Terms of Service

Last updated: May 2026

These Terms of Service, which we'll refer to simply as the "Terms", set out the rules by which you may use our Site, Platform and/or Services (which are defined below). The Terms explain how our Site, Platform and Services work and provide you with a list of the "dos and don'ts" when using them. These Terms are more than just rules though – they form a legally binding contract between us and you that you accept when you continue to use our Site, Platform and/or Services. Please read through this document carefully and make sure these Terms are acceptable to you. If you don't agree to any of these Terms, do not continue using the Site, Platform and/or Services. If you have any questions, please don't hesitate to contact us at support@native.security.

1. Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

“Customer Data” means any data, content, information, or materials that Customer or its users provide to Native for processing, storage, or use in connection with the Services.

“Documentation” means Native’s then-current user guides or manuals for the Services.

“Order Form” means a document executed by the Parties that references this Agreement and sets forth Services, fees, payment terms, subscription start/end dates, and other transaction-specific terms.

“Services” means Native’s cloud-based software, platform (the “Platform”), and related services identified in an Order Form, including any implementation assistance and support services as described herein.

“Subscription Term” means the Initial Subscription Term and any applicable Renewal Terms set forth in the Order Form.


2. Access to Services; Use Rights

2.1 Provision of Services. Subject to the terms of this Agreement and the applicable Order Form, Native will make the Platform and related Services available to Customer during the Subscription Term.

2.2 Customer Use Rights. Customer may access and use the Platform and Services solely for its internal business purposes, in accordance with the Documentation and this Agreement. No implied rights are granted. Native reserves all rights not expressly granted.

2.3 Restrictions. Customer may not do or attempt to do or allow a third party to do any of the following: (a) decipher, decompile, disassemble, or reverse-engineer any of the code or software used to provide the Platform and/or Services, including framing or mirroring the Platform and/or Services; (b) copy, modify, or distribute the Platform and/or Services; (c) circumvent or interfere with security-related features of the Platform and/or Services or features that restrict use of or access to any Content (as defined below); (d) use any robot, spider, site search or retrieval application, or any other process to retrieve, index, and/or data-mine the Content or otherwise circumvent the navigational structure of the Platform and/or Services; (e) use another user’s account without permission; (f) remove, alter, or conceal any copyright, trademark, service mark or other such notices incorporated in the Platform and/or Services; (g) use the Platform and/or Services in any manner not permitted by applicable law, including all applicable export laws and regulations to (re)export the Platform and/or Services and/or any related materials in violation of such laws or use in countries subject to sanctions under applicable law; or (h) use the Platform and/or Services for competitive benchmarking, competitive intelligence gathering, monitoring Native’s business, products, services, customers, or operations for a competitive purpose, or otherwise to develop, support, or market a competing product or service. Any use of the Platform and/or Services in violation of Section 2.3(h) is strictly prohibited and will entitle Native to immediately suspend Customer’s access to the Platform and/or Services, and Native may terminate this Agreement pursuant to Section 12.2, in each case in addition to any other remedies available under this Agreement or applicable law.

Additionally, Customer represents, warrants, and covenants that it is responsible for ensuring that its cloud environment and any content, data, or materials stored or processed therein do not: (a) infringe any third party’s intellectual property rights, privacy rights, or other proprietary rights; (b) contain any malware, viruses, worms, Trojan horses, or other malicious code; (c) contain any content that is unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, or otherwise objectionable; (d) violate any applicable laws or regulations, including without limitation export control laws, sanctions regulations, anti-corruption laws, or data protection laws; or (e) interfere with or disrupt the integrity, security, or performance of the Platform and/or Services or any third-party systems.

2.4 Compliance with Law. Customer may not use the Platform and/or Services if doing so is unlawful. Native will cooperate with any law enforcement authorities or court orders requesting that it disclose the identity, behavior, or content of anyone believed to have violated this Agreement or to have engaged in illegal behavior in connection with the Platform and/or Services.

3. Implementation; Connectivity; Customer Responsibilities

3.1 Connectivity Requirements. Native will provide Customer with written technical requirements and instructions necessary to connect the Platform to Customer’s cloud environment. Customer is responsible for establishing and maintaining its own network connections and for meeting Native’s connectivity requirements.

3.2 Assistance. Native may, at no additional charge, provide reasonable remote assistance to aid Customer’s connection of the Platform to Customer’s cloud environment, provided that such assistance does not include custom development or on-site services unless separately agreed in writing.

