End User License Agreement

Last Updated: 19 September 2022

This End User License Agreement (this “Agreement”) is a legal agreement between [Keyfactor, Inc., a Delaware corporation] (“Vendor”), and you, either as an individual, company or other legal entity (“Client”), effective as of the date of the last signature affixed to the Order Form (the “Effective Date”). Vendor and Client may be collectively referred to herein as the “Parties,” and each may be referred to individually as a “Party.”

BY OPERATING, DOWNLOADING, INSTALLING OR OTHERWISE USING THE SOFTWARE, CLIENT REPRESENTS THAT CLIENT PURCHASED THE SOFTWARE FROM AN APPROVED SOURCE AND CLIENT AGREES TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF CLIENT IS ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON, COMPANY OR OTHER LEGAL ENTITY, CLIENT REPRESENTS AND WARRANTS THAT CLIENT HAS FULL AUTHORITY TO BIND THAT PERSON, COMPANY OR LEGAL ENTITY TO THESE TERMS. IF CLIENT DECLINES TO ACCEPT ALL TERMS AND CONDITIONS SET FORTH HEREIN, CLIENT SHALL REFRAIN FROM OPERATING, DOWNLOADING, INSTALLING, REGISTERING, OPTING INTO OR OTHERWISE USING THE SOFTWARE.

Article 1. Definitions

The following terms when used herein shall have the respective meanings set forth below:

Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by, or under common control with a party hereto, for so long as such control lasts. Control of a legal entity shall exist through the direct and indirect (i) control of more than 50% of the nominal value of the issued equity share capital of such legal entity; or (ii) control of more than 50% of such legal entity’s equity shares entitling the holders of such shares to vote for the election of directors or persons performing similar functions.

Aggregated Anonymized Data” means data and information derived from Client’s use of the Software that is used by Vendor in an aggregate and anonymized manner to improve the provision and operation of the Software.

Authorized User(s)” means Client’s employees, consultants, contractors, Affiliates and agents (i) who are authorized by Client to access and use the Software under the rights granted to Client pursuant to this Agreement and (ii) for whom access to the Software has been purchased hereunder. For Software that is specifically designed to allow Client’s customers, suppliers or other third parties to access the Software to interact with Client, such third parties will be considered “Authorized Users” hereunder.

CCPA” means the California Consumer Privacy Act of 2018, as amended.

CPRA” means the California Privacy Rights Act, as amended.

Client Assignment” shall have the meaning given in Section 9.08.

Client Data” means, other than Aggregated Anonymized Data, information, data, and other content, including Client Personal Data (as that term is defined in the GDPR) and/or Client Personal Information (as that term may be defined in the CCPA, PIPEDA and/or other U.S. state-based legislation or comparable legislation in Canada), in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Client or an Authorized User through the Software.

Confidential Information” shall have the meaning given in Section 4.01.

Data Protection and Privacy Laws” means all country, federal, state and foreign laws, rules, regulations, directives and governmental or data protection authority decisions, in each case, having the force of law applicable to the collection, processing, use, storage, transmission and/or disclosure of Personal Data, Personal Information, personally identifiable information, sensitive personal information and Special Categories of Personal Data, including, without limitation, the GDPR, CCPA, CPRA, PIPEDA, the California Privacy Rights Act, the Privacy and Electronic Communications Directive 2002 (or “ePrivacy Directive”), the (UK) Data Protection Act 2018, the (Swiss) Federal Act on Data Protection of 19 June 1992, Title V of the Gramm-Leach-Bliley Act of 1999, all of which as they may be amended and/or superseded from time to time.

Documentation” means user manuals, handbooks, guides, training materials and other written or visual materials or documentation relating to the Software provided by Vendor to Client either electronically or in hard copy form.

Feedback” shall have the meaning given in Section 5.04.

Force Majeure Event” shall have the meaning given in Section 9.04.

GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.

Initial Term” shall have the meaning given in Section 7.01.

Intellectual Property Rights” means copyrights (including rights in software), patents, trademarks, trade names, service marks, business names (including internet domain names), design rights, database rights, semi-conductor topography rights, rights in undisclosed or confidential information (such as know-how, trade secrets and inventions, whether patentable or not) and all other intellectual property or similar proprietary rights of whatever nature (whether registered or not and including applications to register or rights to apply for registration) which may now or in the future subsist anywhere in the universe.

International Data Transfer Agreement,” or “IDTA,” means the United Kingdom’s agreement for the transfer of Personal Data outside the UK that came into force on 21 March 2022. Its counterpart “Addendum” serves as a supplement to the EU’s Standard Contractual Clauses or SCCs.

