SOFTWARE AS A SERVICE AGREEMENT FOR VMRAY SOFTWARE VERSION 13

THIS SOFTWARE AS A SERVICE AGREEMENT (“SAASA”) IS A LEGALLY BINDING
AGREEMENT BETWEEN CUSTOMER AND PROVIDER. IT COVERS THE TERMS AND
CONDITIONS FOR CUSTOMER’S POTENTIAL USE OF VMRAY SOFTWARE AS A SERVICE ON
SERVERS CONTROLLED BY PROVIDER.

PROVIDER AND CUSTOMER SHALL BE REFERRED TO COLLECTIVELY AS "PARTIES" OR
INDIVIDUALLY AS "PARTY". NOTWITHSTANDING ANYTHING ELSE STATED HEREIN, IF
CUSTOMER AND PROVIDER HAVE EXECUTED A DIFFERENT WRITTEN AGREEMENT
REGARDING THE PROVISION OF AFOREMENTIONED SERVICES ("SIGNED AGREEMENT"),
THEN THE TERMS OF THE SIGNED AGREEMENT SHALL GOVERN AND CONTROL AND THIS
SAASA SHALL HAVE NO EFFECT.

Definitions:
Access Credentials: Any API-key, access email, user name, identification number, password,
security token, PIN, or other security code, method, technology, or device used, alone or in
combination, to verify an individual’s identity and authorization to access and use the
Subscription Services.

Affiliate: Any person or entity which directly or indirectly owns, controls, is controlled by, or
is under common control with a Party, where control is defined as owning or directing more
than fifty percent (50%) of the voting equity securities or a similar ownership interest in the
controlled entity.

Analysis: Analyzing Samples in different ways to generate Verdicts or Analysis Reports. One
Analysis involves one or multiple Analysis Jobs, which depending on the configuration and
Service are either executed sequentially or in parallel.

Analysis Job: One single task to analyze a Sample with a specific method and configuration
in order to generate Verdicts or Analysis Reports. Available methods include Reputation
Lookup, Static Analysis, Dynamic Analysis, and others.

Analysis Report: Set of human and machine-readable files describing security relevant
findings for a Sample, e.g., threat indicators, related network traffic, or Verdict.

Confidential Information: Any information, maintained in confidence by the disclosing Party,
communicated in written or oral form, marked as proprietary, confidential or otherwise so
identified, and/or any information that by its form, nature, content or mode of transmission
would to a reasonable recipient be deemed confidential or proprietary, including, without
limitation, Service specification, documentation, pricing, and any benchmark data and results
produced.

Customer: The entity, including its Affiliates, entering into this SAASA with Provider.

Dynamic Analysis: Analyzing a Sample in a controlled execution environment by executing it
directly (in case of an executable) or opening it within an associated application (in case of a
data document) to log and analyze its behavior and identify potentially harmful activities.

Hash Value: Numeric value to represent and identify a (potentially large) block of data
without the need to share the actual data itself and generated by using one way hash
functions such as SHA256 making it impossible to reconstruct the original data.

Provider: Either VMRay, Inc., a Delaware United States of America (“U.S.”) corporation,
located in 22 Boston Wharf Road, 7th Floor Boston, MA 02210 (U.S.) or VMRay GmbH, a
German company, located in Universitätststraße 142, Bochum (Germany), as specified in the
invoice which relates to this SAASA. In the absence of such invoice, Provider shall be VMRay,
Inc., if Customer resides in the Americas (North, Central and South America), or VMRay
GmbH, if Customer resides outside of the Americas.

Reputation Data: Network indicators (URLs, domain names, IP addresses) and Hash Values
observed during Analysis that can be used with Reputation Lookups to increase the efficacy
and efficiency of an Analysis.

Reputation Lookup: Looking up Reputation Data in a database of known good and known
bad values.

Reseller: An authorized third party who distributes the Services to Customer under the terms
of an agreement between Customer and such Reseller (“Reseller Agreement”).

Sample: Data submitted by Customer for Analysis (e.g., Office file, executable, URL, Hash
Value, or email) and optional analysis instructions and configuration settings (e.g., command
line parameters or prescripts).

Service: The provision of VMRay software as well as all accompanied components
(executables, documentation, and all other files provided) as a service under this SAASA and
its parts, in particular Annexes, purchase orders and invoices.

Static Analysis: Analysis of a Sample by examining its structure and content to identify
potentially harmful elements.

