.16 Retaliating against human rights defenders: Suppliers are prohibited from retaliating against human rights defenders.
Microsoft Supplier Code of Conduct (July 2025) 10 5. Health and safety At Microsoft, we seek to empower every person and every organization on the planet to achieve more—and one way we do that is by ensuring the health and safety of people who work on behalf of Microsoft. We realize our commitment to health and safety through our investment in injury and illness prevention, hazard elimination, and risk reduction, all of which help provide an environment where all individuals can thrive. Microsoft Suppliers are required to develop and implement health and safety management practices in all aspects of their business. Without limitation, Suppliers shall meet the following requirements: 5.1 Occupational health and safety: Worker potential for exposure to health and safety hazards (chemical, electrical and other energy sources, fire, vehicles, lone work, and fall hazards, etc.) are to be identified and assessed, mitigated using the Hierarchy of Controls, which includes eliminating the hazard, substituting processes or materials, controlling through proper design, implementing engineering and administrative controls, preventative maintenance and safe work procedures (including lockout/tagout), and providing ongoing occupational health and safety training. Where hazards cannot be adequately controlled by these means, workers are to be provided with appropriate, well-maintained, personal protective equipment, and educational materials about risks to them associated with these hazards. Gender responsive measures shall be taken, such as avoiding the assignment of pregnant women and nursing mothers to work environments that could be hazardous to them or their child and providing reasonable accommodations for nursing mothers. 5.2 Provide a safe and healthy work environment for all employees at any work location: Suppliers shall ensure that their workers performing services under a Microsoft contract at any location have access to a secure and healthy work environment, in accordance with applicable laws, regulations, and the health and safety procedures outlined in their Microsoft contract. Suppliers shall take action to manage and minimize the causes of hazards inherent in the working environment and implement controls to protect sensitive populations. 5.3 Provide safe housing when the Supplier intends to provide accommodation: Worker dormitories or housing provided by the Supplier shall meet the host country housing and safety standards and are to be maintained to be clean and safe, and provided with appropriate emergency egress, hot water for bathing and showering, adequate lighting, heat and ventilation, individually secured accommodations for storing personal and valuable items, and reasonable personal space along with reasonable entry and exit privileges. Workers are to be provided with ready access to clean toilet facilities, potable water and sanitary food preparation, storage, and eating facilities. Sanitation shall include methods, procedures and cleaning materials used to clean food processing equipment, facilities, and workers. 5.4 Prohibit the use, possession, distribution, or sale of illegal drugs. 5.5 Industrial hygiene: Worker exposure to chemical, biological, and physical agents is to be identified, evaluated, and controlled according to the Hierarchy of Controls. If any potential hazards were identified, Supplier shall look for opportunities to eliminate and/or reduce the potential hazards. If elimination or reduction of the hazards is not feasible, potential hazards are to be controlled through proper design, engineering, and administrative controls. When hazards
Microsoft Supplier Code of Conduct (July 2025) 11 cannot be adequately controlled by such means, workers are to be provided with and use appropriate, well-maintained, personal protective equipment free of charge. Protective programs shall be ongoing and include educational materials about the risks associated with these hazards, also covering the preventive exposure to biological agents. 5.6 Physically demanding work: Worker exposure to the hazards of physically demanding tasks, including manual material handling and heavy or repetitive lifting, prolonged standing, and highly repetitive or forceful assembly tasks are to be identified, evaluated, and controlled. 5.7 Machine safeguarding: Production and other machinery shall be evaluated for safety hazards, using the appropriate Hierarchy of Controls. Physical guards, interlocks, emergency stop devices, light curtains, and barriers are to be provided and properly maintained where machinery presents an injury hazard to workers. 5.8 Health and safety communication: Suppliers shall provide workers with appropriate workplace health and safety information and training in the language of the worker or in a language the worker can understand for all identified workplace hazards that workers are exposed to, including but not limited to mechanical, electrical, chemical, fire, and physical hazards. Health and safety related information shall be clearly posted in the facility or placed in a location identifiable and accessible by workers. Health information and training shall include content on specific risks to relevant demographics, such as gender and age, if applicable. Training is provided to all workers prior to the beginning of work and regularly thereafter. Workers shall be encouraged to raise any health and safety concerns without retaliation. 5.9 Emergency preparedness: Potential emergency situations and events are to be identified and assessed, and their impact minimized by implementing emergency plans and response procedures including emergency reporting, employee notification and evacuation procedures, worker training, and drills. Emergency drills shall be executed at least annually or as required by local law, whichever is more stringent. Emergency plans should also include appropriate fire detection and suppression equipment, clear and unobstructed egress, adequate exit facilities, contact information for emergency responders, and recovery plans. Such plans and procedures shall focus on resilience, minimizing harm to life, the environment, and property. Suppliers must conduct regular reviews and updates of their emergency plans and procedures to ensure they remain effective and relevant. 5.10 Occupational injury and illness: Suppliers must ensure their workers are fit for work and undergo necessary occupational medical exams based on role and Supplier’s local regulations. Procedures and systems are to be in place to prevent, manage, track and report occupational injury and illness, including provisions to encourage worker reporting, classify and record injury and illness cases, provide necessary medical treatment, investigate cases, and implement corrective actions to eliminate their causes, and facilitate the return of workers to work. Suppliers shall allow workers to remove themselves from imminent harm, and not return until the situation is mitigated, without fear of retaliation. Any injury, illness, or near miss event involving a Supplier employee and a Microsoft employee at a contracted location must be reported to Microsoft via aka.ms/safetyhubreport. If the reporting party is unable to access the aforementioned link, they should report the incident to
Microsoft Supplier Code of Conduct (July 2025) 12 Microsoft Global OHS (globalohs@microsoft.com). For the avoidance of doubt: in any situation, any individual in need of first aid or assistance should dial their local emergency services. 6. Environmental protection and compliance Microsoft recognizes its social responsibility to protect the environment, conduct environmental due diligence, and promote environmental sustainability. We expect Suppliers to share our corporate commitments to proactively reduce carbon emissions, reduce water consumption, and minimize waste generation. Without limitation, Suppliers shall meet the following requirements: 6.1 Comply with all applicable environmental laws, regulations, reporting requirements and international treaties, including but not limited to those that mandate Environmental, Social and Governance (ESG) related reporting and/or regulate hazardous materials, air, and water emissions, noise pollution, waste, and land degradation. 6.2 Pollution prevention and resource conservation: Emissions and discharges of pollutants, harmful soil change, generation of waste and noise pollution that impairs human rights and other ecosystem or land degradation are to be minimized or eliminated at the source or by practices such as adding pollution control equipment; modifying production, maintenance, and facility processes; or by other means. The use of natural resources, including water, fossil fuels, minerals, and virgin forest products, is to be conserved by practices such as modifying production, maintenance and facility processes, materials substitution, re-use, conservation, recycling, water and waste circularity or other means. 6.3 Water management: Suppliers shall implement a water management program that documents, characterizes, and monitors water sources, use and discharge; seeks opportunities to conserve water; and controls channels of contamination. All wastewater is to be characterized, monitored, controlled, and treated as required prior to discharge or disposal. Suppliers shall conduct routine monitoring of the performance of their wastewater treatment and containment systems to ensure optimal performance and regulatory compliance. 6.4 Air emissions: Air emissions of volatile organic chemicals, aerosols, corrosives, particulates, ozone depleting substances, and combustion byproducts generated from operations are to be characterized, routinely monitored, controlled, and treated as required prior to discharge. Ozone-depleting substances are to be effectively managed and phased out in accordance with the Montreal Protocol and phase out emissions of hydrofluorocarbons (HFC) in accordance with the Kigali Amendment, and applicable regulations. Suppliers shall conduct routine monitoring of the performance of their air emission control systems. 6.5 Hazardous substances: Chemicals, waste, and other materials posing a hazard to humans, or the environment are to be identified, labeled, and managed to ensure their safe handling, movement, storage, use, recycling or reuse, and disposal, including in products or services. Hazardous waste data shall be tracked and documented. 6.6 Materials restrictions: Suppliers shall adhere to all applicable laws, regulations, and customer requirements regarding the prohibition or restriction of specific substances in products, packaging, and manufacturing, including labeling for recycling and disposal.
