End User License Agreement This End User License Agreement (“EULA”) governs the use of software, software-based services, and data provided by SpyCloud, Inc., a Delaware corporation with offices at 2130 S. Congress Ave., Austin, TX 78704. By using the Products or by entering into an agreement to which these terms are appended, you agree to be bound by this EULA. 1. DEFINITIONS (a) “Credentials” means any user accounts, passwords and other authentication credentials associated with your use of the Products. (b) “Customer Facilities” means Credentials and any account, hardware, system or other facility within your custody or control. (c) “Data Subjects” mean any: (i) your employees; (ii) your users who sign up for user accounts to purchase or use your products or services; or (iii) users who provide personal information to you to use or purchase your products or services. (d) “Emergency Security Issue” means any: (i) use of the Products by you or End Users in violation of the terms and conditions of this Agreement that disrupts or is reasonably likely to disrupt the availability of the Products to other users; or (ii) access to the Products by any unauthorized third party through use of any your Facilities. (e) “End Users” means your employees and contractors. (f) “Intellectual Property” means all rights associated with patents and inventions; copyrights, mask works and other works of authorship (including moral rights); trademarks, service marks, trade dress, trade names, logos and other source identifiers; trade secrets; software, databases and data; and all other intellectual property and industrial designs. (g) “Products” means SpyCloud’s proprietary software-based services (as may be updated from time to time) for detecting potential breaches of data security through monitoring of activities occurring online. (h) “Professional Services” means implementation services, consulting services or other related services provided under an Order Form, as further specified in a Statement of Work (“SOW”). 2. GRANT OF RIGHTS AND RESTRICTIONS (a) Grant of Rights . During the term of this Agreement and subject to your compliance in all material respects with the terms and conditions of this EULA, SpyCloud hereby grants you a limited, non- exclusive, non-sublicensable right to access and use the Products only in the form made available by SpyCloud and only as necessary for End Users to monitor or investigate potential breaches of data security involving you or Data Subjects. All rights granted to Customer may only be exercised by Customer for Customer’s internal business purposes and in accordance with the license granted herein. (b) Restrictions . Except as expressly permitted under this Agreement, you shall not, nor shall you permit any other party to: (i) reproduce, modify, translate, adapt or create derivative works based upon the Products; (ii) reverse engineer, decode, decompile, disassemble or otherwise attempt to access or derive the source code or architectural framework of the Products; (iii) access the Products for purposes of benchmarking or developing, marketing, selling or distributing any product or Products that competes with or includes features substantially similar to the Products; (iv) rent, lease, lend, sell or sublicense the Products or otherwise provide access to the Products to any third party who is not an End User or as part of a Products bureau or similar fee-for-Products purpose; or (v) use the Products in any way that does not comply with all applicable laws and regulations. (c) Changes . You acknowledge and agrees that SpyCloud may improve, modify, add or remove functions or features to or from the Products from time to time, with or without notice. (d) Professional Services . Any Professional Services to be provided will be specified in an SOW, which shall describe the scope of such services and the fees, costs, and expenses payable by Customer in connection with the performance of such Professional Services. Each SOW shall be subject to the terms of this Agreement and any Order Form. SpyCloud is responsible for all SpyCloud personnel providing Professional Services and for the payment of their compensation, including, if applicable, withholding of income taxes, and the payment and withholding of social security and other payroll taxes, unemployment insurance, workers' compensation insurance payments, and disability benefits. 