USER AGREEMENT IMPORTANT – READ CAREFULLY BEFORE USING THIS SOFTWARE BY CLICKING “I AGREE”, ELECTROINCALLY ACCEPTING THIS USER AGREEMENT, OR USING THIS SOFTWARE IN ANY WAY, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS USER AGREEMENT (“AGREEMENT”), THAT YOU UNDERSTAND IT, AND THAT YOU AGREE TO BE BOUND BY ITS TERMS AND TO BIND THE ORGANIZATION FOR WHOSE BENEFIT YOU ARE USING THE QOGNIFY SOFTWARE (THE “SOFTWARE”), TO THIS USER AGREEMENT. THE TERM “YOU” AND “YOUR” COLLECTIVELY REFER TO THE ORGANIZATION AND TO THE INDIVIDUAL USING THE QOGNIFY SOFTWARE FOR THE BENEFIT OF THE ORGANIZATION. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THIS AGREEMENT AND THE TERMS OF A SEPARATE WRITTEN AGREEMENT SIGNED BETWEEN QOGNIFY AND YOU, THE TERMS OF SUCH SEPARATE AGREEMENT SHALL GOVERN YOUR USE OF THE QOGNIFY SOFTWARE. FOR THE PURPOSE OF THIS AGREEMENT, THE CAPITALIZTED TERM “USE”, “USING” (AND ITS COGNATE TERMS) SHALL INCLUDE, WITHOUT LIMITATION, OPERATING, COPYING, INSTALLING, ACCESSING THE FEATURES AND FUNCTIONALITY OF, AND UTILIZING (EACH AS PERMITTED HEREUNDER) THE SOFTWARE IN. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. QOGNIFY WILL NOT ALLOW YOU TO USE THE SOFTWARE AND DOCUMENTATION IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, IN WHICH CASE, YOU MUST IMMEDIATELY CEASE ANY USE OF THE SOFTWARE AND, WHERE APPLICABLE, RETURN THE SOFTWARE TO QOGNIFY. ANY REFERENCE IN THIS AGREEMENT TO “QOGNIFY” SHALL MEAN QOGNIFY LIMITED AND ANY OF ITS DIRECT AND INDIRECT SUBSIDIARIES AND AFFILIATES, UNLESS SPEFICALLY AGREED OTHERWISE WITH YOU. 1. Software License Terms. (a) QOGNIFY grants to you one of the following, as applicable pursuant to your proposal (or any applicable document) from QOGNIFY or a QOGNIFY-authorized reseller or distributor: (i) a non-exclusive, non-transferable license to Use this Software (in object code form only), where one or more copies of the object code of the Software are provided to you for installation and execution on your computers and servers (the “On-Premises Offering”); or (ii) a non-exclusive, non-transferable right to remotely access and Use the Software’s features and functionality, where the Software is running and hosted on a cloud environment (the “SaaS Offering”); and in each of (i) and (ii) above, together with the specifications and user documentation that accompany this Software (collectively “Software Documentation”), for the total number of licenses (in case of (i)) or access rights during the annual subscription cycle (in case of (ii)) you have purchased from QOGNIFY or a QOGNIFY-authorized reseller or distributor. Such Use shall be in accordance with and subject to the terms and conditions set forth herein. (b) The Software and Software Documentation contain material that is protected by United States and international intellectual property laws, including copyright law, trade secret law, and by international treaty provisions. No title or ownership of the Software or Software Documentation is transferred to you by way of this Agreement. Ownership of the Software, Software Documentation, and all modifications, enhancements, improvements, adaptations, translations and any derivative works thereof and any other intellectual property rights therein and thereto remain at all times with QOGNIFY and its licensors. All rights not expressly granted to you herein are reserved to QOGNIFY and its licensors. You shall not remove any proprietary notice of QOGNIFY and its licensors from the Software or Software Documentation (c) You may make a reasonable number of copies of the Software Documentation, provided such reproductions shall include any copyright or proprietary labels, legends or notices placed upon or included in the Software Documentation by QOGNIFY. If you are licensed under the On-Premises Offering, then you may make one (1) back-up archival copy of the Software, provided you reproduce all confidentiality and proprietary notices on such copy. (d) You shall not publish, disclose, rent, lease, modify, loan, distribute, alter or create derivative works of any kind based on the Software, Software Documentation or any part thereof. You shall not: (i) reverse engineer, decompile, unbundle, translate, adapt, or disassemble the Software; (ii) attempt to re-create the source code from the object code for the Software; or (iii) access or circumvent any features or functionalities of the Software that are undocumented, or disabled or not covered under your purchase order from QOGNIFY or a QOGNIFY-authorized reseller or distributor. (e) Without prejudice to QOGNIFY’s obligations under the separately provided Software Level Agreement (SLA) or Software Maintenance Agreement (SMA), QOGNIFY warrants that, during the period beginning on the date of shipment of the Software to you, or the commencement of your first subscription cycle for the Software (whichever of the foregoing is applicable), and ending on the date that is ninety (90) days thereafter (“Warranty Period”), the Software will operate substantially in accordance with the applicable Software Documentation. No return of the Software shall be allowed. Should the Software fail to comply with the warranty set forth in this Section during the Warranty Period, your sole and exclusive remedy and QOGNIFY’s sole obligation with respect to Software shall be, in QOGNIFY’s sole discretion, to correct or replace any portion of the Software not in compliance with this Section at no additional charge to you. The warranty provided in this Section does not include damage to Software resulting from a cause other than a defect or malfunction, including: (i) installation, maintenance, servicing or modification of the Software or part thereof by anyone other than QOGNIFY or a QOGNIFY-authorized technician; or (ii) use of the Software other than in accordance