Updates: Upgrades, updates, patches, and hotfixes of the Service that replace or supplement
the original Service.

Verdict: Grade of maliciousness of a Sample, usually represented as numeric values (e.g.
number between 0 and 100) and textual descriptions (e.g., “malicious” or “suspicious”). For
the sake of clarity: Verdict does not contain any data provided by Customer, and it is
technically impossible to reconstruct from it any Customer data.

IF CUSTOMER ACQUIRES THE SERVICE FROM A RESELLER THEN THE TERMS OF THE
RESELLER AGREEMENT SHALL GOVERN CUSTOMER’S USE OF THE SERVICE AND NOT THIS
SAASA. RESELLERS MAY ONLY GRANT RIGHTS, AND MUST PASS THROUGH CONDITIONS,
CONSISTENT WITH THIS SAASA.

ANY INVOICE RELATING TO THIS SAASA IS DEEMED TO BE PART OF THIS SAASA AND IS
HEREBY INCORPORATED INTO THIS SAASA BY REFERENCE.

PROVIDER DOES ONLY IN EXCEPTIONAL CASES OFFER THE SERVICE TO INDIVIDUALS (E.
G. RESEARCHER ACCOUNTS), AS IT IS AN ENTERPRISE SOLUTION.

IF YOU DO NOT AGREE TO BE BOUND BY THIS SAASA DO NOT USE THE SERVICE. ONCE
THE SERVICE HAS BEEN USED, ALL PROVISIONS OF THIS SAASA APPLY. ANY USE OF THE
SERVICE BY THE CUSTOMER SHALL CONSTITUTE UNQUALIFIED ACCEPTANCE OF THIS
SAASA.

1. Service, Restrictions and Support.
1.1 Subject to the terms hereof, the Service is provided on a temporary-use, non-exclusive,
non-assignable, and non-transferable basis.
1.2 Provider shall install Updates as they come available. If possible and reasonable, Provider
shall inform Customer of a predictable Service downtime caused by such an Update.
1.3 The Service may only be used during the agreed Term or Trial Period.
1.4 The Service may only be used for its intended purpose of improving security and
protecting computing infrastructure.
1.5 The Service may not be used: (i) in any way that is unlawful, illegal, fraudulent or harmful,
(ii) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity, (iii) for
benchmarking studies, or (iv) for the purpose of competing with Provider in any manner.
1.6 Customer may not modify, disassemble, reverse compile, or reverse engineer the Service.
1.7 This Service is granted to Customer for internal use only. Customer may not: (i) sell, lend,
assign, lease, or transfer in any other way this SAASA, the related Account or Access
Credentials, (ii) create any derivative works or other works that are based upon or derived
from the Service in whole or in part, or (iii) to attempt to do any of the foregoing, except, and
only to the limited extent, that any of the forgoing is expressly permitted by applicable law.
The aforementioned prohibited circumventions of the internal use restriction include, but are
not limited to: (i) providing a mechanism enabling third parties to submit Samples, (ii)
providing Analysis Reports and Verdicts created by the Service to third parties, or (iii)
providing services or products to third parties, where malware detection and analysis
capabilities are built in whole or in part on Service. Any behavior in violation of this provision
is not allowed and Provider may terminate the Service, in addition to any other remedies and
damages allowed by law and with no refund of any fees paid.
1.8 Customer acknowledges that the Service may not be available: (i) after the Term has
expired, (ii) if Customer fails to pay fees as required, or (iii) if Customer is in material breach
of this SAASA in any other manner and has failed to cure such violation after respective
request in accordance with Section 12.4 hereof.
1.9 Detailed specifications of the Service are defined in ANNEX A (“Service Specifications”)
and the support provisions are set forth in ANNEX B (“Support Provisions”), hereby
incorporated into this SAASA by reference.

2. Account.
2.1 As soon as practicable following the closing of this SAASA, Provider will enable the
Customer to set up an account for the use of the Service (“Account”).
2.2 The Service offers a user management, by means of which Customer can allow a certain
number of other authorized users to use the Account. Authorized users in this sense are only
those: (i) who clearly belong to the organizational unit of Customer as referenced in the
invoice, and (ii) who the Service can identify.
2.3 It is Customer’s sole responsibility to protect the Account and the Access Credentials
from: (i) any unauthorized access; or (ii) any unauthorized use. If - for any reason - Customer
becomes aware of: (i) any unauthorized access; or (ii) any unauthorized use; or (iii) any
incidents that may lead to an unauthorized use, it is Customer’s duty to immediately inform
Provider. For sake of clarity, the sharing of Access Credentials within the Customer’s
organization to exceed user limits shall be regarded as unauthorized access and use.

