License Agreement

Last updated: June 2024

This License Agreement (this "Agreement"), effective as of the date of signature (as mentioned in the Order Form) of both parties (the “Effective Date”), is made by and between you (the "Customer"), and Formidium Corp., a Delaware Corporation ("Formidium" or the “Company”) (each sometimes referred to as a “Party” and together, the “Parties”).

WHEREAS, Formidium is a professional services and financial technology provider who owns all rights and interest in the Software (as defined in Exhibit A);

WHEREAS, Formidium makes the Software available through Formidium’s online cloud-based portal;

WHEREAS, the Customer is desirous of utilizing the Software and Formidium is willing to license the Software to the Customer; and

WHEREAS, the specific Software you order will be set forth in the ordering documents (including any online form) issued by Formidium specifying the Product to be provided under these terms (“Order Forms”). To be eligible to use any Product, you must review and accept the terms set forth in this Agreement by executing the applicable Order Form provided by us and/or checking on the “I Agree” button or other mechanism provided. Your authorization to access and use any Formidium Product is conditioned on your acceptance of and compliance with the terms of this Agreement.

NOW, THEREFORE, in consideration of the premises and mutual covenants herein contained, it is agreed between the Parties hereto as follows:

1. Agreement

This Agreement shall govern the use of the Software by the Customer and services subscribed for the Customer, including systems, equipment, infrastructure, networks, hosting and other outsourced functions that the Company or any subcontractor (whether owned by the Company, a subcontractor, or a third party) uses (the "Services"). The Software and the Services are together referenced as the “Products”.

2. License To Use The Products

2.1 Formidium hereby grants to the Customer a non-exclusive, non-assignable, non-transferable and revocable worldwide right (“License”) to access and use the Products subject to the terms of this Agreement, including Exhibit A attached hereto and any other documents which may be provided along with the Order Form, the terms of which are incorporated herein by reference.

2.2 The Customer, and each user given access by the Customer, is licensed to access the Products.

2.3 The Company may update the Products from time to time. If the Company changes the Products in a manner that materially reduces their functionality, the Company will inform the Customer via the email address associated with the Customer’s account as provided by the Customer. Such a material reduction in functionality shall constitute a material breach and the Customer shall have the right to terminate this Agreement as per the terms of Section 6.1.

2.4 The Company may provide the Customer with support related to the Products (“Support Services”). Any supplemental software code provided to the Customer as part of the Support Services shall be considered a part of the Software and subject to the terms and conditions of this Agreement. With respect to technical information the Customer provides to the Company as part of the registration of the Customer's License to the Software or in connection with the Support Services, the Company shall only use such information, which shall constitute Customer Data (as defined in Section 4.2 of this Agreement), for legitimate business purposes, including for product support and development.

3. Customer Obligations

3.1. The Customer is responsible for use of the Products by its users. The Customer will obtain from users any consent necessary to engage in the activities described in this Agreement and to allow the Company to provide the Products. The Customer will comply with laws and regulations applicable to the Customer's use of the Products, including but not limited to those laws related to data privacy, international communications, and the transmission of technical or personal data.

3.2. The Customer may specify users as “Administrators.” Administrators may have the ability to access, disclose, restrict, or remove Customer Data in or from the Products. Administrators may also have the ability to monitor, restrict, or terminate access to the Products. The Company’s responsibilities do not extend to the internal management or administration of the Products.

The Customer is responsible for:

3.2.1. maintaining the confidentiality of passwords and Administrator accounts;

3.2.2. managing access to user and Administrator accounts; and

3.2.3. ensuring that users and Administrators' use of the Products complies with this Agreement.

3.3. The Customer will prevent unauthorized use of the Products by its users and terminate any unauthorized use of or access to the Products, or their use for illegal or unlawful purposes, or infringe any legal rights, in any jurisdiction. The Customer’s use will not promote any viruses or other harmful software. The Customer will promptly notify the Company of any unauthorized use of or access to the Products.

3.4. The Customer may not rent, lease, copy or lend the Software. The Customer may not reverse engineer, decompile, or disassemble the Software or otherwise attempt to derive the source code of the Software. The Customer may not remove, modify or obscure any copyright, trademark or other proprietary notices contained in the Software. The Customer will not use the Software in any way that violates the terms of this Agreement or for any purpose or in any manner that is unlawful or prohibited by this Agreement.

