
 

Exhibit 10.9

 

[Certain confidential portions of this exhibit were omitted by means of marking such portions with brackets and asterisks because the identified confidential portions (i) are not material and (ii) would be competitively harmful if publicly disclosed, or constituted personally identifiable information that is not material.]

 

Order 7

 

This Order 7 (“Order”) is provided as of October 15, 2023 (“Order Effective Date”) pursuant and subject to the terms and conditions of that certain Software-As-A-Service Agreement dated as of August 7, 2018, by and between Xyvid, Inc. (“Provider”) and [*]successor in interest to [*] (“[*]”). Any term not otherwise defined herein will have the meaning set forth in the Software-As-A-Service Agreement.

 

1.Offering URLs

 

https://admin.xyvid.com/

[*]

 

2.Offerings
   
  Offering names: Xyvid Pro Platform, Xyvid CPE Program, Self-Study Platform Program, Support and Hosted Programs

 

General description of Offerings:

 

1.Xyvid Pro Platform - The Xyvid Pro Platform provides a high-resolution, internet-based broadcast platform with interactive tools that provide web broadcast Users with a dynamic, interactive, and engaging virtual event experience. Under this Order, Provider will proactively monitor all connections to ensure the best quality video and will manage the operations and delivery of the broadcast using the Platform. Provider will contact Users promptly to troubleshoot connection problems before they may impact the User’s live web broadcasting experience.

 

2.Xyvid CPE Program and Special Version of the Xyvid Pro Platform - The Certified Professional Education Program (CPE) is a live certification program offered to the [*] Entities and their Users who wish to obtain CPE credits. The CPE Program is an offering made available to [*] Entities and their Users through a special version of the Xyvid Pro Platform. All programs for credits can only be run through the special version of the Platform (the “Full Serve Version”), managed by Provider through a special version of the Platform. Each webcast provides up to 1.5 hours of live instruction and applicable CPE credits. Each webcast will accommodate up to 2000 Users per webcast. Provider’s CPE configuration will be promptly built based on needs identified in writing by [*] (e.g., the length of time a CPE course should last) and will only provide certification to Users that meet the requirements provided therein.

 

3.Self-Study Platform. - This Self-Study Platform allows for any live Xyvid CPE Program that was part of the Offering to be turned into a Self-Study Program after the initial live CPE Program runs. Each Self-Study Program provides up to 1.5 hours of videotaped instruction and provides the User who completes each course with applicable CPE credits. The CPE Self-Study Platform Offering has no limits on the number of Users per course. Provider’s CPE configuration will be promptly built based on needs identified in writing by [*] (e.g., the length of time a CPE course should last) and will only provide certification to Users that meet the requirements provided therein. The Self-Study Platform allows a User to run the Self-Study program and take the test when time permits.

 

4.Support - Provider will provide support through the following channels: [*], email support@xyvid.com, or through the tech support chat found in the Action Center of the Platform. Provider will provide a separate chat channel for User’s support requests to keep the Q&A chat cleaner to moderate the real questions to [*]. [*] will have the ability to port the Platform’s technical support abilities to [*]’s internal team or service or ask Provider to staff the event support.

 

5.Hosted Programs.- The hosted programs are generated by [*] presenters and facilitated technically by Xyvid. They are provided on Xyvid’s Pro Platform that provide a high resolution, internet-based broadcast platform with interactive tools, are a suite of one-way and two-way communication aids that [*] can add to their web broadcasts.

 

 
 

 

3.Metrics/Usage Restrictions

 

Unlimited events:

 

Duration of event(s): various
Time & Date – to be mutually determined in writing by the parties
Targeted number of Users: User counts up to 2000 included.
Type of events – Audio and Video Managed
Basic registration included

 

4.Subscription Term

 

Subscription Term Start Date: November 1, 2023

Subscription Term End Date: October 31, 2026

 

Year 1- November 1, 2023- October 31, 2024

Year 2- November 1, 2024- October 31, 2025

Year 3- November 1, 2025- October 31, 2026

 

5.Fees, Payment, Expenses, Not to Exceed

 

Fees as set forth below. In no event will Provider invoice [*] for, and in no event will [*] be liable for, amounts (including all fees and expenses) under this Order in excess of $6,000,000.00.

 

In the event that the parties anticipate exceeding this amount, an amendment to this Order must be signed by the parties prior to incurring any additional Fees.

 

Fees:

 

1.XYVID Pro Platform

 

XYVID Pro Video Full Serve Webcast Fees          
Full Serve Webcast Fees up to 2000 Users for 90 minutes          
           
WEBCAST STREAM   VIDEO    AUDIO 
Video/Audio Web Broadcast – Via Google Hang, Zoom, SIP Video of Live Cam  $5,250.00   $3,550.00 
Standard Registration (First Name, Last Name, Email) 1 year Archive, Reporting          
Custom Registration System details/costs – see additional program types and services.          
Standard Engagement Tools Included (Up to 15 Units Total of the Below Tools)          

 

15 units of any standard engagement are included.    
     

Each additional 5 standard engagement items are billed at $650/per.

   
Action Center – Moderated Q&A, Technical Support Chat, Downloadable Docs INCLUDED INCLUDED

WordCloud – One-Word Answer Live Polling and Display INCLUDED INCLUDED
Polling – Multiple Choice, Multiple Answer, and Drag-Drop Ranking INCLUDED INCLUDED
Speaker Bio – Picture and Text Displayed During Program INCLUDED INCLUDED
Pulse – Audience Topic Response Throughout the Presentation INCLUDED INCLUDED
Ticker Tape – Feed a Stream of Any Text at the Bottom of the Screen INCLUDED INCLUDED

 

WEBCAST LABOR/SERVICES          

Professional Program Lead Producer   INCLUDED    INCLUDED 

 
Professional Streaming  $750.00    N/A 
Host return feed (slides, video through webcam source) - $150 savings   INCLUDED    INCLUDED 
Proactive Loop Feedback Live Technical Support (up to 5,000 attendees) ($1000 Attendee Level > 5000)   INCLUDED    INCLUDED 
Backup Audio Phone Presenter Support Line (Domestic) - $500 savings   INCLUDED    INCLUDED 
On-Demand Reporting (INCLUDED, additional customer reports $500+)   INCLUDED    INCLUDED 
TOTAL  $6,000.00   $3,550.00 

 

 
 

 

Live Streaming Additional Attendance Fees

Discounted Tier Pricing for additional Users* “Stream Cost” Over 180 TBD*

 

USERS   90 minutes   120 minutes   150 minutes   180 minutes 
 2,000    (included)   $500.00   $750.00   $950.00 
 5,000   $2,000.00   $2,666.00   $3,333.20   $4,000.00 
 10,000   $4,000.00   $5,332.00   $6,666.40   $8,000.00 
 20,000   $8,000.00   $10,664.00   $13,332.80   $16,000.00 
 30,000   $12,000.00   $15,996.00   $19,999.20   $24,000.00 
 40,000   $16,000.00   $21,328.00   $26,665.60   $32,000.00 
 50,000   $20,000.00   $26,660.00   $33,332.00   $40,000.00 

 

2.XYVID CPE Program and Special Version of the Xyvid Pro Platform

 

Certified Professional Education (CPE)

 

XYVID Pro Video Full Serve Webcast Fees

Full Serve Webcast Fees up to 2000 Users for 90 minutes

 

WEBCAST STREAM  VIDEO   AUDIO 
Video/Audio Web Broadcast – Via Google Hang, Zoom, SIP Video of Live Cam  $5,250.00   $3,550.00 
Standard Registration (First Name, Last Name, Email) 1 year Archive, Reporting          
Custom Registration System details/costs – see additional program types and services.          
Standard Engagement Tools Included (Up to 15 Units Total of the Below Tools)          

 

15 units of any standard engagement are included.    
Each additional 5 standard engagement items are billed at $650/per.    
Action Center – Moderated Q&A, Technical Support Chat, Downloadable Docs INCLUDED INCLUDED
WordCloud – One-Word Answer Live Polling and Display INCLUDED INCLUDED
Polling – Multiple Choice, Multiple Answer, and Drag-Drop Ranking INCLUDED INCLUDED
Speaker Bio – Picture and Text Displayed During Program INCLUDED INCLUDED
Pulse – Audience Topic Response Throughout the Presentation INCLUDED INCLUDED
Ticker Tape – Feed a Stream of Any Text at the Bottom of the Screen INCLUDED INCLUDED

 

WEBCAST LABOR/SERVICES        
Professional Program Lead Producer   INCLUDED    INCLUDED 
Professional Streaming/CPE Timing Technician  $1250.00   $1250.00 
Host return feed (slides, video through webcam source) - $150 savings   INCLUDED    INCLUDED 
Proactive Loop Feedback Live Technical Support (up to 5,000 attendees) ($1000 Attendee Level > 5000)   INCLUDED    INCLUDED 
Backup Audio Phone Presenter Support Line (Domestic) - $500 savings   INCLUDED    INCLUDED 
On-Demand Reporting (INCLUDED, additional customer reports $500+)   INCLUDED    INCLUDED 
CPE DETAILS          
Certificate Generation at the end of each program including 5-year retention  $1,800.00   $1,800.00 
Third Party LIVE CPE Program Verification Fee - Pass Through - $700/hour, minimum 2 hours  $1,400.00   $1,400.00 
TOTAL  $9,700.00   $8,000.00 

 

Live Streaming Additional Attendance Fees

Discounted Tier Pricing for additional Users* “Stream Cost” Over 180 TBD*

 

USERS   90 minutes   120 minutes   150 minutes   180 minutes 
 2,000    (included)   $500.00   $750.00   $950.00 
 5,000   $2,000.00   $2,666.00   $3,333.20   $4,000.00 
 10,000   $4,000.00   $5,332.00   $6,666.40   $8,000.00 
 20,000   $8,000.00   $10,664.00   $13,332.80   $16,000.00 
 30,000   $12,000.00   $15,996.00   $19,999.20   $24,000.00 
 40,000   $16,000.00   $21,328.00   $26,665.60   $32,000.00 
 50,000   $20,000.00   $26,660.00   $33,332.00   $40,000.00 

 

 
 

 

3. XYVID Self-Study Platform

 

SELF STUDY CREATION          
             
WEBCAST LABOR/SERVICES          
  Broadcast Room Creation & Setup  $500.00   $500.00 
  Archive Creation from the Original Live Program to Link with LMD - 1 Year Hosted  $750.00   $750.00 
  *Professional Editing - 2 hours @ $350  $700.00   $700.00 
  *Professional services (editing, custom HTML engagement) – 2 hours @ $350  $700.00   $700.00 
  Rush fees included in additional services below.          
             
SELF STUDY SERVICES (Original broadcast not hosted by XYVID)          
  Conversion of Slide Transition, Screen Movement and Timing  $1,250.00   $1,250.00 
  Rendering of Video Content from Production  $750.00   $500.00 
             
CPE DETAILS          
 

  New Certificate Generation and Cornerstone Package Generation – including 5-year retention  $1,800.00   $1,800.00 
  Post Event Scoring and Testing Results Link to Cornerstone System  $1,000.00   $1,000.00 
  Transcription Services  $350.00   $350.00 
  Third Party SELF STUDY CPE Program Verification Fee - Pass Through  $2,250.00   $2,250.00 
             
Extension of CPE Self-study (+1 year) – fees applied annually.          

Renewal of self-study course - archive extension linking with Vantage, 1 Year (XYVID fees)  $750.00   $750.00 
Renewal of self-study course - post-event scoring including reporting (XYVID fees)  $1,000.00   $1,000.00 
Renewal of self-study course - additional year of enduring content retention/cert generation (XYVID fees)  $800.00   $800.00 
Renewal of self-study course (Madray fees)  $1,250.00   $1,250.00 
             
Priority Services (Rush Self Study Requests)          

Priority Service (Rush Request), transcription  $475.00    per hour 
Priority Service (Rush Request), self-study (Madray fees)  $1,750.00   $1,750.00 
Priority Service (Rush Request), self-study (XYVID fees)  $1,000.00   $1,000.00 

 

4.XYVID Support Services

 

  Proactive Feedback Loop Tech Support (Over 5000)  $1,000.00   $1,000.00 

 

5.XYVID Hosted Programs

 

Custom Archive/On-Demand Package

 

Rendering of Video Content from Production  $750.00   $500.00 
Conversion of Slide Transition, Screen Movement and Timing  $1,250.00   $1,250.00 
Video Edits and 1 Round of Changes/Modifications  $750.00   $500.00 
1 Year of Event Hosting  $500.00   $500.00 
Broadcast Room Creation  $500.00   $500.00 

 

Simulated Live Production Services

 

XYVID Pro VIDEO/AUDIO – Full-Serve Webcast Fees (See Above)  $5,250.00   $3,550.00 
Professional Streaming (Non-CPE)  $750.00    N/A 
Professional Streaming/CPE Timing Technician  $1,250.00   $1,250.00 
Video and Audio Playback Equipment  $450.00   $450.00 
Video Edits and 1 Round of Changes/Modifications  $450.00   $450.00 
Live Presenter Q&A Switchover from Pre-Record (optional)  $450.00   $450.00 

 

Additional Program Services

 

     VIDEO   AUDIO 
Advanced Engagement Tools        
Social Integration – include Facebook, Twitter, or LinkedIn Feeds  $650.00   $650.00 
Gaming – Compete for Hi-Score Individually or in Teams  $900.00   $900.00 
Custom Web Panel – Slide in any Web Page to show your audience  $400.00   $400.00 
Live Secondary Stream Additional Attendance Video Fees 90 mins - 1500 (ASL)  $1,000.00      
In Platform Survey – Multiple Choice, Ranking and Open Text Non-CPE only  $400.00   $650.00 
Integration of 3rd party software/engagement (dev/creative services)  $350.00   $350.00 
Additional 5 Unit Pack of Standard Engagement Tools  $650.00   $650.00 
Mobile Device Q&A – Web-Based Q&A System  $500.00   $500.00 

 

Custom mobile-friendly website that allows participants to submit polls or Q&A to moderator outside of the player window. Used primarily in group participation event, so that individuals can connect without logging in.

 

 

 
 

 

Custom Registration System

 

Creation of Basic Landing Page – CPE course information, no custom emails  $1,000.00   $1,000.00 
Direct copy of basic CPE landing page/maintenance for multiple events (no emails)  $600.00   $600.00 
Custom Registration System  $2,500.00   $2,500.00 
Additional email template (3 included)  $250.00   $250.00 
Registration Source Tracking Code  $500.00      
Maintenance of Branded Registration System  $1,000.00   $1,000.00 
3 rounds of edits, included (each additional at $350/hour)  $350.00   $350.00 
Creation of Additional Custom Email for one-time deployment  $150.00   $150.00 

 

Captioning/Transcription

 

Closed Caption Dictation per 90 mins (Live Program Only)  $450.00   $450.00 
Additional languages (AI generated)  $50.00   $50.00 
Transcription Services  $350.00    per hour 
Priority Service (Rush Request), transcription  $475.00    per hour 
Captioning overlay/subtitles on video  $1,450.00   $1,450.00 
Custom Web Panel – Captioning menu and ASL player page  $400.00   $400.00 

 

Professional Services

 

Priority Service (Rush Request), scheduling or registration  $500.00      
Professional Services (Editing, Add Slide, Timings, etc.) 2 hours @ $350  $350.00    per hour 
Professional development hours (min of 4 hours) ($500/hour)  $2,000.00   $2,000.00 
Programming, disabling CPE certification generation, and custom CPE reports, for [*]-sponsored CPE  $1,050.00   $1,050.00 
Disable tab in Action Center (1 hour of professional services)  $350.00   $350.00 
Testing (load testing and other technical testing), includes labor   TBD 
Custom Reporting (Starting at $500)  $500.00 
Custom Reporting (> 2 Hours Dev or if additional professional services)  $350.00    per hour 

 

Additional Services

 

Program Video File MP4 of the Program  $600.00     
Program Audio MP3/M4a of the Program       $150.00 
Additional 1 Year of Event Hosting  $500.00      
Online Walk-Through (per hour after first – included)  $450.00      
International Conference Call per line, per 30 mins (up to 500 lines)  $3.00      

 

XYVID Pro Virtual Studio Package

 

Virtual Studio Package: Signal Acquisition & Seamless Switching; with layout design

 

     VIDEO   AUDIO 
         N/A 
Video Bridge Technician  $750.00     
Technical Director  $1,000.00      
Show Mixing Package          
Video & Audio Mixing Hardware  $1,500.00      
Video Playback Hardware  $450.00      
Graphic Overlay Generator  $700.00      
Presenter Multiview   INCLUDED      
Signal Acquisition (up to 4)          
Dedicated Source Machine per feed  $1,000.00      
Video Capture per feed          
Fee per each additional signal acquisition after 4 ($250)        TBD 
  TOTAL      $5,400.00 

 

XYVID Pro VIDEO/AUDIO – On-Site Studio Fees all programs

 

EQUIPMENT          
Primary and Backup Streaming Hardware (on-site)  $1,500.00   $1,500.00 
Control Laptops - Primary and Backup Host, Moderator, Streaming (on-site)   INCLUDED    INCLUDED 
Audio/Video playback equipment (Simulated live only)  $450.00   $450.00 
Travel, Hotel, Board, Per Diem   TBD    TBD 
On-Site Dry Run Day Before is 50% Stream Plus Actuals   TBD    TBD 

 

 
 

 

A.Invoicing and Payment Terms

 

Invoice Schedule. Fees will be billed after the successful completion of each webcast event and payable in accordance with the Agreement. Payment of fees shall be in arrears. One invoice will be submitted by Provider to [*] on a monthly basis for the events provided in the previous thirty days.

 

Method of Invoice

Invoices will be submitted by Provider to [*] as follows:

By email as an excel spreadsheet with details provided by [*] and sent to (i) if invoice is a purchase order, [*] or (ii) if invoice is a non-purchase order, [*].

 

B.Expenses – Not Applicable

 

C.Not-To-Exceed Amount. In no event will Provider invoice [*] for, and in no event will [*] be liable for, amounts (including all fees and expenses) under this Order in excess of $6,000,000.00. In the event that the parties anticipate exceeding this amount, an amendment to this Order must be signed by the parties prior to incurring any additional Fees.

 

6.Configuration Services. Not Applicable
7.Training Services. Not Applicable
8.Additional Services. Not Applicable.

 

 
 

 

IN WITNESS WHEREOF, the partners hereto have executed this order as of the Order Effective Date.

 

[*]     Xyvid, Inc.
Signature: [*]   Signature:
Date: Oct 11, 2023   Date: Oct 9, 2023
Printed Name: [*]   Printed Name: Randy Jones
Title: [*]   Title: CEO

 

 

 

 

SOFTWARE-AS-A-SERVICE AGREEMENT

 

This Software-as-a-Service Agreement (“Agreement”) is entered into as of August 7, 2018 (“Effective Date”) by and between Xyvid, Inc. (“Provider”), a Pennsylvania corporation with principal offices located at 1170 Wheeler Way, Langhorne, PA 19047, and [*] (“[*]”).

 

A. Provider is in the business of providing software and related services regarding webcasting hosted application and conferencing solution.

 

B. [*] desires to obtain from Provider, and Provider is willing to provide to [*] and its Affiliates, certain rights to access and use the Offering as described in and in accordance with this Agreement.

 

In consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows.

 

1. Definitions. Capitalized terms used in this Agreement have the following meanings unless defined elsewhere in the Agreement.

 

1.1 “Adoption Agreement” means a separate local adoption agreement, substantially in the form set forth in Exhibit I, that is entered into between Provider (or an Affiliate of Provider) and a Network Firm other than [*] or its Affiliates (or an Affiliate of such Network Firm) and that incorporates the provisions of this Agreement and any variations to such provisions to which such parties may agree.