Order Form” means the ordering instrument—whether a Vendor sales order form or quote, or an invoice or other ordering document provided to Client by a Vendor-authorized reseller—utilized to facilitate Client’s purchase of the applicable Software and/or Professional Services.

Personal Data” means any information relating to an identified or identifiable natural person (i.e., data subject) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

PIPEDA” means the (Canada) Personal Information Protection and Electronic Documents Act, as may be amended from time to time.

Professional Services” means the training, implementation and implementation related services and comparable services described in any Statement of Work or Order Form.

Purchase Order means any order that Client issues to Vendor for the purpose of purchasing Software.

Renewal Term” shall have the meaning given in Section 7.01.

Software” means each software product/module described in an Order Form.

Standard Contractual Clauses” means the Standard Contract Clauses for the transfer of Personal Data to Third Countries (each as defined in the GDPR) pursuant to the GDPR and issued under European Commission Implementing Decision (EU) 2021/914 on 4 June 2021.

Statement of Work” means a document that establishes the scope of Professional Services to be performed, if any, and defines the context, describes specific tasks, activities and deliverables, and identifies the responsibilities of the Parties.

Taxes” shall have the meaning given in Section 9.02.

Term” shall have the meaning given in Section 7.01.

Vendor IP” means the Software, the Documentation, and any and all intellectual property provided to Client or any Authorized User in connection with the foregoing, including but not limited to Vendor’s platforms and related integration. “Vendor IP” includes Aggregated Anonymized Data and any information, data, or other content derived from Vendor’s monitoring of Client’s access to or use of the Software but does not include Client Data.

Article 2. Access and Use

2.01 Access to the Software. Subject to and conditioned on Client’s payment of fees and compliance with all other terms and conditions of this Agreement, Vendor hereby grants Client a non-exclusive, non-transferable internal right to access and use the Software during the Term, solely for use by Authorized Users in accordance with the terms and conditions herein. If the Software will be hosted in Client’s environment, Vendor grants Client a non-exclusive, non-sublicensable and non-transferable internal license to install the Software during the Term in accordance with this Agreement and the Documentation. Such Software may only be downloaded to the number of Client’s servers authorized in the Order Form. Vendor shall provide to Client the passwords and network links, as applicable, necessary to enable Client to access the Software.

2.02 Documentation License. Subject to the terms and conditions of this Agreement, Vendor hereby grants to Client a non-exclusive, non-sublicensable, non-transferable internal license to use the Documentation during the Term solely for Client’s internal business purposes in connection with its use of the Software. Client may, for the purposes of training, translation, Client’s internal backup, operational support or internal distribution, as well as any other business purpose reasonably related to the Client’s use of the Software under this Agreement, copy or allow others to copy any part of the Documentation

2.03 Use Restrictions. Client shall not use the Software for any purpose beyond the scope of the access granted in this Agreement. Client shall not at any time, directly or indirectly, and shall not permit any person to

(a) Copy, modify, or create derivative works or improvements of the Software or Documentation, in whole or in part;

(b) Rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Software or Documentation;

(c) Reverse engineer, disassemble, decompile, decode, adapt, make machine code human readable or otherwise attempt to derive or gain access to any software component of the Software, in whole or in part;

(d) Remove any proprietary notices from the Software or Documentation;

(e) Use the Software or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right, privacy right or other right of any person, or that violates any applicable law, rule or regulation;

(f) Commercially exploit the Software or permit anyone who is not an Authorized User to access or use the Software, including for purposes of accessing or using any data, information or reports generated by the Software;

(g) Falsely imply any sponsorship or association with Vendor;

(h) Introduce, transmit or store malicious or harmful code in the Software;

(i) Create, benchmark, gather or use intelligence from or about the Software for a competitive offering;

(j) Frame, scrape, link or mirror any content forming a part of the Software, other than Client’s own intranets or otherwise for its own internal use; or

(k) Use the Software or Documentation in any manner that may menace or harass any person or cause damage or injury to any person or property.

2.04 Client Responsibilities. Client is responsible and liable for all uses of the Software and Documentation that arise out of Client’s direct or indirect provision of access to such Software and Documentation, whether or not Client’s provision of such access or use is permitted by this Agreement. Any act or omission by an Authorized User that would constitute a breach of this Agreement if undertaken by Client will be deemed a breach of this Agreement by Client. Client shall use commercially reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Software and to cause Authorized Users to comply with such provisions.

