Secureframe Terms of Service

Last Updated: May 22, 2020

Terms of Service (“ Agreement ”) constitute a contract between Secureframe, Inc. (“ Secureframe ”), and you, the customer that has signed up for the Services and agreed to the terms of this Agreement (“ Customer ”). Secureframe wishes to provide and you wish to have the right to access pursuant to the terms of this Agreement, a subscription service. This Agreement includes and incorporates the Order Form with which you purchased the Services and any subsequent Order Forms (submitted in written or electronic form). By accessing or using the Services, you agree to be bound by this Agreement. If you are entering into this Agreement on behalf of a company, organization or other entity, you represent that you have such authority to bind such entity and are agreeing to this Agreement on behalf of such entity. If you do not have such authority to enter into this Agreement or do not agree with these terms and conditions, you may not use the Services.

1. Definitions

1.1 The following terms, when used in this Agreement will have the following meanings:

“ Confidential Information ” means any information or data disclosed by either party that is marked or otherwise designated as confidential or proprietary or that should otherwise be reasonably understood to be confidential in light of the nature of the information and the circumstances surrounding disclosure. However, “Confidential Information” will not include any information which (a) is in the public domain through no fault of receiving party; (b) was properly known to receiving party, without restriction, prior to disclosure by the disclosing party; (c) was properly disclosed to receiving party, without restriction, by another person with the legal authority to do so; or (d) is independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information.

“ Documentation ” means the printed and digital instructions, on-line help files, technical documentation and user manuals made available by Secureframe for the Services, which Secureframe may modify from time to time.

“ Order Form ” means an invoice, order form, quote or other similar document that sets forth the specific Services and pricing therefor, and that references this Agreement and is mutually executed by the parties.

“ Services ” means the SaaS-based platform and Software products ordered by or made available to Customer under an Order Form (collectively with the described services in the applicable Order Form or Documentation).

“ Software ” means Secureframe proprietary software which may integrate with Customer’s Third Party Services, network or applications, as provided in the Documentation and any updates, fixes or patches developed from time to time.

2. Services

2.1 Provision of Secureframe Platform. Subject to the terms and conditions of this Agreement, Secureframe hereby grants Customer and its registered employees and contractors (“ Users ”) a non- exclusive, non-sublicensable, non-transferable license to use and access the Services. The Services are subject to modification from time to time at Secureframe’s sole discretion, provided the modifications do not materially diminish the functionality of the Services provided by Secureframe.

2.2 Data Security. Secureframe maintains a commercially reasonable security program that is designed to (i) ensure the security and integrity of Customer data uploaded by or on behalf of Customer to the Services (“ Customer Data ”); (ii) protect against threats or hazards to the security or integrity of Customer Data; and (iii) prevent unauthorized access to Customer Data. Solely if and to the extent Secureframe processes Customer Personal Data (as defined in the DPA) that is subject to the GDPR (as defined in the DPA), the GDPR Data Processing Addendum provided on https://secureframe.com/dpa will apply (“DPA”). Solely if and to the extent Secureframe processes Customer Personal Information (as defined in the CCPA Addendum) that is subject to the CCPA (as defined in the CCPA Addendum), the CCPA Addendum provided on https://secureframe.com/ccpa will apply.

2.3 Limitations. The rights granted herein are subject to the following restrictions (the “ License Restrictions ”). Customer will not directly or indirectly:

(a) reverse engineer, decompile, disassemble, modify, create derivative works of or otherwise create, attempt to create or derive, or permit or assist any third party to create or derive, the source code, object code or underlying structures, ideas or algorithms of the Services or any data related to the Services;

(b) attempt to probe, scan or test the vulnerability of the Services, breach the security or authentication measures of the Services without proper authorization or wilfully render any part of the Services unusable;

(c) use or access the Services to develop a product or service that is competitive with Secureframe’s products or Services or engage in competitive analysis or benchmarking;

(d) share, transfer, distribute, resell, lease, license, or assign Services or otherwise offer the Services on a standalone basis; or

(e) otherwise use the Services outside the scope expressly permitted hereunder and in the applicable Order Form.

2.4 Secureframe reserves the right to suspend Customer’s (or any User’s) access to the Services immediately (i) in the event that Customer breaches this Section 2.3 or Section 4 of this Agreement, or breaches any other provision of this Agreement and fails to correct that breach within the applicable cure period; or (ii) as it deems reasonably necessary to respond to any actual or potential security or availability concern that may affect customers or Users.Customer Responsibilities.