3. CUSTOMER RESPONSIBILITIES (a) Technical Requirements . You are solely responsible for obtaining, configuring and maintaining any hardware, network connectivity and third-party software required to access the Products, including computers, operating systems, web browsers and storage devices (“Facilities”). (b) Protection . You are solely responsible for protecting the confidentiality of Credentials and all activities undertaken using your Facilities. If you become aware of any unauthorized access to or use of the Products through use of your Facilities, you shall immediately give written notice to SpyCloud of such unauthorized use and make reasonable efforts to eliminate it. You shall at all times implement appropriate security policies and procedures and access control methodologies to safeguard access to the Products through your Facilities. All such measures shall comply with prevailing industry standards but in no case consist of less than reasonable care. (c) Policies . Your access to and use of the Products and Professional services shall comply with and be subject to: (i) SpyCloud's Privacy Policy (located at https://spycloud.com/legal-and-privacy-center/privacy-policy/); (ii) any usage limits set forth in any Order Form; and (iii) any terms of service, acceptable use policy, privacy policy, end user license agreement and other guidelines instituted by SpyCloud's licensors or service providers that are provided to Customer prior to or contemporaneously with access to the Service or agreed to in writing by Customer (collectively, “Policies”). 4. INTELLECTUAL PROPERTY (a) Responsibility for Data . All information, data, and other materials accessible through the Products (“Data”) are the sole responsibility of the party from whom such materials originated. You acknowledge and agrees that: (i) the Products may provide access to or rely on Data from third parties, and such third parties, and not SpyCloud, are entirely responsible for such Data; (ii) you, are entirely responsible for all Data that you and End Users submit, upload, email, transmit or otherwise make available through the Products (“Customer Data”); and (iii) you are solely responsible for giving all required notices and obtaining all necessary consents (including all required permissions from Intellectual Property holders) before submitting Customer Data through or to the Products. You shall not submit, upload, email, transmit or otherwise make available through the Products any Data not owned or managed by you. (b) SpyCloud Ownership . SpyCloud owns all right, title, and interest (including all intellectual property rights) in and to Products. (c) Customer Ownership . You own all right, title, and interest (including all intellectual property rights) in and to Customer Data. You hereby grant SpyCloud and its service providers a worldwide, royalty-free, non-exclusive license to use, process, transmit and reproduce Customer Data as necessary for SpyCloud to provide the Products to you and End Users. (d) Suggestions . If you elect to provide or make available to SpyCloud any suggestions, comments, ideas, improvements or other feedback relating to the Products (“Suggestions”), SpyCloud shall be free to use, disclose, reproduce, have made, modify, license, transfer and otherwise utilize and distribute Suggestions in any manner, without credit or compensation you. (e) Intellectual Property Notices . You shall not remove, obscure or modify in any way any copyright or trademark notices or other notices or disclaimers that appear within the Products. (f) Reservation of Rights . Each of the parties reserves all rights not expressly granted under this Agreement. 5. SUSPENSION AND TERMINATION (a) Suspension . SpyCloud reserves the right to suspend your access to the Products in the event of an Emergency Security Issue. SpyCloud will make commercially reasonable efforts to limit suspension to the minimum extent and duration necessary to eliminate the Emergency Security Issue. (b) Termination . The license shall terminate: (i) upon a material breach of this EULA, which breach is not cured within thirty (30) days after receipt of written notice from SpyCloud; or (ii) at the same time as any master services or similar agreement to which this EULA is appended. (c) Events Upon Termination . Upon termination of this Agreement for any reason: (i) all rights granted by the parties under this Agreement shall immediately terminate; (ii) you shall immediately cease all use of the Products. You shall: (1) cease use of and delete all copies data transmitted via the Products; and (2) provide SpyCloud with a written certification attesting to your compliance. (d) Survival . Any provision that, by its terms, is intended to survive the expiration or termination of this Agreement shall survive such expiration or termination. 6. WARRANTIES; DISCLAIMER (a) Each party each represents and warrants to the other that: (a) it has the necessary power and authority to enter into this EULA; (b) the execution and performance of this EULA has been authorized by all necessary corporate or institutional action; (c) entry into and performance of this EULA will not conflict with any provision of law or the certificate of incorporation, bylaws or comparable organizational documents of such party; (d) no action by any governmental organization is necessary to make this EULA valid and binding upon such party; and (e) it possesses all governmental licenses and approvals necessary to perform its obligations under this EULA. SpyCloud further represents and warrants that it shall perform any Professional Services using personnel of required skill, experience, and qualifications and in a professional