with the Software Documentation. (f) EXCEPT AS SET FORTH IN SECTION 1(e) ABOVE, QOGNIFY OFFERS THE SOFTWARE ON AN “AS IS” BASIS AND MAKES NO WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. WITHOUT LIMITING THE FOREGOING, QOGNIFY DOES NOT WARRANT THAT THE SOFTWARE IS OR WILL BE ACCURATE, ERROR- FREE OR UNINTERRUPTED OR MEET OR WILL MEET YOUR REQUIREMENTS. QOGNIFY MAKES NO IMPLIED WARRANTY OF MERCHANTABILITY OR QUALITY OR IMPLIED WARRANTY OF FITNESS FOR ANY PARTICULAR PURPOSE, AND NO IMPLIED WARRANTY ARISING BY USAGE OF TRADE, COURSE OF DEALING OR COURSE OF PERFORMANCE. ACCORDINGLY, QOGNIFY DISCLAIMS ANY AND ALL LIABILITY RESULTING FROM OR RELATED TO SUCH EVENTS. THE SOFTWARE MAY CAUSE YOUR COMPUTER TO AUTOMATICALLY CONNECT TO THE INTERNET. THE SOFTWARE MAY ALSO REQUIRE ACTIVATION OR REGISTRATION. (g) Where your use of the Software under the SaaS Offering is based on the cloud solutions of ORock Technologies, Inc. (which provides cloud storage services), the Cloud Services Agreement posted at https://go.orocktech.com/Cloud-Services-Agreement (“CSA”) applies as a legally binding contract between you and ORock Technologies, Inc. Your rights and obligations regarding the cloud solutions of ORock Technologies are governed exclusively by the CSA, and the provisions of this User Agreement shall not apply thereto. 2. Confidentiality; Data Protection. (a) The Software is the confidential and proprietary information and property of QOGNIFY, and you shall not disclose the Software or its features, functionalities and performance information to any third party without QOGNIFY’s prior express written consent, except to your employees, advisors and contractors who need to know this information in furtherance of your proper use of the Software in accordance with this User Agreement, and who you’ve ensured are bound by appropriate confidentiality obligations protective of this information and its restricted use. (b) Where the Software or QOGNIFY’s provision of support services for the Software, entail personal data processing, you and QOGNIFY shall be bound by the QOGNIFY Data Processing Agreement appended as Appendix B to this User Agreement. 3. Limitation of Liability. SUBJECT TO THE NEXT PARAGRAPH, IN NO EVENT WILL QOGNIFY BE LIABLE TO YOU WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, ARISING UNDER OR IN CONNECTION WITH THIS AGREEMENT FOR: (a) ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES OR LOSSES, INCLUDING WITHOUT LIMITATION, LOSS OF USE, LOSS OF OR DAMAGE TO RECORDS OR DATA AND/OR CORRUPTION OF INFORMATION, COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY, LOST REVENUE, PROFITS AND/OR SALES, LOSS OF ANTICIPATED SAVINGS, LOSS OF BUSINESS OPPORTUNITY, GOODWILL OR REPUTATION, SUSTAINED OR INCURRED REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT OR OTHERWISE, INCLUDING NEGLIGENCE, STRICT LIABILITY, INDEMNITY OR OTHERWISE, AND WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN AND REGARDLESS OF WHETHER YOU RECEIVED NOTICE OR HAD BEEN ADVISED, OR KNEW OR SHOULD HAVE KNOWN, OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES; OR (b) DIRECT DAMAGES IN EXCESS OF THE AMOUNTS PAID BY YOU TO QOGNIFY (OR THE QOGNIFY-AUTHORIZED RESELLER OR DISTRIBUTOR) FOR THE SOFTWARE LICENSES OR ACCESS RIGHTS. NOTWITHSTANDING THE FOREGOING PARAGRPAH, NOTHING IN THIS AGREEMENT SHALL LIMIT OR EXCLUDE OUR LIABILITY FOR: (A) MATTERS THAT CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW; AND (B) QOGNIFY’s INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS PURSUANT TO SECTION 6 BELOW. ADDITIONALLY, NOTWITHSTANDING THE FOREGOING PARAGRPAH QOGNIFY’S LIABILITY FOR DIRECT DAMAGES ARISING FROM ITS BREACH OF THE DATA PROCESSING AGREEMENT SHALL BE CAPPED AT A TOTAL AND AGGREGATE OF 500,000 US DOLLARS. YOU HEREBY WAIVE CALIFORNIA CIVIL CODE §1542, WHICH PROVIDES: “A GENERAL RELEASE DOES NOT EXTEND TO CLAIMS WHICH THE CREDITOR DOES NOT KNOW OR SUSPECT TO EXIST IN HIS FAVOR AT THE TIME OF EXECUTING THE RELEASE, WHICH IF KNOWN BY HIM MUST HAVE MATERIALLY AFFECTED HIS SETTLEMENT WITH THE DEBTOR.” 4. Compliance. (a) You shall not export the Software, Software Documentation, or information about the Software and Software Documentation other than in accordance with and in compliance with all applicable laws, rules, regulations, orders, or other restrictions. (b) You shall comply with all applicable laws, including without limitation anti-bribery and anti-corruption laws and regulations. (c) The Software is subject to the export control and sanctions laws and regulations of the United States, European Union, United Kingdom, and other countries that may prohibit or restrict access by certain persons or from certain countries or territories currently including, but not limited to, Cuba, the Crimea region of the Ukraine and Sudan, Iran, North Korea, and Syria (“Trade Restrictions”). You represent and warrant that you are not: (i) located in an embargoed country or territory, (ii) under the control of an entity organized in or a resident of an embargoed country or territory, (iii) listed on any U.S., U.K., E.U. or other governmental list of persons or entities with which certain persons are prohibited from transacting. You are solely responsible for complying with Trade Restrictions for the Software. 