 

1.2 “Affiliate” means, with respect to a party, an entity that directly or indirectly controls, is controlled by, or is under common control with that party; where “control” means the direct or indirect ownership of at least fifty percent (50%) of the then-outstanding voting shares or equity interests of that party, or the power to direct or cause the direction of the management and policies of that party, whether by contract or otherwise; but only for so long as such control relationship exists.

 

1.3 “Background Technology” means, with respect to an entity, all Technology that is owned, invented, developed, or obtained by that entity either (a) before the Effective Date or (b) during the Term, but independently outside the scope of the activities contemplated by this Agreement and without reference to the Confidential Information of the other party.

 

1.4 “Client” means an entity that has engaged a [*] Entity to provide [*] Services.

 

1.5 “Confidential Information” with respect to a disclosing party, means all non-public information, data and material disclosed by such disclosing party to the receiving party (in whatever form) that is marked or described as, or provided under circumstances reasonably indicating it is, confidential or proprietary. Without limiting the generality of the foregoing, as between the parties: (a) Provider’s Confidential Information includes the Offering, and the confidential data, materials, or source code associated therewith; and (b) [*]’s Confidential Information includes all [*] Data and all non-public information, data and materials (technical, business and otherwise) related to any [*] Entity or any Client, and any reports, results and outputs generated through use of the Offering by or for [*] Entities and Clients.

 

1.6 “Documentation” means documentation, user manuals, help guides, and other explanatory materials regarding the Offering, including materials that describe or support the use of the Offering, whether in printed or electronic form.

 

1.7 “Intellectual Property Rights” means all copyrights, patents, rights with respect to trademarks, service marks, and trade dress, trade secret rights, rights in domain names, rights with respect to databases and other compilations and collections of data or information, publicity and privacy rights, rights with respect to personal information, and other intellectual and industrial property rights anywhere in the world, whether statutory, common law or otherwise.

 

 

 

1.8 “Network Firm” means any of the following: (a) an entity that has executed a written participation agreement with [*] or a Name License Agreement with the [*] Business Trust; (b) an entity that has executed an agreement with any entity described in clause (a) for the purpose of participating in [*]; and (c) any Affiliate of the foregoing.

 

1.9 “Offering” means the Software, as hosted by Provider, together with its Documentation, associated offline components, and related Services.

 

1.10 “Order” means a written order, in the form set forth in Exhibit A, that the parties may enter into from time to time under this Agreement as described in Section 2.1, setting forth the Offering to be provided by Provider, the subscription term start date, the subscription term end date, any configuration, training or other services to be provided by Provider, any applicable fees, and such other terms as the parties may agree related to the transactions contemplated by this Agreement.

 

1.11 “[*] Data” means any and all information, data, and materials that are (a) uploaded, submitted, posted, transferred, transmitted or otherwise provided or made available by and on behalf of a [*] Entity, Client, or User for processing by or through the Offering; or (b) collected, downloaded or otherwise received by Provider or the Offering for a [*] Entity, Client, or User pursuant to this Agreement (including any Order or SOW), or at the written request or instruction of a [*] Entity, Client, or User. All output, copies, reproductions, improvements, modifications, adaptations, translations and other derivative works of, based on, derived from or otherwise using any [*] Data are themselves also [*] Data. For clarity, [*] Data includes the information, data and materials of Clients.

 

1.12 “[*] Entities” means [*] and its Affiliates.

 

1.13 “[*] Services” means the ordinary business activities of a [*] Entity, including providing consulting or other services to Clients.

 

1.14 “Services” means the various services provided or to be provided by Provider under this Agreement, including the services described in Section 3.

 

1.15 “Software” means the compiled code versions of the software programs described in the applicable Order, which will be hosted by Provider and provided as part of the Offering. Software includes all Updates thereto.

 

1.16 “SOW” means a statement of work (in the form to be agreed upon by the parties) executed by the parties from time to time during the Term, pursuant to which Provider will provide certain professional services as described in the SOW and this Agreement.

 

1.17 “Subcontractor” means any third party to whom Provider delegates provision of any portion of the Offering or Services, and includes any individual who provides any services relating specifically to the Offering or the Services to be provided under this Agreement who is not an employee of Provider under applicable law.

 

1.18 “Subscription Term” means the period commencing on the subscription term start date and ending on the subscription term end date, as set forth in the applicable Order and subject to renewal as set forth in Section 4.2.

 

1.19 “Technology” means information, know-how, trade secrets, data, works of authorship and other creations, ideas, databases, compilations, inventions, developments, software, firmware, and other computer programs (in source code, object code or any other format), documentation, technical information, specifications, configuration information, designs, plans, drawings, artwork, writings, schematics, documents, memoranda, notes, working papers, reports, methods, procedures, concepts, techniques, protocols, formulae, algorithms, systems, elements, components, subsystems, devices, equipment and other hardware, domain names, and other technology.

 

1.20 “Term” has the meaning given in Section 5.1.

 

 

 

1.21 “Updates” means all error corrections, bug fixes, security patches, updates, upgrades, revisions, versions, minor releases (e.g., 0.x), major releases (e.g., x.0), new releases, and other modifications, improvements, fixes or additions to the Software or other part of the Offering.

 

1.22 “User” means an individual permitted or authorized by a [*] Entity to use the Offering.

 

1.23 “Work Product” means deliverables, work product and Technology that are developed or created by Provider and its personnel, solely or working jointly with others under an Order or SOW, but excluding each party’s Confidential Information and Background Technology.

 

2. General; License and Restrictions; Access Credentials

 

2.1 General. Provider will provide the Offering set forth in the Order attached to this Agreement as Exhibit A. From time to time, the parties may enter into one or more additional Orders, each of which will be substantially in the form set forth in Exhibit A and will set forth the applicable Offering to be provided by Provider, the subscription term start date, the subscription term end date, any configuration, training or other services to be provided by Provider, any applicable fees, and such other information as the parties may agree. Upon execution by both parties, each Order will form a part of (and be subject to the terms and conditions of) this Agreement. In addition, the parties may from time to time enter into one or more SOWs (to be consecutively numbered), each of which will set forth a description of the project and professional services to be provided by Provider, the estimated schedule, any applicable fees, any applicable specifications and other requirements, and such other information as the parties may agree. Upon execution by both parties, each SOW will form a part of (and be subject to the terms and conditions of) this Agreement. Either party may propose changes to a project or any services to be provided under an SOW (a “Change”). Such proposed Change will not bind either party unless and until it has been agreed upon in writing by both parties in accordance with this Section 2.1. To propose a Change, a party will deliver a written proposal (“Change Order Proposal”) to the other party specifying (a) the proposed Change and its objective or purpose, (b) the requirements or specifications of the project or services to be performed pursuant to such Change, (c) the requested prioritization and schedule for such Change, and (d) the effect, if any, of such Change on the fees payable under such SOW. 
The parties will then discuss such Change Order Proposal in good faith and, if both parties wish to make such Change, either party may issue to the other party a written proposed amendment to the SOW embodying such Change, which, if executed by both parties, will be deemed to supplement or modify, as applicable, the terms and conditions of the applicable SOW. If there is any conflict between an Order or SOW and the terms and conditions of the main body of this Agreement, then the terms and conditions of the main body of this Agreement will govern, except to the extent that the Order or SOW expressly states that it modifies any specified provisions in the main body of this Agreement, in which case such modified provisions will control with respect to such Order or SOW.

 

2.2 Delivery. Starting on the subscription start date indicated on the applicable Order and during the Subscription Term, Provider will make the Software available to the [*] Entities and their respective Users on a hosted “as-a-service” basis at the URL set forth in the applicable Order or otherwise agreed upon by the parties. Provider will deliver or otherwise make available Documentation to each [*] Entity. If Provider discontinues marketing (or ceases to make commercially available) the Offering or the Software but designates a new offering or software as a replacement, then [*] will be entitled to access and use the replacement as an Update under this Agreement.

 

2.3 License. Provider hereby grants the [*] Entities a non-exclusive, fully paid (after the applicable undisputed payment is received), royalty-free, sublicenseable (to any other Network Firm), worldwide license during the Subscription Term to (and to permit Users to):

 

(a) Access and use the Offering, subject to any usage metrics set forth in the Order, for use in connection with their business operations.

 

(b) Access, use, reproduce, excerpt, translate, adapt, modify, prepare derivative works based upon (including by incorporating into other materials), display, distribute, and disseminate the Documentation (or excerpts, translations, and derivative works thereof) as reasonably necessary to support use of the Offering.

 

 

 

The foregoing license includes access and use of the Offering by Clients and their Users, subject to any usage metrics set forth in the applicable Order.

 

2.4 Restrictions. Except as otherwise provided in this Agreement or permitted by applicable law, the [*] Entities may not (and will not knowingly allow unauthorized third parties to): (a) derive or attempt to derive the source code underlying the Offering by reverse engineering, disassembly, decompilation, or any other means, except as permitted by applicable law to achieve interoperability; (b) modify or make derivative works of the Software or Documentation; or (c) remove, alter, or modify any proprietary notices on the Offering (including copyright and trademark notices); (d) sell, distribute, sublicense, rent, lease, assign, pledge, or otherwise make the Offering available to any unauthorized third party; (e) attempt to gain unauthorized access to the Offering or its related systems or networks; or (f) use the Offering in a manner that could be reasonably anticipated to interfere with, degrade, or disrupt the integrity or performance of Provider’s technologies, services, systems or offerings.

 

2.5 Access Credentials. Provider will provide [*] instructions to enable each User to register to receive access credentials through which the User can access and use the Offering. [*] Entities may notify Provider from time to time that an individual is no longer an authorized user (e.g., if an individual ceases employment), in which case Provider will terminate access to the Offering under that individual’s access credentials. In connection with normal personnel activities and practices (e.g., if an individual ceases employment, is promoted, is removed from a particular client project, etc.), [*] Entities may reassign Offering usage to a replacement User, provided that the reassignment is not undertaken for the primary purpose of avoiding any applicable per-User fees.

 

3. Services

 

3.1 Configuration, Training, and Other Professional Services. Provider will provide: (a) all reasonable and timely assistance in configuring the Software, including as may be set forth in any Order or SOW; (b) training related to the Offering as may be set forth in any Order or SOW; and (c) any other professional services as may be set forth in any Order or SOW.

 

3.2 Hosting. During the Subscription Term, Provider will host, manage and operate the Software for remote electronic access and use by Users, and will at all times meet the service levels set forth in Exhibit B.

 

3.3 Support and Maintenance. During the Subscription Term, Provider will provide support and maintenance services for the Offering as set forth in Exhibit C. As part of these services, Provider will apply Updates as soon as commercially practicable.

 

4. Financial and Payment Terms

 

4.1 Fees. In consideration of the license to the Offering and Provider’s provision of the Services contemplated by this Agreement, [*] will pay the amounts set forth in the Order (or any SOW) in accordance with the terms set forth in this Section 4. Payment will be made in US Dollars within sixty (60) days of receipt of an undisputed invoice. [*] may make payments by any reasonable means, including ACH, wire transfer, or check. For each invoice submitted pursuant to this Agreement, Provider will include the appropriate contract identification number (if any) set forth in this Agreement. Invoices that do not include the number will be returned, unpaid, for correction and resubmission.

 

4.2 Renewals. [*] may extend the Subscription Term of the applicable Order for 3 years (at applicable fees to be agreed to by the parties) by written notice to Provider prior to the end of the then-current Subscription Term.

 

4.3 Expenses. Subject to the terms set forth in this Section 4, Provider may invoice [*] for reasonable out-of-pocket expenses that are within the guidelines set forth in Exhibit D and are necessarily and actually incurred in the performance of the Services, but only if [*] has approved such expenses in writing and has provided supporting documentation. Provider acknowledges and agrees that necessary travel must be via coach or economy class and that lunch expenses are not reimbursable by [*]. To avoid doubt, [*] will not reimburse Provider for expenses that [*] has not pre-approved in accordance with this Section or for which supporting documentation is not submitted, or for amounts not invoiced within ninety (90) days of the date on which it is incurred.

 

4.4 Not To Exceed. Provider’s aggregate fees and expenses will not exceed the “Not-To-Exceed Amount” that may be set forth in the applicable Order (or SOW) without [*]’s prior written consent. Except as expressly set forth in this Agreement, each party will bear all of its own costs and expenses in connection with or arising under this Agreement.

 

4.5 Disputed Amounts. If there is a good faith dispute with respect to any portion of an invoice, [*] will use reasonable efforts to provide Provider with written notice detailing the dispute (“Dispute Notice”) within sixty (60) days of receipt of the applicable invoice. If [*] provides Provider with a Dispute Notice, then [*] may withhold the disputed amount but will pay the undisputed portion as provided in this Agreement. The parties will attempt in good faith to resolve any disputes promptly and will devote sufficient resources to that end. Any unresolved dispute will be resolved in accordance with Section 17.6. Provider will continue to provide the Offering and perform the Services in full pending final resolution of any dispute, unless otherwise requested by [*]. In no event will [*] be deemed in breach of this Agreement for withholding payment of amounts subject to a good faith dispute; provided, however, the parties shall agree to resolve the dispute in accordance with Section 17.6 if payment is withheld for more than one hundred and twenty (120) days from receipt of invoice.

 

5. Term and Termination

 

5.1 Term. This Agreement will commence on the Effective Date and continue in full force and effect until the end of the last Subscription Term, unless earlier terminated in accordance with this Section 5 (such period, the “Term”).

 

5.2 Termination For Breach. Either party may terminate this Agreement or any SOW or Order by providing written notice to the other party if the other party materially breaches its obligations under this Agreement (or the particular SOW or Order) and such breach is not cured within thirty (30) days after receipt of written notice of the breach.

 

5.3 Termination For Insolvency/Bankruptcy. Either party may terminate this Agreement upon sixty (60) days’ written notice to the other party after (i) the commencement of any involuntary case in respect of the other party or any substantial part of its properties under any bankruptcy laws, (ii) the commencement by the other party of a voluntary case under any bankruptcy law, (iii) the consent by the other party to the appointment by a receiver, liquidator, assignee, trustee, custodian, or other similar official for taking possession of the other party or any part of its properties material to the subject matter of this Agreement, or (iv) the other party ceases or threatens to cease to carry on business as a going concern.

 

5.4 Termination For Convenience. [*] may terminate this Agreement or any SOW or Order for its convenience upon thirty (30) days’ prior written notice to Provider. Provider may terminate this Agreement upon thirty (30) days’ prior written notice to [*] if the parties are unable to resolve disputes relating to non-payment by [*] pursuant to Sections 4.5 and 17.6 of the Agreement.

 

5.5 Termination For Independence Issues. [*] may immediately terminate this Agreement without penalty or liability: (a) if continuing to perform under this Agreement could, in [*]’s sole and absolute judgment, result in [*]’s noncompliance with any applicable law, rule or regulation, or any regulatory guidance, professional standard, or self-regulatory rule or policy, in each case as in effect from time to time; or (b) upon the occurrence of an event that, in [*]’s sole and absolute judgment, causes or would be likely to cause [*] or any Network Firm not to be “independent” as required by any law, rule, regulation, regulatory guidance, professional standard, or self-regulatory rule or policy relating to independence.

 

5.6 Effect of Termination (General). Subject to Section 5.7 and Section 5.8, upon any expiration or termination of this Agreement (or of a particular SOW, in which case only clauses (d), (e) and (f) will apply to the extent applicable to the Services and Confidential Information relevant to that SOW); or of a particular Order, in which case the applicable Subscription Term of that Order will immediately end and only clauses (c), (e) and (f) will apply to the extent applicable to the Offering relevant to that Order:

 

(a) the Term and any applicable outstanding Subscription Term will immediately end;

 

(b) any outstanding SOWs will immediately terminate;

 

(c) the [*] Entities’ rights to use (and allow use of) the Offering will end;

 

(d) amounts due for Services performed and accepted prior to the expiration or termination date will become due and payable;

 

(e) any amounts prepaid by [*] for the terminated portion of the Offering or Services will be refunded; and

 

(f) subject to any applicable law, rule or regulation, the receiving party will return or destroy as directed by the disclosing party all documents and other embodiments (whether in tangible, electronic or other form) that contain or constitute Confidential Information of the disclosing party, except to the extent necessary for each party to continue to exercise its surviving rights under this Agreement and subject to Section 5.8.

 

5.7 Transition Assistance. Upon any termination of this Agreement, except where Provider has terminated this Agreement for [*]’s breach under Section 5.2, if requested by [*] (in writing), Provider will (for a period not to exceed ninety (90) days):

 

(a) continue to make the Offering available to the [*] Entities and Users;

 

(b) complete any Services or Work Product set forth in an Order or SOW (in exchange for the fees outlined therein); and

 

(c) provide reasonable cooperation and assistance to [*] in transitioning to a replacement offering or service. This cooperation may include: providing [*] with specifications for hardware, software or other equipment; providing limited training to [*] personnel regarding processes and operations; answering questions regarding the services on an “as-needed” basis; and delivering any remaining [*]-owned reports and documentation relating to the terminated Services.

 

For clarity, if Provider has terminated this Agreement for [*]’s breach under Section 5.2, this Section 5.7 will not apply.

 

5.8 Data Retention Period. Upon any expiration or any termination of this Agreement, and upon [*]’s written request, Provider will continue to retain the [*] Data, or such specific databases or other collections or articles of [*] Data as [*] may request, as though this Agreement were still in effect, for a period to be agreed to by the parties in writing, but in no event shorter than ninety (90) days after the expiration or termination date. Immediately upon the conclusion of this period (or upon [*]’s request, if earlier), Provider will return such [*] Data to the information technology infrastructure, including the computers, software, databases, electronic systems (including database management systems), and networks, of [*] or any of its designees (collectively, “[*] Systems”), taking all steps required or reasonably requested to assist [*] and any of [*]’s designees in migrating such [*] Data to the [*] Systems in both Provider’s data format and a platform-agnostic format. If [*] requests delivery of [*] Data, Provider will not withhold the [*] Data for any reason.

 

5.9 Survival. The following Sections will survive any expiration or termination of this Agreement: 5.6, 5.7, 5.8, 5.9, 6.3, 7 (in accordance with its terms), 8, 9, 10, 11, 14 (in accordance with its terms) and 17.

 

6. Ownership and Intellectual Property Matters

 

6.1 Provider. As between the [*] Entities and Provider, Provider owns and will retain all right, title, and interest (including all Intellectual Property Rights) in and to Provider’s Confidential Information and Background Technology, including (for clarity) the Offering, Software, and Documentation.

 

6.2 [*] Entities. As between the [*] Entities and Provider, the [*] Entities own and will retain all right, title, and interest (including all Intellectual Property Rights) in and to the [*] Entities’ Confidential Information, Background Technology, and [*] Data, including as may be embodied in or associated with any [*] Services.

 

6.3 Work Product

 

(a) General. Except as may be otherwise provided in the Order or the applicable SOW, [*] will have exclusive, unlimited ownership rights to any and all Work Product, whether fully completed or otherwise. All Work Product will be deemed to be vested in and owned by [*] at the time of creation. To the extent that ownership of any Work Product vests in Provider, Provider hereby assigns to [*] all right, title and interest in and to all Work Product (and Intellectual Property Rights in and to Work Product), and waives any and all moral rights in Work Product to which it may now or in the future be entitled under the laws of any jurisdiction. Further, Provider hereby grants and agrees to grant to the [*] Entities a perpetual, irrevocable, fully paid, royalty-free, transferable, sublicenseable, nonexclusive, worldwide right and license to use, reproduce, distribute, display and perform (whether publicly or otherwise), prepare derivative works of and otherwise modify, and otherwise exploit any of Provider’s Background Technology that is reflected in, embodied or incorporated into, or otherwise necessary to use the Work Product, and to have such rights practiced by third parties on the [*] Entity’s behalf, and to practice any Intellectual Property Rights owned or controlled by Provider in connection with any of the foregoing activities.