3.5. Subject to any restrictions on termination during the Initial Term provided in the Order Form of the respective Software and without prejudice to any other rights, each Party may terminate this Agreement as provided in Section 6.1 if the other party commits a material breach with respect to the terms and conditions of this Agreement and such failure remains uncured for a period of 30 days (or longer by mutual written agreement of the Parties) from the Notice Date (as defined in Section 6.1). In such event, the Customer and the Company shall comply with the provisions of Section 6 regarding the effects of such termination.

3.6 The Customer shall: (a) notify Formidium, in writing, immediately of any unauthorized use of any password or user id or any other known or suspected breach of security, (b) report, in writing, to Formidium immediately and use reasonable efforts to stop any unauthorized use of the Software that is known or suspected by the Customer, and (c) not provide false identity information to gain access to or use the Software.

4. Intellectual Property Rights & Copyright

4.1. No title or rights of ownership, copyright, or any other intellectual property in the Products, including all upgrades, modifications, new versions, and releases of the Products, is or will be transferred to the Customer. All title and copyrights in and to the Software (including, without limitation, any images, photographs, animations, video, audio, music, text, and applets incorporated into the Software), the accompanying media and printed materials, and any copies of the Software are owned by the Company. The Software is protected by copyright laws and international treaty provisions. Therefore, the Customer must treat the Software like any other copyrighted material, and not allow any act which is likely to prejudice the Intellectual Property, subject to the provisions of this Agreement.

4.2. “Customer Data” means all Customer related information processed or stored through or by way of the Products or on the Customer’s behalf. Customer Data includes, without limitation, information and data provided by the Customer’s employees, directors, officers, agents and other users and by other third parties, other information/data generated through use of the Products by or on Customer’s behalf and any information/data based on Customer’s data, and copies of all such information rendered onto paper or other non-electronic media. The Company recognizes and agrees that the Customer possesses and retains all rights, title, and interest in and to Customer Data, and the Company’s use and possession thereof is solely on the Customer’s behalf. The Customer hereby grants the Company a limited license to reproduce and otherwise manage Customer Data during the duration of the Agreement solely as specifically authorized herein.

5. Fees & Payment

5.1. The Customer will pay all applicable fees, as set out in the Order Form. License fees, as set out in the Order Form, are payable in advance and are non-refundable except as required by law. The Customer is responsible for providing complete and accurate billing and contact information to the Company. The Company may suspend or terminate the Services if fees are due past 30 days after the Customer’s receipt of the invoice or due past notice from the Company, whichever is earlier.

5.2. The Customer is responsible for all taxes. The Company will charge tax when required to do so. If the Customer is required by law to withhold or deduct any taxes, the Customer must provide the Company with an official tax receipt or other appropriate documentation and will always make an additional payment to the Company in order to ensure that the Company always receives the amount it would have received had such amount not been withheld or deducted.

5.3. If the Customer requires the use of a purchase order or purchase order number, the Customer:

5.3.1. must provide the purchase order number at the time of purchase; and

5.3.2. agrees that any terms and conditions on the Customer purchase order will not apply to this Agreement and are null and void.

5.4. All undisputed invoices are payable 30 days after receipt. Undisputed payments which are not received when due will be considered late and will remain payable by the Customer together with interest from the due date at the lesser of the statutory rate applicable or 1% per month. This interest will accrue on a daily basis. Customer will pay the undisputed part of any disputed invoice within the timeframe mentioned in aforementioned sentence.

6. Term & Termination

6.1. Subject to any restrictions on termination during the Initial Term provided in the respective Order Form, this Agreement may be terminated within 30 days by the Parties for convenience by providing a notice in writing , with effect from 30 days from the receipt of such notice (“Notice Date”), if the Customer fails to pay any sums due under this Agreement by the due date and/or becomes unable to pay its debts as they fall due or any material breach by the Parties (including any Security Breach due to the acts or omissions of the Company) and such failure to pay or the material breach remains uncured for 30 days (or longer by mutual agreement of the Parties each behaving reasonably) from the Notice Date.

6.2. On termination of this Agreement the Customer will be obliged to certify in writing to the Company within 30 days of termination that it has stopped using the Product.

7. Internal Use

7.1. This Agreement grants the Customer a license for its business purposes only (including those of its Affiliates), the Customer shall be entitled to use the relevant Services granted under the license only in relation to its business (including those of its Affiliates) and such license shall not permit the Customer:

a) to use all or any part of such Services to provide any service or product to any third party; or

b) to give or allow access to, or to otherwise disseminate, all or any part of such Services in any manner whatsoever to any third party.

c) “Affiliates” shall include (however will not be limited to) subsidiaries, sister organizations or companies, parent companies, partners & special purpose vehicles and the use of the term Customer in this Agreement or Exhibit A includes Affiliates, where applicable and relevant. For the avoidance of doubt, the Customer may designate any number of users to use the Product amongst the directors, officers and employees of the Customer or its Affiliates.