5. Governing Law. If you are located in a European country, this Agreement shall be governed, construed, and interpreted in accordance with the laws of England and Wales. If you are not located in a European country, this Agreement shall be governed, construed, and interpreted in accordance with the laws of the State of New York without regard to conflict of laws principles. Notwithstanding the foregoing, either party may seek interim or temporary injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of such party’s intellectual property rights. Both Parties hereby exclude the application of the Uniform Computer Information Transactions Act (“UCITA”), the United Nations Convention on the International Sale of Goods (“CISG”), and any law of any jurisdiction that would apply UCITA or CISG or terms equivalent to UCITA or CISG to this Agreement. To the extent not prohibited by applicable law that cannot be waived, the Parties hereby waive, and covenant that they will not assert any right to trial by jury in any action arising in whole or in part under or in connection with this Agreement. 6. Intellectual Property Indemnity by QOGNIFY. (a) QOGNIFY shall indemnify, defend, and hold you harmless from and against any loss, cost, expense, or liability (“Losses”) resulting from or arising out of a claim brought by a third party (“Third Party Claim”) against you to the extent that such Third Party Claim alleges the infringement of such third party’s patent, copyright or other intellectual property rights by the Software. The foregoing indemnity shall not apply in the event the infringement arises out of: (a) specifications or designs furnished by you and implemented by QOGNIFY at your request; (b) the Software being modified by, combined with, added to, interconnected with or used with any equipment, apparatus, device, data, software or service not supplied or approved by QOGNIFY in writing; or (c) use of the Software other than in accordance with its Software Documentation. (b) If a Third Party Claim for which you are entitled to indemnification under Section 6(a) above has occurred, or in QOGNIFY’s opinion is likely to occur, QOGNIFY shall, at QOGNIFY’s expense, do one of the following: (a) procure for you the right to continue using the affected Software; (b) replace with non-infringing alternatives or modify the Software so that it becomes non-infringing but its functionality after modification is substantially equivalent; (c) in case of the On-Premises Offering, accept the return of the affected Software, and have you refunded for the fees for the affected Software depreciated or amortized by an equal annual amount over a three (3) year period beginning from the date of shipment of the affected Software; or (d) in case the SaaS Offering, cease providing access to the Software and refund any prepaid fees applicable to the period after access to the Software was ceased. The collective obligations of QOGNIFY pursuant to Section 6(a) and this Section 6(b) represent the sole and exclusive liability of QOGNIFY, and your sole and exclusive remedy, with respect to any intellectual property infringement or misappropriation. (c) Promptly after you obtain knowledge of the existence or commencement of a Third Party Claim for which you may be entitled to indemnification under Section 6(a) above, you will notify QOGNIFY of such Third Party Claim in writing, provided, however, that any failure to give such notice will not constitute a waiver of any of your rights, except to the extent that the rights of QOGNIFY are actually prejudiced or liability increased thereby. QOGNIFY will have sole control of the defense and settlement of such Third Party Claim; provided, however, that you may join in the defense and settlement of such Third Party Claim and retain separate counsel at your own expense, and will reasonably cooperate with QOGNIFY in the defense and settlement of such Third Party Claim and, provided further, that the ultimate decision making authority and control of such defense shall remain solely with QOGNIFY. QOGNIFY may settle any Third Party Claim without your consent unless such settlement: (a) does not include a release of all covered claims pending against you; (b) contains an admission of liability or wrongdoing by you; or (c) imposes any obligations upon you other than an obligation to cease using any infringing items. 7. Term and Termination (a) The term of this User Agreement commences as specified in your proposal (or any applicable document) from QOGNIFY or a QOGNIFY-authorized reseller or distributor. (b) If the On-Premises Offering applies, this User Agreement continues until terminated in accordance with this Section 7. (c) If the SaaS Offering applies, this User Agreement continues for the subscription period specified in your proposal (or any applicable document) from QOGNIFY or a QOGNIFY-authorized reseller or distributor, and automatically renews for successive subscription cycles of equal length unless: (i) you give written notice to QOGNIFY or you QOGNIFY-authorized reseller or distributor of your intention not to renew the subscription, at least thirty (60) days prior to the end of the then-current subscription term; (ii) QOGNIFY gives you written notice of its intention not to renew the subscription, at least one-hundred and twenty days (120) days prior to the end of the then-current subscription term; or (iii) otherwise terminated earlier in accordance with this Section 7. (d) Either party may terminate this User Agreement for a material breach of this User Agreement by the other party (including, but not limited to, breach of the anti-corruption and anti-bribery provisions of this User Agreement, your failure to pay the specified license fees for the Software when due or your failure in any other material respect to comply with your obligations regarding the use and protection of the Software), upon written notice to the other party setting forth the effective date of termination, provided the other party fails to cure the material breach of this User Agreement, within thirty (30) days after receiving written notice thereof. (e) This User Agreement will terminate, effective upon delivery of written notice by either party to the other party: (a) upon the commencement or institution of insolvency, receivership, or bankruptcy proceedings or any other proceedings