3. Data Processing; Data protection.
3.1 The Service stores all data (including an access logs) that is necessary for the purposes
of this SAASA. Except as provided otherwise herein such data may be used for the purposes
of this SAASA only.
3.2 Customer acknowledges and agrees that the use of the Service involves a necessary
data transfer between the Affiliates VMRay GmbH and VMRay, Inc., and that the transfer of
any personal data between these Affiliates takes place on the basis of a Data Processing
Agreement (“DPA”), in compliance with the provisions of the General Data Protection
Regulation (“GDPR”). The transfer of any personal data from VMRay GmbH to VMRay, Inc. is
additionally protected by an Agreement on the Standard Contractual Clauses (“EU Model
Clauses”). Provider agrees that it will upon request enter into a further DPA with Customer, to
document the adequate level of data protection for any personal data that may be
transferred.
3.3 The Service may collect and utilize statistical information generated by Customer’s use
of the Service (“Usage Statistics”), but only for purposes of research and development for
future VMRay products and for the improvement of the Service. For clarification, Usage
Statistics do not include Samples, Analysis Reports and/or personal data. Nothing in this
section shall permit Provider to provide Usage Statistics to any third party other than as
expressly permitted by this SAASA.
3.4 To enhance reaction time and accuracy, the Service is able to utilize Reputation Lookups
and integrate their results into Analysis Reports and Verdicts. If activated (and only then)
Reputation Data may be transferred to external service providers of VMRay GmbH (“VMRay
ESPs”) and/or of Customer (“Customer ESPs”).
3.4.1 VMRay ESPs may be located outside of Germany and/or the U.S. are bound by DPA
and/or EU Model Clauses to process any Reputation Data only in accordance with data 
protection standards not less restrictive than the terms and conditions of this SAASA. When
utilizing VMRay ESPs the Reputation Lookup is always originating from VMRay GmbH’s
server and thus the identity of the Customer is not disclosed.
3.4.2 When utilizing Customer ESPs, the Service may transfer Reputation Data directly to the
activated Customer ESPs under Customer’s own responsibility.
3.5 The Service is able to integrate certain program features performed by additional external
service providers of Customer. If actively enabled by Customer in the Service (and only then),
the Service may directly transfer data to such external service providers and Customer shall
be solely responsible for this data transfer.
3.6 All data transferred under Providers responsibility will be protected by Provider against
unauthorized access and disclosure using the same degree of care Provider uses to protect
its own information of like importance, but in no case less than a reasonable degree of care.
3.7 Provider may disclose any data stored or information received in the course of exercising
its rights and obligations under this SAASA only to the extent required by law or any
applicable regulatory or government authority, and then only after providing prior written
notice to Customer, provided there is reasonable time and possibility to send such notice.
3.8 Customer has no right to inspect Provider’s premises, Service or related data systems.

