CONTRACT 7020 Vendor Agreement
Agreement No. 7020
Order Form (#Q-62299) (Service Account Number: 305868)
Renewal - City of El Segundo, CA
Customer: City of El Segundo, CA
Service Address: 350 Main St, El Segundo, California 90245-3813
Billing Contact: Jose Calderon
Contact Phone: 310.524.2392
Contact Email: jcalderon@elsegundo.org
Technical Contact: Jose Calderon
Account Rep: Maya Arastuie
Email: mahya.arastuie@smarsh.com
Prepared on: 18-Apr-2024
Valid until: 16-Jun-2024
Start Date: 17-Jun-2024
Renewal Date: 17-Jun-2025
Billing Frequency: Annual
Order Type: Renewal
Services | Unit Price | Minimum Quantity | Minimum Commitment
Unified Platform - Professional Archive - SMG | $648.90 | 1 | $648.90
AT&T Mobile Message - Professional Archive Capture | $96.94 | 150 | $14,541.00
Smarsh Support | | 1 |
Professional Support - Basic | | 1 |
Smarsh University | | 1 |
Smarsh U - SMB - Full Access | $1,044.75 | 1 | $1,044.75
Annual Recurring Service Fees Subtotal: $16,234.65
One-Time Fees Subtotal: $0.00
Notes
US:+1(866)762-7741 UK:+44(0)800-048-8612 www.smarsh.com
Terms & Conditions
The Services are subject to the terms and conditions of this Order Form and (i) the Smarsh Service Agreement available at
www.smarsh.com/legal/ServiceAgreement, (ii) the Service Specific Terms referenced in or attached to this Order Form, and (iii) any
exhibits or attachments to this Order Form that may amend, supersede, or append the terms referenced herein (collectively
"Agreement"):
SERVICE SPECIFIC TERMS
• Smarsh U Service Specific Terms available at: https://www.smarsh.com/legal/SSTSmarshUniversity;
• The Professional Archive Service Specific Terms available at https://www.smarsh.com/legal/SSTProfessionalCloud;
• Mobile Channels Service Specific Terms available at https://www.smarsh.com/legal/SSTMobileChannels;
TERM
The Term of the Services shall begin on the Start Date set forth above, or if no Start Date is set forth above, the execution date of this
Order Form, and shall continue for the Subscription Term specified above. For Services added during Client's existing Term, the Term of
the Services will sync to and co-terminate upon Client's Renewal Date set forth above. Renewal of the Services shall be subject to the
terms of the Agreement.
INVOICING
The Recurring Service Fees and One-Time Fees ("Fees") shall be invoiced at the billing frequency set forth on page 1 of this Order Form.
For usage overages, Smarsh will invoice Client for any usage over the minimum quantities at the same per unit rate as indicated in the
first page of this Order Form on a regular basis in arrears. Client agrees that the Recurring Services Fees set forth in this Order Form are
Client's minimum commitment for the Term.
DATA MANAGEMENT FEES
If not priced above or set forth on a separate Order Form between Smarsh and the Client for the applicable data management services
requested by the Client, the following standard data import, conversion (if applicable), and storage Fees for data imports Client's
Professional Archive shall apply to data imports during the Client's term:
• Data Imports - One-time Fee (25 GB Minimum) - $10/GB thereafter
• Import Data Conversion fees (25 GB Minimum) - $3/GB
• Data Storage - Annual - $2.50/GB
Amendment to the Smarsh Service Agreement
This Amendment ("Amendment") amends the Smarsh Service Agreement located at
www.smarsh.com/legal/ServiceAgreement between Smarsh Inc. ("Smarsh") and City of El Segundo, CA
("Client") ("Agreement"). This Amendment is effective as of the date last signed below, or on the date (i) the Client
signs the Order Form to which this Amendment is attached. Capitalized terms not defined in this Amendment
have the meaning provided in the Agreement.
WHEREAS, Client has requested certain modifications to the Agreement, and Smarsh has agreed to such
modifications as set forth below;
THEREFORE, Client and Smarsh agree as follows:
1) Conflict. In the event of a conflict between this Amendment and the Agreement, the terms of this
Amendment shall control with respect to the clauses and language modified by this Amendment.
2) Section 6.3 of the Agreement is hereby deleted and replaced with the following language:
6.3. Renewals & Non-Renewal - Limited Term. The Services that are provided on a recurring basis will not renew
automatically for an additional, successive 12-month Service Term. The Services may be renewed by Client for an
additional, successive 12-month Service Term (each a "Renewal Term") upon the execution of a renewal Order
Form prior to the expiration of the then current Service Term. Smarsh may elect not to renew a Service by
providing no less than 30 days written notice to the Client prior to the end of the then current Service Term.
3) Section 7.7 of the Agreement is hereby deleted and replaced with the following language:
7.7. Taxes. All Fees payable by Client under this Agreement are exclusive of taxes and similar assessments. Smarsh
acknowledges that Client is tax-exempt.
4) Section 8.2 of the Agreement is hereby deleted and replaced with the following language:
8.2. Obligations with Respect to Confidential Information. Each party agrees: (a) that it will not disclose to
any third party, or use for the benefit of any third party, any Confidential Information disclosed to it by the other
party except as expressly permitted by this Agreement; and (b) that it will use reasonable measures to maintain
the confidentiality of Confidential Information of the other party in its possession or control but no less than the
measures it uses to protect its own confidential information. Either party may disclose Confidential Information
of the other party: (i) pursuant to the order or requirement of a court, administrative or regulatory agency, or other
governmental body, provided that the receiving party, if feasible and legally permitted to do so, gives reasonable
notice to the disclosing party to allow the disclosing party to contest such order or requirement; (ii) to the parties'
agents, representatives, subcontractors or service providers who have a need to know such information provided
that such party shall be under obligations of confidentiality at least as restrictive as those contained in this
Agreement ("Agents"); or (iii) pursuant to a public records request under those laws applicable to the Client and
only to the extent that such confidential information is not subject to an exemption from such public record
request, provided that the Client gives notice to Smarsh in a reasonable amount of time to allow Smarsh the
opportunity to seek a protective order preventing such disclosure. Each party will promptly notify the other party
in writing upon becoming aware of any unauthorized use or disclosure of the other party's Confidential
Information.