for the settlement of debts of the other party; (b) upon the making of an assignment for the benefit of creditors by the other party; or (c) upon the dissolution of the other party. (f) Upon the termination of this User Agreement, you shall: (i) within thirty (30) days after the date of termination of the license, and at QOGNIFY’s option, destroy or return to QOGNIFY all copies of the Software and Software Documentation and permanently discontinue any access to the Software’s features and functionalities; and (ii) upon the destruction, or return of all copies of the Software and Software Documentation, certify to QOGNIFY in writing that you have either destroyed or returned to QOGNIFY all copies of the Software and Software Documentation and permanently discontinued any access to the Software’s features and functionalities. (g) The following sections of this User Agreement will survive termination: 1(b), 1(d), 2(a), 3, 4(b), and 5. 8. General. (a) QOGNIFY may transfer and assign its rights and obligations under this Agreement to any other organization or affiliate but this will not adversely affect your rights or our obligations under this Agreement. (b) If the SaaS Offering applies, QOGNIFY may seek to amend this User Agreement by notifying you of the amended terms least one-hundred and twenty days (120) days prior to the end of the then-current subscription term. Your continued use or access to the SaaS Offering in the subsequent subscription term constitutes your assent to the amended terms. Except as set forth above, all other modifications and amendments to this User Agreement must be in writing and signed by both parties hereto. (c) You may only transfer your rights or your obligations under this Agreement to another person if QOGNIFY agrees in writing. The parties hereto are independent contractors and will so represent themselves in all regards. Neither party is the agent of the other, and neither may make commitments on the other’s behalf. (d) If QOGNIFY fails to insist that you perform any of your obligations under this Agreement, or if QOGNIFY does not enforce its rights against you, or if QOGNIFY delays in doing so, that will not mean that QOGNIFY has waived its rights against you and will not mean that you do not have to comply with those obligations. If QOGNIFY does waive a default or breach by you, QOGNIFY will only do so in writing, and that will not mean that QOGNIFY will automatically waive any subsequent default or breach by you. (e) Each of the conditions of this Agreement operates separately. If any court or competent authority decides that any of them are unlawful or unenforceable, the remaining conditions will remain in full force and effect. (f) This User Agreement, along with its Appendices and your proposal (or any applicable document) from QOGNIFY or a QOGNIFY-authorized reseller or distributor, constitute the entire agreement between the parties hereto, and supersedes all other prior agreements and understandings, both written and oral, between the parties with respect to the subject matter hereof. (g) The Software may include third parties’ components, which are licensed to you pursuant to the applicable third party license agreements (the “Third Party EULA(s)”). BY USING THE SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THE APPLICABLE THIRD PARTY EULAs, UNDERSTAND THEM, AND AGREE TO BE BOUND BY THEIR TERMS. (h) This Section 8(g) is applicable only for U.S. Government End Users. You agree that the Software under this Agreement is Commercial Computer Software, as that term is defined in 48 C.F.R. § 2.102 and 48 C.F.R. § 252.227-7014(a)(1), was developed exclusively at private expense, and is subject to copyright protection in the United States and certain other countries. The Software is provided to civilian agencies of the U.S. Government only with the rights specified in this Agreement, pursuant to 48 C.F.R. §12.212(b). If the Software is provided to a non-civilian agency of the U.S. Government, then it is provided only with the rights specified in this Agreement, pursuant to 48 C.F.R. § 227.7202-3 (2008). If any Software under this Agreement is determined by a court of competent jurisdiction to be other than copyright protected Commercial Computer Software, then all such Software is deemed provided subject to the restricted rights set forth in this Agreement. (i) Neither party shall be deemed to be in default of any provision of this User Agreement, or for failure in performance of its obligations hereunder (excluding payment obligations), resulting from acts or events beyond the reasonable control of such party, including acts of God, civil or military authority, acts or threats of terrorism, civil disturbance, war, riot, strike or labor dispute (not related to either party’s workforce), fires, floods, any act of government, natural disaster, national general shortage of materials, epidemics, pandemics or outbreak of any virus or disease, quarantines, national or regional lockdown or emergencies (each a “Force Majeure Event”). Such Force Majeure Event, to the extent it prevents a party’s performance or any other undertaking under this User Agreement, will extend the time for performance for as many days beyond the applicable performance date as is required to correct the effects of such Force Majeure Event 9. Service Level. You and QOGNIFY will comply with the Service Level Addendum (SLA) appended as Appendix A to this User Agreement, or Software Maintenance Agreement (SMA) separately conveyed to you. APPENDIX A Service Level and Technical Support & Maintenance Addendum (SLA) for the Qognify-managed cloud infrastructure of the SaaS solution About this document QOGNIFY’s software is offered for use either in an on-premises deployment on the customer’s self-hosted platform or in a SaaS deployment on a