2.05 Payment of Fees. Client agrees to pay all fees in accordance with each Order Form. If Client purchases Software through a reseller, Client agrees that it will pay the reseller in accordance with the contract between Client and the reseller.

2.06 Professional Services. Vendor shall provide the Professional Services set forth in the Statement of Work or Order Form. The Parties acknowledge and agree that Professional Services shall exclude consulting services, data management services and the creation of custom or bespoke deliverables (for which Client and Vendor shall enter into an amendment to this Agreement and a new Order Form for such services). For the avoidance of doubt, neither the Software nor any Professional Services or other deliverables provided hereunder shall constitute “work product” or “works made for hire” as defined under U.S. copyright law or similar laws in other jurisdictions, and Vendor shall retain all right, title and interest in any deliverable or service provided hereunder.

Article 3. Representations and Warranties

3.01 Vendor Representations and Warranties. Vendor represents and warrants to Client that Vendor: (i) has the right, power, and ability to enter into and perform its obligations under this Agreement; (ii) has all necessary rights to grant the rights and licenses that it has granted to Client under this Agreement; (iii) will perform its obligations under this Agreement in compliance with all applicable laws; and (iv) will maintain all licenses, permits and other permissions necessary to provide the Software. As Client’s sole and exclusive remedy and Vendor’s entire liability for any breach of this Section 3.01, Vendor will: (a) use reasonable efforts to remedy or cure such breach; or (ii) if unable to provide such remedy or cure, terminate the Order Form(s) affected, portion(s) of the Order Form(s) affected, or this Agreement, if applicable, and refund to Client (or the authorized reseller) a pro rata amount of the fees paid to Vendor for the applicable unused subscription Term.

Article 4. Confidential Information

4.01 Confidential Information

(a) From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, customers, services, confidential intellectual property, trade secrets, third-party confidential information, Personal Information, Personal Data and other sensitive or proprietary information. Such information, all of which the Parties shall treat as confidential, may be disclosed or made available to the receiving Party in any of the following formats: orally, in writing or media-based; electronic, paper-based or other form; and marked “confidential” or unmarked, designated confidential or not so designated, or identified as “confidential” or not so identified (collectively, “Confidential Information”). For the avoidance of doubt, Confidential Information shall include any information that a receiving Party knows or should reasonably recognize and understand to be confidential and/or proprietary owing to, by way of example but not limitation, the circumstances surrounding the other Party’s disclosure of the information or the character or nature of the information. Confidential Information does not mean and shall not include information that, at the time of disclosure is:

i. In the public domain in the absence of the receiving Party’s breach of any obligation owed to the disclosing Party and in the absence of any wrongdoing by the receiving Party or any third party;

ii. Rightfully in the possession of the receiving Party prior to disclosure by the disclosing Party;

iii. Lawfully obtained by the receiving Party on a non-confidential basis from a third party; or

iv. Independently developed by the receiving Party without reference to the disclosing Party’s Confidential Information.

(b) The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees or other Authorized Users who need to know the Confidential Information in order to enable the receiving Party to exercise its rights or perform its obligations under this Agreement. The receiving Party is, however, permitted to disclose relevant aspects of such Confidential Information to its officers, employees, attorneys, auditors and/or law enforcement agencies, on a need-to-know-basis, in order to perform its obligations under the Agreement, provided that the receiving Party requires all such persons or entities to protect the Confidential Information to at least the same extent as required under this Article IV (including during the terms of their employment or engagement and thereafter). The receiving Party shall implement technical, managerial, organizational and operational measures to mitigate risks and implement the controls necessary to protect the confidentiality of the other Party’s Confidential Information. Such controls shall be no less protective than those measures it uses to protect the confidentiality of its own confidential or proprietary information of a similar nature (and, in no event, less than commercially reasonable measures). The receiving Party shall give the disclosing Party notice immediately upon learning of any unauthorized use or disclosure of Confidential Information. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required:

i. To comply with the order of a court, other governmental or regulatory body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given sufficient written notice to the other Party to allow such Party an opportunity to obtain a protective order. Failing that, the Party making the disclosure shall also make a commercially reasonable effort to obtain a protective order on behalf of the other Party. To the extent not prohibited by law, the receiving Party shall promptly provide to the disclosing Party notice of all available details of the legal requirement and shall reasonably cooperate with the disclosing Party’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action as the disclosing Party may deem appropriate.; or

ii. To enforce a Party’s rights under this Agreement, including to make required court filings.