7.2 In the event that the Customer is involved in any merger or acquisition with another company or organization then the Company reserves the right to update, and potentially increase (“Fee Hike”), the applicable fees to accommodate any increases in usage and processed volumes, provided that if the Customer disagrees with the Fee Hike, the Customer shall have the right to terminate this Agreement with effect from the date of such Fee Hike.

8. Warranties

8.1. EXCEPT FOR THE LIMITED SERVICE LEVEL COMMITMENTS SET FORTH IN SECTION 8.2, THE CUSTOMER AGREES AND ACKNOWLEDGES THAT, FORMIDIUM DISCLAIMS ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SOFTWARE, THE SERVICES PROVIDED OR THE AVAILABILITY, FUNCTIONALITY, PERFORMANCE OR RESULTS OF USE OF THE SOFTWARE. WITHOUT LIMITING THE FOREGOING, EXCEPT AS SPECIFICALLY SET FORTH IN THIS SECTION, FORMIDIUM DISCLAIMS ANY WARRANTY THAT THE SOFTWARE, THE SERVICES PROVIDED BY FORMIDUM, OR THE OPERATION OF THE SOFTWARE ARE OR WILL BE ACCURATE, ERROR-FREE, VIRUS-FREE OR UNINTERRUPTED. FORMIDUM MAKES NO, AND HEREBY DISCLAIMS, ANY IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE OR ARISING BY USAGE OF TRADE, COURSE OF DEALING OR COURSE OF PERFORMANCE.

8.2 Formidium does not guarantee network availability between the Customer and the Formidium hosting servers. Formidium will not be liable for any downtime caused in whole or part by a third-party data center provider nor for any downtime that the Customer experiences as a result of the Customer’s network connectivity issues. If the Customer experiences an outage and is unable to access the Software, the Customer must immediately contact Formidium’s help desk, providing any/all necessary information that may assist Formidium in determining the cause of the outage. Formidium will determine in good faith whether the outage was within Formidium’s reasonable control. THIS SHALL BE CUSTOMER’ SOLE REMEDY, AND FORMIDIUM’S SOLE AND ENTIRE LIABILITY, FOR FORMIDIUM’S FAILURE TO PROVIDE AVAILABILITY TO THE SOFTWARE.

8.3 The Customer confirms that it has not, in entering into this Agreement, relied on any condition, warranty, or representation by Formidium to any other entity regarding the Software.

9. Limitation of Liability

9.1. FORMIDIUM'S TOTAL AGGREGATE LIABILITY TO CUSTOMER FOR ANY REASON INCLUDING WITHOUT LIMITATION, BREACH OF CONTRACT, NEGLIGENCE, STRICT LIABILITY, MISREPRESENTATIONS, AND OTHER TORTS, IS LIMITED TO ALL FEES PAID TO FORMIDIUM BY THE CUSTOMER DURING THE TWELVE MONTHS IMMEDIATELY PRECEDING THE EVENTS GIVING RISE TO THE LIABILITY. Formidium shall not be liable for any loss of data or functionality caused directly or indirectly by the users. The Customer assumes all risks arising from the use of the Products, including any private or confidential data, or other private information provided to Formidium, including the risk of any inadvertent disclosure or unauthorized access thereto.

Formidium shall use commercially reasonable efforts to correct all Software error, to provide a reasonable workaround, and to maintain reasonable availability of the Software. The Customer shall provide such access, information, and support as Formidium may reasonably require for error support. Formidium has no other liability to the Customer for Software errors or unavailability of the Software. Without limiting the foregoing, Formidium is not obligated to correct any Software errors or provide any other support if such Software errors or need for support was created in whole or in part by: (i) the Customer’s acts, omissions, negligence or willful misconduct, including any breach of applicable law, rule or regulation or this Agreement or any changes to the Customer’s operating environment; or (ii) any failure or defect of the Customer’s or a third-party’s equipment, software, facilities, applications, or internet connectivity.

The provisions of this section allocate the risks under this Agreement between the parties, and the parties have relied on these limitations in determining whether to enter into this Agreement.