5) Section 11.1 of the Agreement is hereby deleted and replaced with the following language:
11.1. Client Indemnification. To the extent permitted by those laws applicable to the Client, and without in any
manner waiving its rights to sovereign immunity or increasing the limits of liability thereunder, Client will defend
and indemnify Smarsh, its officers, directors, employees, and agents, from and against all third party claims, losses,
damages, liabilities, demands, and expenses (including fines, penalties, and reasonable attorneys' fees), arising
from or related to (i) Client Data and Client's use of Client Data, (ii) Smarsh's use of Client Data in accordance with
this Agreement, and (iii) Client's use of the Services in violation of this Agreement or applicable laws, rules, and
regulations. Smarsh will (a) provide Client with prompt written notice upon becoming aware of any such claim;
except that Client will not be relieved of its obligation for indemnification if Smarsh fails to provide such notice
unless Client is actually prejudiced in defending a claim due to Smarsh's failure to provide notice in accordance
with this Section; (b) allow Client sole and exclusive control over the defense and settlement of any such claim;
and (c) if requested by Client, and at Client's expense, reasonably cooperate with the defense of such claim.
6) Section 13.5 of the Agreement is hereby deleted and replaced with the following language:
13.5. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State
of California, without regard to conflict/choice of law principles.
7) Section 13.11 of the Agreement is hereby deleted and replaced with the following language:
13.11. Amendments. This Agreement may only be modified, or any rights under it waived, by a written document
executed by both parties.
8) The following language is added to the Agreement as Section 14 - SLED Additional Terms.
14.1 Insurance. Smarsh shall, on a primary basis and at its sole expense, maintain in full force and effect at all times
during the life of this Agreement, insurance coverage and limits, including endorsements, necessary and
appropriate to provide the Services under this Agreement. Smarsh agrees to provide, once every 12 months and
upon written request by the Client, a summary of Smarsh's insurance coverage for review by the Client. In addition,
Smarsh agrees to use commercially reasonable efforts to provide at least 30 days prior written notice of any
material adverse changes to Smarsh's insurance coverage.
9) Except as otherwise set forth in this Amendment, the Agreement will remain unchanged and in full force
and effect. This Amendment, together with the Agreement is the entire agreement between the parties, and
supersedes all prior agreements between them, whether written or oral in nature.
SMARSH SERVICES AGREEMENT
This Smarsh Services Agreement (the "Agreement") constitutes a binding agreement between Smarsh
Inc. ("Smarsh") and the company signing either this Agreement ("Client") or the Order Form or other
similar ordering document accepted by Smarsh that references this Agreement ("Order Form").
This Agreement includes all exhibits, appendices, or other addenda, including all Order Forms, that
reference this Agreement, and incorporates any applicable Service Specific Terms, Service Level
Agreements, or Documentation by reference.
1. Services. Smarsh will provide the services specified in each Order Form ("Services") according to (i)
the terms of the Agreement, (ii) with respect to any software ("On-Prem Software") or software-as-a-service
("SaaS Service") provided by Smarsh, the applicable Service Specific Terms for such SaaS
Service, (iii) with respect to any implementation professional services, the applicable statement of
work ("SOW") or onboarding package documentation provided by Smarsh to the Client, and (iv) with
respect to any support services, the applicable Service Level Agreement or support package
documentation provided by Smarsh to Client. Service Documentation can be found
at [URL illegible in source] under Production Documentation ("Documentation").
1.1. Orders. Client may amend or order new Services provided under this Agreement by executing
a new Order Form for Services through Smarsh (each upon Smarsh's acceptance). The Service
Term will be set forth on the applicable Order Form ("Service Term"). The Service Term for any
additional services purchased after or during the Client's existing Service Term will co-term to,
sync with, and renew based upon Client's then current Services Term for the Services to which
Client has subscribed (the "Recurring Services").
1.2. Access & Use. Subject to the terms of the Agreement and as applicable to the Service, Client
may license, access and use the applicable Service during the Service Term. Smarsh reserves the
right to temporarily suspend Client's access to a Service (i.e., disable login credentials) or any
User's access to the SaaS Service if (i) Smarsh reasonably believes that (a) Client is in material
breach of the Agreement or Order Form, or (b) a User is in breach of the Agreement or Order
Form, (ii) with respect to a SaaS Service, a User or Client's use of a SaaS Service is likely (in
Smarsh's reasonable opinion) to negatively affect the availability, security, or performance of
Smarsh's systems or such SaaS Service; or (iii) Smarsh in good faith suspects that an
unauthorized third party has gained access to the Service using credentials issued to the Client
by Smarsh. With respect to Documentation or a Service that requires a license, Smarsh grants
Client a revocable, non-exclusive, worldwide license to use the Documentation or such Service
for the duration of the applicable Service Term.