Microsoft Supplier Code of Conduct (July 2025) 13 6.7 Product and packaging: Supplier agrees to conform to all Microsoft requirements regarding product and packaging marking and labeling, material content and restrictions, recycling, and disposal as directed by Microsoft in their business contracts. 6.8 Environmental permits and reporting: All required environmental permits (e.g. discharge monitoring), approvals, and registrations are to be obtained, maintained, and kept current and their operational and reporting requirements are to be followed. 6.9 Waste: Suppliers shall prevent or eliminate waste of all types, including solid waste, water discharges and energy losses, by implementing appropriate conservation measures in Supplier facilities through (1) the use of conservation-minded maintenance and production processes, (2) by implementing strategies to reduce, reuse, and recycle materials (in that order), whenever possible, prior to disposal, and (3) seek and use renewable energy whenever possible. 6.10 Identify threats: Identify any chemicals, waste, or other materials that may be released, and which may pose a threat to the environment, and manage such chemicals or materials appropriately to ensure their safe handling, movement, storage, use, reuse, recycling, and disposal. 6.11 ESG disclosure and greenhouse gas (GHG) reduction: Upon request Suppliers shall: Disclose complete, consistent, and accurate scope 1, 2 and 3 greenhouse gas (GHG) emissions data and/or components required to calculate GHG emissions data, as well as any relevant ESG data that is reasonably necessary for Microsoft to meet its ESG reporting requirements. Suppliers may also be required to provide independent third- party assurance over such disclosed emissions data. Provide and achieve plans to reduce Microsoft delivered goods and services absolute GHG emissions by a minimum of 55% by 2030 or an alternative reduction target pursuant to the baseline established in their Supplier contract or in other written communication with Microsoft. Transition to 100% carbon-free electricity for their Microsoft delivered goods and services and target utilizing Sustainable Aviation Fuel (SAF), where possible, for Microsoft business related airline travel by 2030, as part of the above plan. For further information and guidance on carbon-free criteria and use of SAF for Microsoft business related airline travel, please visit the Environmental Protection FAQs. We recognize the challenges some suppliers may face in disclosing and reducing GHG emissions and we’re committed to working with suppliers. Additional details, including specific requirements for data disclosure, method, assurance, alternative timelines and/or targets, and achievement of planned reductions will be set forth in the Supplier’s contract or in other written communication sent by Microsoft to Supplier. 7. Protecting information Microsoft Suppliers shall respect intellectual property rights, protect confidential information, comply with security standards, policies, and controls, and comply with privacy rules and regulations. Without limitation, Suppliers shall meet the following requirements:
Microsoft Supplier Code of Conduct (July 2025) 14 7.1 Intellectual property: Intellectual property rights are to be respected, transfer of technology and know-how is to be done in a manner that protects intellectual property rights, and customer and Supplier information is to be safeguarded. 7.2 Security: Suppliers shall maintain a security program in accordance with Microsoft requirements such as but not limited to: the PO Terms and Conditions, Principal Agreement (or other applicable agreements), or the Microsoft Supplier Security and Privacy Assurance Data Protection Requirements (SSPA). Suppliers shall report any potential incident that involves Microsoft customer data (whether internally or through a partner or Supplier) as soon as possible. 7.3 Privacy: At Microsoft, we value, protect, and defend privacy. Suppliers shall (1) comply with all local privacy and data protection laws, (2) have appropriate processes and practices to secure and protect Personal data, (3) use Personal data only as agreed to by Microsoft representatives or Microsoft’s customers, and (4) cooperate with Microsoft compliance efforts. 7.4 Retention of corporate records and internal business information created managed or used (all formats): The requirements below apply to all formats of information assets, globally and enterprise wide: a. Work conducted within Microsoft premises or with Microsoft equipment/tools: All business records created, managed, or used on Microsoft premises or with Microsoft equipment/tools will be retained in full compliance with the Microsoft Document Retention Policy, Corporate Retention Schedule, and other Microsoft-directed practices. b. Work conducted outside of Microsoft’s premises and/or Microsoft equipment/tools: Unless otherwise specified, Microsoft will retain all rights of ownership, and control of all information created, managed, or used outside of Microsoft’s premises and/or Microsoft equipment/tools as described in the contract with Microsoft. c. Specific instances: Supplier may be required to retain, pull, or otherwise provide data to Microsoft for a prescribed amount of time as established in the contract or in the case of a legal or audit matter a hold may require data be retained beyond that obligation. 8. Supplier Code of Conduct Training Training compliance: Suppliers shall ensure their employees, subcontractors, and sub-tier suppliers working on Microsoft matters understand and comply with the contents of the Supplier Code of Conduct, the applicable laws and regulations and generally recognized standards. a. On an annual basis, an authorized representative from the Supplier shall review and acknowledge the SCoC, and complete Microsoft’s SCoC training course. Confirmation of this shall be attested to annually in Microsoft’s SupplierWeb platform. b. On an annual basis, Suppliers shall train all employees, subcontractors, and sub-tier suppliers working on Microsoft matters on the content of this SCoC. Suppliers may use the SCoC training course to meet this requirement. In addition to Supplier’s training obligations noted above, all external staff requiring access credentials to the Microsoft corporate network and/or buildings are required to complete SCoC
Microsoft Supplier Code of Conduct (July 2025) 15 training before they obtain their access rights. This training will be managed and provided by Microsoft. 9. Requirements related to Microsoft network or building access When Supplier workers require access to Microsoft’s network or facilities, the following conditions apply: Supplier Pre-Placement Policy, Supplier’s use of Microsoft Facilities and Network, and Supplier Benefit Requirements for Applicable US-based Workers. 10. Raising concerns and reporting questionable behavior To report questionable behavior or a possible violation of the SCoC, Suppliers are encouraged to work with their primary Microsoft contact in resolving their concern. If that is not possible or appropriate, please contact Microsoft through any of the methods described at: http://www.microsoftintegrity.com/. Microsoft’s reporting channels may be used to report possible non-compliance with the SCoC by any entity or individual. Microsoft will maintain confidentiality to the extent possible and will not tolerate any retribution or retaliation taken against any individual who has, in good faith, sought out advice or reported questionable behavior or a possible violation of the SCoC.
Anti-Corruption Policy for Microsoft representatives Microsoft Corporation, and all of its subsidiaries and joint ventures worldwide (“Microsoft”), requires its channel partners (for example, resellers, software advisors, original equipment manufacturers, and distributors), suppliers, vendors, consultants, lobbyists, and any other third-party representative (collectively, “Microsoft Representatives”) to comply with this anti- Compliance with anti-corruption laws Each Microsoft Representative is expected to conduct itself with high ethical standards and comply with the FCPA and all other applicable anti-corruption laws. No Microsoft Representative shall, directly or indirectly, promise, authorize, offer, or pay anything of value (including but no limited to gifts, travel, hospitality, charitable donations, or employment) to any Government Official or other party to improperly influence any act or decision of such official for the purpose of promoting the business interests of Microsoft in any respect, or to otherwise improperly promote the business interests of Microsoft in any respect. No retaliation Enforcement Microsoft will not tolerate retaliation against anyone who has, in good faith, reported a possible violation of this Policy or who refused to participate in activities that violate this Policy. In addition to its rights and remedies under applicable agreements, Microsoft may refer any representative who violates this policy to US or foreign authorities for criminal prosecution or other enforcement action or bring suit for damages.
February 2025 Exhibit K – PO Terms
February 2025 Microsoft Corporation Purchase Order Terms & Conditions (“PO Terms”) 1. Acceptance and Effect. These PO Terms are between Microsoft Corporation or any of its US subsidiaries (“Microsoft”) and the supplier identified in the applicable SOW (“Supplier”) and cover: a. “Cloud Services”: the services, websites (including hosting), solutions, platforms, and products that Supplier makes available under or in relation to these PO Terms, including the software, mobile apps, equipment, technology, and services necessary for Supplier to provide the foregoing. b. “Deliverables”: all work product developed by Supplier (or Supplier’s approved subcontractor) for Microsoft as part of the delivery of Goods, Services or Cloud Services, including intellectual property (“IP”) in connection with these PO Terms. Deliverables are “work made for hire” for Microsoft as that term is defined under copyright law. c. “Goods”: software and/or tangible goods licensed or purchased by Microsoft under these PO Terms. d. “Services”: professional services, advertising, consulting services, and support and maintenance services purchased by Microsoft under these PO Terms. e. “SOW” means any of the following: (1) Microsoft purchase orders; (2) statements of work or other order forms signed by both parties’ authorized representatives; or (3) written agreements signed by both parties’ authorized representatives referencing, and subject to, these PO Terms. These PO Terms are effective upon Supplier’s commencement of performance or the date of Supplier’s signature on the applicable SOW, whichever is earlier. Except as set forth in Section 2 below, Supplier’s acceptance of these PO Terms is expressly limited to these terms and conditions without counterproposal. 2. Relationship to Other Agreements. The terms and conditions of these PO Terms are the complete and binding agreement between Microsoft and Supplier except: a. If the parties mutually executed an agreement, such as a Microsoft Supplier Services Agreement, which is effective on the date of these PO Terms and applies to the Goods, Services, Deliverables, or Cloud Services ordered with these PO Terms, and that agreement applies to the relationship of the parties governed by these PO Terms, then the provisions of such agreement are incorporated. If a conflict arises between these PO Terms and such agreement, to the extent of that conflict, the terms of such agreement will apply. For the purposes of these PO Terms, online terms or agreements that Microsoft accepts to login or access Goods, Services, Deliverables, or Cloud Services, such as installed applications, embedded software, software as a service, or a platform, are not an agreement that has been “mutually executed” and will not replace, supplement or amend the terms in these PO Terms in any way.
February 2025 b. If multiple agreements with similar or contradictory provisions could apply to these PO Terms, the parties agree the terms most favorable to Microsoft will apply, unless the result would be unreasonable, unconscionable, or prohibited by law. c. Except as stated above in this Section 2, and other than changes described in Section 9 and the Termination provisions in Section 14, additional or different terms (for example, online terms or agreements) will not supersede these PO Terms unless the parties mutually execute a written document. 3. Packing, Shipment and Returns of Goods or Deliverables. Unless specifically provided in these PO Terms: a. Packing. (1) Price based on weight will include net weight only. (2) Supplier will not charge Microsoft for packaging or pre-shipping costs, such as boxing, crating, handling damage, drayage, or storage. b. Shipping. (1) Supplier will mark all containers with necessary handling and shipping information, PO number(s), date of shipment, and names of the consignee and consignor. (2) An itemized invoice and packing list, and other documentation required for domestic or international transit, regulatory clearance or identification of the Goods or Deliverables will accompany each shipment. (3) Microsoft will only pay for the quantity received, not to exceed the maximum quantity ordered. (4) Microsoft or its agent will hold over-shipments at Supplier’s risk and expense for a reasonable time awaiting Supplier’s shipping instructions. (5) Microsoft will not be charged for shipping or delivery costs. (6) Unless otherwise agreed, Goods and Deliverables will be delivered on the 10th day after the purchase order date: (1) FOB to the Microsoft designated delivery location if the Goods and Deliverables originate in the same jurisdiction as the Microsoft designated delivery location; or (2) DDP (Incoterms 2010) to the Microsoft designated delivery location for cross border delivery of Goods and Deliverables to the Microsoft designated delivery location.