10. Indemnity

10.1 Indemnification by Formidium. Formidium shall defend, indemnify and hold harmless the Customer from and against any final judgment, including an award of reasonable attorney’s fees, that may be awarded by a court of competent jurisdiction against the Customer, resulting from any third-party claim, suit or proceeding that arises from the Customer’s use of the Software in accordance with this Agreement that infringes or misappropriates any U.S. trade secret, trademark, or copyright (“Claim”).

Notwithstanding the foregoing Formidium will have no indemnity obligation to the Customer if the alleged infringement or misappropriation is based on (i) any combination, operation, or use of the Software with products, services, information, materials, technologies, business methods or processes not furnished by Formidium to the extent the infringement or misappropriation is based on such combination, operations or use; (ii) any modification (other than by Formidium) to the Software to the extent the infringement or misappropriation is based on such modification; (iii) use of the Software in violation of or outside the scope of this Agreement, (iv) an allegation that the Software consists of a function, system or method traditionally utilized in a similar Software that is not commercially unique to the Software, and the commercially unique aspects of the Software are not identified in the allegation giving rise to the Claim, (v) user interface or related user design elements not provided by Formidium, (vi) fraud, wilful misconduct or gross negligence by the Customer, (vii) breach or default by the Customer under this Agreement, or (viii) an ordinary and usual expense of such Customer.

The foregoing and following indemnity is subject to the Customer: notifying Formidium in writing within thirty (30) days of becoming aware of any such Claim; giving Formidium sole control of the defense or settlement of such a Claim; and providing Formidium with any and all information and assistance reasonably requested by Formidium to handle the defense or settlement of the Claim.

Notwithstanding the foregoing, in the event of such a claim, or if Formidium believes that such a Claim is likely, Formidium may, at its sole option and expense: (a) modify the Software or provide the Customer with a substitute that is non-infringing; or (b) obtain a license or permission for the Customer to continue to use the Software, at no additional cost to the Customer; or (c) if neither (a) nor (b) is, in Formidium’s judgment, commercially practicable, terminate the Customer’s access to the Software (or to a portion of the Software as necessary to resolve the claimed infringement) and refund any prepaid but unused fees covering use of the Software after termination. THIS SECTION 10.1 STATES FORMIDIUM’S ENTIRE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY CLAIM PROVIDED FOR UNDER THIS SECTION 10.1.

10.2 Indemnification by Customer. The Customer will indemnify, defend and hold Formidium, any and each of its affiliates, and their directors, officers, shareholders, shareholders, subsidiaries, partners, contractors, employees, service providers, licensors, and agents (the “Formidium Parties”) harmless, at the Customer’s expense, against any third-party claim, suit, action, or proceeding (each, an "Action") brought against the Formidium Parties by a third-party to the extent that such Action is based upon or arises out of: (a) unauthorized or illegal use of the Software by the Customer or its affiliates or any user, (b) the Customer or its affiliates' or any users’ noncompliance with or breach of this Agreement, (c) the Customer or its affiliates' or its users’ use of third-party products, or (d) the unauthorized use of the Software by any other person using the Customer or user information.

10.3 Conditions for Indemnification. A party seeking indemnification under this section shall (a) promptly notify the other party of the claim, (b) give the other party sole control of the defense and settlement of the claim, and (c) provide, at the other party’s expense for out-of-pocket expenses, the assistance, information and authority reasonably requested by the other party in the defense and settlement of the claim.

11. Information Security

11.1. Definitions

11.1.1. "Security Breach” or “Breach of Security"

11.1.1.1. Any unauthorized access to or use of the Product and/or any confidential and proprietary data contained in the Company systems and all other information and data compilations used by the Company whether or not in electronic form (the “Company Data”) /Customer Data;

11.1.1.2. Any loss, corruption, or unauthorized disclosure of any Company Data/Customer Data; and/or

11.1.1.3. Any poor configuration, incorrect system management, unpatched vulnerabilities and/or other flaws impacting the Products.

11.1.2. "Security Assessments"

11.1.2.1. Pen testing, segmentation testing or vulnerability scanning carried out to identify whether there are any potential security gaps in respect of Customer Data and/or Company Products/data.

11.2. The Company acknowledges the values of confidentiality, integrity, availability, security, and dependability of Customer Data and systems, as well as Company Products.