(a) Customer will only use the Services in accordance with the Documentation and as set forth in this Agreement. Customer acknowledges that Secureframe’s provision of the Services is dependent on Customer providing all reasonably required cooperation (including the prompt provision of access to Customer’s applications, software systems, personnel, cooperation and materials as reasonably required and any other access as may be specified in the applicable Order Form), and Customer will provide all such cooperation in a diligent and timely manner.

(b) Customer will (i) be responsible for all use of the Services under its account (whether or not authorized), (ii) use commercially reasonable efforts to prevent unauthorized access to or use of the Services and notify Secureframe promptly of any such unauthorized access or use and (iii) be responsible for obtaining and maintaining any equipment, software, and ancillary services needed to connect to,

access or otherwise use the Services, including as set forth in the Documentation. Customer will be solely responsible for its failure to maintain such equipment, software and services, and Secureframe will have no liability for such failure (including under any service level agreement, if applicable). In addition, Customer will be responsible for ensuring that its systems (e.g., APIs) have sufficient bandwidth to use the Services.

(c) Customer will not use the Services to transmit or provide to Secureframe any financial or medical information of any nature, or any sensitive personal data (e.g ., social security numbers, driver’s license numbers, birth dates, personal bank account numbers, passport or visa numbers and credit card numbers).

(d) Customer’s use of third party products or services that are not licensed to Customer directly by Secureframe (“ Third Party Services ”) shall be governed solely by the terms and conditions applicable to such Third Party Services, as agreed to between Customer and the third party. Secureframe does not endorse or support, is not responsible for, and disclaims all liability with respect to Third Party Services, including without limitation, the privacy practices, data security processes or other policies related to Third Party Services. Customer agrees to waive any claim against Secureframe with respect to any Third Party Services.

(e) Customer may enable integrations between the Services and Third Party Services (each, an “ Integration ”). By enabling an Integration between the Services and its Third Party Services, Customer is instructing Secureframe to share the Customer Data necessary to facilitate the Integration. Customer is responsible for providing any and all instructions to the Third Party Service provider about the use and protection of Customer Data. Secureframe and Third Party Service providers are not subprocessors of each other.

(f) Customer acknowledges that the Services will require Users to share with Secureframe certain information which may include personal information regarding Users (such as usernames, passwords, email address and/or phone number) solely for the purposes of providing and improving the Services. Prior to authorizing an individual to become a User, Customer is fully responsible for obtaining the consent of that individual, in accordance with Applicable Law, to the use of his/her information by Secureframe, which use is described in Secureframe’s Services Privacy Notice, located at https://secureframe.com/privacy. Customer represents and warrants that all such consents have been or will be obtained prior to authorizing any individual to become a User.

(g) Customer will be fully responsible for Users’ compliance with this Agreement and any breach of this Agreement by a User shall be deemed to be a breach by Customer. Secureframe’s relationship is with Customer and not individual Users or third parties using the Services through Customer, and Customer will address all claims raised by its Users directly with Secureframe.

3. Fees

3.1 Fees. Customer will pay Secureframe the fees set forth in the Order Form. Except as otherwise specified herein or in any applicable Order Form, (a) fees are quoted and payable in United States dollars and (b) payment obligations are non-cancelable and non-pro-ratable for partial months, and fees paid are non-refundable. Secureframe reserves the right to change the fees or applicable charges and to institute new charges and fees at the end of the initial term, as specified in the Order Form, or then current renewal term, upon thirty (30) days prior notice to Customer (which may be sent by email).

3.2 Late Payment. Secureframe may suspend access to the Services immediately upon notice if Customer fails to pay any amounts hereunder at least fifteen ( 1 5) days past the applicable due date.

3.3 Taxes. All amounts payable hereunder are exclusive of any sales, use and other taxes or duties, however designated (collectively “ Taxes ”). Customer will be solely responsible for payment of all Taxes, except for those taxes based on the income of Secureframe. Customer will not withhold any taxes from any amounts due to Secureframe.

4. Proprietary Rights and Confidentiality

4.1 Proprietary Rights. As between the parties, Secureframe exclusively owns all right, title and interest in and to the Services and Secureframe’s Confidential Information, and Customer exclusively owns all right, title and interest in and to the Customer Data and Customer’s Confidential Information.

4.2 Feedback. Customer may from time to time provide Secureframe suggestions or comments for enhancements or improvements, new features or functionality or other feedback (“ Feedback ”) with respect to the Services. Secureframe will have full discretion to determine whether or not to proceed with the development of any requested enhancements, new features or functionality. Secureframe will have the full, unencumbered right, without any obligation to compensate or reimburse Customer, to use, incorporate and otherwise fully exercise and exploit any such Feedback in connection with its products and services.