cloud-hosted platform that QOGNIFY has set-up. This Service Level and Technical Support & Maintenance Addendum (“SLA”) document outlines QOGNIFY’s commitments to its customer (the legal entity acting through its representatives and authorized users) that uses the Solution pursuant to QOGNIFY’s User Agreement to which this SLA is appended (“you”, “your” or “yours”). This SLA is subject to the QOGNIFY User Agreement and it outlines QOGNIFY’s commitments for the Solution’s availability, updates and de-support and scheduled and unscheduled downtime for maintenance. The “Solution” referred to in this SLA refers only to the Qognify-managed cloud infrastructure of the SaaS deployment model and this SLA document applies only if you use the Solution in the SaaS deployment model and applies only to the Qognify-managed cloud infrastructure of the SaaS deployment model. Support and maintenance of QOGNIFY’s software, whether deployed on the customer’s self-hosted platform or in a SaaS deployment on a cloud-hosted platform that QOGNIFY has set-up, is subject to QOGNIFY’s separate Software Maintenance Agreement (SMA) policy. Availability Commitment “Availability” means that the Qognify-managed cloud infrastructure of the SaaS deployment model is operating and accessible in terms of connectivity, computing, and storage capacity. The Solution’s target Availability is 99.5% per calendar-month and Availability is calculated as follows: x = (y – z)/y (x) is the Availability during such month (expressed as a percentage) (y) is the total number of hours in such month minus the number of hours during such month in which the non-Availability is in circumstances that are Excluded (as defined below). (z) is the number of hours in such month during which the Solution is not operating and accessible in terms of connectivity, computing and storage capacity (other than for reasons in the definition of “y” above) whilst no workaround, a hot fix or, a patch release was implemented which alleviates the issue, provided that QOGNIFY has been notified or is otherwise aware (or reasonably should be aware) of the issue. “Excluded” circumstances are any of the following: Planned Maintenance and Unplanned Maintenance for the Solution, as specified below under the title “Scheduled and Unscheduled Downtime for Maintenance”. Subscription to the Solution which is free-of-charge or for which you have not paid the applicable subscription fees. Issues outside QOGNIFY’s reasonable control, such as force majeure events, issues with your third-party infrastructure or hardware providers (e.g., internet access provider) or broad-scope internet failures. The Solution’s non-Availability is due to your failure to follow the Solution’s documentation or use-policies, or you use of the Solution in a manner inconsistent with the Solution’s features and functions. Your continued use of the Solution in contravention of QOGNIFY’s recommendations to you regarding such use. Issues arising from your own wrongdoing or violations of the Solution’s use agreement. The Solution’s non-Availability is due to actions of malicious third parties (e.g., hackers). Law enforcement activity or an order by a governmental agency or authority. Commencing upon the first full calendar-month that follows the first 90 days of your initial use of the Solution, and subject to the provisions of this “Performance Commitments” section, if the Availability of the Solution, measured by QOGNIFY as per the above, falls below 99.5% for the calendar-month, you will be entitled to a credit of 10%. To clarify, non-availability of the QOGNIFY software, as opposed to non-Availability of the Qognify-managed cloud infrastructure of the SaaS deployment model, is not covered by this Availability Commitment, and does not entitle you to any credit. QOGNIFY, in is discretion, will determine whether an issue arises from non-availability of the QOGNIFY software or from non-Availability of the Qognify-managed cloud infrastructure. You may only: Claim Credit in the event the Availability falls below the figure set forth above; and Redeem such Credit (but not a refund) when you subsequently renew your annual subscription to the Solution, such that the period specified in the claimed Credits approved by QOGNIFY will be provided to you without charge during the renewed annual subscription and you will only be billed for the annual subscription fees pro-rated to the period of the annum remaining after the period specified in the claimed Credits (the “Discount”). To claim Credits, you must submit a written claim, through your authorized sales channel, to QOGNIFY, no later than at the end of the calendar-month following the month in which the Availability fell below the figure set forth above. The determinative information regarding the time and duration of Availability issues during the calendar-month for which Credits are claimed is as documented in QOGNIFY’s records. When QOGNIFY receives your claim, QOGNIFY will evaluate it together with all information available to QOGNIFY and will make a good-faith determination whether to approve the claim and as to and Credit(s) are owed (if any) according to the Credits set forth below. By and no later than 30 days following receipt of your claim, QOGNIFY will provide a reasoned notification through your authorized sales channel to you, in writing, as to whether the claim(s) are approved, and the aggregated amount of Credits (if any) owed therefrom, expressed as time calculated by multiplying the total number of hours in the month in which the Credit claim arose by the Credit percentage set forth in the above table for the level of reduced Availability corresponding to the claim. Pursuant to the abovementioned notification by QOGNIFY, QOGNIFY will provide the Discount through your authorized sales channel. Where