February 2025 (7) Supplier will bear all risk of loss, damage, or destruction to the Goods or Deliverables, in whole or in part, occurring before final acceptance by Microsoft at the designated delivery location. Microsoft is responsible for any loss caused by the gross negligence of its employees before acceptance. c. Returns. Supplier will bear the expense of return shipping charges for over-shipped quantities or rejected items. 4. Invoices. a. Unless otherwise agreed, Supplier will invoice Microsoft monthly in arrears and only for accepted Goods, Services, Deliverables, and Cloud Services. b. Supplier will invoice Microsoft as per instructions received in their PO email notification. Therefore, Supplier will invoice Microsoft: Either using SupplierWeb (microsoft.com); Or, using the SAP Business Network Supplier for purchase orders sent via Ariba. The Microsoft invoicing process is an electronic invoice submission process. MS Invoice (https://einvoice.microsoft.com) is a web-based application, provided by Microsoft to its payees, which allows payees to submit electronic invoices directly to Microsoft. The MS Invoice tool supports electronic invoice submissions on a one-on-one basis or via mass upload if there are multiple invoices. Payee should contact the Microsoft Accounts Payable Help Desk at https://www.microsoft.com/en-us/procurement/contracting- apsupport.aspx with any questions or utilize the self-help sections within SupplierWeb or the SAP Business Network for invoice guidance. Invoices must contain the following information: PO number, item number, description of item, quantities, unit prices, extended totals, packing slip number, shipping, ship to city and state, taxes, and any other information reasonably required by Microsoft. Supplier will not charge Microsoft for researching, reporting on, or correcting any errors relating to its invoices. c. Microsoft may dispute any invoice by providing written notice or partial payment. Microsoft will make commercially reasonable efforts to notify Supplier in writing of any disputed amount within 60 days of receiving the applicable invoice. Neither failing to provide notice nor payment of an invoice is a waiver of any claim or right. 5. Payment Terms, Cash Discounts, Offset, and Expenses. a. After Microsoft accepts the Goods, Services, Deliverables, or Cloud Services and receives a correct and undisputed invoice (the “Create Date”), Microsoft will release payment by net 10 days less a 2% discount on the invoiced amount or by net 60 days with no discount if Microsoft does not issue payment within 10 days following the Create Date. b. Microsoft is not obligated to pay any invoice received from Supplier more than 120 days after Microsoft accepts the Goods, Services, Deliverables, or Cloud Services.
February 2025 c. Payment of an invoice will not constitute acceptance under these PO Terms, and is subject to adjustment for errors, shortages, defects, or other failure of Supplier to meet the requirements of these PO Terms. d. Microsoft may set-off amounts owed to Microsoft against an amount Microsoft owes Supplier or Supplier’s affiliated companies. Microsoft will provide notice to Supplier within a reasonable time after the set-off. e. Unless otherwise agreed, Supplier is responsible for all expenses incurred providing the Goods, Services, Deliverables, or Cloud Services and performing under these PO Terms. 6. Taxes. a. Except as otherwise provided below, the amounts to be paid by Microsoft to Supplier do not include taxes. Microsoft is not liable for any taxes that Supplier is legally obligated to pay, including net income or gross receipts taxes, franchise taxes, and property taxes. Microsoft will pay Supplier any sales, use or value added taxes it owes due to these PO Terms and which the law requires Supplier to collect from Microsoft. b. Microsoft will not be involved in the importation of the Goods, Services, Deliverables, or Cloud Services, and import taxes are the responsibility of the Supplier unless otherwise agreed in a SOW. c. If Microsoft provides Supplier a valid exemption certificate, Supplier will not collect the taxes covered by such certificate. d. If the law requires Microsoft to withhold taxes from payments to Supplier, Microsoft may withhold those taxes and pay them to the appropriate taxing authority. Microsoft will deliver to Supplier an official receipt for such taxes. Microsoft will use reasonable efforts to minimize any taxes withheld to the extent allowed by law. 7. Inspection and Acceptance. a. Microsoft may cancel these PO Terms or the applicable SOW if Supplier fails to comply with the standards and specifications in these PO Terms. b. All Goods and Services will be subject to Microsoft’s inspection and testing, at any time and place, including the period of manufacture and before final acceptance. If Microsoft inspects or tests at Supplier’s premises, Supplier, without additional charge, will provide all reasonable facilities and assistance for the safety and convenience of Microsoft’s inspectors. No inspection or testing done or not done before final inspection and acceptance will relieve the Supplier from responsibility for defects or for other failure to meet the requirements of these PO Terms. c. If any item provided under these PO Terms is defective in materials or workmanship or not in conformity with the requirements, then Microsoft may reject it without correction, require its correction within a specified time, accept it with an adjustment in price, or return it to Supplier for full credit. When Microsoft provides notice to Supplier, Supplier will promptly replace or correct, at their expense, any item rejected or
February 2025 requiring correction. If, after Microsoft’s request, Supplier fails to promptly replace or correct a defective item within the delivery schedule, Microsoft may, at its sole option: (1) replace or correct such item and charge the cost to Supplier; (2) without further notice terminate these PO Terms or the applicable SOW for default, return the rejected item to Supplier at Supplier’s expense and Supplier will promptly refund any amounts paid by Microsoft for the returned item; or (3) require a reduction in price. d. Notwithstanding any prior inspections or payments made, all Goods and Services will be subject to final inspection and acceptance at Microsoft’s designated location within a reasonable time after delivery or performance. Records of all inspection work will be complete and available to Microsoft during performance of these PO Terms and for such further period as Microsoft determines. 8. Additional Cloud Services Requirements. a. Service Levels. Supplier will schedule any Cloud Services upgrades or maintenance during the Maintenance Window defined in the applicable SOW. Supplier will provide Cloud Services in accordance with the service levels and terms specified at https://aka.ms/CS_SLA (or any successor link), which is deemed part of documentation (e.g., specifications) and incorporated and made part of these PO Terms. b. Business continuity. Supplier will be responsible for establishing, implementing, testing, and maintaining an effective enterprise-wide business continuity program (including disaster recovery and crisis management procedures) to provide continuous access to, and support for, the Cloud Services to Microsoft. At a minimum, Supplier must, at all times: (1) back up, archive and maintain duplicate or redundant systems that: (i) are located at a secure physical location (other than the location of primary system(s) used to provide Cloud Services); (ii) are updated and tested at least annually; and (iii) can fully recover the Cloud Services and all Microsoft Materials on a daily basis; and (2) establish and follow procedures and frequency intervals for transmitting backup data and systems to Supplier’s backup location. On request, Supplier will provide Microsoft with an overview of Supplier’s enterprise business continuity program and will promptly and in good faith provide written responses to Microsoft’s inquiries in connection with that program to enable Microsoft to review the adequacy of the program. c. Transition. If the applicable SOW terminates or expires, or if Microsoft requests in writing, Supplier will provide: (1) backup media to Microsoft (as reasonably requested by Microsoft) containing all Microsoft Materials unless the Cloud Services provide this as a self-service function to Microsoft); and (2) all assistance Microsoft reasonably requires (at Microsoft’s expense) to timely and smoothly transition from the Cloud Services. 9. Changes. Microsoft may suspend Supplier’s performance, increase or decrease the ordered quantities, or make changes for Microsoft’s reasonable business needs (each, a “Change Order”), by written notice to Supplier, including via e-mail, and without any notice to Supplier sureties, subcontractors, or assignees. Unless mutually agreed, a Change Order does not apply to change the Goods and Services timely and fully delivered before the date of the Change Order. If any change causes an increase or decrease in the cost of, or the time required for,
February 2025 Supplier’s performance, an equitable adjustment may be made in the price or delivery schedule or both, if Microsoft agrees to such adjustment in writing. 10. Tools and Equipment. All tools, equipment or materials acquired by Supplier for use in providing the Goods and Services, which have been furnished to, paid for by or charged against Microsoft, including specifications, drawings, tools, dies, molds, fixtures, patterns, hobs, electrodes, punches, artwork, screens, tapes, templates, special test equipment, gauges, content, data, and software, will remain or become Microsoft’s property, treated as Microsoft Confidential Information, and delivered in good condition, normal wear and tear excepted, by Supplier to Microsoft’s designated delivery location per Section 3, immediately upon demand and without cost to Microsoft. Supplier warrants the item(s) and information will not be used for any work or production of any materials or parts other than for Microsoft, without Microsoft’s prior written permission. Supplier will identify for Microsoft all third- party IP or software used in conjunction with the Services. 11. Reports. Upon request from Microsoft, Supplier will promptly provide Microsoft with a Software Bill of Materials (“SBOM”) for all software provided under these PO Terms. Each SBOM will meet the minimum requirements established by the U.S. Department of Commerce or otherwise set forth by Law. 12. Ownership and Use of the Parties’ Respective IP. a. Each party will own and retain all rights to its pre-existing IP and any IP developed independently of the Goods, Services, Deliverables, and Cloud Services under these PO Terms, including any of such party’s IP rights therein. b. Microsoft will own all Deliverables, including all IP rights, all media in any format, hardware, and other tangible materials created by Supplier while delivering the Services. Any Supplier work which is a written or customized product or report related to, or to be used in, a Deliverable is regarded as IP. c. If Deliverables do not qualify as a work made for hire, Supplier assigns to Microsoft all right, title, and interest in and to the Deliverables, including all IP rights. Supplier waives all moral rights in Deliverables. d. If Supplier uses any Supplier or third-party IP in any Good or Service, Supplier will continue to own Supplier’s IP rights. Supplier will grant Microsoft a worldwide, nonexclusive, perpetual, irrevocable, royalty- free, fully paid up right and license, under all current and future IP rights, to use Supplier’s and third-party IP consistent with Microsoft’s ownership interests under this Section 12. e. Supplier grants to Microsoft and its affiliated companies (including their employees, contractors, consultants, outsourced workers, and interns engaged by Microsoft or any of its affiliated companies to perform services) a worldwide, irrevocable, nonexclusive, perpetual, paid-up and royalty free license for any Goods that include software or other IP not subject to a mutually executed separate license (including installed applications). The license allows Microsoft to use such software and IP in connection with Goods. Microsoft may transfer this license to a Microsoft affiliated company, or a successor owner by sale or lease.