4.3 Confidentiality. Each party agrees that it will use the Confidential Information of the other party solely in accordance with the provisions of this Agreement and it will not disclose, or permit to be disclosed, the same directly or indirectly, to any third party without the other party’s prior written consent, except as otherwise permitted hereunder. However, either party may disclose Confidential Information (a) to its employees, officers, directors, attorneys, auditors, financial advisors and other representatives who have a need to know and are legally bound to keep such information confidential by confidentiality obligations consistent with those of this Agreement; and (b) as required by law (in which case the receiving party will provide the disclosing party with prior written notification thereof, will provide the disclosing party with the opportunity to contest such disclosure, and will use its reasonable efforts to minimize such disclosure to the extent permitted by applicable law. Neither party will disclose the terms of this Agreement to any third party, except that Secureframe may confidentially disclose such terms to actual or potential lenders, investors or acquirers. Each party agrees to exercise due care in protecting the Confidential Information from unauthorized use and disclosure. In the event of actual or threatened breach of the provisions of this Section or the License Restrictions, the non- breaching party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it. Each party will promptly notify the other in writing if it becomes aware of any violations of the confidentiality obligations set forth in this Agreement.

4.4 Machine Learning and Aggregation. Customer acknowledges that a fundamental component of the Services is the use of data aggregation and machine learning for the purpose of improving and providing Secureframe’s products and services. Notwithstanding anything to the contrary, Customer agrees that Secureframe is hereby granted the right to use (during and after the term hereof) information submitted using the Services to aggregate personally identifiable information and de- identify such information, including information related to vendors and train its algorithms internally through machine learning techniques for such purpose.

4.5 Performance Metrics. Customer agrees that Secureframe has the right to aggregate, collect and analyze data and other information relating to the access or use of the Services by or on behalf of Customer or any User, including any performance, analytics or statistical data and shall be free (during and after the term hereof) to (i) use such data and other information to improve Secureframe’s products and services, and (ii) disclose such data and other information solely in an aggregated and de-identified format.

5. Warranties and Disclaimers

5.1 Secureframe. Secureframe represents and warrants that it will not knowingly include, in the Services released to Users and provided to Customer hereunder, any computer code or other computer instructions, devices or techniques, including without limitation those known as viruses, disabling devices, trojans, or time bombs, that intentionally disrupt, disable, harm, infect, defraud, damage, or otherwise impede in any manner, the operation of a network, computer program or computer system or any component thereof, including its security or User data. If, at any time, Secureframe fails to comply with the warranty in this Section 5 .1, Customer may promptly notify Secureframe in writing of any such noncompliance. Secureframe will, within 30 days of receipt of such written notification, either correct the noncompliance or provide Customer with a plan for correcting the noncompliance. If the noncompliance is not corrected or if a reasonably acceptable correction plan is not established during such period, Customer may terminate this Agreement and receive a refund of any pre-paid but unearned subscription fees, prorated on a monthly basis, as its sole and exclusive remedy for such noncompliance. This provision does not apply to Customer’s use of free Services.

5.2 Customer. Customer warrants that it has all rights necessary to provide any information, data or other materials that it provides hereunder, and to permit Secureframe to use the same as contemplated hereunder.

5.3 DISCLAIMERS. EXCEPT AS EXPRESSLY SET FORTH HEREIN, EACH PARTY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, NON- INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMER ACKNOWLEDGES THAT THE SERVICES IS BASED ON PREDICTIVE STATISTICAL MODELS, AND ARE INTENDED TO AUGMENT THE EFFICIENCY OF, BUT NOT REPLACE, CUSTOMER’S IT HELPDESK. THE SERVICES MAY CONTAIN BUGS, MAKE ERRORS OR MISINTERPRET IT ISSUES, AND IN SUCH CASES SECUREFRAME CAN DISENGAGE ANY FUNCTIONALITY OF THE SERVICES AT CUSTOMER’S REQUEST. SECUREFRAME DOES NOT REPRESENT OR WARRANT THAT ANY OR ALL IT HELPDESK TICKETS WILL BE RESOLVED OR THAT HUMAN INTERVENTION WILL NOT BE REQUIRED TO RESOLVE AN IT HELPDESK TICKET.