 

(b) Further Assurances. Provider agrees to take or cause to be taken such further actions, execute, deliver and file or cause to be executed, delivered and filed such further documents and instruments, obtain such consents as may be reasonably required or requested by [*], and cooperate with [*] or its designees in applying for, obtaining, perfecting, evidencing, sustaining or enforcing [*]’s rights in and to the Work Product. Provider hereby irrevocably appoints [*], and its designees, as an attorney in fact to act for and on Provider’s behalf and instead of Provider, with the same legal force and effect as if executed by Provider, with respect to such activities.

 

(c) Evaluation and Acceptance. Work Product will only be deemed accepted if accepted in writing by [*]. Unless otherwise agreed in writing by the parties, the following acceptance procedure will apply to Work Product provided by Provider to [*] (any such item, a “Review Item”):

 

(i) After the Review Item is made available to [*], [*] will have a reasonable period to review and evaluate the Review Item to determine whether it meets the specifications and requirements specific to it.

 

(ii) After completion of its review and evaluation, [*] will notify Provider of its acceptance or rejection of the Review Item. If [*] rejects the Review Item, [*] will identify the defect, error, or failure to meet the applicable specifications and requirements in reasonable detail and will provide a reasonable period for Provider to make any necessary corrections, repairs and modifications.

 

(iii) Following rejection of the Review Item, Provider will make any necessary corrections, repairs and modifications within the correction period. This process will repeat until the Review Item is accepted by [*] in writing. If [*] does not accept the Review Item after Provider’s second or subsequent attempt to make any necessary corrections, repairs and modifications thereof, or Provider fails to correct the Review Item within the correction period, [*] may, in its sole discretion, by written notice to Provider, deem the failure to be a non-curable material breach of this Agreement and terminate this Agreement pursuant to Section 5.2.

 

(iv) [*] may condition any acceptance upon Provider’s agreement to correct any requirements specific to the Review Item, and such correction will be subject to [*]’s further review and evaluation as set forth above. [*]’s acceptance of any Review Item will not constitute a waiver of any right or remedy it may have under this Agreement.

 

6.4 Limited License to Use [*] Data. Subject to the terms and conditions of this Agreement, the [*] Entities hereby grant Provider a limited, royalty-free, fully paid, non-exclusive, non-transferable and non-sublicenseable license during the Term to ingest and process [*] Data in the United States as instructed by the applicable [*] Entity (or Client, if authorized by the applicable [*] Entity), and solely as necessary to provide the Services for the benefit of the [*] Entity (or Client, if applicable) as provided in this Agreement, and solely for so long as the [*] Entity, Client (if applicable), or User uploads or stores such [*] Data for processing by or on behalf of Provider through the Software. If [*] requests that Provider delete [*] Data that is stored on the Offering, Provider will comply with such request within thirty (30) days (and after such request, Provider will handle the applicable [*] Data only to execute such deletion process).

 

6.5 Reservation of Rights. Each party reserves all rights in and to such party’s Intellectual Property Rights that are not explicitly granted under this Agreement. The foregoing does not alter or limit the parties’ rights and obligations under any other agreement between them.

 

6.6 Freedom of Action. This Agreement is a nonexclusive arrangement and does not create any exclusivity of any nature between the parties. Subject to the obligations under this Agreement (e.g., confidentiality), nothing in this Agreement prevents any [*] Entity from creating, developing, licensing or acquiring any materials or services similar to those provided by Provider under this Agreement (including the Offering or any part thereof), and nothing in this Agreement prevents Provider from providing services or offerings to third parties.

 

7. Confidentiality

 

7.1 Limitations on Use and Disclosure. Each party will use the other party’s Confidential Information only for the purpose of exercising its rights and fulfilling its obligations under this Agreement or as required by applicable law or professional standard, and will not disclose such Confidential Information to third parties except to the extent necessary to exercise its rights and fulfill its obligations under this Agreement or as required by applicable law or professional standard. Each party may disclose the other party’s Confidential Information to its and its Affiliates’ employees, agents and consultants (and in the case of Provider, to Subcontractors), but only if such employees, agents or consultants (and Subcontractors) have a legitimate need to know such information in connection with this Agreement, are bound by confidentiality obligations at least as restrictive as those set forth herein, and periodically receive information security and data protection training. Each party will use the same degree of care and discretion (but in any event no less than a reasonable degree of care and discretion) to avoid unauthorized disclosure or use of the other party’s Confidential Information as that receiving party uses to protect its own information of a similar nature from unauthorized disclosure or use.

 

7.2 Exclusions. Without granting any right or license, the parties agree that no obligation of nondisclosure or nonuse under this Agreement will apply to information, data or materials that (a) is or becomes generally available to the public other than by breach of this Agreement, (b) the recipient already rightfully possesses at the time of the disclosure, without any obligations of nondisclosure or nonuse to the disclosing party, (c) is rightfully received from a third party without any obligations of nondisclosure or nonuse to the disclosing party, or (d) is independently developed by the recipient without use of or reference to the disclosing party’s Confidential Information. In addition, each party may disclose the other party’s Confidential Information (i) in confidence to its attorneys, auditors, accountants, insurers, and other professional advisors, in each case who have a legitimate business need to receive such information, data or materials; and (ii) to the extent required by applicable law (including any subpoena or other similar form of process), professional standards or any government authority, and subject to providing the other party prompt notice thereof and fully cooperating with attempts to prevent or limit such required disclosure. With respect to a tax audit, prior notice may not be provided; in such event, the parties will use commercially reasonable efforts to ensure that any Confidential Information of the other party that is subject to a valid request from the taxing authority is not subject to further disclosure by the taxing authority (e.g., by marking such information as a trade secret).

 

7.3 Equitable Relief. The parties acknowledge and agree that, due to the unique nature of Confidential Information, there can be no adequate remedy at law for any breach of the disclosing party’s confidentiality obligations under this Agreement, that any such breach or threatened breach will result in irreparable harm to the disclosing party. Accordingly, in the event of a breach or threatened breach of the confidentiality and related provisions in this Agreement, the disclosing party will be entitled to seek equitable relief, including injunctive relief without a requirement to post bond, in addition to whatever remedies it might have at law or under this Agreement.

 

7.4 Duration; Return of Confidential Information. The disclosing party’s obligations under this Agreement with respect to any particular item of Confidential Information received under this Agreement will survive for five (5) years after any termination of this Agreement. Except to the extent necessary for each party to continue to exercise its rights and perform its obligations under this Agreement or as required by applicable law or professional standard, at any time upon the other party’s request, the receiving party will return or destroy as directed by the disclosing party all documents and other embodiments (whether in tangible, electronic or other form) that contain or constitute Confidential Information of the disclosing party.

 

8. Personal Data

 

8.1 Data Protection Addendum. Provider will comply with the Data Protection Addendum set forth in the attached Exhibit H, which is hereby incorporated by reference.

 

9. Representations and Warranties; Disclaimer

 

9.1 Mutual. Each party hereby represents and warrants to the other party that: (a) it is duly organized and validly existing under the laws of the jurisdiction in which it was incorporated or organized; and (b) it has all requisite corporate power and authority to execute and deliver this Agreement and perform its obligations under this Agreement.

 

9.2 By Provider. Provider hereby represents, warrants and covenants that:

 

(a) Provider has and will retain the full and unencumbered right to provide the Offering, and the Offering (including Services and any Work Product) and other items provided by Provider (and the use thereof as contemplated by this Agreement) do not and will not infringe, misappropriate or otherwise violate the Intellectual Property Rights or other rights of any third party.

 

(b) Provider is not bound by any agreements, obligations or restrictions (and will not assume any obligation or restriction or enter into any agreement) that would interfere with its obligations under this Agreement, and the execution, delivery and performance of this Agreement does not and will not (i) conflict with, violate or breach any applicable law or regulation to which Provider is subject (including export control), (ii) require the consent, approval or authorization of any governmental or regulatory authority or third party, or (iii) require the provision of any payment or other consideration to any third party. Provider will immediately notify [*] if circumstances change such that Provider is no longer in compliance with any of the foregoing.

 

(c) The Offering will operate in all material respects in accordance with the Documentation and any specifications and other requirements agreed to by the parties, and in a manner consistent with applicable general industry standards, without the need for particular hardware, software (including connectivity software), environment configurations or other technology unless specifically set forth in the applicable Order.

 

(d) The functionality of the Offering will not be materially decreased during the Term.

 

(e) Prior to the introduction of any production version of the Offering, Provider will scan the Software with one or more current, industry-standard Malware detection programs. Provider will not introduce into the production version of the Offering any Malware. For purposes of this Agreement, “Malware” means any code, program, program routine, device, feature, function, or algorithm (including any time bomb, software lock, drop-dead device, malicious logic, worm, Trojan horse, error, defect or trap door) that (i) could cause (directly or indirectly, in whole or in part) any material corruption, deterioration, alteration or other adverse change to the Software or any other software or hardware of the [*] Entities, or damage or loss of computer files or other programs, or disrupt the use of any part of a computer system, or otherwise cause or result in other loss, damage or liability to the [*] Entities, (ii) is capable of deleting, disabling, deactivating, interfering with, or otherwise harming or providing unauthorized access to the Software, third party databases or the [*] Entities’ hardware, data, or computer programs or codes, (iii) could permit unauthorized persons to access the systems of the [*] Entities, or (iv) could cause a [*] Entity to not be in compliance with export regulatory requirements (such as unapproved encryption/decryption), privacy laws (such as unauthorized collection of Personal Data), or copyright laws (such as bypassing copyright protection features).

 

(f) Provider’s use of any free, public domain, copyleft or open source software (e.g., software with source code that others can inspect or modify) will not result in an obligation to disclose, license or otherwise make available to any third party(ies) any part of the Offering, the systems of the [*] Entities or their Clients, or any Confidential Information or other information or property of the [*] Entities or their Clients.

 

(g) Provider and its employees, personnel and Subcontractors possess the knowledge, skill and experience necessary to perform the Services in accordance with the terms and conditions of this Agreement (including any SOW) and will perform the Services in a competent and workmanlike manner and in compliance with all applicable laws and relevant industry codes and standards.

 

(h) Provider meets and will continue to meet the standards of [*]’s Supplier Code of Conduct (available at [*] or as otherwise provided by [*]).

 

Additional representations, warranties and covenants set forth elsewhere in this Agreement, including the IT Security provisions of Exhibit E, are hereby incorporated into this Section 9.2.

 

9.3 Disclaimer. To the fullest extent allowed by applicable law, except as specifically set forth in Section 9.1 or Section 9.2, each party disclaims all other warranties, whether express, implied, or statutory, including the implied warranties of merchantability and fitness for a particular purpose, and any warranties that may arise from course of dealing or usage of trade.

 

10. Indemnification

 

10.1 General. Provider will indemnify, hold harmless, and (at [*]’s option) defend the [*] Entities and their respective partners, principals, directors, officers, employees, consultants, contractors, representatives, agents, Clients and Users (collectively, “Indemnitees”) from and against any and all claims, actions, and proceedings (collectively, “Claims”), and all associated liabilities, damages, losses, costs and expenses (including attorneys’ fees) (collectively, “Damages”), arising out of or related to: (a) any allegation by a third party that the Offering or any Services or other items supplied by or for Provider under this Agreement infringe, misappropriate or otherwise violate any Intellectual Property Rights; (b) Provider’s breach (or allegation that, if true, would be a breach) of this Agreement; (c) any failure by Provider or its employees, agents or subcontractors to comply with applicable law or regulation; (d) any negligent, reckless or intentionally wrongful act by Provider or its employees, agents or subcontractors; (e) personal injury or property damage caused by the fault or negligence of Provider or its employees, agents or subcontractors; or (f) any Employment and ACA Claims. 
“Employment and ACA Claims” means (i) the hiring, retention, or use by Provider of any person who is not authorized to work in the United States, for those persons who work for Provider in the United States; (ii) any claims made by Provider personnel, including those based on laws relating to their employment or consulting relationship status with Provider, or termination thereof; and (iii) any taxes, penalties, or other liabilities under Internal Revenue Code Sections 4980H, 6055 and 6056, and any interest and penalties related thereto, to which Indemnitees become subject (collectively, “ACA Penalties”), to the extent such ACA Penalties are attributable to current or former Provider personnel or subcontractors who have been reclassified by a governmental agency or court as employees of [*] Entities and whose reclassification results in, or affects the amount of, the ACA Penalties.

 

10.2 Exceptions. Provider will have no obligation under Section 10.1(a) above to the extent the Claim is based upon: (a) the unauthorized modification of the Offering or Documentation by [*] if such infringement, misappropriation, or violation would not have occurred without such modification; or (b) use of the Software in combination with other products or services not provided by or for Provider, or contemplated or specified in the Documentation, if such Claim would not have occurred without such combination and such other products or services (rather than the items supplied by Provider) substantially embody the allegedly infringed Intellectual Property Right.

 

10.3 Defense Process. [*] (or an Indemnitee) will promptly notify Provider of the existence of a Claim; provided, however, that the failure to give such notice will not limit Provider’s obligations except to the extent that Provider is prejudiced thereby. Indemnitees may retain the defense of any Claim or request that Provider control the defense. For any Claim for which an Indemnitee elects to have Provider control the defense, Provider will employ counsel and assume defense of the Claim. Each affected Indemnitee will have the right to employ separate counsel and participate in the defense of the Claim at its own expense, except that Provider will bear the fees and expenses of such counsel if (a) the employment of counsel by the Indemnitee has been separately authorized in writing by Provider, (b) Provider has been advised by its counsel that there is a conflict of interest between Provider and the Indemnitee (in which case, Provider will not have the right to control the defense of the Claim on behalf of the Indemnitee) or (c) Provider has not employed counsel to assume the defense of the Claim within a reasonable period of time following receipt of the notice of the Claim. Provider may not consent to any judgement or settlement of any Claim subject to indemnification under this Agreement without the prior written consent of the Indemnitee if such judgement or settlement imposes any obligation or liability upon the Indemnitee.

 

10.4 Replacement; Modification. Without limiting Provider’s obligations under Section 10.1, if the Offering, Services or other items supplied by Provider become (or in Provider’s reasonable opinion are likely to become) the subject of a Claim, or the use of any of the foregoing as contemplated under this Agreement is (or in Provider’s reasonable opinion is likely to become) prohibited or materially limited (including as a result of a Claim or the settlement thereof), Provider will promptly, at Provider’s option and expense: (a) procure the right for the [*] Entities to continue using the affected component of the Offering, Services, or other item, without any additional cost to them; or (b) replace or modify the affected component of the Offering, Services, or other item with a non-infringing component that does not have any impact on functionality or performance and meets [*]’s technical approval (such approval not to be unreasonably withheld). The foregoing provisions will not limit any of [*]’s other rights or remedies or limit or affect Provider’s obligations as otherwise set forth in this Agreement.

 

11. LIMITATION OF LIABILITY. TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, AND EXCEPT WITH RESPECT TO PROVIDER’S OBLIGATIONS UNDER SECTION 10 (INDEMNIFICATION) OR FOR PROVIDER’S BREACH OF SECTION 7 (CONFIDENTIALITY), SECTION 8 (PERSONAL DATA), SECTION 13 (INFORMATION TECHNOLOGY) OR SECTION 15 (PERSONNEL MATTERS): (A) IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY; AND (B) [*]’S ENTIRE LIABILITY TO PROVIDER IN ANY WAY RELATED TO THIS AGREEMENT, THE OFFERING, SERVICES, OR OTHER ITEMS SUPPLIED BY OR FOR PROVIDER UNDER THIS AGREEMENT, AND ANY OTHER SUBJECT MATTER OF THIS AGREEMENT, AND REGARDLESS OF THE FORM OF ANY CLAIM OR ACTION, WILL NOT EXCEED TWO (2) TIMES THE AGGREGATE AMOUNTS PAID BY [*] DURING THE TWELVE (12) MONTHS PRIOR TO THE DATE ON WHICH THE LIABILITY AROSE.

 

12. Regulatory Matters

 

12.1 Commitment to Cyber Resilience. Provider recognizes the interdependence of private and public sector organizations in the global, hyperconnected environment and the role in contributing to the overall levels of cyber risk mitigation on a national and global level. Provider agrees to review and consider endorsing the Commitment to Cyber Resilience established by the World Economic Forum available at http://www3.weforum.org/docs/WEF_IT_PartneringCyberResilience_Guidelines_2012.pdf.

 

12.2 Compliance with Laws. Provider agrees that it, its employees, personnel, Subcontractors, joint venture partners, and any other party acting on its behalf or at its instruction, will fully comply at all times with the provisions of the United States Foreign Corrupt Practices Act (“FCPA”) and any other legal provisions concerning corruption and anti-bribery as otherwise requested by a [*] Entity. Provider agrees that it will not give, offer, or promise any payment or any item of value to any of the following individuals for the purpose of influencing any act or decision of these individuals in their official capacity to help a [*] Entity obtain or retain business, or obtain any unfair advantage in connection with [*]’s business: (a) any foreign official (as that term is defined in the FCPA), including any person acting in an official capacity for a non-U.S. government; (b) a non-U.S. political party official or political party; (c) a candidate for a non-U.S. political office; or (d) any officer or employee of a public international organization. Without limiting and notwithstanding any other termination provisions in this Agreement, [*] may terminate this Agreement if [*] determines, in its sole discretion, that Provider has breached this Section. Prior to the commencement of any renewal or extension of the Subscription Term: (i) Provider will confirm in writing to [*] that Provider remains in full compliance with this Section and (ii) if requested, Provider will complete to [*]’s reasonable satisfaction the then-existing portion of [*]’s vendor due diligence questionnaire related to the FCPA and anti-bribery. If [*] requests certain information in order to enable [*] to comply with applicable laws related to [*]’s use of the Offering, Provider will provide such reasonably requested information in Provider’s possession or control solely for such purpose.

 


12.3 Independence. In light of US Securities and Exchange Commission (“SEC”) regulations applicable to business relationships between an accounting firm and its audit client, and any other applicable law, regulation, professional standard, self-regulatory organization rule or policy relating to auditor independence, Provider hereby acknowledges to [*] that:

 

(a) This Agreement is entered in the ordinary course of Provider’s business. Provider represents, warrants and covenants that the terms and conditions under this Agreement (including pricing): (i) are and will be at market rates or otherwise in accordance with Provider’s internal pricing policies; and (ii) are and will be, on average, no more or less favorable than those being offered or otherwise agreed to by Provider to other similarly situated customers of comparable size and complexity.

 

(b) The aggregate amounts expected to be earned by Provider from [*] in respect of this Agreement, and otherwise under all agreements with [*] for the performance of services or provision of products, will not exceed five percent (5%) of Provider’s revenues (including all revenues for the Offering, Services and any other services) for each fiscal year of Provider in which the Offering, Services or other services will be performed or provided.

 

In connection with any audit or other query initiated by the SEC or Public Company Accounting Oversight Board, Provider will assist [*] in documenting comparable provisions in its agreements with other similarly situated customers of comparable size and complexity.

 

12.4 PCAOB and State Board Compliance; Self-Reporting Obligation. The Public Company Accounting Oversight Board (“PCAOB”) and other regulatory bodies, including various state boards of accountancy, require [*] to report when it has entered into an arrangement with individuals or entities who are the subject of certain disciplinary sanctions with the PCAOB or SEC. The PCAOB requires [*] to notify the PCAOB within thirty (30) days of occurrence of the event. In order for [*] to comply with these rules, Provider confirms that it is not the subject of:

 

(a) A PCAOB disciplinary sanction which suspends or bars it from being an associated person of a registered public accounting firm (e.g., [*]); or

 

(b) An SEC order under Rule 102(e) of the SEC Rules of Practice which suspends or bars it from appearing or practicing before the SEC.

 

If Provider’s status regarding either of the above statements changes, Provider will inform [*] via email to [*][*] within fourteen (14) days of occurrence of the event.

