1. Duration of Subscription To be offered on a case-by-case basis. 2. Access and Use of the SaaS Services / Intellectual Property Rights (IPR) As part of this Commercial Proposal, Customer is offered to receive access to the SaaS Services, and not any sale or license to use any software or any other intellectual property rights (e.g. patents, copyrights, and/or know-how), “IPR”, as a result of the SaaS Services. All IPR vested in the systems, software etc. over which the relevant SaaS Services are being provided, whether existing, enhanced or new IPR, i.e. any modifications and add-ons, are IDEMIA’s or IDEMIA vendor’s property only. IDEMIA does not sell to Customer its IPR and technology/know-how in connection with the offered SaaS Services or the development of any new services that would imply that the Customer owns the development results. As a general principle, IDEMIA sells SaaS Services that fulfils a certain IDEMIA’s specification. IDEMIA has invested considerable amounts in development of new technology/know-how in relation to the SaaS Services and such technology/know-how is protected by certain IPR. IDEMIA does not warrant that its SaaS Services do not infringe any third party intellectual property rights, and offers a “defend and pay” type of indemnity to protect Customer against any third party IPR infringement claims. Recoverable damages are limited to amounts awarded by a final court against the Customer or settlement amounts pre-approved by IDEMIA. IDEMIA may require inbound indemnities from Customer related to third party claims addressing Customer’s content processed via the SaaS Services. 3. Liquidated Damages & Service Credits While the offered Set-up Services have committed delivery milestones, the SaaS Services and Support & Maintenance Services are subject to the fulfillment of offered Service Levels / performance that are measured over the time. Mechanisms of “liquidated damages” applicable in case of delivery delays as well as “service credits” applicable in case of failure to meet the offered Service Levels over the time are associated to the present Commercial Proposal. Liquidated damages and service credits are financial compensation for delay / failure to meet the offered Service Levels, which is fixed in advance, and which applies regardless of the existence and the size of any damage caused by the delay or failure to perform according to the Service Levels. The benefit for Customer is that liquidated damages and service credits represent an immediate financial remedy in the event of a delay or Service Levels breach, without having to prove any loss or damage. In return, liquidated damages and service credits serve as the sole and exclusive financial remedy for delays or for any failure to meet the offered Service Levels measured over the time, i.e. no other liabilities or penalties apply up to the offered cap of liquidated damages and service credits. Liquidated damages and service credits are capped at a percentage of the price of the affected Services. If and to the extent that the cap of liquidated damages or service credits has been reached, IDEMIA is deemed in severe or persistent failure, and Customer is entitled to terminate the Services or any part of the affected Services and to be compensated for any proven damages on the terms of the general liability offered in the present Commercial Proposal. Liquidated damages or service credits are not available if the delay or failure is due to force majeure, as described in this Commercial Proposal, or any circumstance for which IDEMIA is not responsible. As for delays in the delivery of the Set-up Services, only one single milestone is the trigger for liquidated damages, which is IDEMIA’s declaration that the Set-up Services are Ready for Acceptance (“RFA” milestone). As for failure to meet committed performance, IDEMIA undertakes to provide a good visibility, tracking and governance around Service Levels as part of the Services. Liquidated damages amounts are in coherence with offered prices. 4. General Limitation of Liability IDEMIA’s present Commercial Proposal is based on the assumption that all costs and liabilities are defined and measurable. IDEMIA is therefore not liable for "indirect or consequential damages" that do not flow proximately from the breach, and for the following types of damages, whether or not they are considered as direct or indirect damages: loss of production, loss of use, loss of business, loss of data, loss of access, loss of market share, loss of revenue, loss of savings, loss of profit. These limitations shall not apply in case of breach of confidentiality and breach related to access and use of the SaaS Services. IDEMIA’s maximum aggregate liability per Year shall not exceed the total amount invoiced by IDEMIA during such Year for the Services offered herein. “Year” shall mean each 12 months period calculated from the anniversary date of the commercial contract between the Customer and IDEMIA. Liquidated damages and service credits do not count towards the offered limitation of liability indicated in the previous paragraph, since they are regulated separately, serving as a pre-set amount of compensation that covers both direct and indirect damages. 5. Suspension of Service IDEMIA reserves the right to suspend the offered Services in situations where Customer puts IDEMIA, its platform or services at risk of: a) a technical or security threat; b) third party claims due to infringing or illegal content or data; c) exposing IDEMIA to some other liability or risk or d) persistent delayed payments by Customer. This right of suspension is balanced as it is qualified as the remedy of last resort i.e.: a) IDEMIA allows Customers a reasonable time period (unless immediate suspension is critical to avoid harm or IDEMIA is compelled by law to suspend the Services) to fix / eliminate or mitigate the relevant issue before suspension occurs, and b) IDEMIA only undertakes suspension under circumstances that are not reasonably capable of other mitigations or remedies. IDEMIA also undertakes to only suspend the directly affected Services, provided that such partial suspension is technically feasible and otherwise reasonable. IDEMIA will restore the suspended Service(s) as soon as possible after the cause of the suspension has been corrected or eliminated and will continue to charge during any such period of suspension. 