1.3. Restrictions. The Client will not (and will not knowingly permit any third party, including its
Users, to): (a) use the Service to develop a similar or competing product or service; (b) reverse
engineer, decompile, disassemble, or seek to access the source code, algorithms, or non-public
APIs to the Service or any related features; (c) modify or create derivative works of the Service or
any element of the Service; (d) copy, rent, lease, distribute, assign (except as authorized under
this Agreement), or otherwise transfer rights to the SaaS Service or any part thereof, for the
benefit of a third party, or remove any proprietary notices or labels from the SaaS Service or any
part thereof; (e) use the Service to perform or publish benchmarks or performance information
about the Service; (f) provide access to or sublicense the Service to a third party except as
authorized under the Agreement, (g) transmit, or allow any Third Party Service to transmit on
Client's behalf to Smarsh any data that is subject to PCI (e.g., Payment Card Industry Security
Standards) data protection requirements, (h) use the SaaS Service in a manner that (i) violates
applicable laws, rules, or regulations, or (ii) negatively affects the availability, security, or
performance of the SaaS Service, or (i) use the Services (i) in excess of the scope of its licensing,
(ii) contrary to the particular SaaS Service's Service Specific Terms, or (iii) to circumvent another
service offered by Smarsh, such as subscribing to email archiving for the purpose of archiving
email marketing data. The Client will not, directly or indirectly, in whole or in part, use or
knowingly permit the use of any security testing tools in order to probe, scan or attempt to
penetrate or ascertain the security of the Services.
1.4. Updates. Smarsh may, in its sole discretion, update or modify the SaaS Service by making
available updates or modifications which may add new or eliminate existing features or
functions to the SaaS Service, so long as such update or modification does not materially
degrade the SaaS Service. For clarity, elimination of an existing material feature or function shall
be replaced with a feature or function with similar effect unless Smarsh provides reasonable
advance notice of said elimination and said elimination (i) is in furtherance of accepted industry
practice, or (ii) is made pursuant to applicable law.
1.5. Upgrades. Smarsh may upgrade the SaaS Services used by Client to new versions of such SaaS
Service, or install patches, service packs, security updates or the like to the SaaS Services. For
upgrades substantially impacting the functionality of the SaaS Services (i.e., those which may
require the Client to retrain its Users or update a connection), Smarsh will provide Client with
written notice prior to upgrade. Certain upgrades may introduce new functionality modules
which will be made available to Client on an optional basis for an additional fee and Client will
be given prior notice of any additional fees that may apply for such new modules, and an option
to accept or reject use of such new modules.
1.6. Replacements. Smarsh may, upon reasonable advance notice to the Client, sunset, end of life,
deprecate, retire, or replace any Service or feature thereof upon reasonable advance written
notice to Client, provided that Smarsh makes a substantially similar Service or feature available
to Client for the remainder of Client's then current Service Term at no additional charge. If
Smarsh is unable or determines in good faith that is economically infeasible to provide a
substantially similar Service or feature, then Smarsh will issue Client a credit for the unused
portion of any pre-paid Fees that are attributable to the discontinued Service or feature. Refunds
will not apply to any modifications to Services or features that are made by Smarsh to comply
with applicable law or address a material security risk.
2. Support & User Groups. Smarsh Central, located at [URL illegible in source], is where Client can
access support resources for the Services as well as engage with other end users in online forums
regarding the Services.
2.1. Smarsh Central. Support FAQ's and other support resources are available on Smarsh Central.
Client may initiate support requests by submitting support tickets on Smarsh Central. Changes
to Smarsh's support policies will be made available on Smarsh Central, provided, however, that
any such changes shall not materially degrade the support services.
2.2. Groups. Smarsh Central also provides online forums and related features to Users of the Services
(as defined below) for discussion, feedback, and general Q&A purposes (such forums and related
features are collectively called "Groups"). Smarsh grants Client and its Users a revocable,
non-exclusive, non-transferable license to access and use Groups within Smarsh Central in
connection with Client's use of the Services. Client or Users may post comments or content to
Groups ("Groups Content"). Client hereby grants Smarsh a worldwide, exclusive, royalty-free,
irrevocable license to access, use, reproduce, make derivatives of, and incorporate Groups
Content into Smarsh products or services for commercial use. Client acknowledges that Groups
Content is not confidential and is subject to the terms of use for Groups. Smarsh may delete
Groups Content without prior notice. Client is responsible for all Groups Content posted by its
Users. Smarsh disclaims all liability arising from Groups Content and use of Groups, including
exposure to content that is potentially offensive, indecent, inaccurate, objectionable, or
otherwise inappropriate. Smarsh may suspend or discontinue Groups at any time. Smarsh
provides Groups without charge and Groups is not part of the Services.
3. Trial Services. If a trial period is indicated on an Order Form, Smarsh will provide Client with a
temporary account to those Services ("Trial Account"). The Trial Account will be accessible for the
trial period set forth in the Order Form, or if no trial period is stated, the Trial Account period will be
thirty (30) days. DURING THE TRIAL PERIOD, THE TRIAL ACCOUNT AND ASSOCIATED SERVICES ARE
PROVIDED "AS IS" AND "AS AVAILABLE" AND WITHOUT REPRESENTATION OR WARRANTY OF ANY
KIND.
4. Third Party Data Sources & Client Data. To capture or archive data, the Services are dependent on
receiving data from Third Party Data Sources or Client's own systems.
4.1. Third Party Data Sources. The Services may receive Client Data from third party data sources
on behalf of the Client, such as Microsoft, telecommunication companies (such as Verizon or
AT&T), social media networks (e.g. Facebook), or other business content management providers
or customer relationship management software (e.g. Salesforce), including but not limited to
those third parties' APIs or platforms ("Third Party Data Sources").
4.1.1. The Client understands that Third Party Data Sources are not offered, controlled, or
provided by Smarsh, and thus, Smarsh is not responsible for any outages, lost data, service
interruptions, or failures caused by, or that are the result of, any action or failure to act by a
Third Party Data Source. Smarsh does not control and is not responsible or liable for how a
Third Party Data Source transmits, accesses, processes, stores, uses, or provides data to
Smarsh. Smarsh expressly disclaims all liability related to or arising from any Third Party
Data Sources, including the Client's use thereof, or liability related to or arising from any
updates, modifications, outages, delivery failures, corruption of data, loss of data,
discontinuance of services, or termination of the Client's account by the Third Party Data
Source.