 

12.5 Required Notification for Independence Issues. Provider will immediately notify [*] in writing of any change in Provider’s officers, directors, or individual holders of ten percent (10%) or more of Provider’s stock; any such changes to the companies with which any of those individuals is associated as an officer, director or holder of ten percent (10%) or more of such companies’ stock; and any such changes to its corporate shareholders whose investment in Provider equals ten percent (10%) or more of Provider’s stock. If Provider is or becomes a public company, this Section will apply only to notifications relating to individual shareholders holding stock of ten percent (10%) or more of Provider’s stock, and to corporate shareholders whose investment in Provider equals ten percent (10%) or more of Provider’s stock. Provider will provide additional relevant information, as may be requested by [*], to enable [*] to evaluate its compliance with applicable independence rules and regulations.

 

13. Information Technology. Provider will comply with the Third Party Supplier Information Security Requirements set forth in the attached Exhibit E, which is hereby incorporated by reference.

 

14. Insurance. As of the Effective Date, Provider has the insurance coverage set forth in Exhibit F. Provider will maintain, at its sole expense, such coverage in effect for all claims arising during the Term and thereafter (as provided in Exhibit F).

 


15. Personnel Matters

 

15.1 US Authorized Personnel. The Offering is provided from, and all Services hereunder will be performed entirely in, the United States. Provider will ensure that its personnel involved in the provision of the Offering and the performance of Services are authorized to work in the United States, and will ensure that any legally required verification of employment eligibility and identity is performed.

 

15.2 Security and Other Policies. For any of Provider’s personnel performing Services while at [*]’s premises, Provider will cause all such personnel to observe and comply with all rules, policies, requirements and procedures of [*], including all security procedures, rules, regulations and policies, working hours and holiday schedules then in effect (collectively, “[*] Policies and Procedures”), to the extent [*] has provided the [*] Policies and Procedures to Provider (including by making them available on a website designated to Provider by [*]). [*] reserves the right to amend, revise or update the [*] Policies and Procedures from time to time. If Provider determines, in its sole discretion, that the modification to such [*] Policies and Procedures changes the economics or risks in this Agreement, then Provider will notify [*] so that Provider and [*] may discuss in good faith such modifications, with a view toward either modifying the applicable [*] Policies and Procedures or amending this Agreement. If the parties cannot reach an amicable resolution to the issue within thirty (30) days after receipt of such notice, then either party may elect to terminate this Agreement by written notice to the other party. At the request of [*], Provider will acknowledge and certify in writing that it is compliant with the [*] Policies and Procedures. Provider will exercise commercially reasonable efforts to minimize any disruption to [*]’s normal business operations at all times. If any Provider personnel performing Services is unacceptable to [*] for any lawful reason, Provider will immediately take appropriate corrective action, including removal from the [*] account.

 

15.3 Non-Discrimination. The parties acknowledge and agree that Provider is not serving as a federal subcontractor to [*] under this Agreement. Nevertheless, Provider agrees to comply with the equal opportunity and affirmative action requirements set forth in 41 CFR 60-1.4, the affirmative action commitment for disabled veterans and veterans of the Vietnam Era set forth in 41 CFR 60-250.5, and other related regulations at 41 CFR 60-300.5(a), 41 CFR 60-741.5(a), and 29 CFR part 471, Appendix A to Subpart A, which are incorporated by reference into this Agreement. In addition, [*] and Provider will abide by the requirements of 41 CFR 60-1.4(a), 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, sexual orientation or gender identity, national origin, protected veteran status or disability.

 

15.4 Background Checks. Provider agrees that, prior to Provider’s access of the data, systems, network or facilities of a [*] Entity, all Provider personnel will successfully undergo background checks in accordance with [*]’s current requirements as set forth in Exhibit G.

 

15.5 No Subcontractors. Provider may not use Subcontractors for the provision of the Offering or the performance of any Services without [*]’s prior written consent in each case. Without limiting the foregoing, Provider will ensure that all Subcontractors are bound in writing by the confidentiality and use restrictions and other applicable terms of this Agreement applicable to the protection of the [*] Entities’ and Clients’ Background Technology, Confidential Information, [*] Data, and any other right, title and interest in Technology and Intellectual Property Rights of the [*] Entities. Provider and any of its Subcontractors will be jointly and severally liable for all acts or omissions of its Subcontractors. To avoid doubt, [*] has no obligation or liability under this Agreement to any Subcontractors.

 

16. Participation By Other Network Firms. Provider acknowledges and agrees that Network Firms may participate under this Agreement through the execution of an Adoption Agreement by the applicable Network Firm with Provider in the form attached hereto as Exhibit I. Upon the execution of an Adoption Agreement, the terms of this Agreement will apply between Provider and the Network Firm and, for the purposes of such arrangement between Provider and the Network Firm, the references to “[*]” in this Agreement will mean the Network Firm that has executed such Adoption Agreement. For the avoidance of doubt, neither Provider nor any Network Firm is obligated to enter into an Adoption Agreement. Provider will provide the Offering and any Services to each applicable Network Firm in accordance with the terms and conditions of this Agreement and any applicable Adoption Agreement. All obligations and liabilities of such Network Firm will be solely as between such Network Firm and Provider and will be borne solely by such Network Firm, and not by [*] or any other Network Firm. Each Network Firm that executes an Adoption Agreement acts solely on its own behalf and for its own account and does not bind or act as an agent for any other Network Firm. No Network Firm is responsible or liable for any acts or omissions of any other Network Firm under this Agreement or any Adoption Agreement. By way of example, a breach by a Network Firm of any provision of this Agreement or an Adoption Agreement will be deemed to be a breach only by that Network Firm and by no other entity. Any rights of Provider arising out of such breach, including rights to terminate or receive damages, will apply only to the specific Network Firm and only to the extent of such Network Firm’s breach. Any modification of the terms of this Agreement in an Adoption Agreement between a Network Firm and Provider will not affect the terms of this Agreement as between any other Network Firm (including [*]) and Provider. 
While [*] is entering into this Agreement on its own behalf, this Section 16 also is intended for the benefit of the Network Firms.

 


17. Miscellaneous

 

17.1 Interpretation. For purposes of interpreting this Agreement, (a) unless the context otherwise requires, the singular includes the plural, and the plural includes the singular; (b) unless otherwise specifically stated, the words “herein,” “hereof,” and “hereunder” and similar words refer to this Agreement as a whole and not to any particular section or paragraph; (c) “include” and “including” mean “including but not limited to” and “including without limitation”; (d) the word “or” will not be exclusive; (e) the word “extent” in the phrase “to the extent” means the degree to which a subject or other thing extends, and not simply “if”; (f) unless otherwise specifically stated, the words “writing” or “written” mean preserved or presented in retrievable or reproducible form, whether electronic (including email but excluding voice mail) or hard copy; (g) references to the parties include their permitted successors and assigns; and (h) unless otherwise expressly provided herein, any agreement, instrument or statute defined or referred to herein means such agreement, instrument or statute as it may be amended over time.

 

17.2 Notices. Unless otherwise provided elsewhere in this Agreement, any notice, request, demand or other communication required or permitted under this Agreement will be in writing and delivered by personal hand delivery, registered mail, or by overnight delivery to the other party at the addresses set forth below (or such other address as either party may provide in accordance with this Section 17.2), and will be deemed given on the day they are received.

 

If to [*]:   If to Provider:
     
[*]  

Xyvid Inc.

1170 Wheeler Way

Langhorne, PA 19047 Attn: Legal

     
With a required copy (which will not be deemed notice) to:
     
[*]    

 

17.3 Entire Agreement. This Agreement (including its Exhibits and any executed Orders and executed SOWs) constitutes the entire agreement between the parties concerning the subject matter hereof and supersedes all prior or contemporaneous representations, discussions, proposals, negotiations, conditions and agreements, whether oral or written, and all communications between the parties relating to the subject matter of this Agreement and all past courses of dealing or industry custom. No amendment or modification of any provision of this Agreement will be effective unless in writing and signed by a duly authorized signatory of Provider and [*]. The parties expressly agree that the terms and conditions of this Agreement will supersede any different or additional terms in any order forms, purchase orders, order acknowledgements, invoices or other similar ordering documents submitted by Provider, which additional or different terms are expressly rejected. [*] objects to any such additional or different terms contained in any of the foregoing Provider documents. [*]’s acceptance of any offer is expressly made conditional on assent to the terms of this Agreement. The terms of any click-wrap end user license or similar agreement found electronically in the Offering or other materials provided by Provider under this Agreement, including any such license or agreement where the user has clicked an “I Agree” or similar button, or any such license or agreement that has been deemed accepted by installing or using such materials, will be deemed null, void and of no effect and will not apply to this Agreement or its subject matter.

 


17.4 Assignment. Neither party will assign, transfer, delegate or otherwise dispose of this Agreement or any of its rights or obligations under this Agreement, whether voluntarily or involuntarily, by operation of law or otherwise, without the other party’s prior written consent. Notwithstanding the foregoing, [*] may assign, transfer, delegate or otherwise dispose of, whether voluntarily or involuntarily, by operation of law or otherwise, this Agreement or any of its rights or obligations under this Agreement, without Provider’s prior written consent (a) to any [*] Entity or (b) in connection with any acquisition, merger, consolidation, reorganization, or similar transaction, or any spin-off, divestiture, or other separation of a [*] business or portion of a [*] business. Any attempted assignment, transfer, delegation or disposal in violation of the foregoing will be void and will constitute a material breach of this Agreement. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the parties and their successors and permitted assigns.

 

17.5 Governing Law. This Agreement, and any dispute relating to this Agreement or the subject matter of the Agreement, will be governed by and construed, interpreted and enforced in accordance with the domestic laws of the State of New York, without giving effect to any provisions that would require the laws of another jurisdiction to apply. The parties expressly disclaim the applicability of, and waive any rights based on, the Uniform Computer Information Transactions Act, the Uniform Commercial Code, or the United Nations Convention on Contracts for the International Sale of Goods, however each may be codified or amended.

 

17.6 Dispute Resolution. Any unresolved dispute relating in any way to this Agreement or the subject matter of this Agreement (including the Software and the use thereof) will be resolved by arbitration, except that either party is free to seek equitable relief in a court having jurisdiction. The arbitration will be conducted in accordance with the Rules for Non-Administered Arbitration of the International Institute for Conflict Prevention and Resolution then in effect (“CPR Rules”). The arbitration will be conducted before a panel of three arbitrators selected using the screened process provided for in the CPR Rules. Any in-person appearances will be held in New York, New York. The arbitration panel will have no power to award non-monetary or equitable relief of any sort, or to award damages inconsistent with this Agreement (including Section 11). Judgment on any arbitration award may be entered in any court having jurisdiction. All aspects of the arbitration will be treated as confidential. Provider acknowledges and agrees that any demand for arbitration must be issued within one (1) year from the date that Provider became aware or should reasonably have become aware of the facts that give rise to [*]’s alleged liability and in any event no later than two (2) years after the cause of action accrued.

 

17.7 No Publicity. Except as otherwise expressly permitted in this Agreement, neither party will use the other party’s name, trademarks or logo or refer to the other party directly or indirectly in any media release, public announcement or public disclosure relating to this Agreement or its subject matter, including in any promotional or marketing materials, lists, referral lists, or business presentations, without consent from the other party for each such use or release. Notwithstanding the foregoing, [*] may use Provider’s name in experience citations and recruiting materials. Except as expressly set forth in this Agreement, Provider does not and will not acquire any right under this Agreement to use, and will not use, the name “[*]” or “[*]” (either alone or in conjunction with or as part of any other word or name) or any logos, marks or designs of [*] or its related entities (including the Network Firms).

 

17.8 Relationship of the Parties; No Third Party Beneficiaries. This Agreement will not be construed as creating an agency, partnership, joint venture or any other form of association, for tax purposes or otherwise, between the parties; the parties will at all times be and remain independent contractors and neither party nor its agents have any authority of any kind to bind the other party in any respect whatsoever. Except as otherwise set forth in this Agreement (including with respect to [*]’s Affiliates), it is not the intention of this Agreement or of the parties to this Agreement to confer a third party beneficiary right of action upon any third party or entity whatsoever, and nothing in this Agreement will be construed to confer upon any third party other than the parties to this Agreement a right of action under this Agreement or in any manner whatsoever.

 


17.9 Rights in Bankruptcy. Provider agrees that [*] will retain and may fully exercise all rights granted and other rights under this Agreement (collectively, the “Rights”) in all circumstances, including any future bankruptcy or insolvency proceeding involving Provider, whether as licensees of intellectual property under the U.S. Bankruptcy Code (the “Bankruptcy Code”), applicable non-bankruptcy law, or otherwise. Without limiting the foregoing, Provider acknowledges and agrees that: (a) neither this Agreement nor any of the Rights is vulnerable to rejection as an executory contract under Section 365 of the Bankruptcy Code; (b) if a court of competent jurisdiction nonetheless allows the rejection of this Agreement under Section 365 of the Bankruptcy Code, such rejection will not result in termination of any of the Rights and [*] will retain and may fully exercise all of its rights and elections under the Bankruptcy Code; and (c) Provider will not (and Provider hereby irrevocably waives any right to) object to or challenge any assertion of the matters described in the preceding subsections (a), (b), and (c) by [*].

 

17.10 Waiver. No failure by any party to insist upon the strict performance of any covenant, agreement, term or condition of this Agreement or to exercise any right or remedy consequent upon a breach of such or any other covenant, agreement, term or condition will operate as a waiver of such or any other covenant, agreement, term or condition of this Agreement. Any party by notice given in accordance with this Agreement may, but will not be under any obligation to, waive any of its rights or conditions to its obligations hereunder, or any duty, obligation or covenant of any other party. No waiver will affect or alter the remainder of this Agreement but each and every covenant, agreement, term and condition hereof will continue in full force and effect with respect to any other then existing or subsequent breach. The rights and remedies provided by this Agreement are cumulative and the exercise of any one right or remedy by any party will not preclude or waive its right to exercise any or all other rights or remedies.

 

17.11 Headings. The headings of Sections of this Agreement are for convenience only and will not be interpreted to limit or amplify the provisions of this Agreement.

 

17.12 Severability. Each provision of this Agreement will be considered separable and if for any reason any provision or provisions hereof are determined to be invalid and contrary to any existing or future law, such invalidity will not impair the operation of or affect those portions of this Agreement that are valid, but in such case the parties will endeavor to amend or modify this Agreement to achieve to the extent reasonably practicable the purpose of the invalid provision.

 

17.13 Absence of Presumption. The parties hereto have participated jointly in the negotiation and drafting of this Agreement and, in the event of ambiguity or if a question of intent or interpretation arises, this Agreement will be construed as if drafted jointly by the parties and no presumption or burden of proof will arise favoring or disfavoring any party by virtue of the authorship of any of the provisions of this Agreement.

 

17.14 Counterparts. This Agreement may be executed in multiple counterparts, each of which will be deemed an original and all of which, taken together, will constitute one and the same instrument.

 

[Signature page follows]

 

[*]

 

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the Effective Date.

 

[*]   Xyvid, Inc.
       
Signature: [*]   Signature: David Kovalcik
  [*]     David Kovalcik (Aug 20, 2018)
Email: [*]   Email: dkovalcik@dyventive.com
Title: [*]   Title: CEO

 

Exhibits

 

A: Order

B: Service Level Agreement

C: Support and Maintenance

D: Travel and Expense Policy

E: Third Party Supplier Information Security Requirements

F: Insurance Requirements

G: Background Screening Requirements

H: Data Protection Addendum

I: Form of Adoption Agreement

J: Initial Statement of Work

 

 

[*] Confidential

Contract # ______________

 

Exhibit A

Order 1

 

This Order is provided as of August 7, 2018 (“Order Effective Date”) pursuant and subject to the terms and conditions of that certain Software-As-A-Service Agreement dated as of August 7, 2018 by and between Xyvid, Inc. (“Provider”) and [*] (“[*]”). Any term not otherwise defined herein will have the meaning set forth in the Software-As-A-Service Agreement.

 

1.Offering URL

 

[*]

 

2.Offering

 

Offering name: Xyvid Pro Platform

 

General description of Offering: Web broadcasting solution with interactive tools.

 

3.Metrics/Usage Restrictions

 

20 events, with the following specifications:

 

  Duration of event(s): 90 minutes

 

  Time & Date – to be determined

 

  Targeted number of attendees: up to 1500 per program

 

  Type of events – Audio and Video Managed

 

  Basic Registration included

 

4.Subscription Term

 

Subscription Term Start Date: August 7, 2018

 

Subscription Term End Date: October 30, 2018, or the date of the last of the 20 events/webcast provided by or for [*], whichever occurs last.

 

5.Fees, Payment, Expenses, Not-To-Exceed Amount

 

A.Fees

 

[*]. Total Fees for this Order shall be: $60,000 to 80,000 dollars for up to 20 events, depending on [*]’s use of the Offering.

 

B.Invoicing and Payment Terms

 

Invoice Schedule

 

To be billed after each program

 


 

Method of Invoice

 

Invoices will be submitted by Provider to [*] as follows:

 

By email as an excel spreadsheet with details provided by [*] and sent to (i) if invoice is a purchase order, [*] or (ii) if invoice is a non-purchase order, [*].

 

C.Expenses

 

No additional expenses.

 

D.Not-To-Exceed Amount

 

In no event will Provider invoice [*] for, and in no event will [*] be liable for, amounts (including all fees and expenses) under this Order in excess of $100,000.

 

6.Configuration Services

 

N/A

 

7.Training Services

 

Virtual training to be provided at [*]’s request during implementation phase, at no additional cost.

 

8.Additional Services

 

[*] may order additional Xyvid services offered by Provider, as set forth in the schedule below, by executing a separate written Order for the applicable service(s) with the Provider:

 

XYVID Pro Full Serve Production Services
Production Services:
On-Site Professional Streaming Technician  $750 
On-Site Program Lead Producer  $1,250 
Proactive Feedback Loop Tech Support  $1,000 
Back-Up Audio Phone Line  $500 
Primary and Backup Encoding Hardware On-Site  $1,000 
Content Creation Audio:
Rendering of Audio Content from Production  $500 
Conversion of Slide Transition, Screen Movement and Timing  $750 
Initial Audio Edits and 1 Round of Changes / Modifications  $1,000 
Presentation of Rough Cut for Approval  $1,000 

 

Content Creation Video:
Rendering of Video Content from Production  $750 
Conversion of Slide Transition, Screen Movement and Timing  $1,000 
Initial Video Edits and 1 Round of Changes / Modifications  $1,250 
Presentation of Rough Cut for Approval  $1,250 
Simulated Live Production Services:
Playback Pro and Audio Playback Equipment  $450 
Conference Call Q&A Switchover from Pre-Record  $450 
Pre-Recorded Live Slide Click Execution  $350 

 

Additional Services:
Program Video File MP4 of the Program  $750 
Program Video File MP3 of the Program  $150 
Text wire - Text to Chat Q&A System  $500 
Operator Assisted Conference Call Per Person Per Hour Domestic  $25 
Non-Operator Assisted Conference Call Per Person Per Hour Domestic.  $12 
Custom Registration System  $2,500 
Professional Services (Editing, Add Slide Timings, etc.)  $350/Hr
Transcription Services  $350/Hr
Invitation Participant Group Tracking Code  $500 
Additional 1 Year of Event Hosting  $500 
Additional 30 Minutes of streaming  $500 
Additional Increments of 500 People / Based on Setup  $500 
Additional Email Reminder Prior to Event Start.  $150 
On-Site Dry Run Day Before is 50% Stream Plus Actuals   TBD 
Media Acceleration Services for High Volume Meetings   TBD 
On-Line Dry Run Day Before is 50% Stream Plus Actuals.  $450 
Rush event setup/ Link required within 24 hours of Content  $500 

 


 

Exhibit B

Service Level Agreement

 

1. Availability. “Availability” means the percentage of time, calculated in the manner described in this Exhibit, that the Offering is available to Users. Provider will provide the Offering with the goal of achieving the maximum level of Availability.

 

2. Measuring Availability.

 

(a) Total Monthly Minutes. First, the total number of minutes in a calendar month (“Total Monthly Minutes”) is calculated. Example for May: 24 hours per day x 60 minutes in an hour x 31 days in May (average) = 44,640 minutes in May.