February 2025 f. Supplier grants to Microsoft and its affiliated companies (including their employees, contractors, consultants, outsourced workers, and interns engaged by Microsoft or any of its affiliated companies to perform services) and their end users (if any), to the limited extent necessary to the performance of the Cloud Services, a worldwide, nonexclusive, unlimited, paid-up and royalty free right to access and use, during the term, Cloud Services, in each case for Microsoft’s business purposes. Access to the Cloud Services is unlimited unless otherwise specified in a SOW. g. Pass through warranties and indemnities. Supplier assigns and passes through to Microsoft all of the third-party manufacturers’ and licensors’ warranties and indemnities for the Goods. h. Title to the Goods (other than licensed software) will pass from Supplier to Microsoft on final acceptance. i. Microsoft IP. (1) Supplier may use “Microsoft Materials,” meaning any tangible or intangible materials, provided by or on behalf of Microsoft, any of its affiliated companies, or their respective end users, to Supplier to perform Services, Deliverables, or Cloud Services, or obtained or collected by Supplier in connection with the Goods, Services, Deliverables, or Cloud Services (e.g., usage data) (including hardware, software, source code, documentation, methodologies, know how, processes, techniques, ideas, concepts, technologies, reports and data). Microsoft Materials may include any modifications to, or derivative works of, the foregoing materials, (i) Personal Data, (ii) trademarks, (iii) inputs and prompts to and outputs generated by an AI Model (as defined below), and any data entered into any Supplier database as part of the Services or Cloud Services. Microsoft Materials do not include Microsoft products obtained by Supplier outside of and unrelated to these PO Terms. (2) Microsoft grants Supplier a nonexclusive, non-sublicensable (except to subcontractors approved by Microsoft in accordance with these PO Terms), revocable license (i) under Microsoft’s IP rights in the Microsoft Materials to copy, use and distribute Microsoft Materials provided to it only as necessary to perform the Services in accordance with these PO Terms, and (ii) to use Microsoft Materials only as necessary to perform the Cloud Services in accordance with these PO Terms. Supplier will not Sell, share, license, or otherwise commercialize any Microsoft Materials. (3) Microsoft retains all other interest in Microsoft Materials and related IP rights. Supplier has no right to sublicense Microsoft Materials except to approved subcontractors as required to perform the delivery of Goods, Services, Deliverables, and CloudServices. If the Microsoft Materials come with a separate license, the terms of that license will apply and those terms control in the case of conflict with these PO Terms. Supplier will obtain a separate license to any Microsoft products or services used in connection with the Good, Services, Deliverables, or Cloud Services.
February 2025 (4) Supplier will take reasonable precautions to protect and ensure against loss or damage, theft, or disappearance of Microsoft Materials. (5) Microsoft may revoke the license to Microsoft Materials at any time for any reasonable business reason. The license will terminate automatically on the earlier of the expiration or termination of these PO Terms or an applicable SOW. Supplier will promptly return any Microsoft Materials on request or termination of Supplier’s license. (6) Regarding Supplier’s use of Microsoft Materials: (i) Supplier will not modify, reverse engineer, decompile, or disassemble Microsoft Materials except as allowed by Microsoft; (ii) Supplier will leave in place, and not alter or obscure proprietary notices and licenses contained in Microsoft Materials; (iii) Microsoft is not obligated to provide technical support, maintenance, or updates for Microsoft Materials; (iv) all Microsoft Materials are provided “as-is” without warranty; and (v) Supplier assumes the risk of loss, damage, unauthorized access or use, or theft or disappearance of Microsoft Materials in Supplier’s (or subcontractor’s) care, custody, or control. (7) No Microsoft Materials, IP or Confidential Information, may be used by Supplier or an AI Model to customize, train, or improve, directly or indirectly, any artificial intelligence model or product, including any AI Model, (collectively, “AI Training”) without Microsoft’s express prior written consent. Any AI Training without obtaining such consent is a material breach and Supplier’s limitation of liability in Section 19 will not apply to claims based on a breach of this section. If Microsoft provides such consent, the parties will first enter into a separate written agreement that addresses the terms governing the AI Training. “AI Model” means any artificial intelligence model (which includes any deep learning or machine learning model) used in connection with or incorporated into the Goods, Services, Cloud Services, or any Deliverable. 13. Representations and Warranties. Supplier represents and warrants that: a. it has full rights and authority to enter into, perform under, and grant the rights in according to these PO Terms and its performance will not violate any agreement or obligation between it and any third party; b. Services will be performed professionally and be at or above industry standard; c. Goods, Services, Cloud Services, and Deliverables must meet the standards and specifications in these PO Terms and be suitable for the intended use;
February 2025 d. it will provide to Microsoft all Goods, Services, and Deliverables free from: (1) any defects in design, workmanship, and materials; (2) any liability for royalties; and (3) any mechanic’s liens or any other statutory lien or security interest or encumbrance; e. the Goods, Services, Cloud Services, Deliverables and any Supplier or third-party IP provided to Microsoft under these PO Terms: (1) are not governed, in whole or in part, by an Excluded License. “Excluded License” means any software license that requires as a condition of use, modification and/or distribution, that the software or other software combined and/or distributed with it be: (i) disclosed or distributed in source code form; (ii) licensed to make derivative works; or (iii) redistributable at no charge; and (2) will not be subject to license terms that require any (i) Microsoft product, service, or documentation, or any Supplier or third-party IP licensed to Microsoft, or documentation which incorporates or is derived from such Goods, Services, Cloud Services, Deliverables, or Supplier or third-party IP, or (ii) Microsoft Materials or Microsoft IP, to be licensed or shared with any third party; f. the Goods, Services, Cloud Services, Deliverables and any Supplier or third-party IP provided to Microsoft under these PO Terms will not: (1) to the best of Supplier’s knowledge, infringe any third-party patent, copyright, trademark, trade secret or other proprietary right of any third party; or (2) contain any viruses or other malicious code that will degrade or infect any Goods, Deliverables, products, services, or any other software or Microsoft’s network or systems; g. Supplier will comply with all Laws, rules, and regulations, including Data Protection Law (as defined in Exhibit A), AI Laws (as defined in Section 15(f)), and Anti-Corruption Laws (i.e., all Laws against fraud, bribery, corruption, inaccurate books and records, inadequate internal controls, and/or money-laundering, including the U.S. Foreign Corrupt Practices Act), whether local, state, federal or foreign. The Goods, Services, Deliverables, Cloud Services, parts, components, devices, software, technology, and other materials provided under these PO Terms (collectively, “Items”) may be subject to applicable trade laws in one or more countries. The Supplier will comply with all relevant laws and regulations applicable to the import or export of the Items, including but not limited to, trade laws and regulations such as the U.S. Export Administration Regulations or other end-user, end use, and destination restrictions by the U.S. and other governments, as well as sanctions regulations administered by the U.S. Office of Foreign Assets Control (“Trade Laws”). Microsoft may suspend or terminate these PO Terms immediately to the extent that Microsoft reasonably concludes that continued performance would violate Trade Laws or put it at risk of becoming subject to sanctions or penalties under Trade Laws. Supplier is responsible for ensuring compliance with the transfer or re-transfer of intangible items, such as technology. Supplier agrees to provide Microsoft with the import/export control classifications and information, including documentation, on the applicable import, export, or re-export authorizations,
February 2025 and all necessary information about the Items for any required import, export or re- export procedures and/or licenses, without additional cost to Microsoft. For additional information, see https://www.microsoft.com/en- us/exporting. “Law” means all applicable laws, rules, statutes, decrees, decisions, orders, regulations, judgments, codes, enactments, resolutions, and requirements of any government authority (federal, state, local, or international) having jurisdiction; h. Supplier will comply with all applicable Anti-Corruption Laws. While performing under these PO Terms, Supplier will provide training to its employees on compliance with Anti- Corruption Laws and, upon request by Microsoft, will complete Microsoft’s standard online training for supplier compliance with Anti-Corruption Laws; and i. Supplier will, at its expense: (1) implement and maintain appropriate technical and organizational measures to protect the Microsoft Materials, including Personal Data, and any other Microsoft Confidential Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Microsoft Materials, including Personal Data, or any other Microsoft Confidential Information, transmitted, stored or otherwise processed; (2) as soon as commercially and technologically practicable, remediate any material vulnerabilities of which Supplier becomes aware; and (3) comply with Supplier’s confidentiality, artificial intelligence, privacy and data protection obligations under these PO Terms, including Sections 15, 16 and Exhibit A. 14. Termination. Microsoft may terminate these PO Terms or the applicable SOW with or without cause. Termination is effective upon written notice. If Microsoft terminates for convenience, its only obligation is to pay for: a. Deliverables or Goods it accepts before the effective date of termination; or b. Services performed, where Microsoft retains the benefit after the effective date of termination; or c. Cloud Services delivered before the effective date of termination (or any post termination transition requested by Microsoft). Supplier will (without prejudice to any other remedies Microsoft may have) provide a pro-rata refund to Microsoft for any prepaid unused fees. 15. Security, Privacy, Artificial Intelligence and Data Protection. Supplier will comply with the following, at its own cost and expense. a. Without limiting Microsoft’s audit rights in these PO Terms, Supplier will (1) participate in the Microsoft Supplier Security and Privacy Assurance (“SSPA”) program, as required by Microsoft, including by attesting to Supplier’s compliance status with respect to all applicable portions of Microsoft’s then current Supplier Data Protection Requirements (“DPR”) on an annual basis (or more frequently if additional portions of the DPR become available), and (2) comply with Microsoft’s then current DPR. See https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx, Supplier Security and Privacy Assurance (SSPA) (aka.ms), for SSPA program details, including the program requirements and current DPR.
