GENERAL TERMS AND CONDITIONS FOR THE USE AND PROVIDING OF WHITE HAT IT SECURITY SERVICES

These general terms and conditions (GTC) apply if a company, organization or private person (hereinafter referred to as: Customer, Client or Partner) enters into agreement with White Hat IT Security for the purchase and use of services provided by White Hat IT Security (Registered / head office: 1021 Budapest, Ötvös János u. 3.; Co. registry nr.: 01-09-326869; VAT nr.: HU26373643; Represented by: Sándor FEHÉR CEO) (hereinafter referred to as White Hat, Provider or Company).

By signing an Agreement with White Hat, Customer orders and White Hat accepts the purchase order of White Hat security services and related services, in accordance with the details described in the specific Agreement, Framework Agreement, Individual Contract, PO, official Quote or other legally binding document (hereinafter mutually referred to as Agreement). The detailed description of the specific terms and conditions conducted in the scope are defined in the Agreement.

The provisions of this GTC shall be binding regarding all Agreements and Individual Contracts without any further statement of the Parties. This GTC shall be considered as an inseparable appendix of each and every Agreement. The complete contractual will of the Parties regarding their legal relationship is included in both the Agreement entered into mutually and this GTC together. Should the provisions of this GTC and any Agreement differ, then the regulations of the Agreement are applicable. In any matter, though, which is not regulated in the Agreement, the provisions of this GTC apply.

In this GTC are recorded the general provisions of an Agreement regarding the IT security-related services to be fulfilled by the Provider (e.g. the making and termination of Individual Contracts, and the rights and obligations of the Parties arising from them, the deadline for fulfilling contractual obligations, and the settlement of accounts and the payment of contractual fees and expenditure), adding that the Parties shall enter into an actual Agreement for the fulfilment of the actual tasks; the specific obligations of each task as well as deadlines, service fees and the unique conditions and parameters shall be defined in the Agreement.

The provisions of this GTC shall be binding regarding all Agreements without any further statement of the Parties. This GTC shall be considered as an inseparable appendix of each and every Agreement. The complete contractual will of the Parties regarding their legal relationship is included in both the Agreement and this GTC together. Should the provisions of this GTC and any of the Agreement differ, then the regulations of the Agreement are applicable. In any matter, though, which is not regulated in the Agreement, the provisions of this GTC apply.

1. SUBJECT AND DURATION OF THE GTC

By signing an Agreement, the Client orders and Provider accepts to undertake IT Security services according to the provisions and conditions of an Agreement and for a fee agreed by the Parties. The detailed description of the specific tasks conducted in this scope are defined specifically for each Agreement.

The Provider shall prepare documentation detailing the Agreement’s results (“Report”) regarding each and every Agreement, which shall include data and information regarding the tasks that the Provider fulfilled in the scope of that Agreement.

Provider agrees to use reasonable effort to perform the duties agreed upon in the Agreement, whereas Client acknowledges that Provider makes no express or implied warranties regarding the result of the Projects.
The terms and conditions set forth in this document apply from the first contractual relationship between Provider and Client for an indefinite period that shall commence on the date of mutual signature of the first Agreement.

The Agreement shall include the specific tasks and obligations that are to be fulfilled in the scope of the contract for services and the amount of the fee payable for the services. It may also include Individual Contracts to detail and define non-continuous and extra services. The Individual Contracts shall be concluded by the Parties as follows:

1) The Client shall send the Provider a call for proposal of the desired task in writing that shall include at least the description of the task to be fulfilled and the requested deadline for completion.
2) The Provider, based on the call for proposal, shall make and send to the Client in writing a Proposal for the given task that shall include all necessary elements of the Agreement. The task description can include the project timeframe, schedule, weekly or monthly sub tasks and tasks (and the pre-conditions of each task if applicable), project milestones, project objectives, written or oral reporting obligations, relevant deadlines and also the fees of engineering hours valid throughout the Agreement and details of compensation of work according to the procedures detailed above that shall make the basis of the Service Fee.
3) The Parties shall consult regarding the details of the Proposal in writing if necessary.
4) The Agreement shall be considered as in effect whenever the Client accepts the Provider’s written Proposal in writing and this statement of acceptance is delivered to the Provider.

Concerning the conclusion of the Agreements, the Parties mutually and expressly consider the e-mails sent from and to the e-mail addresses of the representatives of the Parties as appointed in an Agreement as written legal statements.