5.4 BETA PRODUCTS. FROM TIME TO TIME, CUSTOMER MAY HAVE THE OPTION TO PARTICIPATE IN A PROGRAM WITH SECUREFRAME WHERE CUSTOMER GETS TO USE ALPHA OR BETA PRODUCTS, FEATURES OR DOCUMENTATION (COLLECTIVELY, “BETA PRODUCTS”) OFFERED BY SECUREFRAME. THE BETA PRODUCTS ARE NOT GENERALLY AVAILABLE AND ARE PROVIDED “AS IS”. SECUREFRAME DOES NOT PROVIDE ANY INDEMNITIES, SERVICE LEVEL COMMITMENTS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, IN RELATION THERETO. CUSTOMER OR SECUREFRAME MAY TERMINATE CUSTOMER’S ACCESS TO THE BETA PRODUCTS AT ANY TIME.

6. Indemnification

6.1 Indemnity by Secureframe. Secureframe will defend Customer against any claim, demand, suit, or proceeding (“ Claim ”) made or brought against Customer by a third party alleging that the use of the Services as permitted hereunder infringes a United States patent or copyright or misappropriates a trade secret and will indemnify Customer for any damages finally awarded against (or any settlement approved by Secureframe) Customer in connection with any such Claim; provided that (a) Customer will promptly notify Secureframe of such Claim, (b) Secureframe will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Secureframe may not settle any Claim without Customer’s prior written consent, which will not be unreasonably withheld, unless it unconditionally releases Customer of all related liability) and (c) Customer reasonably cooperates with Secureframe in connection therewith. If the use of the Services by Customer has become, or in Secureframe’s opinion is likely to become, the subject of any claim of infringement, Secureframe may at its option and expense (i) procure for Customer the right to continue using and receiving the Services as set forth hereunder; (ii) replace or modify the Services to make it non-infringing (with comparable functionality); or (iii) if the options in clauses (i) or (ii) are not reasonably practicable, terminate this Agreement and provide a pro rata refund of any prepaid fees corresponding to the terminated portion of the applicable subscription term. Secureframe will have no liability or obligation with respect to any Claim if such Claim is caused in whole or in part by (A) compliance with designs, guidelines, plans or specifications provided by Customer; (B) use of the Services by Customer not in accordance with this Agreement; (C) modification of the Services by any party other than Secureframe without Secureframe’s express consent; (D) Customer Confidential Information or (E) the combination, operation or use of the Services with other applications, portions of applications, product(s) or services where the Services would not by itself be infringing (clauses (A) through (E), “ Excluded Claims ”). This Section states Secureframe’s sole and exclusive liability and obligation, and Customer’s exclusive remedy, for any claim of any nature related to infringement or misappropriation of intellectual property.

6.2 Indemnification by Customer. Customer will defend Secureframe against any Claim made or brought against Secureframe by a third party arising out of the (i) Customer breach of any laws or regulations (including with respect to privacy); (ii) Customer’s or any User's use of the Services; (iii) Customer’s violation of any agreements it has with any User; or (iv) Excluded Claims, and Customer will indemnify Secureframe for any damages finally awarded against (or any settlement approved by Customer) Secureframe in connection with any such Claim; provided that (a) Secureframe will promptly notify Customer of such Claim, (b) Customer will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Customer may not settle any Claim without Secureframe’s prior written consent, which will not be unreasonably withheld, unless it unconditionally releases Secureframe of all liability) and (c) Secureframe reasonably cooperates with Customer in connection therewith.

7. Limitation of Liability

EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS OR THE BREACH OF SECTION 2. (LIMITATIONS), SECTION 2.4 (CUSTOMER RESPONSIBILITIES) OR SECTION 3 (FEES) UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, WILL EITHER PARTY BE LIABLE TO THE OTHER UNDER THIS AGREEMENT FOR (A) ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES OF ANY CHARACTER, INCLUDING DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOST SALES OR BUSINESS, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOST CONTENT OR DATA, EVEN IF A REPRESENTATIVE OF SUCH PARTY HAS BEEN ADVISED, KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, OR (B) EXCLUDING CUSTOMER’S PAYMENT OBLIGATIONS, ANY DIRECT DAMAGES, COSTS, OR LIABILITIES IN EXCESS OF THE AMOUNTS PAID BY CUSTOMER UNDER THE APPLICABLE ORDER FORM DURING THE TWELVE (12) MONTHS PRECEDING THE INCIDENT OR CLAIM.

8. Termination

8.1 Term. The term of this Agreement will commence on the effective date of the initial Order Form and continue until terminated as set forth below. The initial term of each Order Form will begin on the Order Form effective date of such Order Form and will continue for the subscription term set forth therein. Except as set forth in such Order Form, the term of such Order Form will automatically renew for successive renewal terms equal to the length of the initial term of such Order Form, unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the end of the then-current term.