February 2025 b. Supplier will, at its expense, implement and maintain appropriate technical and organizational measures to protect Confidential Information, including Personal Data, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Confidential Information, including Personal Data, transmitted, stored or otherwise processed, and will, as soon as commercially and technologically practicable, remediate any material vulnerabilities of which Supplier becomes aware. Supplier’s security procedures must include risk assessment and controls for: (1) system access; (2) system and application development and maintenance; (3) change management; (4) asset classification and control; (5) incident response, physical and environmental security; (6) disaster recovery/business continuity; and (7) employee training. Those measures will be set forth in a Supplier security policy. Supplier will make that policy available to Microsoft, along with descriptions of the security controls in place for the Services and Cloud Services, upon Microsoft’s request and other information reasonably requested by Microsoft regarding Supplier security practices and policies. c. When Supplier provides Cloud Services: (1) At Supplier’s cost, Supplier will maintain a valid certification under the International Organization for Standardization standard ISO 27001 or a valid SOC 2 Type II attestation report (“Supplier Certification”). Supplier will promptly provide to Microsoft upon Microsoft’s request a full copy of the Supplier Certification and report on which the Supplier Certification is based. The Supplier Certification will cover all Cloud Services, except cloud infrastructure services provided by cloud infrastructure providers other than Supplier or its affiliates. (2) Supplier will only use the cloud infrastructure provider (“CIP”) identified in the applicable SOW in providing Cloud Services and will notify Microsoft at least 90 days before it changes, adds, or undertakes any plan to change, the CIP and at least 30 days before any change in location of Microsoft Materials. If Microsoft rejects the change, it may terminate the applicable SOW immediately, with no further obligations. d. Supplier will comply with the privacy and data protection requirements in Exhibit A. e. Without limiting Supplier’s obligations under these PO Terms, including the DPR, on becoming aware of any Security Incident (defined below), Supplier will: (1) notify Microsoft without undue delay of the Security Incident (in any case no later than it notifies any similarly situated customers of Supplier and in all cases before Supplier makes any general public disclosure (e.g., a press release)); (2) promptly investigate or perform required assistance in the investigation of the Security Incident and provide Microsoft with detailed information about the Security Incident, including a description of the nature of the Security Incident, the approximate number of Data Subjects affected, the Security Incident’s current and foreseeable impact, and the measures Supplier is taking to address the Security Incident and mitigate its effects; and (3) promptly take all commercially reasonable steps to mitigate the effects of the Security Incident, or assist Microsoft in doing so. “Security Incident” means any: (1) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Confidential Information, including Personal
February 2025 Data, transmitted, stored, or otherwise processed by Supplier or its subcontractors; or (2) Security Vulnerability (i) related to Supplier’s handling of Confidential Information, including Personal Data, or (ii) impacting Microsoft products, services, software, network, or systems. “Security Vulnerability” means a weakness, flaw, or error found within a security system of Supplier or its subcontractors that has a reasonable likelihood to be leveraged by a threat agent in an impactful way. Supplier will comply with this Section 15(e) at Supplier’s cost unless the Security Incident arose from Microsoft’s negligent or willful acts or Supplier’s compliance with Microsoft’s express written instructions. Supplier must obtain Microsoft’s written approval before notifying any governmental entity, individual, the press, or other third party of a Security Incident that affected or reasonably could affect Microsoft, including any Confidential Information that Supplier received from Microsoft or Processed on behalf of Microsoft. f. Artificial Intelligence. Supplier will not use any AI System in connection with or incorporate any AI System into the Goods, Services, Cloud Services, or any Deliverable without Microsoft’s prior written consent. Supplier will, at its expense, implement and maintain appropriate technical and organizational measures to ensure any AI System used or developed in connection with or incorporated into the Goods, Services, Cloud Services, or any Deliverable, and any Goods, Services, Cloud Services, or Deliverables intended to be used with or incorporated into an AI System, complies with AI Laws and Policies, including all Policies related to the ethical or responsible use of artificial intelligence technology. Supplier’s artificial intelligence program must include processes and controls sufficient to meet the requirements mandated under applicable AI Laws and Policies. Those measures will be set forth in a Supplier artificial intelligence policy, including all documentation needed to demonstrate compliance with AI Laws. Supplier will make that policy available to Microsoft on Microsoft’s request along with descriptions of the controls in place for the artificial intelligence technology, and will provide any other information reasonably requested by Microsoft regarding Supplier’s responsible artificial intelligence practices and policies. Supplier will cooperate with Microsoft, upon request, to assist Microsoft in responding to an AI Inquiry, including providing Microsoft will all necessary information regarding any AI System used or developed in connection with or incorporated into the Goods, Services, Cloud Services, or any Deliverable, or any Goods, Services, Cloud Services, or Deliverables intended to be used with or incorporated into an AI System. “AI System” means an engineered system that applies an optimized model so that the system can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing the environments it interacts with. AI Systems include AI Models. “AI Laws” means any Laws applicable to Supplier or Microsoft, relating to artificial intelligence systems and technology, including Regulation (EU) 2024/1689 of the European Parliament and of the Council, Executive Order 14110 on Safe, Secure and Trustworthy Artificial Intelligence and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted. “AI Inquiry” means an inquiry by a governmental body, standards body, or similar entity relating to (1) any AI System used or developed in connection with or incorporated into the Goods, Services, Cloud Services, or any Deliverable, or (2) any
February 2025 Goods, Services, Cloud Services, or Deliverables intended to be used with or incorporated into an AI System. g. Notifications. (1) Supplier must obtain Microsoft’s written approval before (i) notifying any governmental entity, individual, the press, or other third party of a Security Incident that affected or reasonably could affect Microsoft, including any Confidential Information that Supplier received from Microsoft or Processed on behalf of Microsoft, or (ii) responding to, or notifying any governmental entity, individual, the press, or other third party of, an AI Inquiry. As part of its notification to Microsoft, Supplier will disclose the identity of the third party and a copy of the notification (if the notification to the third party has not been sent, Supplier will provide a draft to Microsoft). Supplier will permit Microsoft to offer edits or updates to the notification. (2) Supplier may notify a third party about a Security Incident affecting Personal Data if Supplier is under a legal obligation to do so, provided that Supplier makes every effort to give Microsoft prior notification, as soon as possible and if prior notification is not possible, notify Microsoft immediately once it becomes possible to give notification. 16. Supplier Code of Conduct. Supplier will comply with the most current Supplier Code of Conduct at https://aka.ms/scoc and the most current Anti-Corruption Policy for Microsoft Representatives at http://aka.ms/microsoftethics/representatives, and any other Policies (e.g., those related to physical or information security or artificial intelligence) or training identified by Microsoft in a SOW or otherwise during the Term (and will provide such training). 17. Accessibility. Any device, product, website, web-based application, cloud service, software, mobile applications, or content developed or provided by or on behalf of Supplier or Supplier’s Affiliate under these PO Terms must comply with all legal accessibility requirements. For purchases with a User Interface (UI) this includes conformance to Level A and AA Success Criteria of the latest published version of the Web Content Accessibility Guidelines (“WCAG”), available at https://www.w3.org/standards/techs/wcag#w3c_all, Section 508 of the Rehabilitation Act, available at https://www.section508.gov and the European standard EN 301 549 available at https://eur-lex.europa.eu/eli/dir/2016/2102/oj. Suggested documentation includes completion of the VPAT 2.4 INT: which incorporates all three of the above standards and is available at https://www.itic.org/policy/accessibility/vpat. 18. No Waiver. Microsoft’s delay or failure to exercise any right or remedy will not result in a waiver of that or any other right or remedy. 19. Insolvency; Limitations of Liability. a. The insolvency or adjudication of bankruptcy, filing a voluntary petition in bankruptcy, or making an assignment for the benefit of creditors by either party will be a material breach of these PO Terms. For these PO Terms, “insolvency” means either (1) the party’s liabilities exceed its assets, each fairly stated, or (2) the party’s failure to pay its business obligations on a timely basis in the regular course of business.
February 2025 b. Limitations of Liability. EXCEPT FOR THE INDEMNIFICATION OBLIGATIONS STATED IN SECTION 21, A BREACH OF A PARTY’S ARTIFICIAL INTELLIGENCE, CONFIDENTIALITY, SECURITY, PRIVACY, DATA PROTECTION, AND PUBLICITY OBLIGATIONS UNDER THESE PO TERMS, INFRINGEMENT, MISUSE, OR MISAPPROPRIATION OF IP RIGHTS IN CONNECTION WITH THESE PO TERMS, OR FRAUD, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES (INCLUDING DAMAGES FOR LOSS OF DATA, REVENUE, AND/OR PROFITS), WHETHER FORESEEABLE OR UNFORESEEABLE, WHICH ARISE OUT OF THESE PO TERMS, REGARDLESS OF WHETHER THE LIABILITY IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, BREACH OF WARRANTIES OR OTHERWISE, AND EVEN IF THE PARTY IS ADVISED OF THE POSSIBILITY OF THOSE DAMAGES. 20. Subcontracting. Supplier will not subcontract with any third party to furnish any Goods, Services, Deliverables, or Cloud Services without Microsoft’s prior written consent. If Supplier subcontracts any Services or Cloud Services to any subcontractor, Supplier will be fully liable to Microsoft for any actions or inactions of subcontractor, remain subject to all obligations under these PO Terms, require the subcontractor to agree in writing that Microsoft is an intended third-party beneficiary of its agreement with Supplier and require the subcontractor to agree in writing to terms no less protective of Microsoft than the terms of these PO Terms applicable to the work performed by the subcontractor, including the privacy and data protection terms in Section 15 of these PO Terms and Exhibit A. 21. Indemnification and Other Remedies. a. Supplier will defend, indemnify and hold harmless Microsoft and Microsoft affiliates companies against all claims, demands, loss, costs, damages, and actions for: (1) actual or alleged infringements of any third-party IP or IP rights or Microsoft IP or IP Rights, which arise from the Goods, Services, Deliverables, or Cloud Services provided under these PO Terms; (2) any claim that, if true, would constitute a breach of Section 15, Exhibit A, or any Supplier warranty contained herein; (3) any act or omission of or failure to comply with tax obligations or Law by Supplier or Supplier’s agents, employees, or subcontractors; (4) any breach by Supplier or its subcontractors of any artificial intelligence, confidentiality, security, or privacy, data protection, or publicity obligations under these PO Terms; (5) the negligent or willful acts or omissions of Supplier or its subcontractors, which results in any bodily injury, including mental injury, or death to any person or loss, disappearance or damage to tangible or intangible property; and (6) any claims of its employees, affiliated companies or subcontractors regardless of the basis, including, but not limited to, the payment of settlements, judgments, and reasonable attorneys’ fees. b. In addition to all other remedies available to Microsoft, if use of the Goods, Services, Deliverables, or Cloud Services under these PO Terms are enjoined, injunction is threatened, or may violate applicable law, Supplier, at its expense will notify Microsoft and immediately replace or modify such Goods, Services, Deliverables, and Cloud Services so they are non-infringing, compliant with applicable law, and useable to Microsoft’s satisfaction. If Supplier does not comply with this Section 21(b), then in addition to any amounts reimbursed under this Section 21 (Indemnification and Other Remedies), Supplier will refund all amounts paid by Microsoft for infringing or non-