2. RIGHTS AND OBLIGATIONS OF THE PARTIES

Provider agrees to provide its services in compliance with the requirements of the Client. Client’s right to issue instructions does not include the power to organise Provider’s activities, to define the Provider’s detailed Project schedule or define the steps through which the tasks shall be completed and cannot make fulfilment of the Agreement or its tasks more burdensome for the Provider.

Should Client issue instructions that are impractical, counterproductive, or inappropriate, Provider shall give a written warning thereof. However, if Client maintains the instruction(s), Provider has the right of withdrawal, or to conduct the Project or its task in compliance with Client’s instruction at Client’s risk. Should Client issue instructions that are or the execution of which is in violation of any laws or regulations, or would endanger the person or property of others, Provider shall refuse compliance.

If in order to complete the Project or its tasks Provider needs additional information not included in this Agreement or the Individual Contracts, Provider shall immediately notify Client. Client agrees that it shall provide any and all information reasonably requested by Provider and needed for the Project completion without delay.

Provider shall notify Client without delay of any circumstances that hinder or render impossible the efficiency of the services or the Project completion within the agreed upon timeframe. Any consequential damages of the delay or absence of the notification shall be borne by Provider.

Client shall notify Provider in writing without delay of any circumstances or change of conditions that could have an effect on the services or the fulfilment of the Agreement. Should the Client be in default with the fulfilment of any of its contractual obligations, the relevant deadlines for the fulfilment of the Provider’s tasks shall automatically be extended by the term of the Client’s delay.
Client acknowledges that if the fulfilment of any weekly (or monthly) tasks is deferred or rendered impossible due to failure in fulfilment of Client’s tasks mutually defined as prerequisite thereof, following the second such week of service or task failure through no fault of its own Provider has the right to charge the engineering hours allocated at any such week as fulfilled, and include those charges on the monthly invoice to be paid by Client.

Provider shall not transfer any of its obligations under this Agreement or the Individual Contracts but has the right to hire third persons (subcontractors, service providers etc.). Provider is liable for the work of any such rightfully utilised third person as for its own.

Parties are obliged to cooperate mutually in good faith and following fair business practice under the entire duration of Agreement. They shall, therefore, notify and inform each other not only of fulfilment of any tasks under this Agreement but also of any relevant issues that may have an effect on fulfilment of Agreement. Should any Party violate its obligation of cooperation and notification, that Party is obliged to compensate any damage caused to the other Party as a consequence according to the standard terms of contractual liability.

White Hat may apply security technologies and procedures to help protect against unauthorized access or during the use or providing of the White Hat Services. Provider does not guarantee the success of such technologies and procedures.

Client is solely responsible for the security, protection and backup of Client’s data related to using the White Hat Services, and any other data, software or services in connection with the White Hat Services. Client is responsible for maintaining the confidentiality of any non-public authentication credentials associated with its use of any White Hat Services.
Client must keep their accounts and passwords confidential and must promptly notify Provider about any possible misuse of their accounts or authentication credentials, or any security incident related to the White Hat Services or any Agreement.

3. WARRANTIES

White Hat warrants to Client that it will perform its obligations to the best of its abilities and in a workmanlike manner. The remedies, if any, applicable to a particular portion of the White Hat Services are Client’s sole and exclusive remedies with respect to such portion of the White Hat Security Services related to the failure to meet any standards set forth in an Agreement. White Hat does not warrant that the White Hat Services will detect and prevent all possible threats and vulnerabilities or that such services will render Client’s network and systems invulnerable to security breaches or vulnerabilities.

This limited warranty is subject to the following limitations:

(a) any implied warranties, guarantees, or conditions not able to be disclaimed as a matter of law will last one year from the start of the limited warranty;
(b) this limited warranty does not cover problems caused by accident, abuse, or use of the White Hat Services in a manner inconsistent with an Agreement or any documentation or guidance provided by White Hat, or resulting from events beyond Provider’s reasonable control;
(c) this limited warranty does not apply to problems caused by a failure to meet minimum system requirements.

For any third-party products and/or services incorporated as part of the White Hat Services, Client will receive only the warranties offered by such third party to the extent White Hat may pass on such warranties to Client.
Client represents and warrants that (a) it has and will continue to have all rights, power, permissions and authority necessary to have White Hat perform the White Hat Services in the Client environment (including, without limitation, all rights, power, permissions, authority and network user consents necessary in respect of any IP address assigned to a supported device and any consent needed from its network users with respect to any logging and monitoring activities conducted by White Hat relating to such White Hat Service), and (b) will not provide any data records to White Hat for purposes of White Hat’s performance of a White Hat Service unless such provision of data records is specifically contemplated by the Agreement and the parties have entered into a business associate agreement covering the provision of such data records.