(c) On the expiration or termination of this Agreement, the receiving Party shall, at the disclosing Party’s written election, promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, and/or destroy all such copies and upon request of the disclosing Party certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five (5) years from the date first disclosed to the receiving Party; provided, however, that, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under any applicable law worldwide.

(d) Where the receiving Party may be considered a Processor or Sub-Processor (as those terms may be defined and/or understood under the GDPR), such receiving Party shall implement appropriate technical and organizational measures to provide an adequate level of security and protect Personal Data against unauthorized or unlawful processing or a Personal Data Breach as those terms are defined in the GDPR.

5. Intellectual Property Ownership

5.01 Vendor IP. Client acknowledges that, as between Client and Vendor, Vendor owns all right, title, and interest, including all Intellectual Property Rights, in and to the Vendor IP, including, but not limited to, the Vendor platforms and related integrations.

5.02 Client Data. Vendor acknowledges that, as between Vendor and Client, Client owns all right, title, and interest, including all Intellectual Property Rights, in and to Client Data. Client hereby grants to Vendor a non-exclusive, royalty-free, worldwide license to reproduce, distribute, transmit, store and otherwise use and display Client Data and perform all acts with respect to Client Data as may be necessary for Vendor to provide the Software and/or Professional Services to Client, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Client Data incorporated within the Aggregated Anonymized Data.

5.03 Trademarks and Logos. Except where otherwise stated in an Order Form, Client hereby grants Vendor the right to utilize Client’s name, logo and/or trademarks—as well as statements and/or testimonials about Client’s experience(s) with Vendor and the Software—for reference purposes and in connection with certain promotional materials that Vendor may disseminate to the public (e.g., advertising, print marketing and online marketing materials). Vendor may utilize Client’s name, logo and trademarks without providing notice to Client of its intent to do so or requesting Client’s consent.

5.04 Feedback. From time to time, Client may choose to submit comments, information, questions, data, ideas, description of processes, or other information to Vendor, including in the course of receiving support or maintenance (“Feedback”). Vendor may freely use, copy, disclose, license, distribute and exploit any Feedback in any manner without any obligation, royalty or restriction based on intellectual property rights or otherwise. No Feedback will be considered Client’s Confidential Information, and nothing in this Agreement limits Vendor’s right to independently use, develop, evaluate, or market products, whether incorporating Feedback or otherwise.

5.05 Reservation of Rights. Vendor reserves all rights not expressly granted to Client in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Client or any third party any Intellectual Property Rights or other right, title, or interest in or to the Vendor IP.

Article 6. Indemnification; Limitation of Liability

6.01 Indemnification by Vendor.

(a) Vendor shall indemnify, defend, and hold harmless Client from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (“Losses”) incurred by Client resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) arising out of an allegation that the Software, or any use of the Software in accordance with this Agreement, infringes or misappropriates such third party’s Intellectual Property Rights, provided that Client promptly notifies Vendor in writing of the claim, cooperates with Vendor, and allows Vendor to exercise sole authority to control the defense and settlement of such claim.

(b) If such Third-Party Claim is made or appears possible, Vendor, at Vendor’s sole discretion, may: (a) modify or replace the Software, or component or part thereof, thereby rendering it non-infringing; (b) obtain the right for Client to continue use of the Software; or (c) terminate this Agreement in its entirety or with respect to the affected component or part, effective immediately on written notice to Client.

(c) This Section 6.01 will not apply to the extent that the alleged infringement arises out of: (a) Client’s or an Authorized User’s use of the Software in combination with data, software, hardware, equipment, or technology not provided by Vendor or authorized by Vendor in writing; (b) Client’s or an Authorized User’s modifications to the Software that are neither developed nor authorized by Vendor; (c) Client’s, an Authorized User’s or another person’s unauthorized access to, use of, or performance of work on or in connection with the Software at Client’s or an Authorized User’s direct or indirect instruction; or (d) Client’s or an Authorized User’s unauthorized access, use, processing, storage and/or transfer of Client Data.

6.02 Indemnification By Client. Client shall indemnify, hold harmless, and, at Vendor’s option, defend Vendor and its Affiliates from and against any Losses resulting from any Third-Party Claim that Client Data, or any use of Client Data in accordance with this Agreement, infringes or misappropriates such third party’s Intellectual Property Rights and any Third-Party Claims based on Client’s or any Authorized User’s:

(a) Negligence or willful misconduct;

(b) Use of the Software in a manner not authorized by this Agreement;

(c) Use of the Software in combination with data, software, hardware, equipment or technology not provided by Software or authorized by Software in writing; or

(d) Modifications to the Software not made by Vendor;

provided that Client may not settle any Third-Party Claim against Vendor unless Vendor consents to such settlement, and further provided that Vendor shall have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

6.03 Sole Remedy; Limitation of Liability.

(a) THIS ARTICLE 6 SETS FORTH CLIENT’S SOLE REMEDIES AND VENDOR’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SOFTWARE OR USE THEREOF INFRINGES, MISAPPROPRIATES, OR OTHERWISE VIOLATES ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.