3.3 Customer Responsibilities. Customer is solely responsible for its configuration of the Platform, the manner in which it uses and relies on the Platform and/or Services, and the accuracy, quality, and legality of Customer Data. Customer will ensure that its users comply with this Agreement and the Documentation.

4. Support; Service Levels

4.1 Support. During the Subscription Term, Native will provide standard support during business days, with an initial response target of within twenty-four (24) hours after receipt of a support request submitted through the designated support channel. Native will use commercially reasonable efforts to address support requests but does not guarantee resolution timeframes, outcomes, or that all issues can be resolved.

4.2 Service Levels (General). Native will use commercially reasonable efforts to maintain availability of the Platform and/or Services, excluding planned maintenance, emergency maintenance, and downtime caused by Customer systems, internet service providers, or events beyond Native’s reasonable control.

5. Fees; Payment; Taxes

5.1 Fees. Customer will pay the fees set forth in each applicable Order Form.

5.2 Billing and Payment Terms. Unless otherwise stated in the Order Form, fees for the full Initial Subscription Term are billed in advance. Payment terms are “Net 30” from signing of the MSA, meaning payment is due within thirty (30) days following the end of the calendar month in which the Order Form is fully executed or the Effective Date occurs (as specified in the Order Form). All amounts are payable in the currency stated in the Order Form.

5.3 Taxes. Fees are exclusive of any applicable sales, use, VAT, GST, withholding, or other taxes or governmental charges. Customer is responsible for such taxes, excluding taxes based on Native’s net income. Customer will make payments free and clear of any withholding; if withholding is required by applicable law, Customer will either (i) gross-up payments so that Native receives the full amount stated in the Order Form, or (ii) provide Native with official tax receipts or certificates evidencing such withholding within thirty (30) days of payment.

5.4 Late Payments. Overdue amounts may accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law. Native may suspend Platform and/or Services for non-payment after reasonable notice if Customer fails to cure.

6. Intellectual Property and Privacy

6.1 Ownership. Native (and its licensors) retains all right, title, and interest in and to the Platform and/or Services, Documentation, and any enhancements, modifications, or derivatives thereof, including any deliverables or developments made for Customer unless otherwise expressly agreed in a statement of work.

6.2 Feedback. Customer may provide feedback to Native. Native may freely use and incorporate feedback without restriction and without any obligation to Customer and Customer hereby assigns and transfers and will assign and transfer all rights in and to the same to Native.

6.3 Customer Data. As between the Parties, Customer retains all right, title, and interest in Customer Data. Customer grants Native a non-exclusive, worldwide, royalty-free license to process Customer Data as necessary to provide the Platform and/or Services, improve security and performance, troubleshoot issues, and operate, maintain, and enhance the Platform and/or Services. Native may use aggregated or anonymized data for analytics and service improvement, provided it does not identify Customer or any natural person.

6.4 Data Protection; Privacy.

(a) Privacy Notice. Native’s collection, use, and protection of Personal Data (as defined in Native’s Privacy Notice) is governed by Native’s Privacy Notice, available at https://legal.native.security/privacy-statement, which is incorporated herein by reference. Native may update its Privacy Notice from time to time in accordance with applicable law.

(b) Customer Data Protection Obligations. If Customer provides Native with any Personal Data, including data regarding Customer’s employees, customers, end users, or data in Customer’s cloud environment, Customer represents, warrants, and covenants that: (i) Customer has provided all necessary notices and has, and will maintain, all necessary rights, consents, and legal bases required under applicable data protection laws to provide such Personal Data to Native for processing in accordance with this Agreement and Native’s Privacy Notice; (ii) Customer will maintain records of such legal bases as required under applicable data protection laws; (iii) Customer will not provide Native with any sensitive or special categories of data that are subject to heightened protections under applicable law, including without limitation data regarding children (as defined under applicable law), financial account information, payment card information, protected health information, biometric data, genetic data, or any other categories of sensitive personal data as defined under applicable privacy laws (collectively, “Sensitive Data”), unless Customer has obtained Native’s prior written consent and entered into appropriate data processing addenda; and (iv) Customer’s provision of Personal Data to Native complies with all applicable data protection and privacy laws, including without limitation the EU General Data Protection Regulation (GDPR), UK GDPR, and any other applicable privacy regulations. The Data Protection Agreement (“DPA”) attached hereto as Exhibit A and incorporated herein by reference shall apply to the processing of Personal Data.