 

(b) Calculated Minutes of Unavailability. Next, the total minutes of Calculated Minutes of Unavailability (defined below) in the same calendar month is calculated according to the formula provided in Section 3(e) below.

 

(c) Calculation of Availability. To calculate the monthly Availability (expressed as a percentage), the following formula is used each calendar month:

 

Availability in the calendar month = [(Total Monthly Minutes – Calculated Minutes of Unavailability) / Total Monthly Minutes] * 100%

 

3. Service Level Factors and Definitions.

 

(a) Availability. The measurement of Availability and the potential for [*] to receive credits pursuant to this Exhibit will commence when the Offering is first used by a User.

 

(b) Scheduled Downtime. Provider will work with [*], as reasonably practicable, to arrange for Scheduled Downtime during non-peak hours and will use its best efforts to minimize the need for Scheduled Downtime. The term “Scheduled Downtime” means one or more periods when the Software is not available to [*] because Provider-initiated maintenance is being performed by Provider or its third party service provider, including but not limited to: installation of new or upgraded equipment, software or any other materials or infrastructure used by Provider or its third party service provider to provide the Offering. Provider intends that such Scheduled Downtime will not exceed 22 hours per calendar quarter and further agrees that if such Scheduled Downtime exceeds 22 hours in a calendar quarter, any excess time will be considered Unscheduled Downtime for purposes of determining the Calculated Minutes of Unavailability under Section 3(e) of this Exhibit. Provider will provide [*] with at least seven (7) days’ prior notice of the Scheduled Downtime described above.

 

(c) Unscheduled Downtime. “Unscheduled Downtime” means one or more minutes during an applicable calendar month where the Offering is unavailable to Users as a direct result of Provider’s failure to meet an obligation set forth in this Agreement, but in no event will Unscheduled Downtime include unavailability which results from Scheduled Downtime described in Section 3(b) above.

 

(d) Potential Modifications to Raw Minute Calculations.

 

i. Core Business Hours Multiplier. Any Unscheduled Downtime that occurs between 8:00 AM and 6:00 PM Monday through Friday in the time zone applicable to the User’s address, will be subject to a “Core Availability” multiplier. The Core Availability multiplier is 1.5 such that Unscheduled Downtime or any portion thereof which occurs during this period will be counted as 1.5 times the actual minutes incurred. By way of example, if a User incurred 30 minutes of Unscheduled Downtime between 9:00 and 9:30 AM on a Monday, while the raw calculation is 30 minutes, for purposes of the availability totals, such period would initially be calculated as 45 minutes (30 * 1.5).

 

ii. Read Only Access Multiplier. Any Unscheduled Downtime that occurs will also be subject to a “Read Only Access” multiplier if a User has read only access to the Software during such time. The Read Only Access multiplier is 0.5 such that Unscheduled Downtime or any portion thereof which occurs where such read only access is available will be counted as 0.5 times the actual minutes incurred. By way of example, if Company incurred 30 minutes of Unscheduled Downtime between 10:00 PM and 10:30 PM but Company had access to a read only environment during such time, while the raw calculation is 30 minutes, the period would count as 15 minutes (30 * 0.5).

 


 

(e) Calculated Minutes of Unavailability. To determine the Calculated Minutes of Unavailability for the Software Availability calculation above, Provider will total the number of minutes in the month of Unscheduled Downtime and then apply any applicable multipliers described in Section 3(d) above. For the sake of clarity, in the event that both the Core Availability and the Read Only Access multipliers are applicable to any portion of Unscheduled Downtime, both multipliers will be applied. By way of example if a User experienced 30 minutes of Unscheduled Downtime between 9:00 and 9:30 AM on a Monday and had read only access during such time period, while the raw calculation is 30 minutes, for purposes of the availability totals, such period would be calculated as 22.5 minutes (30 * 1.5 * 0.5). In the event of a period of Unscheduled Downtime that began during a calendar month and continued into the next calendar month, the entire period of such Unscheduled Downtime will be deemed included in the calendar month in which such Unscheduled Downtime began.

 

4. Service Level Credits.

 

For any month during which actual Availability is less than 99.99%, upon [*]’s written request no later than thirty (30) days following the end of such month, Provider will provide [*] a service credit on the next billing cycle as follows:

 

Monthly Hosting Services Availability   Percent of monthly fees provided as credit
<99.99% and >=99.0%   4%
<99.0% and >= 98.5%   8%
<98.5% and >= 98%   12%
< 98.0% and >= 97%   15%
< 97.0% and >= 96%   30%
<96%   50%

 

If Provider provides [*] the maximum service credit set forth in the table above for any two (2) calendar months within any rolling six (6) calendar month period during the Term, [*] may terminate this Agreement without penalty as if it were a breach under Section 5.2 of the Agreement.

 


 

Exhibit C

Support and Maintenance

 

1. Support Services. Provider will provide User Support and Level 2 Support and other support services as set forth in this Exhibit. Provider will provide [*] with a primary point of contact for any issues relating to the Offering during [*]’s standard business hours (9:00 AM – 6:00 PM Pacific Time, Monday through Friday (excluding standard holidays)). Provider’s primary point of contact will be [*]. Additionally, Provider will provide [*] with contact information for 24x7x365 emergency support outside of standard business hours, who will receive and respond to support queries from [*] on a 24x7x365 basis. Provider’s emergency contact will be [*]. Provider will respond to all [*] support requests in writing, will begin issue investigation within ten (10) minutes of [*]’s issuance of each such request, and will resolve all such requests and issues as soon as possible.

 

1.1 “User Support” means responding to and solving basic User problems relating to the Software. User Support consists of: (a) responding to questions from Users regarding the Documentation or usage of the Software, and (b) reasonable efforts to diagnose the root cause of any incident.

 

1.2 “Level 2 Support” means responding to and solving any problem that is not resolved under User Support, including significant User problems relating to the operation of the Software and assisting Users in interfacing with other vendors if problems arise as a result of interoperability issues relating to the Software and other software or hardware installed by the User.

 

2. Errors; Error Correction.

 

2.1 “Error” means a defect, or combination of defects, in the Offering that results in a failure of the Offering to function in accordance with the specifications and Documentation therefor. Errors are classified as follows:

 

(i) Priority 1: The Error renders the Offering inoperative or causes a complete failure of the Software.

 

(ii) Priority 2: The Error affects the performance of the Offering, or restricts the use of the Offering (for example, important Offering features are unavailable with no acceptable workaround).

 

(iii) Priority 3: The Error causes only a minor impact on use of the Offering but no acceptable workaround is available.

 

(iv) Priority 4: Although an Error exists, the Error causes minor inconveniences (such as cosmetic problems) and it does not impact the operation of the Offering because an acceptable workaround is available. Priority 4 Errors include all Errors that are not classified as Priority 1, Priority 2, or Priority 3.

 

2.2 “Error Correction” means a bug fix, error correction, patch, or other modification or addition that, when made or added to the Offering, corrects an Error.

 

2.3 Response Times. Provider will comply with the following response times and resolution deadlines:

 

(a) Priority 1 Error. In the event of a Priority 1 Error, Provider will, within thirty (30) minutes of notification, acknowledge and commence work on resolving the Error with an Error Correction. Provider will work continuously around-the-clock to provide a workaround for the Error within two (2) hours after such notification and an Error Correction within twenty-four (24) hours after such notification. Provider will provide [*] with periodic reports (no less frequently than once every two (2) hours) on the status of the Error Correction.

 

(b) Priority 2 Error. In the event of a Priority 2 Error, Provider will, within two (2) hours of notification, acknowledge and commence work on resolving the Error with an Error Correction. Provider will provide a workaround for the Error within twenty-four (24) hours after such notification and an Error Correction within forty-eight (48) hours after such notification. Provider will provide [*] with periodic reports (no less frequently than every four (4) hours) on the status of the Error Correction.

 

(c) Priority 3 Error. In the event of a Priority 3 Error, Provider will, within twenty-four (24) hours of notification, acknowledge and commence work on resolving the Error with an Error Correction. Provider will provide a workaround for the Error within one (1) week after such notification and an Error Correction within two (2) weeks after such notification. Provider will provide [*] with periodic reports on the status of the Error Correction.

 

(d) Priority 4 Error. In the event of a Priority 4 Error, Provider will acknowledge and commence work on resolving the Error with an Error Correction within one (1) week of notification. Provider will use best efforts to provide an Error Correction with the next maintenance release of the applicable software.

 

2.4 Maintenance. Provider will issue Error Corrections and other updates to the Offering (or applicable portions, applications, components or features thereof) (collectively, “Updates”) from time to time according to its development schedule, for which Provider maintains exclusive control. Provider will apply all Updates promptly.

 


 

Exhibit D

Travel and Expense Policy

 

[*] requires all members of any supplier (“Supplier”) providing services for [*] to exercise its best efforts to control reimbursable expenses and to follow these guidelines. The following guidelines will establish [*]’s policies regarding reimbursable and non-reimbursable expenses, proper forms of documentation for expense reimbursement, and limitations on reimbursement. These guidelines will act as a quick reference sheet listing certain acceptable and non-acceptable reimbursable expenses for Suppliers. These lists are not intended to be inclusive.

 

Under no circumstances will a Supplier be authorized to expense items for which a full-time staff member would not be authorized to expense. Additionally, it should not be assumed Supplier personnel will be reimbursed for every expense a full-time staff member would be reimbursed for.

 

International Travel

 

A. Medical Coverage and Duty of Care: During international travel, it is Supplier’s responsibility to provide sufficient coverage to Supplier personnel, as described below. Under no circumstances will [*] be liable for offering or paying for such coverage.

 

i) Medical coverage includes, but is not limited to:

 

a) Appropriate immunizations
b) MBA (medical benefits abroad)
c) Comprehensive global health insurance from any global service provider covering health, life, accident, dental, medical insurance and related health services

 

ii) Duty of Care includes, but is not limited to:

 

a) Medical care and assistance
b) Emergency services, including emergency reporting and evacuation services
c) Rescue services
d) Security services
e) Critical plan operations
f) Alarm notification systems and training
g) Applicable Supplier duties under the Duty of Care plan
h) Supplier accounting

 

Supplier will bear the cost of Duty of Care services, inclusive of systems, tools, protective equipment, and training for Supplier personnel.

 

B. Travel Documentation: Supplier will be responsible for obtaining all required travel documents for Supplier personnel including, but not limited to, visas and travel permits.

 

Domestic Travel

 

A. Duty of Care includes, but is not limited to:

 

a) Medical care and assistance
b) Emergency services, including emergency reporting and evacuation services
c) Rescue services
d) Security services
e) Critical plan operations
f) Alarm notification systems and training
g) Applicable Supplier duties under the Duty of Care plan
h) Supplier accounting

 

Supplier will bear the cost of Duty of Care services, inclusive of systems, tools, protective equipment, and training for Supplier personnel.

 


Domestic and International Travel:

 

Reimbursable Expenses (Not Inclusive)
 
Airfare: On domestic and North America flights Suppliers will fly via coach class to meeting site from assignment base. When flying internationally, excluding Canada and Mexico, Suppliers will fly one level above coach. First class air travel will not be accepted by [*]. Airline receipt required- itinerary, alone, is not sufficient. [*] has the option to arrange airfare through [*] travel if it will be a cost savings. A [*] staff member must charge this expense if arrangements are made by us.
Hotel: [*] has the option to arrange accommodations through [*] travel if it will be a cost savings. Individuals will use their credit card for payment. Room charges and tax are reimbursable.
Transportation: e.g., taxi to and from airport to hotel, and hotel to office, if applicable.
Meals (for self only): reasonable costs for breakfast & dinner while traveling on [*] business.
Phone: [*] related calls only, including local and long distance.
Cell Phone: [*] related calls only; no monthly charges.
Car Rental: not to exceed mid-size
Mileage (when applicable): 58.5 cents per mile or as defined in current IRS Mileage rates

 

Non-Reimbursable Expenses (Not Inclusive)
 
Expenses without receipts, regardless of value
Any expense not in connection with [*] business
Any estimated or unexplained expenses
Cell phones except as provided
Meal expenses not directly related to [*] business, unless as outlined above during business travel or lunch while travelling on [*] business.
Expenses incurred for personal business such as clothing/household items, travel items, etc.
Travel insurance including lost baggage ins.
Home computers, printers, related equipment
Extravagant meal expenditures
Electronic organizers
Fines for traffic or parking violation
Home Internet access
Laundry expenses
Theft of personal property
Airline club memberships
Lost airline ticket
Cost of beepers & pagers, unless specifically required by [*]
Expenses for staying at private residence of a friend or family member.
Personal phone calls
Upgrades on airline tickets
Expenses over 60 days
Car Rental of 2-Door Sports Vehicles, Sports Utility Vehicles, Vans and Minivans, Premium and Luxury Vehicles

 

Documentation

 

All costs will be verified by appropriate backup documentation in the form of original invoices and receipts. Photocopies or other forms of documentation will be accepted only when no other form of documentation is available, e.g., car services.
Reimbursement for airfare requires the boarding pass. Airline costs will not be reimbursed if the sole form of documentation is a travel itinerary or credit card billing slip.
An original itemized hotel bill is required for documenting lodging expenses. All hotel charges other than the basic room charge and tax will be identified separately on the hotel bill and expense report as follows: other room charges, tax, meals (breakfast or dinner), other charges (such as parking). Provide the business purpose of each lodging expense. Movie, mini-bar and similar charges are not reimbursable.
Restaurant expenses may be documented with original receipts; “tabs” or “chits” from the bottom of restaurant order pads are not acceptable documentation.
In the occasional event of the loss of a receipt, Supplier will document the expenditure with the best evidence available, usually a credit card statement receipt, and indicate on the statement that the receipt was lost.
Only actual costs will be reimbursed. No mark-up is permitted.

 


 

Reimbursable Expenses

 

Reimbursable costs will be documented in a form acceptable to [*], as outlined in this Exhibit. The following are acceptable reimbursable costs, subject to any limitations listed below.

 

Postage, and Next Day Express Mail charges when necessary.
Filing fees necessary to secure approvals of authorities having jurisdiction.
Charges for the normal and necessary reproduction of drawings or other documents needed for the Services. Reproduction charges for work done in-house by Supplier will not exceed charges for comparable work done by outside reproduction companies.
Renderings, models, or special photographic presentations, when requested in advance by the [*] local representative.
Standard photocopies or printings.
Miscellaneous supplies used in the preparation of presentation boards, drawings, etc.
Necessary long distance calls.
Conference calls arranged by Supplier.
Travel Expenses. The following travel, lodging and meal expenses will be reimbursable when Supplier is traveling outside of the Services city area, in connection with the Services and as approved by the [*] authorized representative, subject to the guidelines set forth below: Supplier will be responsible for attending an annual review meeting at no cost to [*].

 

Air Travel. Supplier is encouraged to seek competitive airfares and wherever possible to schedule air travel in advance to take advantage of reduced fares. In most instances this is assumed to be two to three weeks in advance of travel where such notice is available. When flying domestically and to Canada and Mexico, the difference between coach and first class travel will be at Supplier’s expense. When flying internationally, excluding Canada and Mexico, the difference between business class (one level above coach) and first class travel will be at Supplier’s expense.
Automobile Rental/Public Transportation/Taxi/Car Service. These methods of transportation are all reimbursable transportation expenses when traveling out-of-town, subject to proper documentation. Generally, the least expensive appropriate transportation mode should be used. The use of cabs or radio dispatched car service is permitted where other transportation facilities are not available or are inappropriate to the circumstances; unsafe or clearly inconvenient. The cost of luxury limousine service will not be reimbursed.
Lodging. [*] intends that Supplier will select lodging accommodations in a cost-efficient manner that is both comfortable and safe. Movie, mini-bar and similar charges are not reimbursable.
Meals. Meals, with the exception of lunch, while traveling out-of-town on Services-related business are reimbursable, subject to proper documentation. Lavish or extravagant costs will not be reimbursed where circumstances do not warrant such expense.

 

Non-Reimbursable Expenses

 

Standard Overhead Expenses. The following standard overhead expenses are not reimbursable:

 

Laundry
Telephone access fees
Beepers/pagers, unless required and approved in advance by the [*] local representative
Cellular mobile phones for other than long-distance calls (as expressly provided herein)
Faxes
Stationery and supplies
Rent
Taxes
Office equipment, telephone equipment
Office utilities, telephone service, internet service, computer hardware, computer software
Electronic organizers (smartphones, tablets, PDAs, etc.)

 

Other Non-Reimbursable Expenses

 

Expenses older than 60 days
Personal entertainment
Airline club memberships
Membership rewards programs
Finance charges from any source, such as late fees, penalties or service charges on personal credit cards or lost or stolen credit cards fees
Cost of home computers, printers or related equipment
Home internet access costs
Theft of personal property, including articles stolen from a personal or rental car
Expenses incurred when staying at the private residence of a friend or family member
Lost airline ticket/processing fees for lost tickets
Hotel/motel mini bar, late night snacks, cocktails, movies, personal toiletry needs, newspapers and other incidentals personal in nature
Lavish or extravagant costs (e.g., very expensive restaurants or exclusive hotels) not warranted by the circumstances
Luxury limousine service
Fines for traffic or parking violations
Expenses incurred in connection with personal business, including clothing/household items (e.g., weather-related items such as umbrellas, overshoes, overcoats, etc.), personal expenses associated with travel (e.g., babysitters, kennel fees and house-sitters), and travel items (e.g., briefcases, luggage)
Any estimated or unexplained expenses

 


 

Exhibit E

Third Party Supplier Information Security Requirements

 

References in this Exhibit to: (a) “Supplier” will be deemed to be references to Provider, and (b) “[*]” and “[*] member firm” will be deemed to be references to the [*] Entities.

 

1. Definitions.

 

The following terms used in this Exhibit have the following meanings:

 

1.1 “anonymised” means data from which all personal data has been removed, so that it is no longer possible to re-identify an individual from the information; taking into account all means reasonably likely to be used by the supplier or anyone else to re-identify an individual.

 

1.2 “data breach” means a breach of security leading to the accidental, unlawful, or unauthorised destruction, loss, alteration, disclosure of, or access to, [*] member firm data.

 

1.3 “Demilitarized Zone” means a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network (e.g. the Internet). An external network node can only access what is exposed in the DMZ, while the rest of the network is firewalled.

 

1.4 “personal data” means any information, including information in electronic form, relating to a living person who can be identified (a) from those data or (b) from those data and the use of additional information, taking into account all means reasonably likely to be used by anyone to identify the person directly or indirectly; and includes, without limitation, first and last names, ID numbers, including government-issued identifiers, personal dates such as birthdates, email addresses, location data, internet protocol address or other online identifiers and information concerning race, ethnicity or mental or physical health. For clarity, personal data includes personal data that is publicly available and excludes personal data that has been anonymised so that it is no longer possible to re-identify an individual from the information; taking into account all means likely reasonably to be used by the supplier or anyone else to re-identify an individual.

 

1.5 “Privileged User” means a user who has been allocated powers within the computer system which are significantly greater than those available to the majority of users.

 

1.6 “processing” means any operation or set of operations performed upon [*] member firm information, including personal data, whether or not by automatic means. This includes operations such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

 

1.7 “risk assessment” means a planned activity undertaken to identify information security risks, evaluate their potential impact and likelihood, including their impact on individuals who are the subject of any personal data, and compare to established risk criteria for acceptance or remediation.

 

1.8 “risk treatment” means actions taken to address identified information security risks, such as implementing or enhancing controls to remediate risks or accepting risks based on risk criteria.

 

1.9 “sanitized” means when data in a development or test environment is disguised by overwriting it with realistic looking, but false, data of a similar type (e.g. by masking or substitution techniques, etc.)

 

2. Information Security Controls

 

A. Risk Assessment and Treatment

 

A.1 Supplier must perform a risk assessment periodically and upon significant organisational, IT or other relevant changes. Supplier must document results of the risk assessment.