multiple Credits are approved as per the foregoing for a given month or throughout different months, they are added to past approved Credits and shall apply consecutively. Credits that you do not claim as set forth (within the timelines set forth above) above and Credits not approved by QOGNIFY as set forth above will expire, and may not be claimed, redeemed or rolled over to any subsequent subscription terms. Credits for an occasion of Availability issues may not be claimed or redeemed more than once. Credit eligibility is the sole and exclusive remedy for QOGNIFY failure to meet the Solution’s Availability commitment. Updates QOGNIFY will maintain the Solution with software updates which QOGNIFY generally makes available to all its SaaS customers. These updates generally enhance the Solution’s features and performance or resolve bugs and errors in the Solution. These updates do not include any releases of program that QOGNIFY licenses separately to Customer. QOGNIFY retains full discretion regarding the frequency and scope of such updates. Scheduled and Unscheduled Downtime for Maintenance QOGNIFY may suspend the operation of the Solution for planned maintenance work (‘Planned Maintenance’) or for rectifying critical emergency issues (‘Unplanned Maintenance’). QOGNIFY will only suspend the operation of the Solution for Planned Maintenance during off-peak business hours and will provide you with a prior written notice of at least 14 calendar-days before the Planned Maintenance. The notice will include information about the time and expected duration of the Planned Maintenance. QOGNIFY will only suspend the operation of the Solution for Unplanned Maintenance to rectify critical emergency issues that in QOGNIFY’s determination warrant prompt resolution that cannot be delayed until the next Planned Maintenance. QOGNIFY shall endeavour to provide you with such prompt or prior notice as is reasonably practicable in the circumstances. The notice will include information about the time and expected duration of the Planned Maintenance. Other Terms This SLA is subject to change at QOGNIFY’s discretion; however, QOGNIFY policy changes will not result in a material reduction in the level of the services provided for the Solution. In the event of any conflict or inconsistency between this SLA and any commercial agreement between the parties, the terms of the applicable commercial agreement shall govern. APPENDIX B QOGNIFY Data Processing Addendum This Data Processing Addendum (“DPA”) is entered into between QOGNIFY and the organization using the QOGNIFY-developed software-based physical security measures (the “Organization” and the “Solution”, respectively). WHEREAS, QOGNIFY is involved in providing to the Organization certain, installation, implementation, training, maintenance, support, hosting, Software-as-a-service (SaaS) or other services that relate to the Solution; WHEREAS, the foregoing activities involve processing certain personal data, and the parties wish to regulate QOGNIFY’s processing of such personal data, through this DPA. THEREFORE, the parties have agreed to this DPA, incorporated by reference into the QOGNIFY User Agreement, and consisting of two parts: Part 1 applies with respect to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and supplementary GDPR legislations in EU member states). Part 2 applies with respect to the UK’s Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419). Part 3 applies with respect to the California Consumer Privacy Act of 2018 (CCPA). Part 1 1. Capitalized terms used in this Part 1 but not defined elsewhere in the DPA have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR). 2. This Part 1 applies only where QOGNIFY is Processing Personal Data as a Processor on behalf of the Organization and under the Organization’s instructions, where the Organization is either a Controller or Processor subject to the GDPR with respect to the Personal Data that QOGNIFY Processes. It does not apply to QOGNIFY’s Processing Personal Data of the Organization’s representatives to operate the Solution, to market or promote its products, to administer the business or contractual relationship between QOGNIFY and the Organization, or in other instances where QOGNIFY operates as the Controller. 3. The Organization and QOGNIFY hereby assent to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN), for MODULE TWO (transfer controller to processor) where the Organization is a Controller, or MODULE THREE (transfer processor to processor) where the Organization is a Processor, as follows: 3.1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO (Transfer controller to processor) and MODULE THREE (transfer processor to processor): The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 business days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). 3.2. In Section IV (Final Provisions), Clause 17 – 3.2.1. For MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the EU member state in which the Organization is established, or, if the Organization is not established in any EU member state, then the law of the Republic of Ireland. 3.2.2. For MODULE THREE: Transfer processor to processor: The Parties agree that this shall be the EU member state in which the Organization’s Controller is established, or, if the Organization’s Controller is not established in any EU member state, then the law of the Republic of Ireland. 3.3. In Section IV (Final Provisions), Clause 18(b) – 3.3.1. For MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Organization is established, or, if the Organization is not established in any EU member state, then the courts of Dublin, Ireland. 3.3.2. For MODULE THREE: Transfer processor to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Organization’s Controller is established, or, if the Organization’s Controller is not established in any EU member state, then the courts of Dublin, Ireland. 