4. Confidentiality.
4.1 The Service includes significant non-public elements, including its structure, algorithms,
logic, flow, know-how, programming techniques, ideas, and design that are protected and
maintained as proprietary trade secrets, which may also be protected under copyright and
other intellectual property laws and treaties. Customer shall not use or disclose any such
trade-secret protected information to third parties during and after the term of this SAASA
and for so long thereafter as such trade secret-protected information remains protected as
trade secrets under applicable law.
4.2 The Parties agree that when receiving Confidential Information from the disclosing Party,
the receiving Party shall hold it in confidence and shall not disclose or use such information
except as necessary to carry out the purpose of this SAASA. The receiving Party shall treat
the disclosing Party’s Confidential Information confidentially and in the same manner as it
treats its own proprietary and/or Confidential Information, which shall not be less than a
reasonable standard of care. Confidential Information may be disclosed to receiving Party’s
employees, Affiliates, agents, financial advisors, contractors and attorneys on a need-to
know basis, and the receiving Party shall ensure that such persons are: (i) obligated to
maintain professional secrecy, or (ii) subject to signed confidentiality agreements that are at
least as restrictive as the terms of the SAASA.
4.3 The receiving Party may disclose Confidential Information in connection with a judicial or
administrative proceeding to the extent that such disclosure is required under applicable law
or court order, provided that the receiving Party shall, where reasonably possible, give the
disclosing Party prompt and timely written notice of any such proceeding and shall offer
reasonable cooperation in any effort of the disclosing Party to obtain a protective order.
4.4 Confidential Information shall exclude: (i) information which the receiving Party has been
authorized in writing by the disclosing Party to disclose without restriction; (ii) information
which was rightfully in the receiving Party’s possession or rightfully known to it prior to 
receipt of such information from the disclosing Party; (iii) information which was rightfully
disclosed to the receiving Party by a third party having proper possession of such
information, without restriction; (iv) information which is part of or enters the public domain
without any breach of the obligations of confidentiality by the receiving Party; and (v)
information which is independently developed by the receiving Party without use or reference
to the disclosing Party’s Confidential Information.
4.5 Nothing in the SAASA will: (i) preclude Provider from using the ideas, concepts and knowhow which are developed in the course of providing any services to Customer or (ii) be
deemed to limit Provider’s rights to provide similar services to other customers. Customer
agrees that Provider may use any feedback provided by Customer related to any Provider
service for any Provider business purpose, without requiring consent including reproduction
and preparation of derivative works based upon such feedback, as well as distribution of
such derivative works.
4.6 The receiving Party agrees, upon request of the disclosing Party, to return to the
disclosing Party all Confidential Information in its possession or certify the destruction
thereof.
4.7 In the event of a breach of the obligations in this section, the disclosing Party may not
have an adequate remedy at law. The Parties therefore agree that the disclosing Party may
be entitled to seek the remedies of temporary and permanent injunction, specific
performance or any other form of equitable relief deemed appropriate by a court of
competent jurisdiction.

5. Confidential Vulnerability Notification.
In the event Customer becomes aware of attack scenarios that could lead to an exploitable
vulnerability of the Service, Customer shall immediately notify Provider and shall keep such
information strictly confidential unless specific written authorization has been granted by
Provider to Customer: (i) allowing Customer to disclose this information to third Parties, and
(ii) enabling Provider to follow a responsible disclosure process towards Provider’s
customers. Customer acknowledges that irreparable damage may result to Provider, its
business, property and goodwill in the event of a breach or threatened breach by Customer of
this Section.
6. Service Level Commitments; Limited Warranties; Disclaimers
6.1 Provider warrants that the Service will be available to the Customer in accordance with
the Service Level Commitments in ANNEX C (“Service Level Agreement”) incorporated into
this SAASA by reference.
6.2 Provider warrants that the Service itself contains no malware.
6.3 Provider warrants: (i) that the Service will be provided substantially in accordance with
the specifications found in ANNEX A, and (ii) that Provider will perform its obligations under
this SAASA with reasonable care and expertise.
6.4 The Service examines the content, structure and behavior of unknown – and most
probably malicious – Samples. Despite Provider’s commercially reasonable care, Analysis
may cause: (i) incomplete or incorrect Analysis Reports as well as incorrect Verdicts (i.e., 
benign Samples incorrectly marked as malicious and/or malicious Samples incorrectly
marked as not malicious), and/or (ii) the exploitation of vulnerabilities unknown at the time.
Provider does not give a respective warranty, condition, undertaking, indemnity or other
comfort.
6.5 Customer’s sole and exclusive remedy for the breach of the limited warranty as set forth
in this Section 6 shall be, at Provider’s option, either a reasonable refund for the fees paid for
the use of the non-conforming Service during, and limited to, the period in question (less any
taxes, shipping fees, etc.), or the prompt repair or replacement of any non-conforming
Service.