6.5 Data Retention; Backup Obligations.

(a) Not a Data Retention Service. Customer acknowledges and agrees that Native is not a data retention, archival, or backup service. Native’s provision of the Platform and/or Services does not constitute a commitment to retain, archive, or backup Customer Data for any particular period of time beyond what is necessary to provide the Services.

(b) Customer’s Backup Responsibility. Customer is solely responsible for maintaining backup copies of all Customer Data and any other data or materials Customer provides to or stores within the Platform. Customer will implement and maintain appropriate backup procedures to prevent data loss.

7. Confidentiality

7.1 Definition. “Confidential Information” means information disclosed by a Party that is marked or otherwise identified as confidential or should reasonably be understood to be confidential given the nature of the information and circumstances of disclosure. For the avoidance of doubt, the pricing, roadmap, system information, security measures, and non-public business information regarding the Platform and/or Services will be deemed Native’s Confidential Information.

7.2 Obligations. The receiving Party will use Confidential Information solely to perform this Agreement, will protect it with at least the same degree of care it uses to protect its own similar information (but no less than reasonable care), and will limit access to personnel and contractors with a need to know and written obligations of confidentiality.

7.3 Exceptions. Confidential Information does not include information that (as can be evidenced by contemporaneous documentation): (a) is or becomes publicly available through no fault of the receiving Party; (b) was lawfully known to the receiving Party prior to disclosure; (c) is rightfully received from a third party without restriction; or (d) is independently developed without use of the disclosing Party’s Confidential Information.

7.4 Compelled Disclosure. The receiving Party may disclose Confidential Information if required by law, subpoena, or court order, provided it gives prompt notice (where legally permitted) and cooperates to seek protective treatment.

8. POC Terms

If the applicable Order Form designates the Services as a “trial,” “proof-of-concept,” “POC,” “pilot,” or similar designation, the following additional terms apply: (a) Native may, in its sole discretion, extend or shorten the trial period with reasonable notice to Customer; (b) Trial Services may be limited to certain features or functionality and may not include all features available in paid subscriptions; (c) Native may modify or discontinue trial offerings at any time; (d) Unless otherwise specified in the Order Form, trial Services may be provided at no charge or at a discounted rate; and (e) Trial Services are provided “AS IS” and are excluded from any warranties, service levels, or support obligations except as expressly stated in the Order Form.

9. Warranties; Disclaimers

9.1 Mutual Authority Warranty. Each Party represents that it has full power and authority to enter into this Agreement and that this Agreement has been duly authorized by all necessary corporate action.

9.2 Customer Warranty. Customer represents that it has the necessary rights and consents to provide Customer Data to Native for use in accordance with this Agreement.

9.3 Disclaimer. Except as expressly stated in this Agreement, the Platform and/or Services and Documentation are provided “as is.” To the maximum extent permitted by law, Native disclaims all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement.

10. Indemnification

10.1 By Native. Native will defend and indemnify Customer against any third-party claim alleging that the Platform and/or Services, as provided by Native and used by Customer in accordance with this Agreement, infringe such third party’s intellectual property rights, and will pay damages and costs finally awarded by a court of competent jurisdiction or agreed in settlement. Native’s obligations do not apply to claims arising from: (a) Customer’s modification, combination, or use of the Platform and/or Services not in accordance with the Documentation; (b) Customer Data or third-party content; or (c) Customer’s breach of this Agreement. If the Platform and/or Services are or may become subject to an infringement claim, Native may (at its option and expense) procure rights for Customer’s continued use, modify the Platform and/or Services to be non-infringing, or terminate affected Platform and/or Services with a refund of prepaid, unused fees for the terminated portion of the Subscription Term.

10.2 By Customer. Customer will defend and indemnify Native and its Affiliates against any third-party claim arising from or relating to Customer Data or Customer’s use of the Platform and/or Services in violation of law or this Agreement, and will pay damages and costs finally awarded or agreed in settlement.

10.3 Procedure. The indemnified Party must promptly notify the indemnifying Party of the claim, provide reasonable cooperation at the indemnifying Party’s expense, and allow the indemnifying Party sole control of the defense and settlement (provided settlement cannot impose obligations or liability on the indemnified Party without its consent, not to be unreasonably withheld).