11.3. Accordingly, the Company will:

11.3.1. perform obligations under this Agreement with the highest focus on the security of Company Data and systems, as well as on Customer Data;

11.3.2. perform security requirements compliance as specified in this Agreement;

11.3.3. ensure that the security measures used to protect Customer Data, as well as Products, follow industry best practices and are in compliance with applicable laws;

11.3.4. respond to any specific threats to the security of Customer Data, as well as Products, proactively and promptly; and

11.3.5. for security related incidents, provide a fair level of access to pertinent assets, personnel and subcontractors if required by Customer. Final decision on this request will be made at the Company’s IT security team’s discretion.

11.4. Security Breach

11.4.1. The Company will inform the Customer promptly if there is a security breach (if proven) that affects the Products. The Company will take all reasonable steps, including actions / changes reasonably required by the Customer, at no additional expense to the Customer necessary to:

11.4.1.1. reduce the impact of the security breach;

11.4.1.2. remediate or mitigate the security breach to the extent possible and protect the confidentiality, integrity, and availability of applicable Services;

11.4.1.3. implement stringent security controls to prevent a further security breach in the future exploiting the same root cause; and

11.4.1.4. provide an uncorrupted copy of Customer Data affected by the security breach to the firm (upon request) in an encrypted format and within an agreed upon timeframe and without charge; and as soon as reasonably possible and where required by Customer provide full investigation details of the Breach of Security, including a root cause analysis.

11.5. Security Testing

11.5.1. The Company agrees that it will:

11.5.1.1. where a security remediation is not immediately available, implement interim mitigation steps to known exploitable vulnerabilities;

11.5.1.2. pro-actively and regularly scan the Products for vulnerable components and promptly address discovered vulnerabilities (including after major design or architecture change);

11.5.1.3. rerun any applicable security tests once any necessary corrective/preventive/detective action has been performed within the timeframe agreed with the Customer;

11.5.1.4. follow accepted industry standards for vulnerability assessments, prioritization, and remediation.

11.5.2. The Company confirms that security testing will be planned and implemented without affecting Services delivery (unless otherwise agreed with Customer in writing and in advance).

11.5.3. Upon request, the Company will provide Customer with a security test sanitized summary (as it reasonably relates to the Services). Final decision on this request will be made at the Company’s IT security team’s discretion.

11.6. Mobile Access

11.6.1. When Company Data/Customer Data is kept on a mobile, detachable, or uncontrollable Company device, the Company will guarantee that the data is encrypted in accordance with industry standards.

11.6.2. Devices used to access or administer Customer Data and/or systems will be securely managed by the Company.

11.6.3. Secured configurations will be followed in accordance with industry standards and before being provisioned.

11.7. Vulnerabilities and Patch Management

11.7.1. The Company understands that vulnerabilities in the Products may be discovered, and that unless they are addressed, they will pose an unacceptable risk to the Services and/or Customer Data.

11.7.2. Threats/vulnerabilities will be categorized by the Company in line with the industry's best practices including severity ratings: Critical, High, Medium, Low & Informational.

11.7.3. The Company will apply security patches to vulnerabilities in the Products within the timelines below:

11.7.3.1. Security patches categorized as “Critical” or “High’” as soon as possible however within one month after release.

11.7.3.2. Other applicable security patches should be prioritized based on risk and applied within an appropriate timeframe.

11.7.3.3. By exception, the Customer may agree a different maximum time after consulting with the Company on a case-by-case basis.

11.7.3.4. If the Company is unable to address the vulnerability within the timeframes outlined above, the Company will notify the Customer in writing promptly.

11.7.4. All Products (whether its own proprietary Software or 3rd Party software) will be kept up to date, including Software being no more than one major version level below the latest release during the term of the Agreement unless otherwise agreed by Customer in writing, and subject to appropriate endpoint and remote access protection.

11.7.5. The Company will use industry standard baseline hardening practices such as deleting or disabling interfaces, services, and capabilities that are not required for the supply of the Products.

11.7.6. The Company will ensure that malware and unauthorized software running on the underlying servers/platform do not compromise the Products.

11.8. Systems & Architecture

11.8.1. Where the Company processes Customer Data, the Company is committed to:

11.8.1.1. on reasonable request, provide Customer Data in the industry standard format and in a secured manner;

11.8.1.2. have established protocols in place to ensure that Customer Data is available if the Company ceases to operate;

11.8.1.3. the availability of Customer Data in the event of the Company ceasing to service;

11.8.1.4. secured destruction of all media that has held Customer Data at the end of life of that media in line with good industry practice;

11.8.1.5. secured erasure of any or all Customer Data held by the Company when requested to do so by the Customer;

11.8.1.6. ensure business data is securely communicated (e.g., encrypted) through any public and internal network (including the internet, mobile networks, and workplace networks) in accordance with good industry practice.; and

11.8.1.7. where required by the Customer, Customer Data must be encrypted at rest and in motion in line with the good industry practice;

11.8.1.8. where Customer information is encrypted, data security key/secrets management methods, such as secure key/secrets production, distribution, rotation, and storage, must be followed in accordance with industry standards;

11.8.1.9. Customer Data should be appropriately segregated from other Company clients;

11.8.1.10. ensure all locations where Customer Data is stored are fully documented; and

11.8.1.11. not use any business data for any reason other than to fulfil the Company’s duties under this Agreement.