7. General Warranty Disclaimers.
7.1 THE SERVICE UTILIZES DYNAMIC ANALYSIS TO OBSERVE THE BEHAVIOR OF SAMPLES
AND IDENTIFY SUSPICIOUS AND MALICIOUS ACTIVITY. TO ACHIEVE THE BEST POSSIBLE
RESULTS, NO EFFORTS ARE TAKEN TO SUPPRESS, BLOCK OR WEAKEN ANY ACTION,
INCLUDING WITHOUT LIMITATION, ANY POSSIBLY MALICIOUS OR DESTRUCTIVE EFFECTS.
7.2 EXCEPT AS EXPRESSLY PROVIDED IN SECTION 6, TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, THE SERVICE IS PROVIDED "AS IS". PROVIDER HEREBY
DISCLAIMS ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING WITHOUT
LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, PERFORMANCE, CORRECTNESS, COMPLETENESS OF RESULTS. THIS
DISCLAIMER SHALL APPLY EVEN IF THE LIMITATIONS SET FORTH HEREIN FAIL OF ITS
ESSENTIAL PURPOSE.
7.3 THE SERVICE IS NOT DESIGNED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRING
FAIL-SAFE PERFORMANCE, SUCH AS, WITHOUT LIMITATION, IN THE OPERATION OF
NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR
TRAFFIC CONTROL, DIRECT LIFE SUPPORT SYSTEMS, MEDICAL SYSTEMS, TRANSPORT
MANAGEMENT SYSTEMS, OR WEAPON OR COMBAT SYSTEMS, IN WHICH THE FAILURE OF
THE SERVICE COULD LEAD TO PERSONAL INJURY, DEATH, OR PROPERTY OR
ENVIRONMENTAL DAMAGE. PROVIDER DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY
OF FITNESS FOR SUCH USES.

8. Indemnification.
8.1 Provider will indemnify, defend and/or, at its option, settle any third party claims that
Customer’s use of the Service infringes any valid patent or copyright within the jurisdictions
where Customer is authorized to use the Service at the time of delivery, provided that: (i)
Customer gives Provider prompt written notice thereof and reasonable cooperation,
information and assistance in connection therewith; (ii) Provider shall have sole control and
authority with respect to defense or settlement of any claim; and (iii) Customer takes no
action that is contrary to Provider’s interest. Provider may, at its option and expense, as
Provider’s sole obligation: (a) procure for Customer the right to continue to use the Service;
(b) repair, modify or replace the Service so that it is no longer infringing; or (c) terminate the
SAASA, in which case Provider shall provide a pro-rated refund of the fees paid for the
Service (directly or through any participating Reseller) which gave rise to the indemnified
claim, such pro-rated refund to be calculated against the remainder of the Term from the
date it is established that Provider is notified of the third party claim. 
8.2. Provider shall have no liability arising out of this Section 8 or otherwise: (i) in the event
the claim is a result of a modification of the Service not made by Provider, if: (ii) the Service
is not being used in accordance with Provider’s specifications, related documentation and
guidelines, (iii) the alleged infringement is subject to any limitation of warranty or disclaimer
set forth in Section 6 and/or 7, (iv) the alleged infringement is a result of use of the Service in
combination with any third party product, or (v) the applicable fees have not been paid or
Customer is otherwise in breach of this SAASA. The indemnifications contained herein shall
not apply and Provider shall have no liability in relation to any Service produced by Provider
at the specific direction of Customer. TO THE MAXIMUM EXTENT PERMITTED BY
APPLICABLE LAW, THE FOREGOING PROVISIONS STATE THE ENTIRE LIABILITY AND
OBLIGATION OF PROVIDER REGARDING CLAIMS OF INFRINGEMENT, AND THE EXCLUSIVE
REMEDY AVAILABLE TO CUSTOMER REGARDING ANY ACTUAL OR ALLEGED
INFRINGEMENT OR MISAPPROPRIATION OF ANY INTELLECTUAL PROPERTY OR OTHER
PROPRIETARY RIGHTS.
8.3. Each Party shall indemnify the other against all damages, fees, (including reasonable
attorney’s fees) fines, judgments, costs and expenses finally awarded as a result of a third
party action alleging: (i) bodily injury or death to persons, or (ii) damage to tangible property,
which arises under the SAASA, provided that such liabilities are the proximate cause of gross
negligence or intentional misconduct on the part of the indemnifying Party.
8.4. Customer shall indemnify Provider against any claim that any data, materials, items or
information supplied to Provider by Customer under the SAASA infringes any patent,
copyright or trademark within the jurisdictions where Provider is provided with such
information.