and workmanlike manner in accordance with industry standards for similar services and shall devote adequate resources to meet its obligations under this EULA. (b) ALL PRODUCTS AND PRODUCTS PROVIDED UNDER THIS AGREEMENT ARE PROVIDED “AS IS,” “AS AVAILABLE” AND “WITH ALL FAULTS.” EACH PARTY, TO THE MAXIMUM EXTENT PERMITTED BY LAW, EXPRESSLY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS, EXPRESS OR IMPLIED, INCLUDING: (A) THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE; AND (B) ANY WARRANTY WITH RESPECT TO THE QUALITY, ACCURACY, CURRENCY OR COMPLETENESS OF THE PRODUCTS AND PRODUCTSS PROVIDED UNDER THIS AGREEMENT, OR THAT USE OF SUCH PRODUCTS AND PRODUCTSS WILL BE ERROR-FREE, UNINTERRUPTED, FREE FROM OTHER FAILURES OR WILL MEET YOUR OR END USERS’ REQUIREMENTS. 7. INDEMNITY (a) By SpyCloud . SpyCloud shall indemnify you against any loss, damage, cost, liability and expense (including reasonable attorneys’ fees) finally awarded by a court of competent jurisdiction or paid in settlement to the extent arising from any action or claim of a third party (collectively, “Losses”) asserting that you or your End Users’ use of the Products and/or any Professional Services infringes the Intellectual Property of such third party; provided that SpyCloud shall have no obligation to indemnify you from any Losses to the extent they arise from: (i) your use of the Service in any manner that does not comply in all material respects with the terms and conditions of this Agreement or any Policies or applicable laws or regulations; (ii) your use of the Service in combination with any hardware or software not provided or approved by SpyCloud; (iii) modifications made to the Service by you that are not authorized by SpyCloud; or (iv) any Customer Data (Sections 8(a)(i) through 8(a)(iv), collectively, “Customer Acts”). In the event that any part of the Service becomes the subject of a Loss or SpyCloud reasonably determines that any part of the Products is likely to become the subject of a Loss, SpyCloud may, at its sole discretion: (1) procure for you a license as necessary for you to exercise the rights granted by SpyCloud under this Agreement; (2) modify or replace the Products to avoid infringement, provided, that the Products as modified or replaced retains materially the same or better features and functionality; or (3) terminate this EULA and provide a pro rata refund of the fees paid by you for the unused portion of the Initial Term or Renewal Term, as applicable. (b) By Customer . You shall indemnify SpyCloud against any Loss to the extent arising from: (i) Customer Acts or your breach of Sections 2(b), 3, 5 or 9; and (iii) any violation of applicable data protection laws or regulations by you or your End Users. If you are a U.S. Government Customer (as defined in Section 12), your indemnification obligations under this section will only apply to the extent permitted by applicable law. (c) Procedure . The indemnified party shall: (i) give the indemnifying party prompt written notice of any Loss or threat of Loss; provided that failure of the indemnified party to give such prompt written notice shall not relieve the indemnifying party of any obligation to indemnify pursuant to this Section 8, except to the extent the indemnifying party has been prejudiced thereby; (ii) cooperate fully with the indemnifying party, at the indemnifying party’s expense, in the defense or settlement of any Loss or threat of Loss; and (iii) give the indemnifying party sole and complete control over the defense or settlement of any Loss or threat of Loss; provided that any settlement must include a complete release of the indemnified party without requiring the indemnified party to make any payment or bear any obligation. 8. LIMITATION OF LIABILITY TO THE MAXIMUM EXTENT PERMITTED BY LAW, OTHER THAN WITH RESPECT TO A PARTY’S INDEMNIFICATION OBLIGATIONS HEREUNDER OR BREACH OF SECTION 2(b) OR 9: (A) IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR LOST PROFITS OR COST OF COVER, INCLUDING DAMAGES ARISING FROM ANY TYPE OR MANNER OF COMMERCIAL, BUSINESS OR FINANCIAL LOSS OCCASIONED BY OR RESULTING FROM ANY USE OF OR INABILITY TO USE THE PRODUCTS AND SERVICES PROVIDED UNDER THIS Agreement, SUCH AS ANY MALFUNCTION, DEFECT OR FAILURE OF THE SERVICE OR ITS DELIVERY VIA THE INTERNET, EVEN IF SUCH PARTY HAD ACTUAL OR CONSTRUCTIVE KNOWLEDGE OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE; AND (B) IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY UNDER THIS Agreement EXCEED THE AMOUNT OF FEES RECEIVED BY SPYCLOUD FROM CUSTOMER UNDER THIS Agreement IN THE TWELVE (12)-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE ON WHICH THE EVENTS GIVING RISE TO LIABILITY AROSE. 