February 2025 compliant Goods, Services, Deliverables, and Cloud Services and pay reasonable costs to transition Services and Cloud Services to a new supplier. 22. Insurance. Supplier will maintain sufficient insurance coverage to meet obligations required by these PO Terms and by Law. Supplier’s insurance must include the following coverage (or the local currency equivalent) to the extent these PO Terms or the applicable SOW creates risks generally covered by these insurance policies: Table A1 – Required Insurance Coverage Coverage Form Limit1 Commercial general liability, including contractual and product liability2 Occurrence $2,000,000 USD Automobile liability Occurrence $2,000,000 USD Privacy and cybersecurity liability, as reasonably commercially available (including costs arising from data destruction, hacking or intentional breaches, crisis management activity related to data breaches, and legal claims for security breach, privacy violations, and notification costs) Per claim $2,000,000 USD Workers’ compensation Statutory Statutory Employer’s liability Occurrence $500,000 USD Professional liability/E&O, covering third-party proprietary rights infringement (e.g., copyright and trademark) if reasonably commercially available Per claim3 $2,000,000 USD NOTES: 1 All limits per claim or occurrence unless statutory requirements are otherwise may be converted to local currency. 2 Supplier will name Microsoft, its subsidiaries, and their respective directors, officers, and employees as additional insureds in the Commercial general liability policy, to the extent of contractual liability assumed by Supplier in Section 21. 3 With a retroactive coverage date no later than the effective date of these PO Terms or the applicable SOW or Order. Supplier will maintain active policy coverage or an extended reporting period providing coverage for claims first made and reported to the insurer within 12 months after these PO Terms terminate or expire or the applicable SOW or Order is fulfilled. Supplier must obtain Microsoft’s prior written approval for any deductible or retention in excess of $100,000 USD per occurrence or accident. Supplier will deliver to Microsoft proof of the insurance coverage required under these PO Terms on request. Supplier will promptly
February 2025 buy additional coverage, and notify Microsoft in writing, if Microsoft reasonably determines Supplier’s coverage is less than required to meet its obligations. 23. Non-Disclosure of Confidential Matters. If the parties have entered into a standard Microsoft Non-Disclosure Agreement, the terms of such agreement will apply to and be incorporated in these PO Terms and the existence of and all terms and conditions of these PO Terms and Microsoft Materials will be deemed Microsoft Confidential Information. If the parties have not entered into a standard Microsoft Non-Disclosure Agreement, then Supplier agrees that during the term of these PO Terms and for 5 years thereafter, Supplier will hold in strictest confidence, and will not use or disclose to any third party (except to a Microsoft Affiliate), any Microsoft Confidential Information. The term “Microsoft Confidential Information” means all nonpublic information that Microsoft or an affiliated company designates in writing or orally as being confidential, or which, under the circumstances of disclosure would indicate to a reasonable person that it ought to be treated as confidential. Notwithstanding anything to the contrary in these PO Terms, all Personal Data shared with Supplier or a Supplier affiliate and in connection with these PO Terms is Microsoft Confidential Information. If Supplier has questions regarding what comprises Microsoft Confidential Information, Supplier will consult Microsoft. Microsoft Confidential Information will not include information known to Supplier before Microsoft’s disclosure to Supplier, or information publicly available through no fault of Supplier. On expiration or termination of these PO Terms or the applicable SOW, or on request by Microsoft or Microsoft’s Affiliate, Supplier will without undue delay: (i) return all Microsoft Confidential Information (including copies thereof) to Microsoft or the applicable Microsoft Affiliate; or (ii) where requested by Microsoft or its Affiliate, destroy the Microsoft Confidential Information (including copies thereof) and certify its destruction, in each case unless the Law expressly requires otherwise. For any Microsoft Confidential Information that Supplier retains after expiration or termination of these PO Terms or the applicable SOW (for example, because Supplier is legally required to retain the information), Supplier will continue to comply with all terms of these PO Terms applicable to that Confidential Information, including all confidentiality obligations, and those applicable terms will survive such termination or expiration. 24. Independent Development. Nothing in these PO Terms restricts Microsoft’s ability to, directly or indirectly, acquire, license, develop, manufacture, or distribute, same or similar technology or services to the Goods, Services, Deliverables, or Cloud Services contemplated by these PO Terms. Microsoft may use, market, and distribute such similar technology or services in addition to, or in lieu of, the technology or services contemplated by these PO Terms, including any software or cloud services (in whole or in part). 25. Audit. During the term of these PO Terms and for 4 years after (or a longer term as required to comply with Law), Supplier will keep usual and proper records and books of account and quality and performance reports related to Goods, Services, Deliverables, or Cloud Services, the Processing of Personal Data, and as otherwise required for legal compliance (“Supplier Records”). During this period, Microsoft may audit and/or inspect the applicable records and facilities to verify Supplier’s compliance with these PO Terms, including privacy, security, export compliance, accessibility, and taxes. Microsoft or its designated independent consultant or certified public accountant (“Auditor”) will conduct audits and inspections.
February 2025 Microsoft will provide reasonable notice (15 days except in emergencies) to Supplier before the audit or inspection and will instruct the Auditor to avoid disrupting Supplier’s operations, including consolidating audits where practical. Supplier agrees to provide Microsoft’s designated audit or inspection team reasonable access to the Supplier records and facilities. If the auditors determine that Microsoft overpaid Supplier, Supplier will reimburse Microsoft for any such overpayment. If Supplier overcharged Microsoft 5% or more during an audited period, it will immediately refund Microsoft all overpayments plus pay interest at 0.5% per month on such overcharge. Microsoft will bear the expense of its auditors or inspection team. However, if the audit shows Supplier overcharged Microsoft by 5% or more during such audit period, Supplier will reimburse Microsoft for such expenses. Nothing in this Section limits Microsoft’s right to audit Supplier under any other Section of these PO Terms, including Exhibit A. 26. Assignments. No right or obligation under these PO Terms (including the right to receive monies due) will be assigned without the prior written consent of Microsoft. Any assignment without such consent will be void. Microsoft may assign its rights under these PO Terms. 27. Notice of Labor Disputes. Whenever an actual or potential labor dispute delays or threatens to delay the timely performance of these PO Terms, Supplier will immediately notify Microsoft in writing of such dispute and furnish all relevant details. Supplier will include a provision identical to the above in each subcontract and, immediately upon receipt of such notice, give written notice to Microsoft. 28. Patent License. Notwithstanding other conditions stated herein, if Supplier fails in performance according to the terms of these PO Terms, Supplier, as part of the consideration for these PO Terms and without further cost to Microsoft, automatically grants to Microsoft an irrevocable, non-exclusive, royalty- free right and license to use, sell, manufacture, and cause to be manufactured any and all products, which embody any and all inventions and discoveries made, conceived, or actually reduced to practice by or on behalf of Supplier in connection with a Deliverable under these PO Terms. 29. Jurisdiction and Governing Law. Where Goods, Services, Deliverables, or Cloud Services are provided to Microsoft in the United States, these PO Terms are governed by Washington State Law (disregarding conflicts of law principles), and the parties consent to exclusive jurisdiction and venue in the state and federal courts in King County, Washington. All Cloud Services are deemed provided in the United States if any access or use of Cloud Services by Microsoft occurs in the United States. In all other instances, these PO Terms are governed by the Laws of the country where Microsoft (i.e., the entity other than Supplier who is the contracting entity to these PO Terms) is incorporated or otherwise formed and the parties consent to exclusive jurisdiction and venue in that country. Neither party will claim lack of personal jurisdiction or forum non conveniens in the courts agreed above. In any action or suit related to these PO Terms, the prevailing party is entitled to recover its costs including reasonable attorneys’ fees. 30. Publicity; Use of Trademarks. Supplier will not issue press releases or other publicity related to Supplier’s relationship with Microsoft or these PO Terms without prior written approval from Microsoft. If written approval is granted, Supplier may only use Trademarks for
February 2025 Services, Cloud Services and Deliverables in compliance with the guidelines at https://www.microsoft.com/en- us/legal/intellectualproperty/Trademarks/Usage/General.aspx. 31. Severability, URLs. If a court of competent jurisdiction determines that any provision of these PO Terms is illegal, invalid, or unenforceable, the remaining provisions will remain in full force and effect. URLs also refer to successors, localizations, and information or resources linked from within websites at those URLs. Neither party has entered into these PO Terms in reliance on anything not contained or incorporated in these PO Terms. These PO Terms will be interpreted according to their plain meaning without presuming that they should favor either party. 32. Survival. The provisions of these PO Terms which, by their terms, require performance after the termination or expiration or have application to events that may occur after the termination or expiration of these PO Terms or the applicable SOW, will survive the termination or expiration of these PO Terms and the applicable SOW. All indemnity obligations and indemnification procedures will survive the termination or expiration of these PO Terms and the applicable SOW. [Remainder of this page is intentionally left blank]
February 2025 Exhibit A – Data Protection SECTION 1 Scope, Order of Precedence, and Term (a) This Exhibit modifies and supplements the terms and conditions in the PO Terms as they relate to Supplier’s Processing of Personal Data and compliance with Data Protection Law. The SOW (if any) designates the Supplier’s status as a Controller or a Processor. Notwithstanding anything to the contrary in the PO Terms, if there is a conflict between this Exhibit and the PO Terms, this Exhibit will control. This Exhibit will be attached to and incorporated into the PO Terms. (b) This Exhibit applies only to the extent that Supplier receives, stores, or Processes Personal in connection with the Goods, Services, Deliverables, or Cloud Services. SECTION 2 Definitions (a) All capitalized terms not defined in this Exhibit will have the meanings set forth in the PO Terms. (b) The following terms have the definitions given to them in the CCPA: “Business,” “Business Purpose,” “Sale,” “Share,” “Service Provider,” “Contractor,” and “Third Party.” (c) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. “Controller” includes a Business, Controller (as that term is defined in the GDPR), and equivalent terms in Data Protection Laws, as context requires. (d) “Data Exporter” means the party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism and (2) transfers Personal Data, or makes Personal Data available to, the Data Importer. (e) “Data Importer” means the party that is (1) located in a jurisdiction that is not the same as the Data Exporter’s jurisdiction and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by the Data Exporter. (f) “Personal Data Incident” means any: (1) destruction, alteration, use, loss, disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by Supplier or its subcontractors that is not authorized by law or these PO Terms or any other breach of the protection of Personal Data; or (2) Security Vulnerability related to Supplier’s handling of Personal Data. “Security Vulnerability” means a weakness, flaw, or error found within a security system of Supplier or its subcontractors that has a reasonable likelihood to be leveraged by a threat agent in an impactful way. (g) “Data Protection Law” means any Law applicable to Supplier or Microsoft, relating to data security, data protection, and/or privacy, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of that data (“GDPR”), Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”), and any other U.S. federal, U.S. state, or foreign data privacy laws, and any implementing, derivative or related
February 2025 legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted. (h) “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. (i) “De-identified Data” means information that cannot reasonably be linked to an identified or identifiable individual. (j) “EEA” means the European Economic Area. (k) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) and any other data or information that constitutes personal data or personal information under any applicable Data Protection Law. An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. (l) “Process” or “Processing” means any operation or set of operations that a party performs on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. (m) “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes Service Provider, Contractor, Processor (as that term is defined in the GDPR), and equivalent terms in Data Protection Laws, as context requires. (n) “Protected Health Information” or “PHI” means Microsoft Personal Data that is protected by the Health Information Portability and Accountability Act (HIPAA). (o) “Pseudonymous Data” means information that cannot be attributed to a specific individual without the use of additional information provided that it is kept separately and subject to appropriate technical and organizational measures to ensure that it is not attributed to the individual. (p) “Sensitive Data” means the following types and categories of data: (1) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, immigration or citizenship status, or trade union membership; genetic data; (2) biometric data; (3) data concerning health, including protected health information governed by the Health Insurance Portability and Accountability Act; (4) data concerning a natural person’s sex life or sexual orientation; (5) government identification numbers (e.g., SSNs, driver’s license); (6) payment card information; (7) nonpublic personal information governed by the Gramm Leach Bliley Act; (8) an unencrypted identifier in combination with a password or other access code that would permit access to a data subject’s account; (9) personal bank account numbers; (10) data related to