8.2 Termination. Each party may terminate this Agreement upon written notice to the other party if there are no Order Forms then in effect. Each party may also terminate this Agreement or the applicable Order Form upon written notice in the event (a) the other party commits any material breach of this Agreement or the applicable Order Form and fails to remedy such breach within thirty ( 3 0) days after written notice of such breach or (b) subject to applicable law, upon the other party’s liquidation, commencement of dissolution proceedings or assignment of substantially all its assets for the benefit of creditors, or if the other party become the subject of bankruptcy or similar proceeding that is not dismissed within sixty (60) days.

8.3 Survival. Upon termination of this Agreement all rights and obligations will immediately terminate except that any terms or conditions that by their nature should survive such termination will survive, including the License Restrictions and terms and conditions relating to proprietary rights and confidentiality, disclaimers, indemnification, limitations of liability and termination and the general provisions below.

9. General

9.1 Export Compliance. Each party will comply with the export laws and regulations of the United States, European Union and other applicable jurisdictions in providing and using the Services.

9.2 Publicity. Customer agrees that Secureframe may refer to Customer’s name and trademarks in Secureframe’s marketing materials and website; however, Secureframe will not use Customer’s name or trademarks in any other publicity (e.g., press releases, customer references and case studies) without Customer’s prior written consent (which may be by email).

9.3 Assignment; Delegation. Neither party hereto may assign or otherwise transfer this Agreement, in whole or in part, without the other party’s prior written consent, except that either party may assign this Agreement without consent to a successor to all or substantially all of its assets or business related to this Agreement. Any attempted assignment, delegation, or transfer by either party in violation hereof will be null and void. Subject to the foregoing, this Agreement will be binding on the parties and their successors and assigns.

9.4 Amendment; Waiver. No amendment or modification to this Agreement, nor any waiver of any rights hereunder, will be effective unless assented to in writing by both parties. Any such waiver will be only to the specific provision and under the specific circumstances for which it was given, and will not apply with respect to any repeated or continued violation of the same provision or any other provision.

Failure or delay by either party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.

9.5 Relationship. Nothing contained herein will in any way constitute any association, partnership, agency, employment or joint venture between the parties hereto, or be construed to evidence the intention of the parties to establish any such relationship. Neither party will have the authority to obligate or bind the other in any manner, and nothing herein contained will give rise or is intended to give rise to any rights of any kind to any third parties.

9.6 Unenforceability. If a court of competent jurisdiction determines that any provision of this Agreement is invalid, illegal, or otherwise unenforceable, such provision will be enforced as nearly as possible in accordance with the stated intention of the parties, while the remainder of this Agreement will remain in full force and effect and bind the parties according to its terms.

9.7 Governing Law. This Agreement will be governed by the laws of the State of California, exclusive of its rules governing choice of law and conflict of laws. This Agreement will not be governed by the United Nations Convention on Contracts for the International Sale of Goods.

9.8 Notices. Any notice required or permitted to be given hereunder will be given in writing by personal delivery, certified mail, return receipt requested, or by overnight delivery. Secureframe may provide notice using the information provided in the most recent Order Form and Customer may provide notice using the contact information provided on https://secureframe.com.

9.9 Entire Agreement. This Agreement comprises the entire agreement between Customer and Secureframe with respect to its subject matter, and supersedes all prior and contemporaneous proposals, statements, sales materials or presentations and agreements (oral and written). No oral or written information or advice given by Secureframe, its agents or employees will create a warranty or in any way increase the scope of the warranties in this Agreement. In the event of any conflict between this Agreement and the DPA or CCPA Addendum, the DPA and/or CCPA Addendum, as applicable, will govern

9.10 Force Majeure. Neither Party will be deemed in breach hereunder for any cessation, interruption or delay in the performance of its obligations due to causes beyond its reasonable control (“ Force Majeure Event ”), including earthquake, flood, or other natural disaster, act of God, labor controversy, civil disturbance, terrorism, war (whether or not officially declared), cyber attacks (e.g., denial of service attacks), or the inability to obtain sufficient supplies, transportation, or other essential commodity or service required in the conduct of its business, or any change in or the adoption of any law, regulation, judgment or decree.

9.11 Government Terms. Secureframe provides the Services, including related software and technology, for ultimate federal government end use solely in accordance with the terms of this Agreement. If Customer (or any of its customers) is an agency, department, or other entity of any government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Services, or any related documentation of any kind, including technical data, software, and manuals, is restricted by the terms of this Agreement. All other use is prohibited and no rights than those provided in this Agreement are conferred. The Services was developed fully at private expense.

9.12 Interpretation. For purposes hereof, “including” means “including without limitation”.