9. U.S. GOVERNMENT MATTERS (a) Each party represents that it is not named on any United States government list of persons or entities restricted from doing business with any United States company. You shall not directly or indirectly access or use the Products in violation of any United States or international export embargo, prohibition or restriction (b) If you are a U.S. federal government department or agency (“U.S. Government Customers”), the Products are a “Commercial Item” as that term is defined at 48 C.F.R. §2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, as those terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.7202. All U.S. Government Customers acquire subscriptions to the Service only as a “Commercial item” and only with those rights that are granted to all other end users pursuant to the terms and conditions of this Agreement, consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.72021 through 227.72024. U.S. Government Customers may only use the Service for a governmental-related purposes 10.MISCELLANEOUS (a) Independent Contractors . The relationship between SpyCloud and you established by this EULA is solely that of independent contractors. Neither party is in any way the partner or agent of the other, nor is either party authorized or empowered to create or assume any obligation of any kind, implied or expressed, on behalf of the other party, without the express prior written consent of such other party. (b) Notice . All notices, demands, and other communications under this EULA must be in writing and will be considered given upon: (i) delivery by traceable courier or mail (delivery confirmation/return receipt requested); or (ii) the first business day after sending by email. Notices to SpyCloud should be sent to contracts@spycloud.com or to SpyCloud’s Contracts Department at the address specified above. (c) Assignment . You may not assign this Agreement, or sublicense, assign or delegate any right or obligation hereunder, by operation of law or otherwise without the prior written consent of SpyCloud which will not be unreasonably withheld. This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors and permitted assigns. (d) Interpretation . For the purposes of this Agreement: (i) the words “such as,” “include,” “includes” and “including” shall be deemed to be followed by the words “without limitation;” (ii) the word “or” is not exclusive; and (iii) the words “herein,” “hereof,” “hereby,” “hereto” and “hereunder” refer to this Agreement as a whole. This Agreement shall be construed without regard to any presumption or rule requiring construction or interpretation against the party drafting an instrument or causing any instrument to be drafted. (e) Entire Agreement . This EULA contains the entire agreement of the parties with respect to the subject matter hereof and supersedes all previous or contemporaneous oral or written negotiations or agreements with respect to such subject matter. In the event of any conflict between this EULA and any other instrument, the terms and conditions of this EULA shall take precedence. (f) Severability . If any provision of this EULA shall be held to be invalid or unenforceable under applicable law, then such provision shall be construed, limited, modified or, if necessary, severed to the extent necessary to eliminate its invalidity or unenforceability, without in any way affecting the remaining parts of this Agreement. (g) Dispute Resolution . The parties shall use good faith, reasonable efforts to resolve any dispute before initiating legal action. (h) Contract for Products . This Agreement is a contract for the provision of software-based services and not a contract for the sale of goods. The provisions of the Uniform Commercial Code (UCC), the Uniform Computer Information Transaction Act (UCITA), or any substantially similar legislation as may be enacted, shall not apply to this Agreement. If you are located outside of the territory of the United States, the parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not govern this Agreement or the rights and obligations of the parties under this Agreement. (i) No Waiver . Any waiver of the provisions of this EULA, or of any breach or default hereunder, must be set forth in a written instrument signed by the party against which such waiver is to be enforced. APPENDIX I: DATA PROTECTION This Appendix I is attached to and incorporated by reference in the SpyCloud EULA. 1. DEFINITIONS (a) “Applicable Privacy and Data Protection Laws” means any privacy and/or data protection law that apply to the Processing of Personal Data under this Agreement, or to the privacy of electronic communications, including but not limited to U.S. Data Protection Laws. (b) “Controller” shall have the meaning given to it under Applicable Privacy and Data Protection Laws. (c) “Customer Personal Information” means any Personal Information provided in Customer Data that is processed by SpyCloud solely on your behalf in its performance under the EULA. SpyCloud Personal Information is excluded from Customer Personal Information, even if such information is identical to any Customer Personal Information (d) “Personal Information” means any information relating, directly or indirectly, to an identified or identifiable natural person. (e) “Processing” shall have the meaning given to it under Applicable Privacy and Data Protection Laws. (f) “SpyCloud Personal Information” means any Personal Information provided by you to SpyCloud in its performance under the EULA. (g) “U.S. Data Protection Laws” means all federal and state laws and regulations of the United States of America applicable to the processing of Personal Information. 