4.1.2. Client is solely responsible for ensuring that Client complies with all Third Party Data Source
terms and conditions. Client acknowledges that certain Third-Party Data Sources do not
represent that they are suitable for sensitive communications and do not encrypt
messages sent over such Third Party Data Source networks, including social media
providers, telecommunication carriers and certain messaging platforms. Client agrees that
if Client transmits sensitive health, financial, or personal information via these unsecured
Third Party Data Source networks, Client assumes all risk associated with such transmission
and is responsible for any damages or losses incurred with respect to transmitting such
sensitive data over such networks and to Smarsh.
4.2. As used in this Agreement, the term "Client Data" means: (a) the data that the SaaS Services
capture or archive from Client's systems or from Client's Third Party Data Sources (as defined
below), (b) Client's historical data provided by or on behalf of Client that is ingested into the SaaS
Services, and (c) all content, data, and information, that is submitted, posted, uploaded,
captured, or otherwise transmitted to a SaaS Service by or on behalf of the Client from Client's
Systems or Third Party Data Sources. Client hereby grants Smarsh a limited, non-exclusive
license to access and use Client Data as necessary to provide support and improve the Services
on behalf of the Client, or as otherwise authorized hereunder or by Client in writing to Smarsh.
Telemetry data generated by the Client's use and operation of the SaaS Services is usage data
and is not Client Data ("Usage Data"). Smarsh shall only use Usage Data to provide, improve, or
support the Services.
5. Client Obligations.
5.1. Because Smarsh does not have access to Client's systems, nor does Smarsh control or have
access to Client's Third Party Data Sources, Client is solely responsible for monitoring the data
within the Services, Client's systems, and Third Party Data Sources to ensure that all such data
is being captured accurately by the Service. Client will promptly notify Smarsh of any
inconsistencies or inaccuracies in the capturing of Client Data, as well as of any delivery failures
or outages of Client's systems or Client's Third Party Data Sources, that could affect the
transmission or capture of Client Data by the Services.
5.2. It is Client's responsibility to protect and encrypt (i) all data sent to the Services from Client's
systems and Client's Third Party Data Sources, and (ii) historical data sent to Smarsh by Client or
on behalf of Client for ingestion into the Services. Smarsh will have no responsibility or liability
for any data that Client, or any third party on behalf of Client, transmits to Smarsh in an
unencrypted format. Smarsh is not responsible or liable for any update, upgrade, patch,
maintenance or other change to Client's systems or Third Party Data Source that affects the
transmission or capture of Client Data to the Services. Client is solely responsible for ensuring
that the Services are configured to capture data from authorized end-user accounts, devices,
web domains, as applicable.
5.3. Client is solely responsible for all Client Data. Client represents and warrants that (a) Client Data
will not (i) infringe any third party right, including third party rights in patent, trademark,
copyright, or trade secret, or (ii) violate the rights of any third parties, including any right that
may exist under contract or tort theories. Client will comply with all applicable local, state,
national, or foreign laws, rules, regulations, or treaties in connection with Client's use of the
Services, including those related to data privacy, data protection, communications, SPAM, or the
transmission, recording, or storage of technical data, personal data, or sensitive information.
5.4. Client is responsible for creating an account within the Services and ensuring that (a) Client's
account registration information is complete and accurate; and (b) Client's account credentials
remain confidential. Client will notify Smarsh immediately of any unauthorized use of Client's
account or account credentials, or any other known or suspected breach of the security of
Client's account. Client is responsible for the activity that occurs within Client's account and for
the actions or omissions of Client's employees, contractors or agents, whether such person is or
was acting within the scope of their employment, engagement, or agency relationship.
5.5. Client may provide Representatives with access to the Services or where Client is required to
review Representative communications, Client may use the Services to meet such requirement.
A "Representative" means any entity (a) that Client controls or that is under common control
with Client; or (b) on behalf of which Client has a regulatory requirement to archive or review
communications data. Representatives' use of the Services is subject to the terms of this
Agreement. Client is responsible for the actions or omissions of each Representative whether
such person is or was acting within the scope of their employment, engagement, or agency
relationship.
5.6. Client may designate user roles with different levels of access for use or support of the Services.
An "Authorized User" is the administrative user with the highest level of access and is
responsible for managing the Services for Client. Only Authorized Users may appoint other
Authorized Users, request or agree to changes to the Services, add or remove users, make billing
inquiries, contact support, or take other, similar actions. A "User" is any individual who is
granted login credentials to the Services. Users may not share account login credentials with
any other third party.
5.7. Privacy Jurisdictions. Reasonably prior to the Services ingesting Client Data, the Client shall
inform Smarsh in writing if Client Data is subject to any data protection rules and regulations,
including Regulation (EU) 2016/679 of the European Parliament of the Council of 27 April 2016
("Privacy Rules"). If Client plans to capture and archive any Client Data subject to any Privacy
Rules not currently contemplated by this Agreement, Client shall promptly notify Smarsh and
the parties will work in good faith to update the Agreement, including the applicable Data
Protection Addendum (or other similar document) to address such new privacy jurisdictions.
6. Term & Termination.
6.1. Agreement Term. The Agreement will begin on the execution date of this Agreement, or the
applicable Order Form, and will remain in effect until terminated by either party in accordance
with this Section. Termination of the Agreement will terminate all associated Order Forms and
SOWs.
6.2. Service Term. The Service Term for a Service will begin as set forth in the Order Form and will
continue for the Service Term specified on the Order Form, unless agreed otherwise in writing.
6.3. Renewals & Non-Renewal. Services that are provided on a recurring basis will renew
automatically for additional, successive 12-month terms, unless Smarsh or Client provides the
other party with written notice of non-renewal or termination in accordance with this Section.
At least 90 days prior to the end of the then current Service Term, Smarsh will provide the Client
with written notice of the pending renewal of the recurring services ("Renewal Notice"). If Client
does not provide written notice of its intent to cancel the Services sixty (60) days prior to the end
of the then current Service Term, Client shall be deemed to have accepted the renewal of such
Services based on the Minimum Commitments set forth in the Renewal Order Form. Smarsh
may elect not to renew a Service by providing no less than 30 days written notice to the Client
prior to the end of the then current Service Term.