9. Limitation of Liability.
9.1 EXCEPT FOR A BREACH OF SECTION 4 (CONFIDENTIALITY) AND OF THIRD PARTY
CLAIMS ARISING UNDER SECTION 8 (INDEMNIFICATION), TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, PROVIDER AND CUSTOMER, INCLUDING ANY OF THEIR
DIRECTORS, OFFICERS, EMPLOYEES, CONTROLLED OR CONTROLLING ENTITIES, OR SUBCONTRACTORS, SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE,
INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS
INTERRUPTION, LOST REVENUE, LOST PROFITS, REPLACEMENT GOODS, LOSS OF
TECHNOLOGY, RIGHTS OR SERVICES, LOSS OF DATA, INTERRUPTION, LOSS OF USE OF
SERVICE OR EQUIPMENT, ETC.) ARISING OUT OF OR IN ANY WAY CONNECTED WITH THIS
SAASA OR CUSTOMER'S USE, OR THE INABILITY OF CUSTOMER TO USE, THE SERVICE,
EVEN IF THE PARTY CAUSING SUCH DAMAGES HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES, WHETHER ARISING UNDER THEORY OF CONTRACT, TORT (INCLUDING
NEGLIGENCE), STRICT LIABILITY OR OTHERWISE. THESE LIMITATIONS WILL APPLY
NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
THE WARRANTY RESTRICTIONS AND DISCLAIMERS PROVIDED IN SECTIONS 6 AND 7
ABOVE ARE EXPRESSLY INCORPORATED INTO THIS LIMITATION OF DAMAGES.
9.2 IN ANY CASE, PROVIDER’S AND ANY OF ITS DIRECTORS’, OFFICERS’, EMPLOYEES’,
CONTROLLED OR CONTROLLING ENTITIES’, OR SUBCONTRACTORS’ ENTIRE AGGREGATED
CUMULATIVE LIABILITY OBLIGATION TO CUSTOMER FOR ALL LOSSES, DAMAGES, CLAIMS,
OR SUITS OF ANY KIND WHATSOEVER ARISING OUT OF, RESULTING FROM, OR RELATED 
TO THE PERFORMANCE OR BREACH OF THIS SAASA SHALL BE, TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW, LIMITED TO THE AMOUNT ACTUALLY PAID BY
THE CUSTOMER FOR THE SERVICE UNDER THE PURCHASE ORDER GIVING RISE TO THE
LIABILITY IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT
GIVING RISE TO SUCH LIABILITY. .
9.3 PROVIDER SHALL NOT BE LIABLE FOR ANY EXTERNAL SERVICE PROVIDERS OF
CUSTOMER OR THE RESULTS OF THEIR SERVICES AND CUSTOMER EXPRESSLY DECLARES
THAT NO CLAIMS WILL BE ASSERTED AGAINST PROVIDER IN THIS REGARD.
9.4 NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN AND TO THE
MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY SHALL BE BARRED FROM MAKING
ANY CLAIM AGAINST THE OTHER AFTER TWELVE (12) MONTHS FROM THE ACCRUAL OF
THE CLAIM.

10. U.S. Government End Users.
The Service is a "commercial item," as that term is defined in 48 C.F.R. 2.101, consisting of
"commercial computer software", “computer database”, and "commercial computer software
documentation", as such terms are used in 48 C.F.R. 12.212. Consistent with 48 C.F.R.
12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (or an equivalent provision, e.g., in
supplements of various U.S. Government Agencies, as applicable), all U.S. Government End
Users, whether this concerns GSA Multiple Award and Federal Supply Schedule acquisitions,
FAR acquisitions, DOD acquisitions or other acquisitions whatsoever, acquire the Service
only as “commercial items” and only with those rights as are granted to all other end users
pursuant to the terms and conditions set forth herein, as provided in FAR 12.212, and DFARS
227.7202-1(a), 227.7202-3(a), 227.7202-4, as applicable.

11. Limitation on Exports.
11.1 In some jurisdictions, using the Service, or materials provided related to or generated
with the Service, may be subject to export or import regulation. Customer represents and
warrants to comply with all such regulations and obtain all governmental approvals,
consents, licenses, authorizations, declarations, filings and registrations as may be
necessary or advisable for the use of the Service or related materials provided with, related
to, or generated with the Service.
11.2 Customer acknowledges that Customer is not: (i) ordinarily resident in, located in, or
organized under the laws of any country or region subject to economic or financial sanctions
or trade embargoes imposed, administered, or enforced by the European Union or the U.S.;
(ii) an individual or entity on any sanctions or restricted persons lists maintained by the
European Union or the U.S.; or (iii) otherwise the target or subject of any Sanctions and
Export Control Laws.