(b) NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY (IN EACH CASE REGARDLESS OF WHETHER SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE)

i. CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES

ii. INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS

iii. LOSS OF GOODWILL OR REPUTATION

iv. USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY OR

v. COST OF REPLACEMENT GOODS OR SERVICES.

(c) EXCEPT FOR BREACH OF CONFIDENTIALITY OBLIGATIONS, INTELLECTUAL PROPERTY CLAIMS, GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE SHALL EXCEED THE TOTAL AMOUNTS PAID TO VENDOR (INCLUDING ITS AFFILIATES) UNDER THIS AGREEMENT IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

(d) AN INDEMNIFYING PARTY SHALL NOT BE REQUIRED TO SPEND MORE THAN $1,000,000 PURSUANT TO SECTIONS 6.01 (INDEMNIFICATION BY VENDOR) OR 6.02 (INDEMNIFICATION BY CLIENT) INCLUDING, WITHOUT LIMITATION, ON ATTORNEYS’ FEES, COURT COSTS, SETTLEMENTS, JUDGMENTS AND/OR REIMBURSEMENT OF COSTS.

Article 7. Terms and Conditions

7.01 Term. The initial term of an Order Form executed pursuant to this Agreement begins on the effective date set forth in the Order Form and, unless terminated earlier pursuant to this Agreement’s express provisions, will continue in effect for the specified time period from such date described therein (the “Initial Term”). This Agreement shall remain in effect for as long as any active Order Form exists between the Parties. Each Order Form shall automatically renew for a period of one (1) year following the Initial Term and each successive term thereafter (each, a “Renewal Term” and together with the Initial Term, collectively, the “Term”) unless either Party gives the other written notice of termination at least sixty (60) days prior to expiration of the Initial Term or Renewal Term, as applicable.

7.02 Termination. In addition to any other express termination right set forth in this Agreement:

(a) Vendor may terminate this Agreement, effective on written notice to Client, if Client breaches any of its obligations under Article II (Access and Use) or Article IV (Confidential Information). Vendor will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Client or any Authorized User may incur as a result of a termination in accordance with this Section 7.02(a).

(b) Either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach: (a) is incapable of cure; or (b) being capable of cure, remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach.

(c) Either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (a) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (b) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (c) makes or seeks to make a general assignment for the benefit of its creditors; or (d) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

7.03 Effect of Expiration or Termination. Upon expiration or earlier termination of this Agreement:

(a) Client shall immediately discontinue use of the Vendor IP. Without limiting Client’s obligations under Article II (Access and Use) or Article IV (Confidential Information) of this Agreement, Client shall, at Vendor’s written election, delete, destroy, and/or return all copies of the Vendor IP, and upon Vendor’s request, certify in writing to Vendor that the Vendor IP has been deleted or destroyed; and

(b) Vendor shall immediately discontinue use of the Client Data. Without limiting Vendor’s obligations under Article IV (Confidential Information) of this Agreement, Vendor shall, at Client’s written election, delete, destroy, and/or return all copies of the Client Data, and upon Client’s request, certify in writing to Client that the Client Data has been deleted or destroyed.

7.04 Suspension. In addition to the other rights and remedies set forth herein, Vendor may suspend Client’s and any Authorized User’s access to any portion or all of the Software if Vendor determines that:

(a) Client breaches any of its obligations under Article II (Access and Use);

(b) Client’s or an Authorized User’s access to or use of the Software is the source of a threat to or attack upon any Vendor IP or to any other Client or vendor of Vendor;

(c) Subject to applicable law, Client has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or

(d) Vendor’s provision of the Software to Client or any Authorized User is prohibited by applicable law.

In the event of a suspension pursuant to this Section 7.04, Vendor shall immediately provide written notice of the suspension to Client. Vendor shall resume providing access to the Software immediately after it determines that the event giving rise to the suspension is cured. Vendor will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Client or any Authorized User may incur as a result of a suspension in accordance with this Section 7.04.

7.05 Survival. This Article VII, Articles I, IV, V, VI, VIII and IX shall survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.