11.8.2. The Company will ensure that all physical facilities that process Customer Data are secure in accordance with industry best practices.

11.8.3. To maintain confidentiality and integrity of data in the communication channel, the Company agrees to use only secured and encrypted means of communications channels during the sharing of data.

11.9. Identity Access Management

11.9.1. The Company certifies that an access control policy is in place and that all Company users and Administrators are uniquely identified and authenticated.

11.9.2. Regular reviews of user access to Customer Data and the Products is in place. Records of the review are stored securely.

11.9.3. Industry best practices for password policies are in place (e.g., password composition, complexity, history, change, revocation, storage).

11.9.4. When Company suppliers and subcontractors having access to Customer Data or any systems holding Customer Data no longer need it or depart the organization, access permissions will be terminated immediately.

11.10. Secured Software Development Lifecycle

11.10.1. Where software development is required for integration with Customer systems/applications, secure development practices are to be followed. This includes:

11.10.1.1. threat modelling as per the Company’s defined internal Secured Software Development Lifecycle (“SSDLC”) framework;

11.10.1.2. using secure coding frameworks and standards;

11.10.1.3. security testing prior to deployment;

11.10.1.4. applying the concept of least privilege in relation to the Products integrating with services and systems leveraged by Customer; and

11.10.1.5. engagement of the security team during each stage of SSDLC.

11.11. Security Monitoring

11.11.1. The Company will ensure sufficient monitoring of the Products to facilitate the detection of behaviors that would be indicative of a Breach of Security. This should include (as applicable):

11.11.1.2. security events generated in the Products such as account logon and logoff events, the commencement and termination of remote access sessions, security alerts from desktop and server operating systems, and security alerts from third-party security software;

11.11.1.3. logs from other network devices such as firewalls, proxy servers, web servers, web application firewalls and intrusion detection/prevention devices;

11.11.1.4. any other records relating to monitoring requirements of the Products which may be agreed between the parties from time to time; and

11.11.1.5. retention of audit records for a period of at least one (1) year, and upon reasonable request make audit records available to the Customer in case of a security or technical incident.

11.12. Personnel Training

11.12.1. The Company confirms that all Company personnel and subcontractors' personnel with access to Customer Data or any systems in the Products holding Customer Data undergo appropriate Information security training.

11.12.2. If the Customer assigns email addresses to the Company and/or subcontractor staff, the Company will guarantee that the emails are exclusively used to carry out the Company’s obligations under this Agreement.

11.13. Company Security Policies/Processes

11.13.1. The Company confirms that on entry into this Agreement the following internal documents are in place:

11.13.1.1. Information Security policies covering the Company’s security governance.

11.13.1.2. Security incident management processes.

11.13.1.3. Security Incident Response plan.

11.13.1.4. Risk Management Framework.

11.13.1.5. Third Party Risk Management policy and its annual review to ensure they reflect good industry practice.

11.13.1.6. Vulnerability & Patch management policy which includes processes for prioritization, testing, and application of security patches; and reporting and audit provisions related to the patching process to assess its effectiveness.

11.13.1.7. Processes for identification of Breaches of Security along with methodology to assess the actual and potential impact on the services of any new Breach of Security.

11.13.2. The Company confirms compliance with the Company’s policies/processes when providing the Services, and otherwise in the context of the obligations under this Agreement

11.14. Data Privacy

11.14.1. The Company ensures the following practices in relation to Data Privacy:

11.14.1.1. Maintain appropriate physical, technical and administrative measures to ensure that processing of Personally Identifiable Information (the “PII”) data carried out by the Company in connection with this Agreement meets and ensures protection of the rights of individuals under the EU GDPR 2016 / 679 or UK Data Protection Act 2018.

11.14.1.2. Process the PII data only to the extent and in the manner required for the permitted purpose and in accordance with the Customer's written instructions (including the instructions set out in this Agreement), and not for any other reason.