 

A.2 Supplier must document and implement a risk treatment plan based on the results of the risk assessment.

 


 

B. Management Direction for Information Security

 

B.1 Supplier must implement an information security policy that is:

 

a. Comprehensive in nature, addressing the information security risks and controls identified through the risk assessment process, for each area of information security (i.e. user access, system development and change, business continuity, etc.) Supplemental policies should be developed and implemented as appropriate.

 

b. Reflective of the requirements of applicable laws, including applicable data protection laws.

 

c. Approved by management.

 

d. Published and communicated to all employees and, as appropriate, third-party contractors.

 

e. Reviewed and updated at least annually to address (i) relevant organisational changes, (ii) contractual requirements owed to [*], (iii) identified threats or risks to information assets, and (iv) relevant changes in applicable laws and regulations.

 

B.2 Supplier must have a specific function, composed of suitably qualified information security specialists, to lead the information security management programme. The specific function must be ratified and supported by the Supplier business leadership. Responsibilities must include:

 

a. Developing and maintaining the security policy and any supplemental requirements; and

 

b. Identifying accountability for the execution of information security activities.

 

B.3 Supplier management must require employees and third-party contractors with access to [*] member firm information to commit to written information security, confidentiality, and privacy responsibilities with respect to that information. These responsibilities must survive termination or change of employment or engagement.

 

B.4 Conflicting duties and areas of responsibility must be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of [*] member firm information.

 

C. Human Resource Security

 

C.1 Background verification checks on employees or third-party contractors that have access to [*] member firm data, including personal data, must be performed in accordance with relevant laws, regulations and ethical requirements and must be performed for each individual at least upon initial hire, unless prohibited by law. The level of verification must be appropriate according to the role of the employee or third-party contractor, the sensitivity of the information to be accessed in the course of that person’s role, and the risks that may arise from misuse of the information. The following checks must be performed for each individual at least upon initial hire, unless prohibited by law:

 

a. Identity verification;

 

b. Criminal history;

 

c. Employment history; and

 

d. Education verification.

 

C.2 Supplier must provide information security awareness training to employees and relevant third-party contractors upon hire and at least annually thereafter. Training must:

 

a. Be updated to include changes in organizational policies and procedures.

 

b. Be relevant to trainee job functions.

 

c. Communicate the formal disciplinary process in effect when personnel commit an information security breach or data breach.

 

d. Include specific data protection training for personal data, where required by law or regulation.

 

e. Include phishing awareness either by simulations or explicitly in an annual course.

 

D. Access Control

 

User Access Management

 

D.1 Supplier must implement formal, documented access control policies to support creation, amendment and deletion of user accounts for systems or applications holding or allowing access to [*] member firm information.

 

D.2 Supplier must implement a formal, documented user account and access provisioning process to assign and revoke access rights to systems and applications. User account privileges must be allocated on a “least privilege” basis and must be formally authorized and documented.

 

D.3 The use of “generic” or “shared” accounts must be prohibited without system controls enabled to track specific user access and prevent shared passwords.

 


 

D.4 Privileged User access must be:

 

a. Restricted to users with clear business need.

 

b. Assigned to a separate user account, to be used only for the time period required to complete the necessary task.

 

c. Segregated appropriately (e.g. code migration, security administration, audit log permissions, production support administration, etc.)

 

d. Captured by system logs and periodically reviewed.

 

e. Accomplished via multi-factor authentication.

 

D.5 Supplier must monitor and restrict access to utilities capable of overriding system or application security controls. Administrator access rights to workstation endpoints must be restricted.

 

D.6 System and application owners must review user access rights for appropriateness, at least on a quarterly basis.

 

a. Inappropriate access must be revoked upon identification.

 

b. Accounts on systems and applications storing or enabling access to [*] member firm information must be disabled upon 30 days of inactivity. All other accounts must be disabled upon 90 days of inactivity.

 

c. Access modification confirmation must be communicated to system owners when complete.

 

D.7 User access rights to systems and applications storing or allowing access to [*] member firm information must be removed upon termination or change of employment responsibilities. Specifically, user access rights must be:

 

a. Removed within 24 hours, upon termination of employment.

 

b. Reviewed and adjusted within one week, upon change of employment responsibilities.

 

D.8 User access to systems and applications storing or allowing access to [*] member firm information must be controlled by a secure logon procedure. To support this, Supplier must implement the following controls for user authentication:

 

a. Each user account ID must be unique.

 

b. Each user account must have a password.

 

c. Passwords must be echo-suppressed on screen or masked on print-outs.

 

d. If set by system administrator, initial password issued must be random and must be changed by the user upon first use.

 

e. Users should set their own passwords as part of a password management system.

 

f. Passwords must be treated as confidential data and must be encrypted upon transmission.

 

g. Password policy must:

 

i. Restrict reuse of passwords for at least eight (8) previous versions.

 

ii. Enforce password changes at least every 90 days.

 

iii. Enforce account lock-out after five (5) failed login attempts.

 

iv. Require password complexity. Passwords must be a minimum of 10 alphanumeric characters and must include a mix of upper- and lowercase characters with at least one (1) numeric and one (1) special character.

 

h. Passwords must be stored using a one-way encryption mechanism.

 

i. Service account passwords must be at least 20 characters in length and must be configured to prevent interactive logon.

 

j. For [*] end users, Supplier must support either integration with [*] approved authentication mechanisms or multi-factor authentication.

 

Physical Access Management

 

D.9 Physical access to facilities where [*] member firm information is stored or processed must be restricted to authorised personnel.

 

Controls must include all of the following, unless prohibited by law:

 

a. Strong locks enabled by key pads or swipe card technology;

 

b. Locked windows and doors for vacant facilities and for facilities during non-operating hours;

 

c. Functional alarm systems and on-premise security guards at all times;

 

d. Photographic identification cards worn visibly, clearly designating employee, third-party contractor, or visitor;

 

e. Visitor registration by on-premise security guards;

 

f. Visitor escort at all times while in areas where [*] member firm information is stored or processed;

 

g. Documented periodic review of physical access logs and access control lists; and

 

h. Employed surveillance techniques (e.g. CCTV) to monitor sensitive physical locations (e.g. delivery and loading areas). Sensitive physical locations should be isolated from the rest of the facility where possible.

 

Protection of Equipment

 

D.10 Equipment storing or processing [*] member firm information must be located within a dedicated, secured and isolated facility (e.g. data centre, server room). Power and telecommunications cabling carrying data or supporting information services must be protected from interruption, interference, or damage.

 

D.11 Information processing equipment and storage media containing [*] member firm information must be protected during physical transport. In particular:

 

a. Authorized couriers must be used.

 

b. Adequate insurance must be maintained.

 

c. Packaging must be secured appropriately, based upon the relevant data classification.

 

d. Transportation of [*] member firm information must be approved by the member firm.

 

D.12 Users must protect unattended sessions and equipment. After, at most, 20 minutes of inactivity:

 

a. System and application sessions must automatically terminate.

 

b. Password protected screen savers (e.g. locked screens) must activate. Additionally, a clear desk and clear screen policy must be enforced.

 

D.13 Printers must require authentication controls to reduce the opportunity for unauthorized access to [*] member firm information.

 

D.14 Controls must be implemented to protect equipment, information, and assets located off-premise and/or during remote access sessions such as teleworking or remote administration.

 

a. Teleworking, mobile device, and removable media policies must be implemented and enforced.

 

b. Supplier must encrypt remote access communications to systems or applications containing [*] member firm data and must require a minimum of multi-factor authentication, Virtual Private Networking (VPN) device access or equivalent, and restricted ports and protocols.

 

c. Personally owned and managed equipment must not be used to access or store [*] member firm data. A BYOD model must be controlled by the Supplier and contain controls commensurate with those on corporate-owned devices.

 

d. Removable and/or mobile device drives storing [*] member firm data must be encrypted.

 

D.15 Supplier must implement procedures to ensure that [*] member firm information, including personal data, is securely destroyed when no longer needed for the purposes authorised by [*]. In particular:

 

a. Secure erasure of [*] member firm information must be confirmed prior to asset destruction and disposal.

 

b. Supplier must maintain records of destruction.

 

c. Supplier must require any third parties engaged to process [*] member firm information to securely dispose of the information when no longer needed for the services they are required to deliver.

 

Environmental Control

 

D.16 Supplier must implement environmental controls to protect personnel and equipment used to process or store [*] member firm information, including personal data. These controls must include all of the following, unless prohibited by law:

 

a. Fire suppression systems must be installed, actively maintained, and periodically tested.

 

b. Temperature and humidity controls must be installed within a data centre or server room environment.

 

c. Arrangements must be maintained with authorities for active response to civil unrest or natural disasters.

 

d. Backup power technology (e.g. Uninterruptible Power Supply, diesel generator, separate grid connection) must be installed, actively maintained, and periodically tested.

 

D.17 Supplier must perform an assessment of environmental risks before processing any [*] member firm information, which must include assessment of the threats of natural and man-made disasters. Appropriate physical protections for facilities storing [*] member firm information must be implemented, taking into account the results of the environmental risk assessment, state-of-the-art technology available, and the costs of implementing such measures.

 

E. Asset Management

 

E.1 Assets that store or process [*] member firm data must be identified and included within an asset register. At a minimum, version, license, and ownership information must be included for each asset within the register.

 

E.2 Information assets must be classified according to asset value, criticality, sensitivity, and the risks resulting from unauthorised disclosure of the information. Procedures for labelling and handling information assets must be developed for each asset classification.

 

E.3 Employees and third-party contractors must agree to documented policies for the acceptable use and handling of assets. Assets must be returned immediately upon termination of employment, and return of assets must be tracked and verified.

 

E.4 Supplier must implement formal, documented system hardening procedures and baseline configurations. Unsupported software or hardware must not be used.

 

F. Communications Security

 

Network Security

 

F.1 Supplier must segregate network systems containing [*] member firm data from network systems supporting internal or other activity.

 

F.2 Supplier must logically segregate [*] member firm data within a shared service environment.

 

F.3 Supplier must secure network segments from external entry points where [*] member firm data is accessible.

 

a. External network perimeters must be hardened and configured to prevent unauthorized traffic.

 

b. External connections must terminate in a Demilitarized Zone (DMZ) and connections must be recorded in event logs.

 

c. Inbound and outbound points must be protected by firewalls and intrusion detection systems (IDS). Communications must be limited to systems strictly allowed, and if possible, intrusion prevention systems (IPS) must be used.

 

d. Ports and protocols must be limited to those with specific business purpose.

 

e. Web and application servers must be separated from corresponding database servers by the use of firewalls and separate physical hardware.

 

F.4 Supplier must implement access controls on wireless networks commensurate with the security level of external virtual private network (VPN) access points. Strong encryption and strong authentication (e.g. WPA2) must be used.

 

F.5 Supplier must synchronize system clocks on network servers to a universal time source (e.g. UTC) or network time protocol (NTP).

 

F.6 Supplier must implement Internet filtering procedures to protect end user workstations from malicious websites and unauthorized file transfers outside the network.

 

Cryptographic Controls

 

F.7 [*] member firm data, including personal data, must be encrypted at rest.

 

F.8 Supplier must implement cryptographic key management procedures that include:

 

a. Generation of cryptographic keys with approved key lengths.

 

b. Secure distribution, activation and storage, recovery and replacement / update of cryptographic keys.

 

c. Immediate revocation (deactivation) of cryptographic keys upon compromise or change in user employment responsibility.

 

d. Recovery of cryptographic keys that are lost, corrupted or have expired.

 

e. Backup and archive of cryptographic keys and maintenance of cryptographic key history.

 

f. Allocation of defined cryptographic key activation and deactivation dates.

 

g. Restriction of cryptographic key access to authorised individuals.

 

h. Complying with local legal and regulatory requirements.

 

Information Exchange and Transfer

 

F.9 [*] member firm data, including personal data, must be encrypted during transmission across networks, including over untrusted networks (e.g. public networks) and when writing to removable devices. Supplier must use platform and data-appropriate encryption (e.g., AES-256) in non-deprecated, open/validated formats and standard algorithms. SSL certificates used for encryption in transit must be obtained from an acknowledged certification authority.

 

Cloud Controls

 

F.10 Supplier must encrypt data during transmission between each application tier and between interfacing applications.

 

F.11 Cryptographic keys must be supplied and governed by the [*] member firm (e.g. creation, rotation, and revocation). Management and usage of cryptographic keys must be segregated duties.

 

F.12 Where technically feasible, Supplier must integrate with [*]’s Cloud Access Security Broker (CASB).

 

G. Operations Security

 

Service Management

 

G.1 Supplier must implement formal operating procedures for system processes impacting [*] member firm data. Procedures must track author, revision date and version number, and must be approved by management.

 

G.2 Supplier must define capacity requirements and monitor service availability.

 

Vulnerability Management

 

G.3 Supplier must perform annual penetration testing for systems and applications that store or allow access to [*] member firm data, including personal data. Identified issues must be remediated within a reasonable timeframe.

 

G.4 Supplier must implement a patch and vulnerability management process to identify, report and remediate vulnerabilities by:

 

a. Implementing vendor patches or fixes.

 

b. Developing a remediation plan for critical vulnerabilities. The plan must be approved by the risk owner and implemented within 30 days.

 

G.5 Supplier must implement controls to detect and prevent malware, malicious code and unauthorised execution of code. Controls must be updated regularly with the latest technology available (e.g. deploying the latest signatures and definitions).

 

Logging and Monitoring

 

G.6 Supplier must generate administrator and event logs for systems and applications that store or allow access to [*] member firm data.

 

a. Logs must be archived for a minimum of 180 days.

 

b. Logs must capture date, time, user ID, device accessed and port used.

 

c. Logs must capture key security event types (e.g. critical files accessed, user accounts generated, multiple failed login attempts, events related to systems that have an internet connection).

 

d. Access to modify system logs must be restricted.

 

e. Logs must be provided to [*] upon request.

 

G.7 Supplier must review system logs periodically (minimum every 30 days) to identify system failures, faults, or potential security incidents affecting [*] member firm information. Corrective actions must be taken to resolve or address issues within any required timeframes.

 

H. System Development, Acquisition, and Maintenance

 

H.1 The hardware, software, and service procurement process must be documented and include identification and evaluation of information security risks.

 

H.2 Supplier must implement formal, documented change control procedures to manage changes to information systems, supporting infrastructure, and facilities.

 

a. Major changes impacting [*] member firm data or supporting systems must be communicated to [*] 30 days prior to implementation.

 

b. Acceptance criteria must be established for production change approval and implementation.

 

c. Stakeholder approval must be provided prior to change implementation.

 

H.3 Supplier must logically or physically separate environments for development, testing, and production. User access to environments and [*] member firm information, including personal data, must be restricted and segregated, based on job responsibilities. User access to program source code must be restricted and tracked.

 

H.4 Secure system engineering and coding practices must be established, documented and integrated within the system development life cycle (SDLC). Developers must attend secure development training periodically.

 

H.5 System and application changes must undergo testing and meet defined acceptance criteria prior to implementation. Testing must include relevant security controls.

 

H.6 [*] member firm production data must not be used within a test environment. If usage is unavoidable, data must be sanitized, and any personal data must be anonymised, prior to use.

 

H.7 Source code must undergo security scan and vulnerability remediation prior to implementation.

 

H.8 Post-implementation testing must occur subsequent to system changes, to validate that existing applications and security controls were not compromised.

 

H.9 Supplier must monitor outsourced system development activities, subject to third party supplier management controls.

 

I. Third Party Supplier Management

 

I.1 Supplier contractual agreements with third parties handling [*] member firm information must include appropriate information security, confidentiality, and data protection requirements, as detailed in the Agreement. Agreements with such parties must be reviewed periodically to validate that information security and data protection requirements remain appropriate.

 

I.2 Supplier must review its third parties’ information security controls periodically and validate that these controls remain appropriate according to the risks represented by the third party’s handling of [*] member firm information, taking into account any state-of-the-art technology and the costs of implementation.

 

I.3 Supplier must restrict third party access to [*] member firm data, including personal data. When access to [*] member firm data is necessary for performance of the contracted service, Supplier must:

 

a. Provide the [*] member firm a list of third parties with required access to [*] member firm data, including personal data.

 

b. Permit access to [*] member firm data, including personal data, only as necessary to perform the services that the third party has contractually agreed to deliver.

 

c. Record third party access to [*] member firm data, including personal data, within system logs, subject to Supplier controls for logging and monitoring.

 

J. Incident Management

 

J.1 Supplier must implement a formally documented incident management policy that includes:

 

a. Clearly defined management and user roles and responsibilities.

 

b. Reporting mechanism for suspected vulnerabilities and events affecting the security of [*] member firm data, including personal data (including reporting of suspected unauthorised or unlawful access, disclosure, loss, alteration, and destruction of [*] member firm data).

 

c. Procedures for assessment of, classification of, and response to, security incidents. Response procedures must be implemented within a reasonable timeframe and proportionate to the nature of the security incident and the harm, or potential harm, caused.

 

d. Procedures for notification to relevant authorities as required by law and the [*] member firm, within the timeframes specified in the Agreement.

 

e. Procedures for forensic investigation of a security incident.

 

f. A process for incident and resolution analysis designed to prevent the same, or similar, incidents from happening again.

 

J.2 Supplier must maintain a security incident tracking system that documents the following items for each security incident affecting [*] member firm data:

 

a. Incident type, including how and where the incident occurred;

 

b. Whether there has been any unauthorised or unlawful access, disclosure, loss, alteration or destruction of [*] member firm data, including personal data;

 

c. The [*] member firm data affected by the incident, including the categories of any personal data affected;

 

d. The time when the incident occurred, or is estimated to have occurred; and

 

e. Remediation actions taken to prevent the same, or similar, incidents from happening again.

 

Incident documentation must be reviewed quarterly to validate response and resolution.

 

J.3 Supplier must support any investigation (e.g. by the [*] member firm, law enforcement or regulatory authorities) that involves [*] member firm data. Forensic procedures must be developed to support incident investigation.

 

a. Engagement with a forensic specialist should be considered.

 

b. Integrity of event and system log data must be forensically maintained.

 

c. Local legal requirements must be followed.

 

K. Resilience

 

K.1 Supplier must perform business continuity risk assessment activities to determine relevant risks, threats, impacts, likelihood, and required controls and procedures.

 

K.2 Based on risk assessment results, Supplier must document, implement, annually test and review Business Continuity and Disaster Recovery (BC/DR) plans to validate the ability to restore availability and access to [*] member firm data in a timely manner, in the event of a physical or technical incident that results in loss or corruption of [*] member firm data. BC/DR plans must include:

 

a. Availability requirements for [*] member firm services, specifying critical systems and agreed upon recovery points (RPO) and recovery time objectives (RTO).

 

b. Clearly defined roles and responsibilities.

 

c. Provisions for a geographically separate alternate site subject to physical and environmental controls.

 

d. Backup and restoration procedures that include sanitation, disposal or destruction of data stored at the alternate site.

 

K.3 Information backup procedures and media must include:

 

a. Strong encryption technology.

 

b. Integrity validation.

 

c. Reconciliation with disaster recovery requirements.

 

d. Secure offsite storage supporting availability requirements.

 

L. Audit and Compliance

 

L.1 Supplier must periodically review whether its systems and equipment storing or enabling access to [*] member firm data, including personal data, comply with legal and regulatory requirements and contractual obligations owed to [*].

 

L.2 Supplier must allow [*] member firm to monitor and assess adherence to contractual requirements, including information security controls. Supplier must make relevant documentation, reports, and/or evidence available for review upon [*]’s request.

 

L.3 Supplier management must review the technical and organisational controls implemented to protect [*] member firm data for compliance with agreed-upon information security controls at least annually and report results to senior management.

 

L.4 Supplier must maintain current independent verification of the effectiveness of its technical and organisational security measures (e.g. ISO certification, SOC2 Type 2, or other relevant industry recognized independent security review report). The independent information security review must be performed at least annually.