Article 8. Security; Privacy

8.01 Security Procedures. Vendor implements security procedures to help protect Client Personal Data and Client Personal Information against security attacks. Client understands that use of the Software necessarily involves transmission of Client Personal Data and Client Personal Information over networks that are not owned, operated or controlled by Vendor. Notwithstanding the foregoing, Vendor acknowledges and confirms that it has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures to help secure Client Personal Data against accidental, unauthorized or unlawful processing, destruction, loss, damage or disclosure as well as adequate security programs and procedures to ensure that unauthorized persons or parties do not have access to any equipment used to process such information or data. Vendor also agrees that it shall:

(a) Scan the Software for any code or device which is designed or intended to impair the operation of any computer or database or prevent or hinder access to, or the operation of, any program or data, using detection software generally accepted in the industry;

(b) Secure its computing environments according to generally accepted industry standards to ensure that the Software cannot be accessed by any unauthorized person or malicious software; and

(c) Promptly remedy and notify Client of any security breach of Client Personal Information or Personal Data Breach of Client Personal Data about which Vendor becomes aware.

8.02 Processing of Personal Data. The Parties acknowledge that, in addition to other data protection legislation that may govern Vendor’s processing of Client Personal Information, personally identifiable information or Client Personal Data (as those terms are defined in applicable regulatory frameworks), the GDPR, the CCPA and/or PIPEDA may apply to some or all of the Client Personal Data or Client Personal Information. Client Data may include Personal Information and/or Personal Data such as names, contact details, location data, online identifiers (e.g., IP addresses), among other types of Personal Information and/or Personal Data. Consequently, the Parties agree to the following:

(a) Vendor may, by way of example and without limitation, be acting as the Processor (as defined in the GDPR) of Client Personal Data. Vendor and Client agree that they will enter into (i) the Standard Contractual Clauses should Client determine that Vendor will be required to transfer Client Personal Data out of the European Union or European Economic Area (EU/EEA) for processing purposes under this Agreement and (ii) an International Data Transfer Agreement and/or IDTA Addendum should Client determine that Vendor will be required to transfer Client Personal Data out of the United Kingdom for processing purposes under the Agreement.

(b) Vendor shall comply with all applicable Data Protection and Privacy Laws in the processing of Client Personal Data. Vendor shall not process Client Personal Data other than on Client’s documented instructions unless processing is required by applicable laws to which Vendor is subject, in which case Vendor shall, to the extent permitted by applicable law, inform Client of that legal requirement before the relevant processing of that Client Personal Data.

(c) Vendor shall give Client prior written notice of the appointment of any new Sub-Processor (as defined in the GDPR) that would possess access to Client Personal Data, including full details of the processing to be undertaken by the Sub-Processor. If, within fourteen (14) days of Vendor’s issuance of such notice, Client should notify Vendor in writing that it objects to the proposed appointment, Vendor shall work with Client in good faith to make available a commercially reasonable change in the provision of the Software which circumvents the use of that proposed Sub-Processor. Where Vendor cannot effectuate such a change within fourteen (14) days of Vendor’s receipt of Client’s notice, Client may, by written notice to Vendor with immediate effect, terminate the Agreement to the extent that it relates to Software that requires the use of the proposed Sub-Processor.

(d) Vendor shall ensure that the arrangement between Vendor and any Sub-Processor that is governed by a written contract includes terms that offer at least the same level of protection for Client Personal Data as those set out in this Agreement.

(e) Vendor shall, taking into account the nature of the processing and by appropriate technical and organizational measures, assist Client with responding to data subjects’ requests to exercise their rights under the Data Protection and Privacy Laws. Vendor shall promptly notify Client if it receives a request from a data subject under any Data Protection and Privacy Law in respect of Personal Data contained in Client Data. Vendor shall also refrain, with the exception of acknowledging receipt of the same, from responding to such requests except on the documented instructions of Client or as required by applicable laws to which Vendor is subject. In such an event, Vendor shall, to the extent permitted by applicable laws, inform Client of that legal requirement before Vendor responds to the request.

(f) Vendor shall, taking into account the nature of the processing and the information available to Vendor, provide reasonable assistance to Client in ensuring compliance with the Parties’ obligations pertinent to securing Client Personal Data, breach notification matters, data protection impact assessments and/or transfer impact assessments, where and to the extent applicable.