11.14.1.3. Process the PII data in accordance with the UK Data Protection Act 2018 and will not put itself or the Customer in violation of it.

11.14.1.4. The Company shall promptly provide a copy of all Customer Data it holds in the format and on the media reasonably requested by the Customer upon written request.

11.14.1.5. The Company may only authorize a third party or sub-contractor to process the personal data if it enters into a written agreement with sub-contractors who will be processing personal data that reflects the requirements of the UK Data Protection Act 2018 and with similar obligations as are imposed on the Company by this Agreement and provided that the sub-contractor's right to process Customer’s personal data terminates automatically on termination of this Agreement for any reason.

11.14.2. The Company shall upon request and at its own cost:

11.14.2.1. make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this Agreement;

11.14.2.2. allow for and contribute to audits, including inspections, conducted by or on behalf of the Customer or by any Regulatory Authority pursuant to Article 58(1) of the UK Data Protection Act 2018 for the purposes of accessing the Company’s compliance with its obligations under this Agreement and the UK Data Protection Act 2018.

11.14.3. Any subcontracting or transfer of personal data permitted by the Customer shall not relieve the Company of any of its liabilities, responsibilities, and obligations under this Agreement to the Customer and the Company shall remain fully liable for the acts and omissions of its permitted Sub-contractors.

11.14.4. Notwithstanding anything to the contrary in these terms, the Company may monitor, collect, use and store anonymous and aggregate statistics and/or data regarding use of the Products solely for internal business purposes (including, but not limited to, improving the Products, and creating new features) and such anonymized and aggregate data shall not be considered Customer Data.

11.15. Data Hosting

11.15.1. Customer Data may be processed and/or hosted by the Company or its authorized third-party service providers in the United Kingdom, United States, European Union, European Economic Area, Switzerland, or other locations around the world, unless otherwise agreed by the Parties.

11.16. Customer privacy is extremely important to Formidium. Please read Formidium’s Privacy policy which explains how Formidium treats and protects personal data when the Customer uses the Software.

12. Corruption & Bribery

12.1. Both Parties agree that neither it nor any associated person has given or offered any payment or gift to anybody employed by the other party as an inducement or reward for awarding this agreement to the other party.

12.2. Without prejudice to any rights the Parties may have arising from a breach of Section12.1, all Products shall be revoked unless otherwise mutually agreed by both the Parties if at any time there is evidence to show that the other party or any associated person is offered or given a bribe of any kind or any gift as an inducement or reward for doing or refraining from doing any act in relation to this Agreement in relation to

12.2.1. anyone employed by the other party; or

12.2.2. anyone employed by the Customer.

13. Force Majeure

13.1. Force Majeure refers to an act or event affecting the performance by a party of its obligations hereunder:

13.1.1. arising from natural catastrophes such as floods, earthquakes, hurricane tornado etc. (acts of God), war, pandemic, insurgency, sabotage, strikes, lock outs, or other industrial action and any other occurrences beyond the reasonable control of the party thus affected.

13.1.2. if and to the extent that any delay or failure to perform any of its obligations under this Agreement is due to Force Majeure, neither party shall be liable to the other, provided that the affected party gives the other party written notice, takes steps in accordance with agreed security and operational controls to resume full services of its obligations, and uses reasonable efforts to mitigate. The liability protection offered by this Section is only for the length of the Force Majeure event.

14. Right to audit

14.1. The Company agrees to allow, with 30 days advance written notice and no more than once every six months, the Customer, or any other authorized representative of the Customer or regulatory authority access to the Company’s premises, data, or personnel for the purpose of assessing the Company's compliance with its obligations under this Agreement.

14.2. Regular (no more than twice per year) security meetings can be conducted between the Parties to provide compliance adherence assurance. These meetings should not be considered as an audit but an opportunity to provide a security overview.

15. Confidentiality

15.1. The Customer acknowledges that the Products constitute and incorporate confidential and proprietary information developed or acquired by or licensed to the Company. The Customer hereby undertakes to the Company to receive and hold the Products in the strictest confidence and further to take all reasonable security precautions in the safekeeping of the Products and in preventing its unauthorized disclosure to third parties, applying no lesser security measures to it than to its own confidential information.