6. Termination of Services & Exit by Customer Customer may terminate the Services for material breach, where IDEMIA materially defaults on the provision of the Services. Customer has the option to call on IDEMIA in the event of termination to provide support for the return of Customer’s data “as is” and in a format that enables Customer to move the data to another supplier. IDEMIA will then securely destroy the data received by Customer while providing the Services offered herein. Termination of Services by Customer prior to the expiry of the relevant Duration of Subscription, for any reason other than termination for cause, shall be subject to the payment of 100% of all future amounts due for the relevant SaaS Services over the remainder of the offered Duration of Subscription. 7. SaaS Services Withdrawal / End of Life by IDEMIA IDEMIA requires the flexibility to withdraw any SaaS Services during the offered Duration of Subscription by providing a prior written notice of twelve (12) months. IDEMIA may offer assistance services for moving to an alternative service provider or technology to be agreed with Customer on a case-by-case basis. 8. SaaS Services Improvement IDEMIA reserves the right to make improvements to the SaaS Services, provided that such improvements are (i) compliant at all time with regulations and laws applicable to the SaaS Services, (ii) not materially detrimental to Customer’s use of the SaaS Services and that the offered security features (Security Assurance Plan) are not degraded. 9. Privacy IDEMIA’s data protection strategy and governance irrigate our Group. These protection strategy and governance are effective and based on our organizational measures, security technical measures and our corporate governance, as all described in detail in IDEMIA Group Privacy Policy (available at Privacy Policy | IDEMIA). The provision of the offered Services may involve the processing of the below indicated personal data of the representatives, employees and contractors of the Customer, acting as “Data Controller” from a privacy law perspective, for the sole purpose of managing the commercial and contractual relationship related to the present Commercial Proposal: • name; • surname; • professional title; • professional email addresses; and • professional phone number. IDEMIA acting as a “Data Processor” and the Customer acting as “Data Controller”, from a privacy law perspective, commit to process the above indicated personal data in accordance with the relevant privacy laws and regulations. To the extent the provision of the SaaS Services and / or the Support & Maintenance Services require IDEMIA to process any personal data on Customer’s behalf, a separate Data Protection Agreement will apply and the Parties agree to comply with its terms and conditions. 10. Audit Rights It is acknowledged that numerous security audits (performed either by customers directly or by varying third parties) may compromise the integrity, security and performance of IDEMIA’s platforms over which the access to the SaaS Services is offered, and therefor impact our customers. As a result, IDEMIA has independent third-party auditors that carry out these annual security audits, and capture their findings in a report, which IDEMIA is able to share with Customer. In case such report is not available, IDEMIA and Customer will agree upon the designation of an independent third party to perform the audit, and its results will be shared in a form of a “customer report”. Physical audits can only be performed by an independent third party, and are remedy of last resort if other methods, such as security audit reports, prove inadequate or insufficient to fulfil mandatory rules according to relevant applicable regulations for personal data protection or any other purposes. When physical audits are envisaged, the commercial contract specifies the type of needed audit (e.g. contract compliance, financial or security), the scope of the audit, its frequency, Customer’s access to the audit results and the allocation of the associated costs between Customer and IDEMIA. 11. Force Majeure IDEMIA is excused from its obligations if IDEMIA’s performance is prevented or delayed by circumstances which remain beyond its reasonable control in spite of the implementation by IDEMIA of business continuity or mitigation measures (event of Force Majeure). The same applies if such event affects a subcontractor of IDEMIA. The result of a Force Majeure event is, primarily, that the time for completion is delayed or the execution of Services is suspended while the circumstances at stake are prevailing. If the Force Majeure event continues for a long period, IDEMIA or Customer have the right to terminate the affected Services. 12. Third Party Services If and to the extent any Services offered to Customer contain a significant portion of “third party services”, then it should be secured that the terms and conditions offered shall be equal to the terms and conditions imposed by the relevant third party to IDEMIA ("reverse back-to-back"). This is the case of such portion of this Commercial Proposal referring to Hosting Services when they are allocated to a Public Cloud Provider such as Microsoft Azure. In such case, the terms and conditions of the Public Cloud Provider related to customers’ audit rights and to security and organizational measures to protect Personal Data prevail over any other terms of the relevant Agreement when it is about audits or Personal Data processing related to Hosting Services being allocated to the Public Cloud Provider. 13. Change Management IDEMIA’s Change Management Procedure is meant to deal with the changes that occur during the execution of any of the Services and sets out the terms and conditions for modification of the scope of the Services to be performed and delivered under the relevant Agreement. 14. Business Ethics IDEMIA conducts its business in compliance with IDEMIA’s Ethics Charter (https://www.idemia.com/wp-content/uploads/2021/03/idemia-ethics-charter-2022.pdf) as well as all relevant applicable laws and regulations, regarding, among others, anti-corruption, anti-bribery and anti-money laundering, whether effective in France or internationally and expects from Customer a reciprocal commitment. Violation of this reciprocal commitment will be a material breach, permitting immediate termination of the relevant Agreement.