11. Limitation of Liability

11.1 Exclusion of Certain Damages. To the maximum extent permitted by law, neither Party will be liable for indirect, consequential, special, exemplary, or punitive damages, or for lost profits, revenues, goodwill, or data, arising out of or related to this Agreement, even if advised of the possibility of such damages.

11.2 Liability Cap; Carve-Outs. Except as set forth below, each Party’s aggregate liability arising out of or related to this Agreement will not exceed the total fees paid or payable by Customer under the applicable Order Form in the twelve (12) month period preceding the event giving rise to the claim. The foregoing cap will not apply to a Party’s willful misconduct or gross negligence.

12. Term; Termination; Renewal

12.1 Term Options. The Parties will select in the Order Form one of the following: (a) Shortened Term (for POCs); (b) One-Year Term (No Renewal); or (c) One-Year Term with Renewal, in which case the Agreement remains in effect for an Initial Subscription Term of twelve (12) months and will automatically renew for additional twelve (12) month Renewal Terms unless either Party gives written notice of non-renewal at least thirty (30) days before the end of the then-current Subscription Term. Renewal fees and pricing for each Renewal Term will be stated up front in the Order Form.

12.2 Termination for Cause. Either Party may terminate this Agreement upon written notice if the other Party materially breaches this Agreement (including without limitation under Section 2.3(h)) and fails to cure within thirty (30) days after receipt of written notice.

12.3 Effect of Termination. Upon termination or expiration, Customer will cease all use of the Platform and/or Services. Sections that by their nature should survive will survive, including Sections 5–11, 12.3, and 17–18.

13. Publicity

Unless otherwise provided in an Order Form, Native may identify Customer as a Native customer and use Customer’s name and logo in marketing materials consistent with Customer’s trademark guidelines, subject to reasonable approval not to be unreasonably withheld. If Customer requires confidentiality, an Order Form may delete or limit publicity rights.

14. Suspension

Native may suspend Customer’s access to the Platform and/or Services for: (a) a security or integrity threat to the Platform and/or Services; (b) unlawful activity; (c) non-payment beyond any applicable grace period; or (d) Customer’s use of the Platform and/or Services for competitive benchmarking, competitive intelligence gathering, monitoring Native’s business, products, services, customers, or operations for a competitive purpose, or otherwise to develop, support, or market a competing product or service, in each case after providing notice where practicable and limiting the suspension to the necessary scope.

15. Force Majeure

Neither Party will be liable for any failure or delay in performing its obligations under this Agreement (other than payment obligations) to the extent such failure or delay is caused by events beyond its reasonable control, including natural disasters, acts of God, war, terrorism, riots, pandemics, government actions, or failures of third-party telecommunications or internet services. The affected Party will promptly notify the other Party and use reasonable efforts to resume performance. Payment obligations may be delayed due to a Force Majeure event but will not be excused. If a Force Majeure event continues for more than thirty (30) consecutive days, either Party may terminate the affected Order Form upon written notice.

16. Assignment; Subcontracting

Neither Party may assign this Agreement without the other Party’s prior written consent, not to be unreasonably withheld; provided that either Party may assign this Agreement without consent to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets or the relevant business line. Native may use subcontractors to provide portions of the Platform and/or Services and remains responsible for their performance.

17. Governing Law; Dispute Resolution

This Agreement is governed by the laws of the State of New York, without regard to conflict of laws principles. The Parties consent to the exclusive jurisdiction and venue of the courts located in New York, New York. Either Party may seek injunctive relief in any court of competent jurisdiction to protect its intellectual property or Confidential Information.

18. Miscellaneous

Entire Agreement; Order of Precedence. This Agreement, together with all Order Forms and the Data Protection Agreement attached hereto as Exhibit A (the “DPA”), constitutes the entire agreement between the Parties regarding the subject matter. In the event of a conflict, this Agreement controls, then the Order Form (unless the Order Form contemplates a conflict and references a specific term), then the Documentation. The DPA governs with respect to data privacy and security matters. Amendments must be in writing and signed. No waiver is effective unless in writing. If any provision is held invalid, the remaining provisions remain in full force. The Parties are independent contractors. Notices must be in writing and sent to the addresses in the Order Form.

19. Exhibits

The following exhibit is attached hereto and incorporated herein by reference: Exhibit A – Data Processing Agreement.