3.4. In Annex I: 3.4.1. Data Exporter: Organization. 126.96.36.199. Activities relevant to the data transferred under these Clauses: an organization utilizing the Solution which involve processing personal data and seeking of technical support for those measures (including, without limitation, the provision of such data to the data importer, including transfers outside of the European Economic Area). 188.8.131.52. Role: Controller (for MODULE TWO: Transfer controller to processor), or Processor (for MODULE THREE: Transfer processor to processor) 3.4.2. Data Importer: QOGNIFY. 184.108.40.206. Activities relevant to the data transferred under these Clauses: Developer, operator, and provider of the software-based physical security measures, including the provision of technical support for them. 220.127.116.11. Role: Processor. 3.5. Description of Transfer: 3.5.1. Categories of data subjects whose personal data is transferred: employees and contractors of the Organization, visitors to the Organization’s premises, including customers and prospective customers and their representatives and members of the public. 3.5.2. Categories of personal data is transferred: Images of data subjects and metrics monitoring their activities and behavior. 3.5.3. Sensitive data transferred: Only to the extent that images of the data subject reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. 3.5.4. The frequency of the transfer: on a continuous basis (if the Solution used is in a cloud-based configuration managed by QOGNIFY), or at discrete eventualities during technical support inquiries (if the Solution is installed on-premises at the Organization). 3.5.5. Nature of the processing: recording, storage, consultation, use, disclosure by transmission and erasure. 3.5.6. Purpose(s) of the data transfer and further processing: the provision of the Solution functionality to the Organization (if the Solution used is in a cloud-based configuration managed by QOGNIFY), or the provision of technical support for the Solution (if the Solution is installed on-premises at the Organization). 3.5.7. The period for which the personal data will be retained: the period of the engagement agreement for the provision of the Solution (if the Solution used is in a cloud-based configuration managed by QOGNIFY) or for the duration of a technical support request, and until it is completed (if the Solution is installed on-premises at the Organization). 3.5.8. Transfers to (sub-) processors: Subprocessor Subject matter and nature of subprocessing Country and Transfer Safeguard Duration of subprocessing Qognify Ltd. R&D subsidiary supporting the provision of the Solution to the Organization Israel (Adequacy Decision) For the duration of the provision of the Solution to the Organization Microsoft Corporation Email transmission and storage provider USA (SCCs) For the duration of the provision of the Solution to the Organization Amazon Web Services, Inc. Cloud hosting and processing (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) USA (SCCs) For the duration of the provision of the Solution to the Organization Wasabi Technologies LLC Cloud hosting and processing (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) USA (SCCs) For the duration of the provision of the Solution to the Organization Orock Technologies LLC Cloud hosting and processing (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) USA (SCCs) For the duration of the provision of the Solution to the Organization CommIT Ltd. Cloud management services (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) Israel (Adequacy Decision) For the duration of the provision of the Solution to the Organization 3.5.9. Competent Supervisory Authority: 18.104.22.168. For MODULE TWO: Transfer controller to processor: the data protection authority in the EU member state in which the Organization is established, or the Organization’s lead supervisory authority for GDPR purposes, but if the Organization is not established in any EU member state, then the supervisory authority of the EU member state in which the Organization’s EU representative pursuant to Article 27 of the GDPR is located. 22.214.171.124. For MODULE THREE: Transfer processor to processor: the data protection authority in the EU member state in which the Organization’ Controller is established, or the Organization’s Controller’s lead supervisory authority for GDPR purposes, but if the Organization’s Controller is not established in any EU member state, then the supervisory authority of the EU member state in which the Organization’s Controller’s EU representative pursuant to Article 27 of the GDPR is located. 3.6. In Annex II, for MODULE TWO and MODULE THREE (TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): See Exhibit 1 below. 3.7. Annex III: List of Sub-processors (MODULE TWO and MODULE THREE): see Section 3.5.8 above. 4. The Organization will comply with its obligations under the GDPR. 5. If QOGNIFY’s assistance to the Organization under Clause 10 of the SCCs entails material costs, expenses, or resources to Organization, then the parties shall first discuss and agree on the fees payable to Organization for such assistance. 