15.2. The Company acknowledges that the Customer Data constitutes and incorporates confidential and proprietary information of the Customer. The Company hereby undertakes to the Customer to receive and hold the Customer Data in the strictest confidence and further to take all reasonable security precautions in the safekeeping of the Customer Data and in preventing its unauthorized disclosure to third parties, except its own employees, Affiliates and shareholders or as may be required by law or by the administrative or regulatory requirements of any stock exchange on which shares of the Company are listed, applying no lesser security measures to it than to its own confidential information.

16. General

16.1. The failure of either party to exercise or enforce any right or provision of this Agreement shall not constitute a waiver of such right or provision. This Agreement, along with Exhibit A, constitutes the entire agreement between the Parties and governs the Customer's use of the Products, superseding any prior agreements between the Customer and the Company (including, but not limited to, any prior versions of this Agreement). A reference to this Agreement includes Exhibit A, unless the context suggests otherwise.

17. Software Support

17.1. The Customer may access personnel employed or otherwise engaged by the Company for the purposes of providing Products support (support personnel) during the times published on the Formidium’s website/portal.

18. Conflict

18.1. In the event of any conflict, contradiction, or ambiguity between the terms and conditions of this Agreement and Order Form, then the terms and conditions of the Order Form shall prevail over this Agreement.

19. Assignment

Formidium may assign, charge, transfer or declare a trust over any of its rights or obligations under this Agreement at any time. The Customer shall not assign, transfer, charge, declare a trust or novate any of its rights under this Agreement, except with the prior written approval of Formidium. The preceding sentence applies to all assignments of rights, except in the event of a voluntary transfer of substantially all assets by the Customer to a transferee which executes Formidium’s form of agreement agreeing to be bound to all the terms and conditions of this Agreement. In such case the Customer will also adhere to Section 7.2 of this Agreement.

20. Notices

Any notice required or permitted hereunder shall be in writing either by letter, facsimile or email and shall be deemed effective on the date of personal delivery (by private messenger, courier service, or otherwise) in case of a letter or upon confirmed receipt of facsimile by the relevant Party, whichever occurs first, or upon confirmation of receipt by the relevant Party if by electronic mail when transmitted (change in address may only be specified by written notice from one Party to the other). The addresses of the Parties are provided at the time of issuing the Order Form.

21. Waiver

No waiver shall be effective unless it is in writing and signed by the waiving party. The waiver by either party of any breach of this Agreement shall not constitute a waiver of any other or subsequent breach. Failure or delay by either Party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.

22. Severability

If any term of this Agreement is held to be invalid or unenforceable, that term shall be reformed to achieve as nearly as possible the same effect as the original term, and the remainder of this Agreement shall remain in full force.

23. Entire Agreement

This Agreement may not be modified or amended by Customer except by an instrument in writing signed by the Parties. Except as stated herein, this Agreement may be modified by Formidium upon 30 days written notice to Customer. Except as stated below with respect to the User Agreement as provided on the Formidium website (the “User Agreement”), this Agreement, together with Exhibit “A”, signature page and the Order Forms, their riders, amendments, and revisions thereof, shall constitute the entire Agreement of the Parties and supersedes all prior agreements and understanding between the Parties relating to the subject matter hereof.

The User Agreement (as amended from time to time), the form of which is linked hereto, shall govern Customer’s use of the Software and shall be read in conjunction with this Agreement. To the extent there is a conflict between this Agreement and the User Agreement, this Agreement shall control, unless the User Agreement specifically acknowledges the conflict and expressly states that the conflicting User Agreement controls.

24. Survival

All provisions regarding indemnification, warranty, liability, and limits thereon, and confidentiality and/or protections of intellectual rights or proprietary rights shall survive the termination of this Agreement.

25. Publicity

Formidium may include Customer’s name and logo in its Customer lists and on its website. Upon signing, Formidium may issue a high-level press release announcing the relationship and the manner in which Customer will use the Software. Formidium shall coordinate its efforts with appropriate communications personnel in Customer’s organization to secure approval of the press release if necessary.

26. Independent Contractor

The parties have the status of independent contractors, and nothing in this Agreement nor the conduct of the parties will be deemed to place the parties in any other relationship. Except as provided in this Agreement, neither party shall be responsible for the acts or omissions of the other party or the other party’s personnel.

27. Governing Law, Jurisdiction and Venue

The laws of the State of Illinois shall govern the validity, interpretation, and performance of this Agreement without regard to conflict of laws and principles. The state and federal courts in the State of Illinois, Dupage County, shall have exclusive jurisdiction over matters arising under or associated with this Agreement. The Parties consent to such courts' exclusive jurisdiction and venue and irrevocably waive any objections thereto.

Exhibit A

List of the Software