Article 9. Miscellaneous

9.01 Entire Agreement. This Agreement, and any other documents incorporated herein by reference, constitute the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, whether written or oral, with respect to such subject matter. In the event of any inconsistency between the provisions of this Agreement and any other documents incorporated herein by reference, the provisions of this Agreement shall govern. Each Party acknowledges that, in entering into this Agreement, it does not rely on any statement, representation, or warranty other than those expressly set out in this Agreement. Except as set out in this Agreement, all warranties, representations, conditions, terms and undertakings, express or implied, whether by statute, common law, custom, trade usage, course of dealings or otherwise (including, without limitation, as to quality, performance or fitness or suitability for purpose) in respect of the Software and Professional Services are excluded to the fullest extent permitted by law. In no event shall any other provisions, terms or conditions set forth on a Purchase Order be binding on Vendor unless signed by duly authorized representatives of each Party.

9.02 Taxes. Client shall be responsible for any taxes, duties, fees, charges or assessments of any nature appropriately levied by any governmental authority against the Software in Client’s possession or in connection with the sale or import of Software or provision of Professional Services to Client (collectively, “Taxes”). If Vendor is required to pay any such Taxes and/or fines, penalties or assessments as a result of Client’s failure to comply with any laws or regulations governing payment of such Taxes, the amount of any payments so made, plus the expense of currency conversion (if applicable), shall be promptly reimbursed by Client upon submission of Vendor’s invoice thereof. If Client is required to pay any withholding tax on the use of the Software, Client agrees to promptly make such additional payment such that Vendor shall receive fees due hereunder in full and free of any deduction for any such withholding tax.

9.03 Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and addressed to the Parties at the addresses set forth in the applicable Order Form (or to such other address as a Party may designate by giving Notice in accordance with this Section 9.03). All Notices must be delivered by: (1) personal delivery by a nationally recognized overnight courier (with all fees pre-paid); (2) email (with confirmation of receipt); or (3) via certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise expressly provided in this Agreement, a Notice is effective only: (a) upon receipt and acknowledgment by the receiving Party; and (b) if the Party giving the Notice has complied with the requirements of this Section 9.03.

9.04 Force Majeure. In no event shall either Party be liable to the other Party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond such Party’s reasonable control. Such circumstances shall include, but not be limited to, acts of God, communication line failures, power failures, flood, fire, earthquake, explosion, other natural or man-made disasters, all occurrences similar to the foregoing, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns, other industrial disturbances, acts or failures to act of any governmental or regulatory body (whether civil or military, domestic or foreign), governmental regulations superimposed after the fact, or passage of law or any action taken by a governmental or public authority, including imposing an embargo, or declaring the implementation of a quarantine or the onset or resurgence of an epidemic or pandemic (any of the foregoing, a “Force Majeure Event”). The affected Party shall notify the other Party in writing within ten (10) days after the beginning of any such event that would affect its performance. Notwithstanding the foregoing, if a Party’s performance of its obligations under this Agreement is delayed for a period exceeding thirty (30) days from the date that such Party issues notice to the other Party about the occurrence of a Force Majeure Event, the non-affected Party shall have the right, without any liability to the other Party, to terminate this Agreement.

9.05 Equitable Relief. Each Party acknowledges and agrees that a breach by such Party of any of its obligations under Article IV (Confidential Information) or, in the case of Client, Article II (Access and Use), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy. The Parties further agree that, in the event of such a breach, the other Party would be entitled to pursue equitable relief, including, where and to the extent permitted under applicable law, a restraining order, an injunction, specific performance and any other relief that may be available from a court of competent jurisdiction. The Party seeking relief would possess the right to do so without the necessity of: posting a bond or other security; proving actual damages; or proving that monetary damages are not an adequate remedy. Such remedies are not exclusive and would be available to the Party seeking relief in addition to all other remedies that may be available at law, in equity or otherwise.

9.06 Severability. Should any provision of this Agreement be held invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability shall not affect the validity, legality or enforceability of any other term or provision of this Agreement, nor shall it invalidate or render unenforceable such term or provision in any other jurisdiction. Following a determination by any court or tribunal of competent jurisdiction that any term or other provision of this Agreement is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify such term or provision to achieve their original intent as closely as possible and in order that the transactions contemplated hereunder be consummated as originally contemplated to the greatest extent possible.