February 2025 children; (11) precise geolocation; and (12) any other data defined as “sensitive data,” “sensitive information,” or similar terms under Data Protection Law. (q) ”Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://ec.europa.eu/info/law/law-topic/data- protection/international-dimension-data- protection/standard-contractual-clauses-scc_en or other applicable country-specific standard contractual clauses or equivalent. (r) “Subprocessor” means a Processor engaged by a party who is acting as a Processor. SECTION 3 Description of the Parties’ Personal Data Processing Activities and Statuses of the Parties (a) Schedule 1 describes the purposes of the parties’ Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing. (b) Schedule 1 lists the parties’ statuses under relevant Data Protection Law. (c) The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of Data Subjects may be more specifically described in a statement of work, Microsoft purchase order, or written agreement signed by the parties’ authorized representatives, which forms an integral part of the PO Terms; if this is the case, the more specific description will control over Schedule 1. SECTION 4 International Data Transfer (a) Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does not protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data Transfer Mechanism”). The parties will comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law, or agreed upon bv the parties, including the Standard Contractual Clauses, the Data Privacy Framework and Binding Corporate Rules. (b) If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties will work together in good faith to find a suitable alternative. (c) With respect to Personal Data of Data Subjects located in a jurisdiction that requires an International Data Transfer Mechanism, (e.g., the EEA, Switzerland, or the United Kingdom) that Microsoft transfers to Supplier or permits Supplier to access, the parties agree upon these PO Terms becoming effective they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of the PO Terms. The parties agree that, with respect to the elements of the Standard Contractual Clauses that require the parties’ input, Schedules 1 and 2 contain information relevant to the Standard Contractual Clauses’ Annexes. The parties agree that, for Personal Data of Data Subjects in the United Kingdom, Switzerland, or another country specified in Schedule 1, they adopt the modifications to the Standard
February 2025 Contractual Clauses listed in Schedule 1 to adapt the Standard Contractual Clauses to local law, as applicable. SECTION 5 Mutual Obligations of the Parties (a) Compliance. The parties will comply with their respective obligations under applicable Data Protection Laws and their privacy notices, including by providing the same level of privacy protection that is required by applicable Data Protection Laws, when acting as Controllers or Processors. (b) Information. Upon request, Supplier will provide reasonably relevant information to demonstrate Supplier’s compliance with its obligations under applicable Data Protection Law, and to enable Microsoft to demonstrate Supplier’s compliance with its obligations under applicable Data Protection Law, and fulfill its obligations (if any) to conduct data protection assessments or prior consultations with data protection authorities and any other regulatory bodies. (c) Notification. Supplier will notify Microsoft if it determines that it can no longer meet its obligations under applicable Data Protection Law. (d) Cooperation. If Supplier receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority, or faces an actual or potential claim, inquiry, or complaint in connection with Parties’ Processing of Personal Data provided to Supplier by or on behalf of Microsoft, its affiliates, or its respective end users, or obtained or collected by Supplier in connection with the purposes described in Schedule 1 (collectively, an “Inquiry”), then Supplier will notify Microsoft without undue delay, but in no event later than ten (10) business days, unless such notification is prohibited by applicable law. Supplier will promptly provide Microsoft with information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable Microsoft to respond to the Inquiry. (e) Confidentiality. Supplier will ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality obligations no less protective than those set forth in the PO Terms or are under an appropriate statutory obligation of confidentiality. (f) Security Controls. Supplier will abide by Schedule 2 and take all measures required in accordance with good industry practice and by Data Protection Law relating to data security (including pursuant to Article 32 of the GDPR). Supplier will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering as well any additional measures to ensure an appropriate level of protection with regards to Sensitive Data that may be subject to these PO Terms. (g) Obligations Related to PHI. If Supplier’s engagement involves the Processing of PHI, Supplier must have a Business Associate Agreement and/or other required agreement in place with Microsoft. SECTION 6 Supplier’s Obligations as Independent Controller (if applicable). If Supplier is a Controller of Personal Data that is collected, exchanged, or otherwise Processed in connection with Supplier’s performance of the PO Terms (see Schedule 1), then:
February 2025 (a) Supplier acknowledges and agrees that Supplier is independently responsible for compliance and will comply with applicable Data Protection Law (e.g., obligations of Controllers); (b) Supplier will not Sell or Share Personal Data; (c) Supplier agrees to be responsible for providing notice to Data Subjects as may be required by applicable Data Protection Law (e.g., GDPR Articles 13 and 14, as applicable) and responding, as required by Data Protection Laws such as Chapter III of GDPR, to Data Subject’s requests to exercise their rights and identifying the lawful basis on which Processing of their personal data is based (e.g., consent or legitimate interest); (d) Supplier agrees that it will keep Pseudonymous Data separate from any additional information necessary to prevent such Pseudonymous Data from being attributable to a specific individual and will subject such Pseudonymous Data to appropriate technical and organizational measures to ensure that it is not attributed to specific individual; and (e) Supplier agrees that it will take reasonable measures to ensure that De-identified Data and Pseudonymous Data cannot be associated with a specific individual or household, publicly commit to maintain the De- identified Data and Pseudonymous Data in de-identified form and not attempt to reidentify it, implement technical and organizational measures as required by these PO Terms, and contractually commit any Subprocessors to do the same and take all other actions necessary to maintain the information’s status as De- identified Data or Pseudonymous Data under Data Protection Laws. SECTION 7 Supplier’s Obligations as Third Party (if applicable). If Supplier Processes Personal Data as a Third Party under the CCPA or equivalent term under applicable U.S. state data privacy laws and other Data Protection Laws in connection with Supplier’s performance of the PO Terms (see Schedule 1), then: (a) Supplier will Process Personal Data only for the limited and specific business purpose(s) described in Schedule 1. (b) Supplier agrees that the Personal Data is made available only for the limited and specified purpose(s) set forth in the contract, and that Supplier may use the information only for those purposes; (c) Supplier will not Sell or Share Personal Data made available to it by Microsoft; (d) Supplier will allow Microsoft to take reasonable and appropriate steps to ensure that Supplier uses the Personal Data that it received from, or on behalf of, Microsoft in a manner consistent with Microsoft’s obligations under the CCPA and applicable U.S. state data privacy laws and other Data Protection Laws; and (e) Supplier will allow Microsoft, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.
February 2025 SECTION 8 Supplier’s Obligations as a Processor, Contractor, Subprocessor, or Service Provider. Supplier will have the obligations set forth in this Section 8 if it Processes the Personal Data of Data Subjects in its capacity as Microsoft’s Processor, Contractor, or Service Provider; for clarity, these obligations do not apply to Supplier in its capacity as an Independent Controller, Business, or Third Party. (a) Scope of Processing (1) Supplier will Process Personal Data solely to (i) provide Services to Microsoft (and where applicable for the Business Purposes specified in the applicable SOW, (ii) carry out its obligations under the PO Terms, and (iii) carry out Microsoft’s documented instructions. Supplier will not Process Personal Data for any other purpose, unless required by applicable law, and will not Sell or Share Personal Data that it collects or obtains pursuant to the PO Terms. (2) Processing any Personal Data outside the scope of the PO Terms and this Exhibit will require prior written PO Terms between Supplier and Microsoft by way of written amendment to the PO Terms. (3) Supplier will notify Microsoft if it believes that it cannot follow Microsoft’s instructions or fulfill its obligations under the PO Terms because of a legal obligation to which Supplier is subject, unless Supplier is prohibited by law from making such notification. (4) Supplier is prohibited from retaining, using, or disclosing the Personal Data (1) for any purpose other than the Business Purposes specified in Schedule 1, including retaining, using, or disclosing the Personal Data for a commercial purpose other than carrying out Microsoft’s instructions; (2) outside of the Parties’ direct business relationship, unless permitted by applicable Data Protection Law, or (3) by combining Personal data that Supplier receives from, or on behalf of, Microsoft with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, provided that Supplier may combine Personal Data to perform any Business Purposes permitted by applicable Data Protection Law. Supplier certifies that it understands with and will comply with the prohibitions set forth in this Section (8)(a)(4). (5) Supplier will allow Microsoft, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data. (b) Obligations Regarding Pseudonymous Data and De-identified Data (1) Supplier agrees that will keep Pseudonymous Data separate from any additional information necessary to prevent such Pseudonymous Data from being attributable to a specific individual and will subject such Pseudonymous Data to appropriate technical and organizational measures to ensure that it is not attributed to specific individual; (2) Supplier agrees that it will (i) take reasonable measures to ensure that De-identified Data and Pseudonymous Data cannot be associated with a specific individual or household, (ii) publicly commit to maintain the De-identified Data and Pseudonymous
February 2025 Data in de-identified form and not attempt to reidentify it, (iii) implement technical and organizational measures as required by these PO Terms (iv) contractually commit any Subprocessors to do the same and (v) take all other actions necessary to maintain the information’s status as De-identified Data or Pseudonymous Data under Data Protection Laws. (c) Data Subjects’ Requests to Exercise Rights. Supplier will promptly inform Microsoft if Supplier receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. Supplier will not respond to such Data Subjects except to acknowledge their requests. Supplier will provide Microsoft with assistance, upon request, to help Microsoft to respond to a Data Subject’s request, including by stopping the Processing of Personal Data where required in accordance with a Data Subject’s request. Microsoft will notify the Supplier of any Data Subject request that the Supplier must comply with and will provide information necessary for compliance. (d) Supplier’s Subprocessors. Supplier will not engage a Subprocessor without Microsoft’s prior written authorization. Supplier will be liable for the acts or omissions of its Subprocessors to the same extent as Supplier would be liable if performing the services of the Subprocessor directly under this Exhibit, except as otherwise set forth in the PO Terms. Supplier will require Subprocessors to agree in writing to terms no less protective than the terms in this Exhibit. (e) Personal Data Incident (1) Without limiting Supplier’s obligations under the PO Terms, including the DPR and this Exhibit with respect to Personal Data, on becoming aware of any Personal Data Incident, Supplier will: (i) keep a register of all Personal Data Incidents; (ii) notify Microsoft without undue delay of the Personal Data Incident (in any case no later than it notifies any similarly situated customers of Supplier and in all cases before Supplier makes any general public disclosure (e.g., a press release)); (iii) promptly investigate or perform required assistance in the investigation of the Data Incident and provide Microsoft with detailed information about the Personal Data Incident, including a description of the nature of the Personal Data Incident, the approximate number of Data Subjects affected, the Personal Data Incident’s current and foreseeable impact, and the measures Supplier is taking to address the Personal Data Incident and mitigate its effects; and (iv) promptly take all commercially reasonable steps to mitigate the effects of the Data Incident, or assist Microsoft in doing so. (2) Supplier will comply with this Section 8(e) at Supplier’s cost unless the Personal Data Incident arose from Microsoft’s negligent or willful acts or Supplier’s compliance with Microsoft’s express written instructions.