2. CUSTOMER PERSONAL INFORMATION PROTECTION (a) Roles . Any Processing of Customer Personal Information is performed solely on your behalf. Regarding such Processing, SpyCloud is a “service provider” (or an analogous variation of such term) for the purposes of applicable U.S. Data Protection Laws and receives Customer Personal Information pursuant to the business purpose of providing the Products to you to fulfill its contractual obligations. (b) No Sale of Customer Personal Information to SpyCloud . The transfer of Customer Personal Information from you to SpyCloud so that SpyCloud can fulfill its contractual obligations does not constitute a sale of information to SpyCloud, and nothing in this EULA shall be construed as providing for the sale of Customer Personal Information to SpyCloud. (c) Limitations on Use and Disclosure . SpyCloud is prohibited from using or disclosing Customer Personal Information for any purpose other than the specific purpose of performing its contractual obligations, the permitted business purposes set under applicable law, and as required under Applicable Privacy and Data Protection Laws. SpyCloud hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of applicable U.S. Data Protection Laws. (d) Data Subject Access Requests . SpyCloud will reasonably assist you with any data subject access, erasure or opt-out requests and objections. If SpyCloud receives any request from data subjects, authorities, or others relating to its data processing, SpyCloud will without undue delay inform you and reasonably assist you with developing a response (but SpyCloud will not itself respond other than to confirm receipt of the request, to inform the data subject, authority or other third party that their request has been forwarded to you, and/or to refer them to you, except per reasonable instructions from you). SpyCloud will also reasonably assist you with the resolution of any request or inquiries that you receive from data protection authorities relating to SpyCloud, unless SpyCloud elects to object such requests directly with such authorities. 3. SPYCLOUD PERSONAL INFORMATION PROTECTION (a) Role of the Parties . In performing their respective obligations under the EULA, SpyCloud may transmit, and Customer may receive, SpyCloud Personal Information which may be subject to Applicable Privacy and Data Protection Laws. The Parties acknowledge and agree that each party is a separate and independent Controller in respect of such SpyCloud Personal Information and shall individually determine the purposes and means of its Processing of such SpyCloud Personal Information. (b) Privacy Notices . Each party shall provide all notices and disclosures to Data Subjects required to be provided by such party under Applicable Privacy and Data Protection Laws regarding the Processing of SpyCloud Personal Information. 4. ADDITIONAL TERMS (a) Transfers . Where a lawful Transfer mechanism is required by Applicable Privacy and Data Protection Laws, the parties agree to enter into a separate Data Protection Agreement to ensure that any Transfer it initiates will, where applicable, be subject to a lawful data transfer mechanism and/or appropriate onward transfer agreements. Customer acknowledges and agrees that SpyCloud may store and Process Personal Information in the United States. “Transfer” means the access by, transfer or delivery to, or disclosure to a person, entity, or system of Personal Data where such person, entity or system is in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated. (b) Regulatory Inquiries . Each party agrees to: (i) promptly notify the other party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”), that relates to such other party’s (i) Processing of Personal Information in relation to the Service, or (ii) potential failure to comply with Applicable Privacy and Data Protection Laws; and (b) comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law. (c) Security . Each party warrants and represents that it has implemented reasonable measures to maintain the security of its facilities and networks that are appropriate to its business (“Security Program”). Each party shall make reasonable evidence of it’s Security Program available to the other party upon receipt of written request. Such information shall automatically be deemed Confidential Information of the disclosing party. (d) Confidentiality . The Parties agree to take steps to ensure that any person acting under their authority who has access to the Personal Information is subject to appropriate confidentiality obligations. (e) No Ownership Rights . Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Information that is contrary to the ownership interests and licenses set forth in the EULA.