 

L.5 Supplier must comply with a documented termination or conclusion of service process.

 

a. Non-disclosure and confidentiality responsibilities with respect to [*] member firm information, including personal data, must remain in place following service agreement termination or conclusion.

 

b. A primary point of contact must be identified to support the service termination process.

 

c. Supplier must communicate agreement termination or conclusion to relevant employees and stakeholders.

 

d. Supplier must revoke access to systems and applications storing or allowing access to [*] member firm data promptly upon completion or termination of the service agreement.

 

e. Supplier must return hardware, software, middleware, documents, data, information and other assets owned or leased from the [*] member firm.

 

f. Supplier must issue certificates confirming the return and/or destruction of all copies of [*] member firm data, including personal data, in Supplier’s possession or control, including any information stored on backup media to the [*] member firm. Supplier will obtain certification of destruction of [*] member firm data from third-party contractors.

 

g. Supplier must cancel or return software licenses to the [*] member firm.

 

3. Additional IT Security Obligations

 

3.1 Supplier Access to [*] Network. All Supplier connectivity to [*] computing systems and/or networks and all attempts at same will be only through [*]’s security gateways/firewalls and only through [*] approved security procedures. Supplier will not access, and will not permit unauthorized persons or entities to access, [*] computing systems and/or networks without [*]’s express written authorization (and any such actual or attempted access will be consistent with any such authorization). Supplier will use the latest available, most comprehensive virus detection/scanning program as specified by [*] prior to any attempt to access any of [*]’s computing systems and/or networks and upon detecting a virus, all attempts to access [*]’s computing systems and/or networks will immediately cease and will not resume until any such virus has been eliminated.

 

3.2 Supplier Access to [*] Systems. Supplier personnel will have such reasonable access to [*] offices, computing systems and network as and to the extent necessary to provide the Services in accordance with the terms of this Agreement, as long as it provides reasonable prior notice to [*] in writing of such needs and [*] approves same, or as set forth in the applicable Order or SOW.

 

3.3 Disaster Recovery. Throughout the Term, Supplier will maintain a commercially reasonable disaster recovery plan, periodically update and test the operability of its plan no less than every twelve (12) months and will certify to [*] following such update and testing that the disaster recovery plan is fully operational. Such plan will include, at a minimum, that (i) Supplier will notify [*] in writing within four (4) hours of any disaster that could materially and negatively impact [*]’s access to the Services (the “Disaster Notice”); (ii) Supplier will provide [*], within twenty-four (24) hours of such Disaster Notice, a plan to continue providing the Services in accordance with this Agreement; and (iii) the Services will be fully operational within seventy-two (72) hours of the initial Disaster Notice. In the event of a disaster (including any event that constitutes a force majeure event), Supplier will implement all necessary disaster recovery plans. In the event of such a disaster, Supplier will not increase any fees charged under this Agreement. [*] reserves the right to audit Supplier’s compliance with such disaster recovery plan once per year during the Term.

 

3.4 Application Data Security. Supplier will allow [*] to perform a source code review (or Supplier will, at Supplier’s cost, allow a mutually agreed upon third party to perform static analysis of) applicable source code prior to the initial transfer of any live [*] data or information into the Supplier environment. Supplier will provide [*] with results summarizing the raw data results, including vulnerability totals and brief descriptions of the results. Supplier will not adjust the risk ratings of any issues without a full explanation to [*] of the reasoning for adjustments.

  

a. [*]’s source code review (or the third party static source code analysis), [*]’s review of the analysis results, service level standards for vulnerability remediation and verification of remediated vulnerabilities must be complete and satisfy [*] security requirements prior to any transfer of [*] information to the Supplier environment.

 

b. The [*] source code review (or third party static source analysis, at Supplier’s cost) and subsequent [*] review of the results will be performed again each time there is a major release of the code which affects database schema and/or user access parameters. Supplier will inform [*] of any such release and take such steps as necessary to remediate any identified vulnerabilities. [*] at its own expense may request a source code review of the Software at any time (and Supplier will allow [*] to conduct such review).

 

c. Any vulnerabilities discovered during any such analysis that are defined by [*] as “critical” or “high” severity findings must be remediated within thirty (30) days. All other vulnerabilities that do not fall within these categories must be remediated within ninety (90) days. If Supplier fails to remedy any “critical” or “high” severity findings to [*]’s satisfaction within thirty (30) days from its discovery and/or [*]’s written request, [*] may terminate this Agreement for Supplier’s uncured breach.

 

3.5 Network and Application Attack; Penetration Testing and Application Vulnerability Scans. Supplier will perform network and application penetration testing at least annually or when significant changes have been made to the network and/or Offering. Application vulnerability scans must be performed on a monthly basis. Upon request by [*], Supplier will provide complete testing results (which will include the number of critical, high and medium findings, the name of the third party tester and date of such third party testing) of (i) network and application penetration testing, and (ii) application vulnerability scans. Any vulnerability discovered during the testing or scanning which is defined by [*] as “critical” or “high” must be remediated within thirty (30) days. All other vulnerabilities that do not fall within these categories must be remediated within ninety (90) days. If Supplier fails to remedy any “critical” or “high” severity findings to [*]’s satisfaction within thirty (30) days from its discovery and/or [*]’s written request, [*] may terminate this Agreement for Supplier’s uncured breach.

 

3.6 Supplier Audit. Notwithstanding any contrary provision herein, [*]’s internal and external auditors, attorneys, accountants and Regulators (as defined below), in connection with an examination of [*] or to ensure compliance with the terms of this Agreement, will each have the right to (i) examine all records and materials of Supplier pertaining to the Services provided under this Agreement, including, to the extent applicable to the Services provided under the Agreement, an examination of the operation of Supplier’s equipment, (ii) take extracts from any such records and materials (redacted to remove references to matters other than those related to the Services provided under this Agreement), (iii) visit and inspect Supplier’s premises, (iv) interview employees and subcontractors of Supplier, (v) run computer programs and perform any other functions necessary for control assessment and/or investigations, (vi) verify the integrity of [*]’s data, (vii) examine the systems that process, store, support and transmit that data, and (viii) examine Supplier’s performance of its duties and Services under this Agreement, including, to the extent applicable to this Agreement, audits of practices and procedures, systems, applications development and maintenance procedures and practices, general controls (e.g., organizational controls, input/output controls, system modification controls, processing controls, system design controls, and access controls) and security practices and procedures, disaster recovery and back-up procedures. Supplier will provide to such auditors, attorneys, accountants and Regulators such assistance as they reasonably require, including installing and operating audit software. For the purposes of this Section, “Regulators” means any representatives of any regulatory agency, any taxing authority, or any private entity that functions in a quasi-regulatory manner, having jurisdiction over [*] in connection with the agency’s, authority’s, or entity’s regulatory functions, including bank examiners, securities regulators, and their examiners, and futures regulators and their examiners.

 

Supplier will prioritize remediation efforts according to the severity of the risk findings identified during any audit by [*] and take prompt action to address all identified “high” or “critical” risk findings. Supplier will remediate or mitigate such “high” or “critical” risk findings within thirty (30) days of the completion of the audit by [*]. Supplier will correct “medium” risk findings within ninety (90) days of the completion of the audit by [*]. Supplier will correct all other identified vulnerabilities within one hundred eighty (180) days of the audit by [*].

 

3.7 Third Party Attestations. Supplier will provide a SOC2 Type II (“SOC”) audit report from independent auditors on an annual basis. The Trust Principles must include Security and Availability, and the scope must cover both the hosting facility and the Offering. Supplier will deliver the report to [*] annually upon its written request. Supplier will correct any “material weakness” and high or critical findings identified in such report and notify [*] of the correction of the deficiencies within thirty (30) days of the report. Supplier will provide [*] with a description of the plans to address any “significant deficiency” (SD) or medium risk findings noted in any report and reasonably remediate such findings within thirty (30) days of reporting to the extent practicable, and in no event later than ninety (90) days following reporting, and will provide [*] with a status report as to the execution of the plan on request. All control deficiencies (CD) or low risk findings must be remediated within ninety (90) days of reporting. Supplier will, within thirty (30) days of a [*] request, provide a letter identifying any significant changes in the control processes (including any additional security safeguards implemented or eliminated) since the date of the last SOC audit report delivered to [*] for the interim period between the date of such report and the end of such year (whether or not exceptions or qualifications were noted in the SOC audit report(s) for such fiscal year). In addition, Supplier will maintain an ISO 27001 certification. No more than annually and upon request from [*], Supplier will provide this certification along with confirmation of the asset scope and Statement of Applicability (SOA).

 

3.8 Availability of Reports to [*] Third Party Service Providers and Clients. To facilitate [*]’s ability to respond to certain requests relating to [*]’s use of the Offering, during the Term, and for as long as Supplier maintains [*] information as requested by [*], Supplier will furnish its then current SOC audit report(s) to governmental regulatory agencies, [*]’s third party service providers and no more than fifty (50) strategic clients designated by [*] each calendar year under [*]’s written confidentiality provisions with the client or third party which is no less protective than the standard of care [*] uses to protect its own Confidential Information; provided, that no such confidentiality requirement will apply to governmental regulatory agencies. Any additional requests by [*] for Supplier to provide its audit report(s) to more than fifty (50) of [*]’s strategic clients in any given year will be subject to Supplier’s consent, which will not be unreasonably withheld. To the extent that [*] or its third party service providers or clients have additional questions related to Supplier’s security audit attestations, Supplier will reasonably address such questions without delay.

 

3.9 Geographic Storage and Processing. Supplier acknowledges and agrees that [*] information may not be stored or processed outside the US unless requested by Supplier and approved by [*] in writing in an Order, SOW or amendment to this Agreement.

 

3.10 Access to System Records. Supplier will maintain (for an agreed upon length of time) and provide reasonable access to, all system records and logs processed through Supplier’s hosting environment on behalf of [*]. [*] will have the right to review and inspect any record of system activity relating to [*] upon reasonable prior notice.

 


[*] Confidential

 

Exhibit F

Insurance Requirements

 

Provider will procure and maintain for the duration of the contract insurance against claims for injuries to persons or damage to property which may arise from or in connection with the performance of the work hereunder by Provider, its agents, representatives, or employees. Provider will procure and maintain for the duration of the contract insurance for claims arising out of their professional services and including, but not limited to, loss, damage, theft or other misuse of data, infringement of intellectual property, invasion of privacy and breach of data. Coverage will include:

 

Type of coverage   Minimum Policy Limit

Commercial General Liability, Including Bodily Injury and Property Damage Liability, Independent Contractors Liability, Contractual Liability, Product Liability and Completed Operations Liability   $1,000,000 each occurrence, $2,000,000 general aggregate

Commercial Automobile Liability: Combined Single Limit including coverage for owned, hired and non owned vehicles   $1,000,000 each accident 1,000,000 for bodily injury and property damage

Workers’ Compensation   Statutory

Employers Liability: Bodily Injury by Accident   $1,000,000 each accident

Employers Liability: Bodily Injury by Disease   $1,000,000 each employee

Employers Liability: Bodily Injury by Disease   $1,000,000 policy limit

Umbrella or Excess Liability Coverage   $5,000,000 per occurrence and in the aggregate.

Technology Professional Liability (Errors and Omissions) Insurance or Cyber Risk Insurance   $5,000,000 per claim to be maintained for the duration of the contract and for five years following its termination. Coverage will be sufficiently broad to respond to the duties and obligations as are undertaken by Provider in this Agreement and will include, but not be limited to, claims involving infringement of intellectual property, including but not limited to, infringement of copyright, trademark, trade dress, invasion of privacy violations, information theft, damage to or destruction of electronic information, release of private information, alteration of electronic information, extortion and network security. The policy will provide coverage for breach response costs as well as regulatory fines and penalties as well as credit monitoring expenses with limits sufficient to respond to these obligations.

 

[*] and its officers, partners, employees, and volunteers are to be covered as additional insureds on the Commercial General Liability and Commercial Automobile insurance policies with respect to liability arising out of work or operations performed by or on behalf of the Provider. Such insurance must be primary as to any other valid and collectible insurance.

 

Provider hereby grants to [*] a waiver of any right to subrogation which any insurer of Provider may acquire against [*] by virtue of the payment of any loss under the Commercial General Liability, Commercial Automobile or Workers Compensation Insurance policies. Provider agrees to obtain any endorsement that may be necessary to affect this waiver of subrogation, but this provision applies regardless of whether or not [*] has received a waiver of subrogation endorsement from the insurer.

 

Any liability coverages on a “claims made” basis should be designated as such on the certificate.

 

Coverages and limits are to be considered as minimum requirements and in no way limit the liability of Provider.

 

Each insurance policy required above will provide that coverage will not be cancelled, except with notice to [*].

 

All policies will be written by carriers authorized to conduct business in the particular state in which the services will be provided and rated at least “A-” in A.M. Best’s Key Rating Guide.

 

Renewal certificates of insurance will be provided prior to commencing the services and annually thereafter until all work is completed.

 


 

Exhibit G

Background Screening Requirements

 

References in this Exhibit to “Supplier” will be deemed to be references to Provider.

 

Supplier will conduct background screening for any employee or subcontractor prior to deployment to a [*] site or a [*] client site; any employee or subcontractor who will have access to [*] networks or computing systems or [*] client networks or computing systems; and any employee or subcontractor who may have access to [*] data or [*] client data, including any support roles that may have access to or modify [*] data or client data, pursuant to this Agreement. Supplier will complete the background investigation of its employees and subcontractors prior to the individual’s start date with [*]. All background investigations must be completed with satisfactory results prior to allowing Supplier personnel and subcontractors to start with [*]. All background checks must be current within six (6) months of deployment of the Supplier employee or subcontractor. Additionally, Supplier shall ensure that Supplier’s background screening vendor conducts criminal checks using direct searches at local court and district level. Upon receipt and review of the results of the background investigation, Supplier will determine, based on the report, the individual’s skill set, prior experience, references and other job-related factors, whether the individual is suitable for a particular position with [*]. The decision should be made consistent with applicable state, federal and local laws, good judgment, and reasonable and sound business ethics. Should Supplier wish to place an individual with discrepant information* on their background report, they must escalate the case to [*]’s US OnBoarding Team. Supplier will ensure their background screening process is in compliance with all Fair Credit Reporting Act guidelines and all applicable state and local law. 
The background check disclosure and authorization form must state that the Supplier employee or Subcontractor also authorizes Supplier to share the results of any background check with any Supplier clients or customers with whom the employee or Subcontractor may be considered for engagement. Furthermore, Supplier agrees to indemnify [*] from any and all claims brought against [*] for any alleged violations of the Fair Credit Reporting Act and all similar applicable state and local laws.

 

BACKGROUND SCREENING REQUIREMENTS

 

The background investigation must, at a minimum, consist of the following search criteria:

 

Social Security Number Trace
Criminal History Records - 7 years
   County Level
   Federal Level
   State Level
   National Criminal Records Locator
Department of Motor Vehicle Records
Education Verification - highest degree earned
Employment Verification - 5 years
Government Watch Lists
Professional License/Certification, if applicable to assignment
National Sex Offender Registry

 

SCOPE OF SCREENING CRITERIA

 

Social Security Number Trace

 

This inquiry consists of a trace of the subject’s social security number in order to verify the subject’s identity (including other names used), valid Social Security Number issued by the Social Security Administration, current and previous address(s), and current and previous employer(s), when available.

 

* Discrepant information includes:

 

DOB not verified
SSN Number is listed on the death index
Name Not Verified
SSN Not Validated
SSN Not Verified

 


 

Criminal History Records

 

This inquiry consists of a criminal history record search under the subject’s name and all other names stated by the subject or developed during the course of the investigation. Searches will be conducted for the location of the subject’s stated and developed residence(s), employment and education location(s) during the past seven years and will cover the following:

 

a) County Level Criminal Records

This inquiry will cover criminal records and reports of misdemeanor and felony convictions and pending prosecutions for violations of local law

b) Federal Level Criminal Records

This inquiry will cover criminal records and reports of misdemeanor and felony convictions and pending prosecutions for violations of federal law

c) State Level Criminal Records

This inquiry will cover criminal records and reports of misdemeanor and felony convictions and pending prosecutions for violations of state & local law

d) National Criminal Records Locator

 

This inquiry will cover a database search which contains over 400 million records nationwide which are obtained from county, state, and federal entities.

 

*Discrepant information includes:

 

Any felony conviction.

 

Any misdemeanor conviction involving theft, financial impropriety, crimes of violence, weapons, and sale or distribution of controlled substances.

 

Any pending prosecutions for violations of local, federal, and state law.

 

National Sex Offender Registry

 

This inquiry consists of a nationwide review of registered sex offenders inclusive of 48 U.S. states, the District of Columbia, Puerto Rico and Guam. This search accesses public records information from each state regarding the presence or location of offenders, who, in most cases, have been convicted of sexually-violent offenses against adults and children.

 

*Discrepant information includes:

 

A confirmed listing on the national sex offender registry.

 

Department of Motor Vehicle Records

 

This inquiry consists of a state-wide check of the appropriate motor vehicle files based on the state of license issuance. The inquiry will cover the following:

 

a) verification of valid license

b) history of accidents and traffic violations and convictions

 

*Discrepant information includes:

 

An alcohol and/or drug related driving offense within the previous twenty-four month period.
  
Refusal to submit to a Blood Alcohol Content (BAC) test within previous twenty-four month period.
  
Conviction for Reckless Driving within previous twenty-four month period
  
Any combination of three or more moving violations or chargeable (at fault) accidents within the most previous twenty-four month period.
   
Leaving the scene of an accident as defined by state laws within the last seven years.
  
At fault in a fatal accident within the last seven years.
  
Felony committed involving a vehicle (Vehicular Homicide) within the last seven years.
  
Suspended, Revoked and Expired license.
  
A non-administrative restriction within the last twenty-four months (e.g., previous suspension, revocation due to drug related offense, reckless driving offense).

 

Note: In the event that a subject is considered a High Risk Driver, based on information developed as a result of this search, the subject will be required to complete a Motor Vehicle Safe Driving course in order to satisfy [*]’s requirements.

 


 

Education Verification

 

This inquiry consists of a verification of the highest diploma/degree earned by the subject. Additional academic experience will be verified upon request of the hiring practice unit. The inquiry will attempt to verify the following:

 

a) Period(s) of attendance

b) Period(s) of enrolment

c) Degree/diploma awarded

d) Major course of study

e) Overall GPA

 

*Discrepant information includes:

 

Degree cannot be confirmed.
  
Degree is from an unaccredited school or university.
  
Major course of study confirmed by school or university differs from what was reported by subject.

 

Employment

 

This inquiry attempts to verify all employment history during the last five years and verify the following:

 

a) Job title and salary

b) Dates of employment

c) Job performance and evaluation

d) Reason for separation

e) Eligibility for re-hire

 

*Discrepant information includes:

 

Employment cannot be verified.
  
Significant discrepancies in the dates of employment.
  
Significant discrepancies in the title.
  
Negative rehire status.

 

Government Watch Lists

 

This inquiry consists of a review of numerous government watch lists which include individuals, organizations, and companies that have been placed on a watch status by the United States Government, European Union, United Nations Security Council, World Bank or foreign governments. This search includes a review of the following lists, at a minimum, but may include others:

 

a) OFAC (Office of Foreign Assets Control)

 

This inquiry consists of a review of OFAC records consistent with the USA Patriot Act which requires that all Persons/Companies doing business in the U.S. comply with this requirement. OFAC is responsible for administering and enforcing economic and trade sanctions against certain nations, entities and individuals. OFAC maintains a listing of these restricted counter parties in a document called the Specially Designated Nationals and Blocked Persons List.

 

b) FBI - List of Ten Most Wanted Fugitives and Most Wanted Terrorists

c) OIG (Office of Inspector General) - List of Excluded Persons/Entities in the delivery of health care services.

d) GSA (US General Services Administration) - List of Parties Excluded from Federal Procurement and Non-procurement Programs.