 

EXHIBIT A

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Master Services Agreement to which it is attached as Exhibit A (the “Agreement”), entered into by and between Customer (“Controller”) and Native Security Inc. (“Processor”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

Whereas, in connection with the performance of its obligations under the Agreement, Processor may Process certain limited Controller Personal Data (both as defined below) on behalf of the Controller, whether by itself or its Affiliate, as defined below; and

Whereas, the parties wish to set forth the mutual obligations with respect to the Processing of Controller Personal Data by the Processor, specifically with respect to Configuration Data and limited employee information;

Now therefore, intending to be legally bound, the parties hereby agree as follows:

1. Definitions

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:

1.1 “Affiliate” means Native Security Ltd., or any other entity that directly or indirectly controls, is controlled by, or is under common control with Native Security Inc. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest in the subject entity.

1.2 “Controller Personal Data” means Configuration Data (as defined below) and employee names and email addresses Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement.

1.3 “Data Protection Laws” means all applicable US federal or state data privacy laws, including but not limited to the California Consumer Privacy Act of 2018, as amended by the California Consumer Privacy Rights Act of 2020 (collectively, “CCPA”), the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Oregon Consumer Privacy Act (OCPA), Texas Data Privacy and Security Act (TDPSA), Montana Consumer Data Privacy Act (MCDPA), Delaware Privacy Act (DPDPA), and any other data protection or privacy laws of any US state or federal jurisdiction where the Services are delivered or as agreed in writing between the Parties.

1.4 “Sub Processor” means any person (excluding an employee of Processor or any Processor Affiliate) appointed by or on behalf of Processor or any Processor Affiliate to Process Controller Personal Data on behalf of the Controller in connection with the Agreement.

1.5 “Data Subject” shall mean the person whose Personal Data is Processed, including employees or users of the Controller.

1.6 “Personal Data” shall have the applicable meaning under Data Protection Laws and shall include “Personal Information” as defined under the CCPA, in each case, as applicable.

1.7 The terms “Processing”, “Controller”, “Personal Data Breach”, and “Processor” shall have the meanings ascribed to them in Data Protection Laws.

1.8 The terms “Business”, “Sell”, “Share”, and “Service Provider” shall have the meanings ascribed to them in the CCPA.

1.9 “Configuration Data” means cloud configuration metadata and policy information collected by Processor and its Affiliates from Controller’s cloud environments, and does not include any content or data stored within Controller’s databases or cloud storage, except for such configuration metadata and policy information. For the avoidance of doubt, Processor and its Affiliates do not collect, access, or process any Controller content or data stored within Controller’s databases or cloud storage, except for Configuration Data as defined above. Processor and its Affiliates may also collect employee names and email addresses solely for the purpose of providing user authentication, user notifications, and access to the Services.

2. Roles of the Parties

The Controller is the Controller of the Controller Personal Data. However, when Controller Personal Data is subject to the CCPA, Controller serves as a Business with respect to such Personal Data and Processor serves as a Service Provider on its behalf.

3. Processing of Controller Personal Data

3.1 Instructions. Processor shall Process Controller Personal Data on Controller’s behalf and at Controller’s instructions as specified in the Agreement and in this DPA. Any other Processing shall be permitted only in the event that such Processing is required by any Data Protection Laws to which the Processor is subject. In such event, Processor shall, unless prohibited by such Data Protection Laws on important grounds of public interest, inform Controller of that requirement before engaging in such Processing.

3.2 Authorized Processing. Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) (i) to Process Controller Personal Data for the provision of the services, as detailed in the Agreement (“Services”) and as otherwise set forth in the Agreement and in this DPA, and/or as otherwise directed by Controller; and (ii) to transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Data Protection Laws.

3.3 Details of Processing. Controller sets forth the details of the Processing of Controller Personal Data in Schedule 1 (Details of Processing of Controller Personal Data), attached hereto. Notwithstanding any provision to the contrary, Processor may Process and use aggregated or anonymized data for its own purposes, such as analytics and service improvement (“Aggregate Data”).

3.4 No Sale or Share. Processor undertakes that it shall not Sell or Share Personal Data when Processing Personal Data as a Service Provider and shall not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services to Controller and as otherwise permitted under the Agreement and Data Protection Laws.