12. Term, Fees and Termination.
12.1 If not otherwise agreed upon and confirmed in the invoice, and depending on the Service
type chosen by Customer, the regular term (“Term”) of this SAASA shall be twelve (12)
months.
12.2 During the Term, Customer shall pay fees as stated in the invoice issued to Customer.
12.3 Unless agreed upon otherwise, the Term will start on the date specified in the invoice. If
Provider voluntarily enables a use of the Service to Customer before that date, the Term shall
start on the date the use is enabled.
12.4 Either Party may terminate this SAASA immediately by giving written notice to the other
Party for any material breach of this SAASA that is not cured within thirty (30) days after
written notice of such breach.
12.5 At the end of the Term, this SAASA will terminate automatically.
12.6 Upon termination, Provider will block Customer’s access to the Account. Customer will
no longer be able to: (i) use the Service and (ii) download any submitted or generated data.
Termination shall not relieve either Party of obligations incurred prior thereto.
12.7 Termination is not an exclusive remedy and the exercise by either Party will be without
prejudice to any other remedies it may have under this SAASA, by law, or otherwise.

13. Trial Period.
13.1 Provider offers a one-time testing of the Service (“Trial Period”) with the following
differences specified in Section 13.2 below.
13.2 If not otherwise agreed upon between the Parties: (i) the Trial Period shall last thirty (30)
days after the use of the Service is enabled, and (ii) both Parties may terminate the SAASA
immediately for convenience at any given time during the trial by giving written notice to the
non-terminating Party. Additional terms for the Trial Periods of the different VMRay products
are specified in the Service Specifications of ANNEX A.
13.3 At the expiration of the Trial Period, this SAASA will terminate automatically unless
Provider has received a purchase order from Customer.

14. Applicable Law; Place of Jurisdiction; Place of Performance.
14.1 All claims under any theory of liability in any way to this SAASA and all other claims or
aspects whatsoever arising out of or in connection with this SAASA shall be governed and
construed in accordance with the laws of the State of New York, U.S., exclusive of any
provisions of the United Nations Convention on the International Sale of Goods and without
regard to its principles of conflicts of law. The venue for such claims that are not subject to
arbitration shall be heard and determined in any federal court located in the Southern District
of the State of New York or any New York state court located in the Borough of Manhattan.
The Parties hereby irrevocably submit to the exclusive jurisdiction of such courts (and, in the
case of appeals, appropriate appellate courts therefrom) in any such action or proceeding
and irrevocably waive the defenses of lack of personal jurisdiction or any inconvenient forum
to the maintenance of any such action or proceeding.
14.2 Except for claims relating to intellectual property including without limitation trade
secrets, which shall be subject to judicial determinations in accordance with Section 14.1,
the Parties agree to submit any case or controversy arising out of or in connection with the
provisions of this SAASA to settlement proceedings under the ICC ADR Rules. If the dispute
has not been settled pursuant to said rules within forty-five (45) days following the filing of a
request for ADR or within such other period as the Parties may agree in writing, such dispute
shall thereafter be finally settled under the Rules of Arbitration of the International Chamber
of Commerce by one arbitrator appointed in accordance with said rules of arbitration. The
venue for the proceedings in this Section 14.2 shall be New York, New York. The language to
be used in the mediation and arbitration shall be English.
14.3 To the maximum extent permitted by applicable law, the place of performance is
Provider’s registered business address by the time of performance.

15. Modifications to this SAASA.
15.1 This SAASA may be amended: (i) by a written agreement duly executed by the Parties,
or (ii) digital consent in accordance with the following.
15.2 Provider may request an amendment of this SAASA at any time by sending an email to
Customer’s contact person provided in Customer’s Account. The request shall include: (i) a
written proposed amendment titled “Proposed Amendment to the Current Software as a
Service Agreement for VMRay Software Version”, and (ii) a written statement that provides
the Customer with an option to terminate this SAASA with a pro-rata refund of any prepaid
fees if the Customer does not agree to the proposed amendment.
15.3 Provider’s amendment request shall also provide the following instructions:
“Please review this proposed amendment.
• If you agree with the proposed amendment, please reply by email that you consent
and agree with its terms. Your email should also state the following: “I agree that my
electronic signature indicates Customer’s intention to be legally bound by this
consent and agreement.”
• If you do not agree with the proposed amendment, please reply by email that you: (i)
do not consent and agree with its terms, and (ii) you desire to terminate the SAASA
with a pro-rata refund of any prepaid fees, less any related taxes.
• Finally, you should conclude your email with your “electronic signature”, which may
be by any one of the following methods:
- Your typewritten name preceded and followed by a /, such as /your name/
- A scanned image of your actual handwritten signature; or
- Your signature created by a software-based signing tool.
• Send your email reply to the sender of Provider’s amendment request. Upon receipt,
Provider shall confirm: (i) your acceptance of the amendment, or (ii) your option to
terminate the SAASA with a pro-rata refund of prepaid fees (if any).”
• IF YOU FAIL TO REPLY ANY AMENDMENT REQUEST WITHIN A PERIOD OF THIRTY
(30) DAYS OF RECEIPT, YOU SHALL BE DEEMED TO HAVE AGREED TO THE
PROPOSED AMENDMENT.