6.4. Termination for Breach. Either party may terminate this Agreement if the other party
materially breaches its obligations under this Agreement and such breach remains uncured for
a period of thirty (30) days following the non-breaching party's receipt of written notice thereof.
Smarsh reserves the right to temporarily disable or suspend Client's access to the Services in the
event of a breach of this Agreement until such breach is cured, and will not be liable for any
damages resulting from such suspension.
6.5. Termination of an Order Form, or Statement of Work. Either party may terminate the Services
provided under an Order Form, or Statement of Work if the other party materially breaches its
obligations under such Order Form, or Statement of Work, and such breach remains uncured
for a period of thirty (30) days following a party's receipt of written notice thereof.
6.6. Termination without Cause. In the event of a situation where there are no active Services
provided under this Agreement by Smarsh to Client, either party may terminate this Agreement
upon ninety (90) days written notice to the other party.
6.7. Termination for Bankruptcy. This Agreement will terminate immediately, upon written notice,
where (a) either party is declared insolvent or adjudged bankrupt by a court of competent
jurisdiction; or (b) a petition for bankruptcy or reorganization or an arrangement with creditors
is filed by or against that party and is not dismissed within 60 days.
6.8. Effect of Termination. Upon any termination or expiration of the Agreement: (a) all rights and
licenses to the Services granted to Client by Smarsh will immediately terminate; (b) Client will
pay any Fees due and payable up to the date of termination, except in the case of Smarsh's
termination for Client's breach, and in such case, Client will pay the Fees owing for the remainder
of the then-current Term; and (c) upon request, each party will return to the other or delete the
Confidential Information of the other party (except Client Data, the return and deletion of which
is handled separately as detailed below or as covered in the applicable Statement of Work).
6.8.1. Client Data Transition - Professional Archive. Upon the termination of this Agreement
or the applicable Order Form, Client will cease to have access to the SaaS Services (and the
Client Data stored within the SaaS Services). Client may request that Smarsh perform
professional services to export or migrate the Client Data remaining in the SaaS Services
subject to the execution of (i) a statement of work covering such export or migration
services between the Client and Smarsh and the applicable fees, and (ii) as applicable, an
Order Form covering any fees for maintaining Client's data and access to the SaaS Services
during the duration of the professional services. Any export or migration services will be
performed at Smarsh's then current rates for professional services. Unless agreed otherwise
in writing by the parties or prohibited by applicable law, if Client has not made plans to
retrieve its data Smarsh shall delete all Client Data 6 months following termination of the
Agreement or Order Form.
6.8.2. Transition Services - In General. If requested in writing by the Client prior to termination
of this Agreement or non-renewal of an Order Form for archive services, Smarsh shall
provide the Client with transition assistance for up to twelve (12) months (or such longer
period as mutually agreed) subject to the execution of an Order Form or other agreement
to facilitate the orderly transfer of Client Data to the Client or its third party designee
("Transition Assistance"). In the event that the Transition Assistance includes access to the
SaaS Services or the extension of other Services, Smarsh shall provide such Services at the
then current rates for the Services. If the Transition Assistance includes professional services
for the migration or export of Client Data, such services shall be subject to the then current
rates for such professional services and the execution of a data migration statement of
work.
The Term & Termination section shall survive the termination of this Agreement.
7. Fees & Payment. Client will pay the fees for the Services as set forth in the Order Form ("Fees"). Upon
execution of the Order Form, Smarsh will invoice Client for the Fees for the Recurring Services, One-
time Fees and Fees for professional services per the terms of the Order Form, or in the case of one-
time fees, the applicable statement of work. Fees for a Renewal Term will be invoiced upon renewal.
Client shall pay Fees within thirty (30) days of the date of the invoice. If Client requires a purchase
order to facilitate an invoice payment, Client must provide said purchase order upon execution of the
applicable Order Form.
7.1. Third Party API Usage. In the event that any Third-Party Service charges any API usage service
fees or passes through any costs to Smarsh that are (i) in connection with the Client's use of a
Service and such Third Party Service, and (ii) Smarsh can reasonably demonstrate that such
costs are directly allocated to the Client, Smarsh reserves the right to pass those costs along to
the Client ("Third Party Fees"). The Client agrees to pay all such Third-Party Fees when Smarsh
invoices the Client for such fees, which will include a breakdown and description of the fees.
7.2. Disputes & Failure to Pay. If Client disputes any invoice or portion thereof, Client must notify
Smarsh within 30 days of the date of invoice. Invoices not disputed within 30 days from the date
of invoice will be deemed accepted by Client. Smarsh may charge a late fee of 1.5% per month
on any amount not paid when due. In the event Client fails to pay invoiced amounts when due,
Smarsh may suspend (i) Client's access to the Services upon written notice and a 15 day cure
period, provided, however, that (a) such suspension of access shall not suspend the Service's
capture of Client Data, and (b) Smarsh shall facilitate to the best of its ability, and not impede or
prevent, the examination, access, download, or transfer of Client Data by a representative or
designee of a regulator with jurisdiction over Client; and (ii) certain professional or support
services until that time when Client pays such unpaid Fees.
7.3. Uplift & Discount Expiration. At renewal of the applicable Services, if Client is no longer entitled
to a discount it received at the initial purchase of the Services or in a prior renewal of the Services,
Smarsh reserves the right to increase the Fees for the affected Service(s) to the then current
price for such Service(s). Smarsh also reserves the right to apply uplift to the recurring Fees for
the Services upon each Renewal Term, or for multi-year subscriptions, each subscription year,
provided that any such uplift will not exceed (a) seven percent (7%), or (b) the current Consumer
Price Index for Information Technology, Hardware and Services at the time of the Renewal,
whichever is greater ("Uplift"). For the sake of clarity, Uplift is separate and distinct from any
price increases that may occur (i) as the result of an expiration of prior discount pricing, or (ii)
subject to the Third Party Service Price Changes section.