9.07 Governing Law; Jurisdiction. This Agreement is governed by and construed in accordance with the laws of the State of Ohio without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Ohio. Any legal suit, action, or proceeding arising out of or related to this Agreement or the rights and licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Ohio, in each case located in the city of Cleveland and County of Cuyahoga, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

9.08 Assignment & Subcontracting.
Neither Party may assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of the other Party to this Agreement; provided, however, that either Party shall have the right to assign this Agreement to any person or entity that acquires all or substantially all of such Party’s business or assets; and provided further that with respect to any such assignment by Client or a change of control of Client (collectively, “Client Assignment”):

(a) Client shall provide Notice to Vendor within thirty (30) days following the consummation of such Client Assignment;

(b) Vendor shall have the right to renegotiate the terms of this Agreement should the size, scope, type, nature, and/or usage of the Software changes as a result of such Client Assignment; and

(c) Vendor shall have the right to enter into new agreements with entities that emerge from Client as a result of partial or full divestitures.

Vendor’s consent to any assignment shall not constitute a waiver of any claims it may have under this Agreement nor otherwise amend or modify any of the terms and conditions of the Agreement. Any purported assignment or delegation in violation of this Section 9.08 will be invalid. Notwithstanding the foregoing, no assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder, and this Agreement will be binding upon and inure to the benefit of the Parties and their respective permitted successors and assigns.

Client hereby gives its general written authorization to Vendor to engage and utilize subcontractors to provide all or part of the Software and/or Professional Services contemplated under this Agreement. Vendor will enter into written agreements with all such subcontractors which will contain obligations and provisions relating to Confidential Information that substantially align with those undertaken by Vendor in this Agreement. Vendor shall remain fully responsible for the performance of the work assigned to any subcontractor and for the fulfillment of all payment obligations owed to such subcontractor.

9.09 Export Regulation. The Software uses software and technology that may be subject to United States, European Union and other jurisdictions’ (as applicable) export control laws, including the United States Export Administration Act and its associated regulations. Client agrees to comply with such laws and complete all required undertakings (including obtaining any necessary export license or other governmental approval), and warrants that it shall not, directly or indirectly, export, re-export, or release the Software or the underlying software or technology to, or make the Software or the underlying software or technology accessible from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Client agrees to provide vendor with the destination of the end use of the Software and location of all Authorized Users.

9.10 Prohibition on Corrupt Practices.

(a) Each of the Parties represents, warrants, and undertakes that it shall not engage in corrupt, unfair or fraudulent practices in connection with the provision or use of the Software hereunder. Such practices shall include, but not be limited to, any circumstance in which a Party or an individual counted among its personnel or Authorized Users, either directly or indirectly, accepts bribes or makes offers, payments, or promises to pay money, gifts, or anything of value to any person, including, but not limited to, an executive, official, employee or agent of the following:

i. A governmental department, agency or instrumentality;

ii. A wholly or partially government-owned or controlled or privately-owned or controlled company or business;

iii. A political party (collectively, with (1) and (2) above, “Public Officials”); or

iv. Any person about whom the Party or Authorized User knows or has reason to know will offer, pay or give all or a portion of such money, gift, or thing of value, whether directly or indirectly, to a Public Official, for the purpose of influencing any act, decision or failure to act by such person or other Public Officials or securing an improper advantage in order to obtain, retain or direct business.

(b) Each Party agrees that it will notify the other Party within five (5) business days should it discover that a member of its personnel or other Authorized User has violated this Section 9.10. Each Party agrees that it will record all payments to governmental entities for permits, licenses, expediting charges, or any similar fees, and retain original receipts of all purchases from such governmental entities as well as, where available, scheduled rate cards for such fees. In addition to the foregoing, Vendor represents and warrants that:

i. The information provided to Client for the purpose of fulfilling its anti-bribery and corruption obligations is complete, accurate and not misleading;

ii. It is not subject to sanctions; and

iii. It is not the subject of any allegations of bribery or corruption.

(c) Vendor hereby agrees to notify Client immediately on learning Vendor or its personnel, directly or indirectly, are subject to regulatory enforcement or scrutiny, judicial or law enforcement investigation or litigation of any kind relating to corrupt (including bribery), unfair or fraudulent practices in connection with the provision of the Software hereunder.

(d) Vendor hereby agrees to:

i. Implement and maintain adequate training, policies and procedures for the prevention of corrupt (including bribery), unfair or fraudulent practices that meet or exceed the requirements to comply with applicable anti-bribery and corruption laws, rules and regulations; and

ii. Notify Client of the absence or failing of training, policies and/or procedures relating to the prevention of corrupt (including bribery), unfair or fraudulent practices in connection with the provision of the Software hereunder.

9.11 Amendment and Modification; Waiver.

(a) No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party.

(b) No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement:

i. No failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof; and

ii. No single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.