 

e) Denied Persons List - List of individuals and entities that have been denied export privileges. Any dealings with a party on this list, that would violate the terms of its denial order, are prohibited.

 

*Discrepant information includes:

 

A confirmed listing on any of the Government watch lists.

 

OPTIONAL SEARCHES, IF APPLICABLE TO THE ASSIGNMENT

 

Professional Licenses/Certificates

 

This inquiry will consist of verification of all professional licenses or certificates reported by the personnel. Supplier will verify the following information for each such license or certificate:

 

a) The type of license or certificate (i.e., CPA, etc.)

b) The license or certificate number

c) The date of issuance and expiration of the license or certificate

d) The state of issuance of the license or certificate

e) The license or certificate status (e.g., active and in good standing).

 

*Discrepant information includes:

 

Required license or certificate cannot be verified.

 

Required license or certificate is assigned to another person.

 

Required license or certificate is expired, revoked, or suspended.

 

Required license or certificate has disciplinary actions.

 

ESCALATION PROCESS FOR DISCREPANT INFORMATION

 

If Supplier develops discrepant information on the background investigation for an individual they wish to place at [*], Supplier will be required to follow the required FCRA process and obtain the facts and circumstances related to the discrepant finding prior to escalating the matter to [*]’s US OnBoarding Team.

 

Supplier will then need to contact [*]’s US OnBoarding Team at [*] to arrange a meeting where the case can be discussed. Supplier should not provide [*] with any personal information related to the Supplier’s employee or subcontractor.

 

[*] US OnBoarding Team and Supplier will review and evaluate each case containing discrepant information on an individual basis to determine if Supplier’s employee or subcontractor is suitable for placement.

 

THE REMAINDER OF THIS PAGE IS INTENTIONALLY LEFT BLANK

 


 

CERTIFICATION OF BACKGROUND SCREENING

 

Upon review and approval of an individual’s background screening report, Supplier will complete the attached “Certification of Background Screening” letter, and return to [*], via e-mail, to the following addresses:

 

[*]

 

The e-mail subject line should include the contractor’s full name and Supplier’s company name, as follows:

Subject: Certification of Background Check for John Doe from ABC Company

For questions regarding this process, please contact a member of the [*]’s US Security Team at:

 

[*]

 

THE REMAINDER OF THIS PAGE IS INTENTIONALLY LEFT BLANK

 


 

[To be placed on Supplier’s letterhead]

 

Certification of Background Screening

 

To: [*]

From:

 

Date:  

 

RE: [Name of Supplier] Certification of Background Screening

 

This letter will serve as certification to [*] that [Name of Supplier] (“Supplier”) has conducted background screening on its personnel or subcontractor listed below who will be assigned to [*] site or a [*] client site; who will have access to [*] networks or computing systems or [*] client networks or computing systems; who may have access to [*] data or [*] client data, in conformance with the areas of inquiry set forth in the Agreement dated [Date] between Supplier and [*].

 

Supplier further certifies that the results of the screening produced no discrepant information sufficient to disqualify the placement of such personnel under contract to [*]. In conducting the foregoing screening, Supplier complied with the Fair Credit Reporting Act and all applicable state & local laws.

 

In addition, this letter certifies that the personnel listed below have complied with the employment eligibility verification requirements of the Immigration Reform and Control Act of 1986 (including obtaining a fully completed I-9 form, if applicable). Further, Supplier certifies that it is unaware of any facts to lead us to believe that same personnel is/are not authorized to work in the United States.

 

Name of Personnel Screened   Date Screening Completed   Name of Vendor

 

Name of Authorized Representative: ______________________________________________________

 

Title: _________________________ Tel. #: _______________________________________________

 

E-mail address: ______________________________________________________________________

 

Signature of Authorized Representative: ___________________________________________________

 


 

Exhibit H

DATA PROTECTION ADDENDUM

 

This Data Protection Addendum (this “Addendum”) is attached to and made a part of the Software-As-A-Service Agreement entered into between [*] (“[*]”) and Xyvid, Inc. (the “Supplier”), dated August 7, 2018, as amended, supplemented or otherwise modified by [*] and Supplier from time to time (the “Agreement”), under which the Supplier has agreed to provide [*] with the products and services (the “Services”).

 

If there is an inconsistency between any of the provisions of this Addendum and any other terms in the Agreement, the provisions of this Addendum will prevail. This Addendum will continue in force until the termination of the Agreement.

 

1. For the purposes of this Addendum, the following terms will have the following meanings:

1.1 “Controller” will have the meaning given to it by Regulation (EU) 2016/679 (General Data Protection Regulation) (the “Regulation”);

1.2 “Data Subjects” will have the meaning given to it by the Regulation;

1.3 “Personal Data” includes any information defined as personal data by the Regulation, and any other information, including information in electronic form, relating to a living person who can be identified (a) from those data or (b) from those data and the use of additional information, taking into account all means reasonably likely to be used by anyone to identify the person directly or indirectly; and includes, without limitation, first and last names, ID numbers, including government-issued identifiers, personal dates such as birthdates, email addresses, location data, internet protocol address or other online identifiers and information concerning race, ethnicity or mental or physical health;

1.4 “Personal Data Breach” will have the meaning given to it by the Regulation; and

1.5 “Process” or “Processor” will have the meaning given to them by the Regulation.

 

2. Supplier will comply with all data protection legislation applicable to it (“Data Protection Law”) and will not cause [*] to violate Data Protection Law. In the event of any ambiguity in this Addendum, it will be construed in a manner that allows the parties to comply with applicable Data Protection Law.

3. [*], or a client of [*], is the Controller and the Supplier is the Processor or sub-Processor in respect of all Personal Data Processed by the Supplier (“Protected Personal Data”) under the Agreement. The description of the Processing is set out in Annex 1 to this Addendum.

4. The Supplier will, and will procure that any of its employees or agents will, only Process Protected Personal Data in accordance with the Agreement and documented instructions received from [*] and solely for the purpose(s) for which such Personal Data was disclosed by [*]. If the Supplier is legally required to Process Protected Personal Data other than as instructed by [*], it will notify [*] in writing before such Processing occurs unless the law requiring such Processing prohibits Supplier from notifying [*], in which case it will notify [*] as soon as that law permits it to do so.

5. The Supplier will implement appropriate technical and organizational security measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Protected Personal Data. Those security measures will include the requirements set forth in the Agreement, including without limitation Exhibit E of the Agreement (Third Party Supplier Information Security Requirements) (the “Information Security Requirements”). For the avoidance of doubt, Supplier’s obligations under this Addendum will be in addition to, and will not limit, Supplier’s Information Security Requirements.

 


 

6. The Supplier will: (a) assist [*] with the fulfilment of [*]’s obligation to respond to requests exercising a data subject’s rights as set out in Data Protection Law; (b) assist [*] in ensuring compliance with the Regulation, including with [*]’s obligations to investigate, remediate and provide information to regulators or Data Subjects about Personal Data Breaches without undue delay, to carry out data protection impact assessments and to consult with regulators regarding Processing which is the subject of a data protection impact assessment; (c) make available to [*] or [*]’s client, as applicable, all information necessary to demonstrate compliance with Data Protection Law, including all required records of Processing; and (d) allow for and contribute to audits, including inspections and information requests, conducted by [*] or an auditor mandated by a supervisory authority, [*] or [*]’s client, as applicable.

7. The Supplier will promptly notify [*] in writing about any instruction from [*] which, in its opinion, infringes Data Protection Law.

8. The Supplier is permitted to subcontract its Processing of Protected Personal Data on behalf of [*] in accordance with all relevant provisions of the Agreement to the approved sub-contractors named in Annex 1. Upon written notification, the Supplier may change or add to the list of approved sub-contractors provided that [*] does not object to the proposed new sub-contractor. Supplier will impose the same obligations as set forth on this Addendum on any subcontractor that Processes Protected Personal Data on behalf of Supplier under the Agreement.

 

The Supplier may provide the Services in and from locations outside the European Economic Area (the “EEA”), and [*] authorizes the Supplier to Process Protected Personal Data outside the EEA. The Standard Contractual Clauses for the transfer of Personal Data to Processors established in third countries approved by European Commission Decision of 5 February 2010, and contained in Annex 2 (“EU Model Clauses”) are deemed incorporated into this Addendum and will apply to any Processing of Protected Personal Data that takes place outside the EEA. For the purposes of the EU Model Clauses, [*] will be regarded as the data exporter, and the Supplier will be regarded as the data importer. To the extent of any inconsistency between this Addendum or the Agreement and the EU Model Clauses, the EU Model Clauses will prevail.

 

9. The Supplier will (a) Process all Protected Personal Data that has been transferred pursuant to the Privacy Shield, if any, solely in accordance with the principles of the EU-US Privacy Shield Framework (available at https://www.privacyshield.gov/EU-US-Framework), including, without limitation, the principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability, and the supplemental principles (collectively, the “Privacy Shield Principles”); and (b) process all Protected Personal Data solely in a manner consistent with [*]’s obligations under the Privacy Shield Principles.

10. The Supplier agrees to notify [*] without undue delay in the event that the Supplier is no longer able to meet any of the obligations in this Addendum and will immediately cease Processing and remediate any such inabilities to come into compliance with the requirements set forth in this Addendum.

11. In addition to the obligations detailed above, [*] and Supplier have agreed to other terms in the Agreement, which may impose obligations on Supplier relating to Supplier’s Processing of Protected Personal Data. The following provisions in this Section 11 apply only to the extent they either (a) do not exist in the Agreement or (b) provide more protection to [*] or Protected Personal Data than existing provisions in the Agreement, in which case the more protective portions of each respective provision will apply to Supplier’s Processing of Protected Personal Data.

11.1 In the event of a Personal Data Breach or other security incident which may affect Protected Personal Data or Supplier’s systems used to Process Protected Personal Data (each a “Security Incident”), the Supplier will notify [*] without undue delay, but no less than 72 hours after becoming aware, in writing upon becoming aware of the Security Incident. Supplier will provide [*] with all information about the Security Incident requested by [*]. After providing notice, the Supplier will investigate the Security Incident; take necessary steps to eliminate, contain, and remediate the impact of the Security Incident; and keep [*] advised of the status of the Security Incident and all related matters.

11.2 The Supplier will ensure that its personnel who have access to Protected Personal Data (a) are informed of the confidential nature of Protected Personal Data and subject to documented confidentiality obligations with respect to Protected Personal Data; (b) have received adequate training and/or instruction on the care and handling of Protected Personal Data; and (c) are aware of the Supplier’s duties and their personal duties and obligations under the Agreement and this Addendum.

11.3 The Supplier will, at [*]’s choice, delete or return all Protected Personal Data after expiration or termination of the Agreement, unless otherwise required by law.

 


 

Annex 1: Description of Processing

 

1. Subject Matter, Nature and Purpose

 

The processing consists of and is carried out for the following purposes:

 

To fulfil the duties of the Supplier as set out in the Agreement

 

The processing may be conducted in the following countries:

 

All processing of data is in the USA.

 

2. Duration

 

The duration of the processing will be the same as the duration of the provision of Services under the Agreement.

 

3. Categories of Individuals

 

The Personal Data processed relates to the following categories of individuals: [*] employees

 

4. Types of Personal Data

 

The Personal Data processed consists of the following categories:

 

Information necessary to fulfil the duties of the Supplier as set out in the Agreement, which may include:

 

Contact Information
Name
Email address
Phone number
Street address
Personal Information
Government ID
Social Security No.
Driver’s License No.
Immigration Data (including Passport No.)
Date of Birth
Age
Gender
Background check/drug screening information
Emergency contacts
Photos / Images
Education Information
Resumes/References
Family Information
Children’s Information
Administrative Information
Performance Evaluation, Management and Monitoring Information
Information re. course transcripts, certifications, assessments, etc.
Learning and development Information
Time Tracking and Labor information
Badge Card Information
Investigation Information
Financial/Benefit Information
Financial Information
Account/Credit/Debit Card Information
Employee Benefit Information
Spouse, Dependent, Beneficiary information
System Asset/Usage Device Information
IP address
Passwords/Credentials
Geolocation Information
Tracking/Analytics data
Other Information
Employee ID or username; other employee contact information as applicable

 

Types of Sensitive Personal Data

 

The Sensitive Personal Data processed consists of the following categories:
   
Sensitive Information/ Special categories of Personal Data
Health Information
Religious or Philosophical Beliefs
Sexual Orientation, Gender Identification and Expression
Professional/Trade Union/ Works Council memberships
Racial or Ethnic Origin
Political Opinions
Disabilities
Criminal convictions
Biometric/Genetic Information
Protected Health Information (HIPAA)
   
 

 

5. Approved Sub-contractors

 

None.

 


 

Annex 2: EU Model Clauses

 

Standard Contractual Clauses (processors)

 

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

 

Name of the data exporting organisation: [*]

 

Address: [*]

 

And

 

Name of the data importing organisation: Xyvid, Inc.

 

Address: 1170 Wheeler Way, Langhorne, PA 19047

 

(the data importer)

 

each a “party”; together “the parties”,

 

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 

 

[*]

 

Clause 1

 

Definitions

 

For the purposes of the Clauses:

 

(a)‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data1;

 

(b)‘the data exporter’ means the controller who transfers the personal data;

 

(c)‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

 

(d)‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

 

(e)‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

 

(f)‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

 

Clause 2

 

Details of the transfer

 

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

 

Clause 3

 

Third-party beneficiary clause

 

1.The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

 

2.The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

 

 

1 Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.

 

 

[*]

 

3.The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 

4.The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

 

Clause 4

 

Obligations of the data exporter

 

The data exporter agrees and warrants:

 

(a)that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

 

(b)that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

 

(c)that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to these Clauses;

 

(d)that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

 

(e)that it will ensure compliance with the security measures;

 

(f)that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

 

(g)to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

 

(h)to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

 

(i)that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

 

(j)that it will ensure compliance with Clause 4(a) to (i).

 

 

[*]

 

Clause 5

 

Obligations of the data importer²

 

The data importer agrees and warrants:

 

(a)to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

 

(b)that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

 

(c)that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

 

(d)that it will promptly notify the data exporter about:

 

(i)any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

 

(ii)any accidental or unauthorised access, and

 

(iii)any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

 

(e)to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

 

(f)at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

 

(g)to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

 

(h)that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

 

(i)that the processing services by the subprocessor will be carried out in accordance with Clause 11;

 

(j)to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

 

 

2 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

 

 

[*]

 

Clause 6

 

Liability

 

1.The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

 

2.If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

 

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

 

3.If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 

Clause 7

 

Mediation and jurisdiction

 

1.The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

 

(a)to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

 

(b)to refer the dispute to the courts in the Member State in which the data exporter is established.

 

2.The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

 

Clause 8

 

Cooperation with supervisory authorities

 

1.The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

 

2.The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

 

 

[*]

 

3.The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

 

Clause 9

 

Governing law

 

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely Malta.

 

Clause 10

 

Variation of the contract

 

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

 

Clause 11

 

Subprocessing

 

1.The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses³. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

 

2.The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 

3.The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely Malta.

 

4.The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

 

Clause 12

 

Obligation after the termination of personal data processing services

 

1.The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

 

2.The data importer and the subprocessor warrant that upon the request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

[Remainder of page left intentionally blank]

 

 

3 This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.

 

 

[*]

 

On behalf of the data exporter:

 

Name (written out in full): [*]

Position:

Address: [*]

 

Other information necessary in order for the contract to be binding (if any):

 

    Signature  

 

On behalf of the data importer:

 

Name (written out in full): Xyvid, Inc.

Position:

Address: 1170 Wheeler Way, Langhorne, PA 19047

Other information necessary in order for the contract to be binding (if any):

 

    Signature  

 

[*]   Xyvid, Inc.
       
Signature: [*]   Signature: David Kovalcik
  [*]     David Kovalcik (Aug 20, 2018)
Email: [*]   Email: dkovalcik@dyventive.com
Title: [*]   Title: CEO

 

 

[*]

 

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

 

This Appendix forms part of the Clauses and must be completed and signed by the parties

 

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

 

Data exporter

 

The data exporter is (please specify briefly your activities relevant to the transfer): A firm providing professional services.

 

Data importer

 

The data importer is (please specify briefly activities relevant to the transfer): See the information set out in Annex 1

 

Data subjects

 

The personal data transferred concern the following categories of data subjects (please specify): See the information set out in Annex 1

 

Categories of data

 

The personal data transferred concern the following categories of data (please specify): See the information set out in Annex 1

 

Special categories of data (if appropriate)

 

The personal data transferred concern the following special categories of data (please specify): See the information set out in Annex 1

 

Processing operations

 

The personal data transferred will be subject to the following basic processing activities (please specify): See the information set out in Annex 1

 

DATA EXPORTER:   DATA IMPORTER:
     
[*]   Xyvid, Inc.
       
Signature: [*]   Signature: David Kovalcik
  [*]     David Kovalcik (Aug 20, 2018)
Email: [*]   Email: dkovalcik@dyventive.com
Title: [*]   Title: CEO

 

 

[*]

 

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

 

This Appendix forms part of the Clauses and must be completed and signed by the parties

 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

 

The technical and organizational security measures set forth in the Information Security Requirements.

 

 

[*]

 

Exhibit I

 

Form of Adoption Agreement

 

This Adoption Agreement (“Adoption Agreement”), effective as of ______, ___ (“Adoption Agreement Effective Date”), is made by and between the undersigned firm (“Adopting Network Firm”) and ___________ (“Provider”).

 

WHEREAS, [*] (“[*]”) and Provider are parties to that certain Software-as-a-Service Agreement, effective as of , (“Agreement”), which provides that a Network Firm will, upon the execution of this Adoption Agreement, have all of the rights, privileges, obligations and liabilities provided to [*] under the Agreement; and

 

WHEREAS, Adopting Network Firm wishes to access and use the Software and Services contemplated by the Agreement and have all of the rights, privileges, obligations and liabilities provided to [*] under the Agreement;

 

NOW, THEREFORE, the parties hereto agree as follows:

 

(1)All capitalized terms not defined in this Adoption Agreement will have the meanings set forth in the Agreement.

 

(2)Except as otherwise provided in this Adoption Agreement, as of the date of acknowledgment and agreement below, all of the terms and conditions set forth in the Agreement, if applicable, will apply between Provider and the Adopting Network Firm, and will be incorporated into this Adoption Agreement by reference, except that for such purposes, where the context permits, references in the Agreement to “[*]” will be deemed to be references to the Adopting Network Firm. For the avoidance of doubt, as relates to Provider and the Adopting Network Firm, in the event of any conflict or inconsistency between the provisions of this Adoption Agreement and the provisions of the Agreement, the terms of this Adoption Agreement will prevail.

 

(3)Provider and Adopting Network Firm acknowledge and agree that each has read and understands the Agreement, including all exhibits.

 

(4)Any claim or other legal proceeding of any nature arising from this Adoption Agreement or the Agreement (including claims in negligence, contract or tort) will be brought by Provider against the Adopting Network Firm, and not against any other Network Firm. The parties agree that if the Adopting Network Firm breaches any term of this Adoption Agreement or the Agreement no other Network Firm (including [*]) will have any liability to Provider for such breach.

 

(5)This Adoption Agreement is made and entered into and will be interpreted, construed and enforced in accordance with the laws of the State of New York without giving effect to the conflicts of law provisions thereof.

 

(6)[This Adoption Agreement will also be subject to the additional provisions set forth in Sections (7) through ([●]) below.]

 

[Additional provisions to be added if agreed by Adopting Network Firm and Provider.]

 

IN WITNESS WHEREOF, the parties have caused this Adoption Agreement to be executed and delivered as of the Adoption Agreement Effective Date.

 

[ADOPTING NETWORK FIRM]   [PROVIDER]
     
By:                    By:                            
Name:     Name:  
Title:   Title:  

 

 

[*]

 

Exhibit J

Statement of Work

 

Intentionally omitted.