February 2025 (3) Supplier must obtain Microsoft’s written approval before notifying any governmental entity, individual, the press, or other third party of a Data Incident that affected or reasonably could affect Personal Data that Supplier received from Microsoft or Processed on behalf of Microsoft. Notwithstanding anything to the contrary in this Exhibit, Supplier may notify a third party about a Personal Data Incident affecting Personal Data if it is under a legal obligation to do so, provided that Supplier must: (i) make every effort to give Microsoft prior notification, as soon as possible, if it intends to disclose the Personal Data Incident to a third party; and (ii) if it is not possible to give Microsoft such prior notification, notify Microsoft immediately once it becomes possible to give notification. For any disclosure of a Personal Data Incident to a third party, Supplier will, as part of its notification to Microsoft, disclose the identity of the third party and a copy of the notification (if the notification to the third party has not been sent, Supplier will provide a draft to Microsoft). Supplier will permit Microsoft to offer edits or updates to the notification. (f) Deletion and Return of Personal Data. On expiration or termination of the applicable statement of work, cloud order, purchase order, or other written agreement between the parties, or upon request by Microsoft or Microsoft’s Affiliate, Supplier will, without undue delay: (1) return all Personal Data (including copies thereof) to Microsoft or the applicable Microsoft Affiliate; or (2) on request by Microsoft or its Affiliate, destroy all Microsoft Personal Data (including copies thereof), and certify its destruction, in each case unless the Law expressly requires otherwise. For any Microsoft Personal Data that Supplier retains after expiration or termination of the applicable statement of work, cloud order, purchase order, or other written agreement between the parties (for example, because Supplier is legally required to retain the information), (A) Supplier will continue to comply all terms of the PO Terms applicable to that Personal Data, including all with the data security and privacy provisions in this Exhibit and those applicable terms will survive such expiration or termination and (B) Supplier must De-identify or aggregate Personal Data (if any) to the extent feasible. All Personal Data is Microsoft Confidential Information. (g) Audits. Without limiting any of Microsoft’s existing audit rights under the PO Terms (if any), Supplier will make available to Microsoft all information necessary to demonstrate compliance with Data Protection Law and allow for and contribute to audits, including inspections, conducted by Microsoft or another auditor mandated by Microsoft. [Remainder of this page is intentionally left blank]
February 2025 Schedule 1: Description of the Processing and Subprocessors Processing Activity Status of the Parties Categories of Personal Data that May Be Processed Categories of Sensitive Data that May Be Processed Applicable SCCs Module Supplier Processes Personal Data to provide the Goods, Services, Deliverables, or Cloud Services. Microsoft is a Controller. Supplier is a Processor. Captured in SOW Captured in SOW Module 2 Module 3, if Microsoft acts as a Processor to another Controller The parties Process Personal Data of their employees to, e.g., administer and provide the Goods, Services, Deliverables, or Cloud Services; manage invoices; manage the PO Terms and resolve any disputes relating to it; respond and/or raise general queries; comply with their respective regulatory obligations; and create and administer web- based accounts. Microsoft is a Controller. Supplier is a Processor. Captured in SOW Captured in SOW Module 2 Module 3, if Microsoft acts as a Processor to another Controller Supplier collects or receives Personal Data as a Controller/Third Party. Microsoft is a Controller. Supplier is a Controller/ Third Party. Captured in SOW Captured in SOW Module 1 Subprocessors Supplier uses the Subprocessors listed in a statement of work or written agreement signed by the parties’ authorized representatives when it acts as a Processor.
February 2025 Information for International Transfers Frequency of Transfer Continuous for all Personal Data. Retention Periods As Controllers, the parties retain Personal Data for as long as they have a business purpose for it or for the longest time allowable by applicable law. As a Processor, Supplier retains Personal Data it collects or receives from Microsoft for the duration of the PO Terms and consistent with its obligations in this Exhibit. For the purpose of the Standard Contractual Clauses: Clause 7: The parties do not adopt the optional docking clause. Clause 9, Module 2(a), if applicable: The parties select Option 1. The time period is 30 days. Clause 9, Module 3(a), if applicable: The parties select Option 1. The time period is 30 days. Clause 11(a): The parties do not select the independent dispute resolution option. Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Republic of Ireland. Clause 18: The parties agree that the forum is the High Court in Dublin, Ireland. Annex I(A): The data exporter is the Data Exporter (defined above) and the data importer is the Data Importer (defined above). Annex I(B): The parties agree that Schedule 1 describes the transfer. Annex I(C): The competent supervisory authority is the Irish Data Protection Commission. Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer. For the purpose of localizing the Standard Contractual Clauses: Switzerland The parties adopt the GDPR standard for all data transfers.
February 2025 Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above. Clause 17: The parties agree that the governing jurisdiction is Republic of Ireland. Clause 18: The parties agree that the forum is the High Court in Dublin, Ireland. The parties agree to interpret the Standard Contractual Clauses so that Data Subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c). The parties agree to interpret the Standard Contractual Clauses so that “Data Subjects” includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative. United Kingdom “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office under S119A(1) Data Protection Act 2018, as modified by the Information Commissioner’s office from time to time, available at https://ico.org.uk/for-organisations/guide-to-data- protection/guide-to-the-general-data-protection- regulation- gdpr/international-data-transfer-agreement-and-guidance/. For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the parties hereby incorporate the UK SCC Addendum by reference and, by signing the PO Terms, also enter into and agree to be bound by the Mandatory Clauses of the UK SCC Addendum. The parties agree that the following information is relevant to Tables 1 – 4 of the UK SCC Addendum and that by changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the UK SCC Addendum). Table 1: The parties’ details, key contacts, data subject contacts, and signatures are in the signature block of the PO Terms. Table 2: The selected SCCs, Modules and Selected Clauses are described in Schedule 1. Table 3: The list of parties, description of transfer, and list of sub-processors are described in Schedule 1. The Technical and Organizational measures to ensure the security of the data are described in Schedule 2. Table 4: Neither party may end the UK SCC Addendum when the Approved Addendum changes.
February 2025 Clause 17 of the Standard Contractual Clauses: The parties agree that the governing jurisdiction is the United Kingdom. Clause 18 of the Standard Contractual Clauses: The parties agree that the forum is the courts of England and Wales. The parties agree that Data Subjects may bring legal proceedings against either party in the courts of any country in the United Kingdom. Brazil “Brazilian Standard Contractual Clauses” means the Standard Contractual Clauses contained in Annex II of Resolution CD/ANPD No. 19/2024, of August 23, 2024. For transfers from Brazil to countries that are not subject to an adequacy decision issued by the Brazilian national data protection authority or are not otherwise permitted in accordance with the General Data Protection Law 13.709/2018 of Brazil (“LGPD”), the parties hereby incorporate the Brazilian Standard Contractual Clauses by reference and, by signing these PO Terms, also enter into and agree to be bound by the Mandatory Clauses of the Brazilian Standard Contractual Clauses. Clause 2: The parties agree that Schedule 1 of these PO Terms describes the transfer. Clause 3.1: As stated in Schedule 1, Supplier may use the Subprocessors listed in a statement of work or written agreement signed by the parties’ authorized representatives when it acts as a Processor in accordance with this Exhibit. Where the parties have not agreed to a transfer of personal data by Supplier to a Subprocessor per this Exhibit, the parties agree that OPTION A of Clause 3.1 governs. OPTION B of Clause 3.1 governs where the parties agree Supplier may use the Subprocessors listed in a statement of work or written agreement signed by the per the PO Terms. Clause 4: The Status of Parties are detailed in Schedule 1. Where Microsoft is a Controller under this Exhibit, it shall be the Designated Party for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting). Supplier remains responsible for compliance with Clauses 14 to 16 for any data to which it may otherwise be the data controller. Clause 24: In accordance with SECTION IV, the parties agree that the governing forum is São Paulo. The parties agree that transfer and processing of Brazilian data subjects’ personal data is in accordance with and governed under the LGPD.
February 2025 Schedule 2: Technical and Organizational Security Measures Supplier will comply with Microsoft’s DPR as agreed in Section 15(a) of the PO Terms. [Remainder of this page is intentionally left blank