Client assumes the sole responsibility for the accuracy of the IP addresses and domains provided to White Hat. Client will be liable for all costs and expenses from any third-party claims of loss, damage (including reasonable attorneys’ fees) and liability of any kind that may be incurred as a result of Client’s breach of the foregoing warranty.

4. ASSUMPTION OF RISK

Network scanning risks

White Hat Services involve the use of network scanning technology that has inherent risks, including, but not limited to, the loss, disruption, or performance degradation of Client’s or a third party’s business processes, telecommunications, computer products, utilities, or data (the “Scanning Risks”). When Client requests network scanning, or any vulnerability research, penetration testing or managed security services component utilizing network scanning, Client authorizes White Hat to perform the network scanning and assumes all risk for adverse consequences resulting from or associated with such component of the White Hat Services.
White Hat will take all reasonable steps to mitigate Scanning Risks; however, Client understands that Scanning Risks are inherent in the provision of certain computer security services and the use of certain computer security products and cannot be eliminated.

Client will indemnify and defend White Hat for all costs and expenses related to a third party’s claim of loss, damages and liabilities (including legal expenses and the expenses of other professionals) incurred by White Hat, resulting directly or indirectly from any claim attributable to or arising out of White Hat’s use of network scanning technology, including, without limitation, the use by White Hat of network scanning technology to analyse assets that are not controlled directly by Client, including, without limitation, servers hosted by third parties. This obligation of Client in connection with a scanning claim will not apply if White Hat’s gross negligence or wilful misconduct gave rise to such scanning claim.

Modification and encryption

When Client requests any White Hat Service that results in the encryption or similar modification of any drive or other storage device, Client will ensure that all data on drives and storage devices to be encrypted or otherwise modified is appropriately backed up prior to the initiation of such White Hat Service and assumes all risk for adverse consequences resulting from or associated with the encryption or similar modification of one or more drives or storage devices. White Hat will take reasonable steps to mitigate risks associated with such White Hat Service; however, Client understands that these risks are inherent in the provision of certain computer security services and that White Hat will have no liability for data lost or damaged due to the encryption or similar modification of any drive or storage device as a result of the performance of such White Hat Service.

5. FULFILMENT OF AN AGREEMENT, HANDOVER PROCEDURE

Parties mutually state that any agreed upon written documentation created during the fulfilment of an Agreement constitutes an integral part of the Agreement even if it is not physically appended to them and shall be binding for both Parties.

The tasks or sub tasks of any partial fulfilment deadlines defined in the Agreement, or the Annexes thereof shall be considered as fulfilled if all sub tasks are completed in accordance with the given Agreement and they meet the appropriate requirements regarding quality and quantity.

The following baseline regulations are in place as default – unless otherwise specified by the Agreement (End-User Service Agreement, Framework Agreement or Individual Contract) between the Parties.

Based on fulfilment of tasks or sub tasks Provider issues a Performance Report detailing said tasks posteriorly, monthly until the 15th calendar day of the month that follows the subject month or within 15 days of completion of non-monthly Project and shall send it to the Client.

The Client is obliged to accept and acknowledge the contractual performance. The Client is obliged to make a statement whether the Client acknowledges the performance of the Provider as written in the Performance Report as contractual and proper or if the Client disputes the performance of the Provider, within 5 (five) working days of receiving the Performance Report. The Client appoints a person specified in the Agreement who shall be entitled to approve or dispute the performance.

In case the Client disputes the performance of the Provider, the Client shall (within the same 5-working day deadline) give a detailed reasoning for why and in what amount the Client disputes the performance in written form. The Parties shall negotiate the dispute within 15 days from the receipt of the dispute by the Provider.
In case the negotiations turn out to be unsuccessful, the Provider becomes entitled to suspend the performance of the given Agreement until the Parties reach an agreement; the term of such suspension is not included in the agreed term of performance of the given Agreement.