4. Controller

Controller represents and warrants that it has and shall maintain throughout the term of the Agreement and this DPA, all necessary rights to provide the Controller Personal Data to Processor for the Processing to be performed in relation to the Services and in accordance with the Agreement and this DPA. To the extent required by Data Protection Laws, Controller is responsible for obtaining any necessary Data Subject consents to the Processing, and for ensuring that a record of such consents is maintained throughout the term of the Agreement and this DPA and/or as otherwise required under Data Protection Laws.

5. Processor Employees

Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need-to-know and/or access basis and that all Processor employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Controller Personal Data.

6. Security

6.1 Technical and Organizational Measures. Processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data as set forth in the Binding Security Document attached hereto as Schedule 2. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by the nature of the Processing and the information available to the Processor.

7. Personal Data Breach

7.1 Notification. Processor shall notify Controller without undue delay and, where feasible, immediately upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data. In such event, Processor shall provide Controller with reasonable and available information to assist Controller in meeting any obligations to inform Data Subjects or relevant state authorities of the Personal Data Breach as required under Data Protection Laws.

7.2 Cooperation. At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or required under Data Protection Laws to assist in the investigation, mitigation and remediation of any Personal Data Breach.

8. Sub Processing

8.1 Authorization. Controller authorizes Processor to appoint (and permits each Sub Processor appointed in accordance with this Section 8 to appoint) Sub Processors in accordance with this Section 8.

8.2 Existing Sub Processors. Processor may continue to use those Sub Processors already engaged by Processor as identified to Controller as of the date of this DPA.

8.3 New Sub Processors. Processor may appoint new Sub Processors and shall give notice of any such appointment to Controller. If, within seven (7) days of such notice, Controller notifies Processor in writing of any reasonable objections to the proposed appointment, Processor shall not appoint the proposed Sub Processor for the Processing of Controller Personal Data until reasonable steps have been taken to address the objections raised by Controller and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections, each of Controller or Processor may, by written notice to the other party and with immediate effect, terminate the Agreement to the extent that it relates to the Services requiring the use of the proposed Sub Processor. In such event, the terminating party shall not bear any liability for such termination.

8.4 Sub Processor Obligations. With respect to each new Sub Processor, Processor shall:

(a) Prior to the Processing of Controller Personal Data by Sub Processor, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that Sub Processor is committed and able to provide the level of protection for Controller Personal Data required by this DPA; and

(b) Ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms that offer a materially similar level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Data Protection Laws.

8.5 Liability for Sub Processors. Processor shall remain fully liable to the Controller for the performance of any Sub Processor’s obligations.

9. Data Subject Rights

9.1 Controller Responsibility. Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Processor shall, at Controller’s sole expense, use commercially reasonable efforts to assist Controller in fulfilling Controller’s obligations with respect to such Data Subject requests, as required under Data Protection Laws.

9.2 Processor Notifications. Upon receipt of a request from a Data Subject under any Data Protection Laws in respect to Controller Personal Data, Processor shall promptly notify Controller of such request and shall not respond to such request except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Data Protection Laws, inform Controller of such legal requirement prior to responding to the request.

10. Deletion or Return of Controller Personal Data

Processor shall promptly and in any event within sixty (60) days of the date of cessation of provision of the Services to Controller involving the Processing of Controller Personal Data, delete, return, or anonymize all copies of such Controller Personal Data, provided however that Processor may retain Aggregate Data for its own purposes, as well as any Controller Personal Data, as permitted by Data Protection Laws.

11. Audit Rights

11.1 Reports and Certifications. Subject to Sections 11.2 and 11.3, Processor shall make available to Controller, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA, including providing a copy of its most recent SOC 2 Type II report and other applicable audit certifications (including ISO certifications and such other certifications as may be obtained from time to time), to demonstrate compliance with this DPA and applicable Data Protection Laws. Such reports and certifications detail Processor’s security measures and controls and are updated periodically. All such reports and certifications will be subject to reasonable confidentiality obligations.

11.2 Satisfaction of Audit Rights. The provision of such reports and certifications shall be deemed to satisfy Controller’s audit and inspection rights under this DPA and applicable Data Protection Laws.

11.3 Notification of Infringing Instruction. Processor shall immediately inform Controller if, in its opinion, an instruction received under this DPA infringes applicable Data Protection Laws.

12. Limitation of Liability

Controller shall indemnify and hold Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Processor and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Data Protection Laws by Controller. Each party’s liability toward the other party shall be subject to the limitations on liability under the Agreement.