16. Miscellaneous.
16.1 All payments that Customer makes shall be net of any applicable withholding tax and/or
other similar levies (collectively “Withholding Taxes”). Any and all Withholding Taxes
required by applicable law shall be paid by Customer. Customer shall render all reasonable
assistance to Provider in connection with such Withholding Taxes as is requested by
Provider (e.g. providing Provider with all required documentation; completing and signing
required forms or other documents; etc.). Customer shall indemnify, keep indemnified and
hold harmless, Provider against all losses incurred or suffered by Provider arising out of
Customer’s: (i) failure to duly and timely provide assistance in accordance with this clause;
(ii) failure to pay any tax to the applicable Tax Authorities or other authorities within the
relevant period in accordance with this clause; (iii) non-compliance or delay with any other
responsibilities in accordance with this Section 16.1.
16.2 Provider and any of its directors, officers, employees, controlled or controlling entities,
or sub-contractors shall not be liable for any default or delay in the performance of its
obligations hereunder if and to the extent such default or delay is caused, directly or
indirectly, by fire, flood, earthquake, pandemic, elements of nature or acts of God,
fundamental technological changes to the underlying hardware or software, or any other
similar cause beyond the reasonable control of Provider. Provider shall use its reasonable
efforts to minimize the duration and consequences of any delay or failure of performance
resulting from a Force Majeure event.
16.3 Except as expressly stated otherwise herein: (i) there are no other agreements,
understandings between the Parties, or obligations of Provider related to the Service, and (ii)
this SAASA, including without limitation each ANNEX, provides the entire agreement of the
Parties and supersedes any prior or present understanding or communications regarding its
subject matter.
16.4 Written notices shall be deemed to have been received when personally delivered, when
received by email transmission (with confirmation of receipt or follow up by another method
of communication as provided in this Section), or two calendar days after being sent by a
generally recognized overnight courier service. If a Party refuses to accept a notice or if a
notice cannot be delivered because of a change in address for which no notice was given,
then it is considered received when the notice is rejected or unable to be delivered.
16.5 If any provision of this SAASA is declared invalid or unenforceable, such provision shall
be deemed modified to the extent necessary and possible to render it valid and enforceable.
In any event, the unenforceability or invalidity of any provision shall not affect any other
provision of this SAASA, and this SAASA shall continue in full force and effect, and be
construed and enforced, as if such provision had not been included, or had been modified as
above provided, as the case may be.
16.6 Failure by either Party to insist on strict compliance with the terms and conditions of
this SAASA shall not be considered a waiver of such terms and conditions.
16.7 The titles and headings of the various sections and paragraphs in this SAASA are
intended solely for convenience of reference and are not intended for any other purpose
whatsoever, or to explain, modify or place any construction upon or on any of the provisions
of this SAASA.
16.8 CUSTOMER ACKNOWLEDGES THAT CUSTOMER HAS READ THIS SAASA AND
UNDERSTANDS IT, AND THAT BY USING THE SERVICE CUSTOMER AGREES TO BE BOUND
BY ITS TERMS AND CONDITIONS.
16.9 CUSTOMER ACKNOWLEDGES AND AGREES THAT CUSTOMER HAS SET ITS PRICES
AND ENTERED INTO THIS SAASA IN RELIANCE UPON THE DISCLAIMERS AND LIMITATIONS
AS SET FORTH HEREIN AND THAT THE SAME REFLECT AN ALLOCATION OF RISK
BETWEEN THE PARTIES, AND THAT THE SAME FORM AN ESSENTIAL BASIS OF THE
BARGAIN BETWEEN THE PARTIES.
---------------------------------------