In case the Client does not dispute the given performance of the Provider, then the Client becomes obliged to approve the performance of the contractual obligations of the Provider for the given month or performance in writing within the 5-working day deadline above (hereinafter referred to as: Certificate of Performance). In case the Client fails to issue the Certificate of Performance in deadline but does not dispute the performance either, then the performance of the Provider for the given month shall be automatically considered approved and certified by the Client upon the expiry of the 5 working day deadline.

The Provider is entitled and obliged to issue its invoice for the Service Fee on the basis of the approved performance regarding the given month’s or performance’s tasks of the given Agreement based on the actual engineer’s hours or days.

Upon fulfilment of a given Agreement the Parties shall execute a handover procedure in scope of which the Provider shall hand over to Client the Report. The approval of the Report by the Client shall be considered as the formal closure of the given Agreement or Project. The Provider’s contractual obligations regarding an Agreement or Project shall be considered as fulfilled in deadline if the hand-over procedure starts within the deadline for performance mutually agreed upon in the Agreement.

Parties hereby agree that if any of the Parties shall be in default with the performance of its contractual obligations, then this default excludes the possibility of the other Party’s performance of any of its obligations that is related to the obligation in default.

6. SERVICE FEE, PAYMENT CONDITIONS

Service Fee regarding each Project or Agreement shall be defined and mutually agreed upon in the Agreement regarding the Project and - if agreed so in the Agreement - shall also include any reimbursement necessary for the fulfilment of the Agreement.

Parties agree that payment of the Service Fee shall occur posteriorly on a monthly basis or following fulfilment of Project or task, based on partial fulfilment or fulfilment of tasks or sub tasks, according to the following procedure:

1) Based on the approved performance of the monthly tasks (Certificate of Performance) the Provider shall issue its invoice monthly or posteriorly with the service fee based on the previously agreed upon fee of engineering hours and the amount of engineering hours invested in the Agreement throughout that month or period. The Provider shall send the invoice to the Client without any delay, the latest in 2 (two) working days from the date of issue.
2) The Client shall pay the service fee against the invoice of the Provider within 15 (fifteen) days of receipt of Provider’s invoice, via bank transfer to Provider’s bank account as set forth in the Agreement or on the invoice. Service fee payment is considered settled on the day the amount arrives at Provider’s account.
3) In case the Client fails to pay the service fee in deadline and following Provider’s written notice thereof the Client also becomes obliged to pay a default interest of 5% regarding the unpaid amount for the whole term of delay.
4) In case the Client is in default with its payment obligation for more than 15 days, then the Provider becomes entitled to suspend the performance of every and all Agreements or Projects until the payment of every overdue payment obligation by the Client. The Provider shall inform the Client in writing without delay of such suspension of performance. The term of such suspension of performance shall not be included in the deadline of performance of the Agreement.
If Client unilaterally and without due cause terminates an Agreement before its fulfilment or expiry despite that Provider is providing the Services as per the Agreement, or if Provider is forced to terminate the Agreement prematurely due to Client’s late payment exceeding 30 days following the receipt of the Provider’s written notice thereof, or other material breach of contract of the Client, Client is obliged to pay as liability the amount of the sum of the full service fees applicable until the fulfilment of Agreement.

Provider does not unilaterally and without due cause modify the service fee set forth in an Agreement (i.e., raise service price) during the fulfilment of contract except in case of a Framework Agreement valid for multiple projects and Individual Contracts, where Provider will automatically raise any service fee to follow relevant annual inflation rate – with an amount up to the amount of the rate of the annual inflation.

7. INABILITY TO PERFORM CONTRACTUAL OBLIGATIONS

If fulfilment of contractual obligations of either Party is rendered impossible through no fault or liability of either Party, and

a) the inability occurred related to the interest of the Provider, Provider is entitled to compensation only regarding the last closed partial fulfilment;
b) the inability occurred related to the interest of the Client or not related to the interest of either Party or in connection with both Parties, then Provider is entitled to the whole service fee and expenditure related to the given tasks or its sub tasks and the costs thereof.

8. TERMINATION OF THE AGREEMENT

Parties have the right to withdraw from an Agreement at any time before beginning of fulfilment. Both Parties are entitled to terminate any Agreement until its mutual fulfilment with a 30-day notice in writing, without the obligation to give reasons for such termination. The termination of any Agreement does not affect the effectivity of this GTC.
In case of waiver or termination of an Agreement by Client according to the relevant section above, Client is obligated to compensate for any fulfilled or partially fulfilled sub tasks or engineer hours invested by Provider until that point as well as for any damage caused by termination of an Agreement.