7.4. Third Party Service Price Changes. Client recognizes that Smarsh is unable to control the
commercial model(s) of the Third Party Data Sources used by Client or Smarsh's partners (with
respect to resold Services). In the event that a Third Party Data Source or Smarsh partner
changes their pricing and such change impacts the commercial feasibility of Smarsh's Fees for
the applicable Service, Smarsh will provide the Client with reasonable advanced written notice
of such change(s), including any known impact of such change on the Client's Service(s) and
any price increase for the impacted Service. Any resulting price increase will become effective
upon the next annual term of the affected Service, unless set forth otherwise by Smarsh in its
written notice to the Client.
7.5. Usage Limitations. Client's use of the Services is subject to those usage limitations, Minimum
Commitments, and performance constraints set forth in the Agreement or Order Form. Client
shall not exceed any usage limitations set forth in the Services' Documentation, Agreement or
Order Form. If Client exceeds such usage limitations, Client will be subject to, and agrees to pay
promptly upon being invoiced by Smarsh, additional usage based overage Fees.
7.6. Minimum Commitment & Invoice of Overages. Client agrees that the Recurring Services Fees
and quantities for the Services in the applicable Order Form are Client's minimum purchase
commitment during the Initial Term and, upon renewal, each Renewal Term. The minimum
commitment is the total sum of the Recurring Services Fees set forth in the applicable Order
Form. For Fees invoiced based on usage, (a) if Client's usage exceeds the minimum
commitment specified in the Order Form, Smarsh will invoice, and Client will pay the additional
Fees due for such usage at the rates specified in the Order Form; and (b) if Client's usage during
a month is less than Client's minimum purchase commitment, Smarsh will invoice Client for the
minimum purchase commitment. Client understands that even if Client terminates prior to the
end of the Term or any Renewal Term, such minimum commitment shall be due to Smarsh.
7.7. Taxes. All Fees payable by Client under this Agreement are exclusive of taxes and similar
assessments. Client is responsible for all sales, service, use and excise taxes, utility user's fees,
VAT, 911 taxes, or universal service fund fees or taxes, taxes assessed on the use of software or any
other similar taxes, duties and charges of any kind imposed by any federal, state or local
governmental or regulatory authority on any amounts payable hereunder, other than any taxes
imposed on Smarsh's income. If Client is tax-exempt, Client is responsible to provide a copy of
their current tax-exempt certificate upon execution.
The Fees & Payment section shall survive the termination of this Agreement.
8. Confidentiality.
8.1. "Confidential Information" means (a) the non-public information of either party, including but
not limited to information relating to either party's product plans, present or future
developments, customers, designs, costs, prices, finances, marketing plans, business
opportunities, software, software manuals, personnel, research, development, or know-how; (b)
any information designated by either party as "confidential" or "proprietary" or which, under the
circumstances, would reasonably be deemed to be confidential; and (c) the terms of this
Agreement. "Confidential Information" does not include information that: (i) is in, or enters, the
public domain without breach of this Agreement; (ii) the receiving party lawfully receives from
a third party without restriction on disclosure and without breach of a nondisclosure obligation;
(iii) the receiving party knew prior to receiving such information from the disclosing party, as
evidenced by the receiving party's records; or (iv) the receiving party develops independently
without reference to the Confidential Information.
8.2. Obligations with Respect to Confidential Information. Each party agrees: (a) that it will not
disclose to any third party, or use for the benefit of any third party, any Confidential Information
disclosed to it by the other party except as expressly permitted by this Agreement; and (b) that
it will use reasonable measures to maintain the confidentiality of Confidential Information of the
other party in its possession or control but no less than the measures it uses to protect its own
confidential information. Either party may disclose Confidential Information of the other party:
(i) pursuant to the order or requirement of a court, administrative or regulatory agency, or other
governmental body, provided that the receiving party, if feasible and legally permitted to do so,
gives reasonable notice to the disclosing party to allow the disclosing party to contest such order
or requirement; or (ii) to the parties' agents, representatives, subcontractors or service providers
who have a need to know such information provided that such party shall be under obligations
of confidentiality at least as restrictive as those contained in this Agreement (its "Agents"). A
party shall remain fully liable under this Agreement for any breach of this Section by its Agents.
Each party will promptly notify the other party in writing upon becoming aware of any
unauthorized use or disclosure of the other party's Confidential Information.
8.3. Remedies. Each party acknowledges and agrees that a breach of the obligations of this Section
by the other party may result in irreparable injury to the disclosing party for which there may be
no adequate remedy at law, and the disclosing party will be entitled to seek equitable relief,
including injunction and specific performance, in the event of any breach or threatened breach
or intended breach by the recipient of Confidential Information.
8.4. Feedback. Feedback is not Confidential Information. Nothing in the Agreement will restrict
Smarsh's right to make use of Feedback in any way Smarsh sees fit and is not required to
compensate or credit Client or the individual who provided such Feedback. "Feedback" is any
suggestion or idea for improving or otherwise modifying Smarsh's products or services. If
Feedback contains Client's Confidential Information, Smarsh may only use that portion of the
Feedback that is not Client's Confidential Information.
The Confidentiality section shall survive the termination of this Agreement.
9. Intellectual Property. As between Smarsh and Client, all right, title and interest in and to the
Services, the information technology infrastructure including the software, hardware, databases,
electronic systems, networks, and all applications, APIs or Client-Side Software (as defined in the
Service Specific Terms) required to deliver the Services, or made available or accessible to Client by
Smarsh, including all documentation regarding the use or operation of the Services
(collectively "Intellectual Property") are the sole and exclusive property of Smarsh. Except as
expressly stated herein, nothing in this Agreement will serve to transfer to Client any right in or to
the Intellectual Property. Smarsh retains all right, title and interest in and to Intellectual Property. As
between Smarsh and Client, Client Data is the sole and exclusive property of Client and other than
the limited license to Client Data granted hereunder, nothing in this Agreement will serve to transfer
to Smarsh any intellectual property rights in Client Data.