13. General Terms

13.1 Governing Law and Jurisdiction

(a) The parties hereby expressly agree that the competent courts detailed in the Agreement shall be the exclusive jurisdiction regarding any disputes hereunder and this DPA shall be governed by the laws stipulated in the Agreement.

(b) Notwithstanding the foregoing in this Section 13.1, the parties to this DPA hereby agree that the competent courts in California shall have exclusive jurisdiction regarding all disputes hereunder relating solely to the CCPA.

13.2 Order of Precedence

Nothing in this DPA reduces Processor’s obligations under the Agreement in relation to the protection of Controller Personal Data or permits Processor to Process (or permit the Processing of) Controller Personal Data in a manner that is prohibited by the Agreement.

This DPA is not intended to, and does not in any way limit or derogate from Controller’s obligations and liabilities towards the Processor under the Agreement and/or pursuant to Data Protection Laws or any law applicable to Controller in connection with the collection, handling and use of Controller Personal Data by Controller or its Affiliates or other processors or their sub processors, including with respect to the transfer or provision of Controller Personal Data to Processor and/or providing Processor with access thereto.

Subject to this Section 13.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement, the provisions of this DPA shall prevail.

13.3 Changes in Data Protection Laws

(a) Controller may, by at least forty-five (45) calendar days’ prior written notice to Processor, request in writing any variations to this DPA if they are required as a result of any change in or decision of a competent authority under any Data Protection Laws in order to allow Controller Personal Data to be Processed (or continue to be Processed) without breach of those Data Protection Laws.

(b) If Controller gives notice with respect to its request to modify this DPA under Section 13.3(a), (i) Processor shall make commercially reasonable efforts to accommodate such modification request and (ii) Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.

13.4 Severance

Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the later date set out below.

Schedule 1: Details of Processing of Controller Personal Data

This Schedule 1 includes certain details of the Processing of Controller Personal Data as required by the Data Protection Laws.

Subject matter and duration of the Processing of Controller Personal Data.

The subject matter and duration of the Processing of the Controller Personal Data are set out in the Agreement, in Processor’s Privacy Notice (“Privacy Notice”), and this DPA.

The nature and purpose of the Processing of Controller Personal Data:

Rendering Services in the nature of cloud configuration management, monitoring, and policy enforcement, as detailed in the Agreement and the Privacy Notice.

The types of Controller Personal Data to be Processed are as follows:

Configuration Data (cloud configuration metadata and policy information) and employee names and email addresses for user authentication, notifications, and access to the Services. No other Controller content or data stored within Controller’s databases or cloud storage is collected, accessed, or processed by Processor or its Affiliates.

The categories of Data Subjects to whom the Controller Personal Data relates are as follows:

Data Subjects who are employees or authorized users of the Controller’s cloud environments.

The obligations and rights of Controller.

The obligations and rights of Controller and Controller Affiliates are set out in the Agreement and this DPA.


Schedule 2: Binding Security Document

Processor maintains technical and organizational measures to protect Personal Data in connection with the Services, consistent with applicable Data Protection Laws and recognized industry standards.

Security Certifications and Assurance

Processor undergoes independent third-party audits and assessments to validate its security controls, including:

• SOC 2 Type II (conducted annually)

• ISO 27001 (or other applicable ISO certifications)

• Such other security certifications and assessments as Processor may obtain from time to time

Documentation Available to Controller

Upon written request and subject to reasonable confidentiality obligations, Processor will provide Controller with:

• Current SOC 2 Type II report

• Applicable ISO certification documentation

• Security summaries and attestations

• Lists of Subprocessors with access to Controller Personal Data

These audit reports and certifications contain detailed descriptions of Processor’s security measures, controls, and practices across all relevant domains, including but not limited to: access controls, encryption, network security, vulnerability management, incident response, business continuity, physical security, and personnel security.

Updates and Continuous Improvement

Processor may update its security measures from time to time to reflect technological developments, evolving threats, and industry best practices, provided such updates do not materially diminish the overall security of the Services. Updated audit reports and certifications will be made available to Controller upon request in accordance with this Schedule.

Shared Responsibilities

Security is a shared responsibility. Controller remains responsible for securing its accounts and configurations, managing user access and permissions, protecting its endpoints and networks, and safeguarding data within the Services.

The Future of Cloud Security is Native

© 2026 Native Security Ltd. All rights reserved.