Client and Provider both have the right to terminate an Agreement without giving any reasons thereof, in writing and with a 30-days’ notice.

Both Parties are entitled to terminate an Agreement in case of any serious breach of contractual obligations by the other Party in writing by extraordinary termination without notice, if the violating Party fails to remedy the contractual and lawful state within a 15-day deadline starting from the delivery of the aggrieved Party’s related written notice. The violating Party shall be liable for all damages and expenditure caused to the aggrieved Party with regard to the termination of the Agreement.

The Parties are entitled to amend or terminate an Agreement any time by mutual agreement.

In case an Agreement is terminated, the Parties have the mutual obligation to settle their accounts within 15 days starting from the termination date.

9. CONFIDENTIALITY, INTELLECTUAL PROPERTY AND DATA PROTECTION

Parties mutually state that a non-disclosure obligation is in force regarding and valid for the entire cooperation of Parties. This non-disclosure obligation is modified by present GTC only in the aspect that both Parties may use the fact of cooperation (but no details thereof) as reference of work in front of any third parties and for an indefinite amount of time. All other data and information (including but not limited to, for example, the service fee, the disclosed vulnerabilities, business secrets of either Party and any methodology or tools used by either Party and other Intellectual Property) are subject to and shall be governed by the provisions of the relevant non-disclosure obligation.
In compliance with the provisions thereof Provider shall keep one copy of all documentation created during the cooperation or the fulfilment of any Project or Agreement with the knowledge and consent of Client (for future verifiability, for instance during any official enquiry or examination by an authority).

The Parties agree that unless they agree differently in an Agreement, the Provider is the sole and exclusive owner and beneficiary of all and every intellectual property of any kind created during, resulted by or arising from the performance of the Agreement(s).

The Parties take mutual obligation to respect and keep the provisions of any Hungarian and/or EU legal regulation and internal regulation regarding data protection and personal data, as well as to run the relating records and registers lawfully. The Parties take mutual obligation to fully co-operate in these matters.

Provider acknowledges that in the course of performing the Agreement Provider may have access to data of Client’s employees, customers or other natural persons stored in Client’s systems, which is personal data subject to the relevant data protection legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

Client grants White Hat limited access rights, and secures and maintains all other rights to Client Data necessary to provide the Services without violating the rights of any third party; such rights may only be granted as long as they are needed to enable and necessary to provide the Services agreed upon in an Agreement. Provider is entitled to use this data only in the course of performing an Agreement as Client’s data processor solely for the purposes of performing its tasks specified in the Agreement.
Provider acknowledges and undertakes to:

1) Delete the personal data after the performance of the Agreement immediately in a way that the personal data cannot be restored anymore, which shall be confirmed by Provider in a written declaration.
2) Handle the personal data separately from its own databases and will not create any database from it for its own purposes and takes all organizational and technical measures necessary to ensure data security under the General Data Protection Regulation. Provider further warrants that only its employees involved in the performance of this Agreement will have access to personal data only to the extent necessary.
3) Personal data may only be used for the purpose of performing the Agreement, to the extent necessary for that purpose.
4) Provider shall immediately notify Client in writing of any data protection incident related to personal data and assist Client in taking immediate action to investigate and take the necessary action.

Provider’s full privacy policy is available on its website or upon request via email at any point.

10. MISCELLANEOUS AND FINAL PROVISIONS

Any legal disputes are to be settled primarily by peaceful means and shall only be escalated to court of justice if those fail to produce a result.

Any modification or amendment of any Agreement is only possible in writing and with the mutual agreement of Parties.

If an Agreement or any of its provisions may be found or become invalid or against any legal provision, Parties attempt to make the Agreement valid or legal in 30 (thirty) days from acknowledging the cause, by negotiations and by modifying an Agreement.
All written notices regarding an Agreement sent to the address of the other Party’s registered seat shall be considered as delivered to the other Party on the 5th working day starting from the certifiable sending date of such notice by first class (registered) mail even if the mail is not actually deliverable for any reason (especially but not exclusively if the mail is returned to the sender with the comment “unclaimed by the recipient” or “moved to unknown address”).

For any matters not or partly regulated or covered by the Agreement the relevant Hungarian and EU regulations shall apply.

Should the Annexes of an Agreement differ from this GTC in wording, regulations or any other aspect, the regulations and wording of the document agreed upon mutually by Parties at a later time shall apply.