The Intellectual Property section shall survive the termination of this Agreement.
10. Representations and Warranties; Warranty Disclaimer.
10.1. Performance Warranty. Smarsh represents and warrants that it will use commercially
reasonable efforts to provide the Services in accordance with generally accepted industry
standards.
10.2. Authority. Each party represents and warrants that it has the right and authority to enter into
this Agreement and that the performance of its obligations under this Agreement will not
breach, or conflict with, any other agreement to which it is a party.
10.3. Compliance with Laws. Each party represents and warrants that it will comply in all material
respects with the laws and regulations applicable to the operation of their business.
10.4. Warranty Disclaimer; No Guarantee. EXCEPT AS SET FORTH ABOVE, SMARSH MAKES NO
REPRESENTATION OR WARRANTY OF ANY KIND IN CONNECTION WITH THE SERVICES,
PROFESSIONAL SERVICES OR SOFTWARE, INCLUDING, WITHOUT LIMITATION, ANY
INFORMATION OR MATERIALS PROVIDED OR MADE AVAILABLE BY SMARSH. SMARSH
HEREBY DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER
EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. SMARSH DOES NOT
REPRESENT OR WARRANT THAT THE SERVICES OR SOFTWARE WILL BE AVAILABLE OR
ERROR-FREE. SMARSH WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE
FAILURES OR OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET, ELECTRONIC
COMMUNICATIONS, OR OTHER SYSTEMS OUTSIDE THE REASONABLE CONTROL OF SMARSH.
SMARSH DOES NOT GUARANTEE THAT USE OF THE SERVICES BY CLIENT OR THE ADVICE,
CONSULTING OR PROFESSIONAL SERVICES PROVIDED TO CLIENT WILL ENSURE CLIENT'S
LEGAL COMPLIANCE WITH ANY FEDERAL, STATE, OR INTERNATIONAL STATUTE, LAW, RULE,
REGULATION, OR DIRECTIVE. THE SOFTWARE IS NOT DESIGNED OR INTENDED FOR USE IN
HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, INCLUDING BUT NOT
LIMITED TO ANY APPLICATION IN WHICH THE FAILURE OF THE SOFTWARE COULD LEAD
DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR PROPERTY DAMAGE. THIS
SECTION SHALL SURVIVE THE TERMINATION OF THIS AGREEMENT.
11. Indemnification.
11.1. Client Indemnification. Client will defend and indemnify Smarsh, its officers, directors,
employees, and agents, from and against all third party claims, losses, damages, liabilities,
demands, and expenses (including fines, penalties, and reasonable attorneys' fees), arising from
or related to (i) Client Data and Client's use of Client Data, (ii) Smarsh's use of Client Data in
accordance with this Agreement, and (iii) Client's use of the Services in violation of this
Agreement or applicable laws, rules, and regulations. Smarsh will (a) provide Client with prompt
written notice upon becoming aware of any such claim; except that Client will not be relieved
of its obligation for indemnification if Smarsh fails to provide such notice unless Client is actually
prejudiced in defending a claim due to Smarsh's failure to provide notice in accordance with
this Section; (b) allow Client sole and exclusive control over the defense and settlement of any
such claim; and (c) if requested by Client, and at Client's expense, reasonably cooperate with the
defense of such claim.
11.2. Smarsh Indemnification. Smarsh will defend and indemnify Client, its officers, directors,
employees, and agents, from and against all third party claims, losses, damages, liabilities and
expenses (including fines, penalties, and reasonable attorneys' fees) arising from a claim that
Client's use of the Services in accordance with this Agreement infringes upon any United States
patent, trademark or copyright. Client will (a) provide Smarsh with prompt written notice upon
becoming aware of any such claim; except that Smarsh will not be relieved of its obligation for
indemnification if Client fails to provide such notice unless Smarsh is actually prejudiced in
defending a claim due to Client's failure to provide notice in accordance with this Section; (b)
allow Smarsh sole and exclusive control over the defense and settlement of any such claim; and
(c) if requested by Smarsh, and at Smarsh's expense, reasonably cooperate with the defense of
such claim. Notwithstanding the foregoing, Smarsh will not be liable for any claim that relates
to or arises from: (i) custom functionality provided to Client based on Client's specific
requirements; (ii) any modification of the Services by Client or any third party not authorized in
writing by Smarsh; (iii) the combination of the Services with any technology or other services,
software, or technology not provided or authorized in writing by Smarsh; or (iv) Client's failure to
use updated or modified versions of the Services made available by Smarsh.
11.3. Sole Remedy. The indemnification obligations contained in this Section are Client's sole remedy,
and Smarsh's sole obligation, with respect to claims of infringement under the Agreement. If
the Services are subject to, or Smarsh reasonably believes that the Services may become subject
to, a claim of infringement under Section 11.2, Smarsh may, in its sole discretion, either (a) procure
for Client the right to continue to use the Services; (b) modify the Services such that they are
non-infringing; or (c) if in the reasonable opinion of Smarsh, neither (a) nor (b) is commercially
feasible, then Smarsh may, upon thirty (30) days' prior written notice to Client, terminate the
applicable Service.
The Indemnification section shall survive the termination of this Agreement.
12. Remedies and Limitation of Liability.
12.1. Remedies.
12.1.1. Performance. In the event of a breach of any performance warranty under this Section,
Smarsh will use commercially reasonable efforts to provide Client with an error correction
or work-around that corrects the reported non-conformity. The foregoing remedy is Client's
sole and exclusive remedy for a breach of this Section. In the event that Smarsh is unable
to provide an error correction or work-around that corrects the reported non-conformity,
Client may terminate the applicable Service and be entitled to a pro-rata refund of any pre-
paid Fees for the duration of time between the termination date of such Service and the
end of the applicable Service Term.