6. Audits and inspections conducted under Clause 8.9 of the SCCs shall be conducted during ordinary business hours of QOGNIFY and with minimal disruption to QOGNIFY’s ordinary course of business, shall not extend to any activities of QOGNIFY with other customers or parties, and if conducted by an independent auditor, such auditor shall be made subject to appropriate confidentiality undertakings satisfactory to QOGNIFY. If such inspections or audits entail material costs, expenses, or resources to QOGNIFY, then the parties shall first discuss in good faith and agree on the fees payable to QOGNIFY for such inspections or audits. Exhibit 1 to Part 1 This Exhibit 1 specifies the technical and organizational measures that QOGNIFY uses to ensure the security of the personal data: (a) deny unauthorized persons access to processing equipment used for processing (‘equipment access control’). (b) prevent the unauthorized reading, copying, modification or removal of data media (‘data media control’). (c) prevent the unauthorized input of personal data and the unauthorized inspection, modification, or deletion of stored personal data (‘storage control’). (d) prevent the use of automated processing systems by unauthorized persons using data communication equipment (‘user control’). (e) ensure that persons authorized to use an automated processing system have access only to the personal data covered by their access authorisation (‘data access control’). (f) ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (‘communication control’). (g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’). (h) prevent the unauthorized reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’). (I) ensure that installed systems may, in the case of interruption, be restored (‘recovery’). (j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’). (k) implement a process for regularly testing, assessing, evaluating, and enhancing the effectiveness of technical and organizational measures for ensuring the security of the Processing (‘assessments’) Part 2 1. Capitalized terms used in this Part 2 but not defined elsewhere in the DPA have the meaning ascribed to them in the UK’s Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419). 2. This Part 2 applies only where QOGNIFY is Processing Personal Data as a Processor on behalf of the Organization and under the Organization’s instructions, where the Organization is either a Controller or Processor subject to the UK GDPR with respect to the Personal Data that QOGNIFY Processes. It does not apply to QOGNIFY’s Processing Personal Data of the Organization’s representatives to operate the Solution, to market or promote its products, to administer the business or contractual relationship between QOGNIFY and the Organization, or in other instances where QOGNIFY operates as the Controller. 3. The Organization and QOGNIFY hereby agree to be bound by Section 3 of Part 1 of this DPA, and assent to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022, including their “part 2: mandatory clauses”), issued by the Commissioner under S119A(1) of the UK Data Protection Act 2018 (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as follows: 3.1. In Table 1: Parties – 3.1.1. The Start data shall be the date that the Organization and QOGNIFY have entered into the agreement that this DPA is appended to. 3.1.2. The Parties’ details and Key Contact shall be as identified in the agreement that this DPA is appended to, or in another instrument of the Parties. 3.2. In Table 2: Selected SCCs, Modules and Selected Clauses – 3.2.1. The version of the Approved EU SCCs which the International Data Transfer Addendum is appended to, is in Section 3 of Part 1 of this DPA. 3.3. In Table 3: Appendix Information – See Sections 3.4 – 3.7 of Part 1 of this DPA. 3.4. In Table 4: Ending this Addendum when the Approved Addendum changes: Exporter. Part 3 1. Capitalized terms used in this Part 3 of the Data Processing Addendum (“DPA”) but not defined in the DPA or in the Agreement have the meaning ascribed to them in the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §1798.140. 2. This Part 3 applies only where QOGNIFY is processing Personal Information as a Service Provider on behalf of the Organization where the Organization is either a Service Provider or a Business subject to the CCPA. It does not apply to QOGNIFY’s Processing Personal Information of Organization’s representatives to market or promote its products, to administer the business or contractual relationship between QOGNIFY and the Organization or in other instances where QOGNIFY operates in a capacity other that a Service Provider of the Organization. 3. The Parties acknowledge and agree that QOGNIFY is a Service Provider. To that end, and unless otherwise requires by law: 3.1. QOGNIFY is prohibited from retaining, using or disclosing Organization’s Personal Information for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide the Solution to the Organization, or as otherwise permitted under 11 CCR §999.314(c); (b) Selling the Organization’s Personal Information; and (c) retaining, using or disclosing the Organization’s Personal Information outside of the direct business relationship between the Parties, except as permitted under 11 CCR §999.314(c). QOGNIFY certifies that it understands the restriction specified in this subsection and will comply with it. 3.2. If QOGNIFY receives a request from a California Consumer of the Organization, about his or her Personal Information, QOGNIFY shall not comply with the request itself, but shall inform the Consumer that QOGNIFY’s basis for denying the request is that the QOGNIFY is merely a service provider that follows Organization’s instruction and inform the Consumer that they should submit the request directly to the Organization and provide the Consumer with the Organization’s contact information. 4. QOGNIFY shall assist Organization by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Organization’s obligation to respond to requests for exercising Consumer rights under the California Consumer Privacy Act of 2018. 5. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of QOGNIFY’s processing of Personal Information of the Organization, as well as the nature of personal information processed for Organization, QOGNIFY shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).