12.1.2. Service Levels. In the event of a breach of the applicable Service Level Agreement, Smarsh
will provide Client with the credit stated in the Service Level Agreement. The foregoing
remedy is Client's sole and exclusive remedy for a breach of the applicable Service Level
Agreement.
12.2. Limitation of Liability.
12.2.1. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER, OR TO ANY THIRD PARTY,
FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL
DAMAGES ARISING FROM OR IN CONNECTION WITH THE SERVICES, WHETHER BASED
ON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR
WHETHER THE PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SMARSH WILL NOT BE LIABLE FOR ANY DAMAGES, WHETHER CONSEQUENTIAL OR
OTHERWISE, ARISING FROM OR RELATED TO CLIENT'S NON-COMPLIANCE WITH ANY
FEDERAL, STATE, OR FOREIGN LAWS, RULES, REGULATIONS, OR DIRECTIVES.
12.2.2. EXCEPT WITH RESPECT TO SECTION 11 - INDEMNIFICATION, SMARSH'S AGGREGATE
LIABILITY FOR ALL DAMAGES ARISING FROM OR RELATING TO THIS AGREEMENT,
NOTWITHSTANDING THE FORM IN WHICH ANY ACTION IS BROUGHT (E.G., CONTRACT,
TORT, OR OTHERWISE), WILL NOT EXCEED THE TOTAL FEES ACTUALLY RECEIVED BY
SMARSH FROM CLIENT FOR THE APPLICABLE SERVICES IN THE TWELVE (12) MONTH
PERIOD IMMEDIATELY PRECEDING THE DATE OF THE INCIDENT FROM WHICH THE
DAMAGES AROSE.
12.2.3. THE LIMITATION OF LIABILITY SET FORTH ABOVE IS CUMULATIVE; ALL PAYMENTS MADE
FOR ALL CLAIMS AND DAMAGES WILL BE AGGREGATED TO DETERMINE IF THE LIMIT HAS
BEEN REACHED.
The Remedies & Limitation of Liability section shall survive the termination of this Agreement.
13. General Terms.
13.1. Data Security and Privacy. Smarsh shall implement and maintain commercially reasonable
and appropriate technical and organizational measures to protect Client Data, including any
Personal Information contained within the Client Data, as set forth in Smarsh's Information
Security Addendum attached to this Agreement. If Client intends to transmit any Personal
Information or Personal Data to Smarsh, the transfer and processing of such Personal
Information will be subject to Smarsh's Data Processing Addendum, a copy of which can be
requested from privacy@smarsh.com.
13.2. Export Restrictions. Client will comply with the applicable export laws and regulations of the
United States and other applicable jurisdictions when using the Services. Client will not transfer
the Software, or any other software or documentation provided by Smarsh (a) to any person on
a government promulgated export restriction list; or (b) to any U.S.-embargoed countries.
Without limiting the foregoing: (a) Client represents that it and its Authorized Users and any
other users of the Services are not named on any United States government list of persons or
entities prohibited from receiving exports; (b) Client represents that Client will not use the
Software or Services in a manner which is prohibited under United States Government export
regulations; (c) Client will comply with all United States anti-boycott laws and regulations; (d)
Client will not provide the Software or Service to any third party, or permit any user to access or
use the Software or Service, in violation of any United States export embargo, prohibition or
restriction; and (e) Client will not, and will not permit any user or third party to, directly or
indirectly, export, re-export or release the Software or Services to any jurisdiction or country to
which, or any party to whom, the export, re-export or release is prohibited by applicable law,
regulation or rule.
13.3. Assignment. Neither party may assign this Agreement, in whole or in part, without the other
party's prior written consent, except that either party may assign this Agreement without the
other's consent in the case of a merger, reorganization, acquisition, consolidation, or sale of all,
or substantially all, of its assets ("Change of Control"). Any attempt to assign this Agreement
other than as permitted herein will be null and void. This Agreement will inure to the benefit of,
and bind, the parties' respective successors and permitted assigns.
13.4. Force Majeure. A failure of a party to perform, or an omission by a party in its performance of,
any obligation of this Agreement will not be a breach of this Agreement, nor will it create any
liability, if such failure or omission arises from any cause or causes beyond the reasonable control
of the parties, including, but not limited to the following (each a "Force Majeure Event"): (a) acts
or omissions of any governmental entity; (b) any rules, regulations or orders issued by any
governmental authority or any officer, department, agency or instrumentality thereof; (c) fire,
storm, flood, earthquake, accident, war, rebellion, insurrection, riot, third party strikes, third party
lockouts and pandemics; or (d) utility or telecommunication failures; so long as such party
provides prompt notice of the Force Majeure Event, uses reasonable efforts to mitigate the
impact of the Force Majeure Event, and uses reasonable efforts to resume performance after
any such Force Majeure Event. A Force Majeure Event will not relieve Client's obligation to pay
Fees under this Agreement. This section shall survive the termination of this Agreement.
13.5. Governing Law. This Agreement will be governed by and construed in accordance with the
laws of the State of Delaware, without regard to conflict/choice of law principles. This Section
shall survive the termination of this Agreement.
13.6. Relationship of the Parties. The parties are independent contractors as to each other, and
neither party will have power or authority to assume or create any obligation or responsibility on
behalf of the other. This Agreement will not be construed to create or imply any partnership,
agency, or joint venture.
13.7. Legal Notices. Any legal notice under this Agreement will be in writing and delivered by
personal delivery, express courier, certified or registered mail, postage prepaid and return
receipt requested, or by email. Notices will be deemed to be effective upon personal delivery,
one (1) day after deposit with express courier, five (5) business days after deposit in the mail, or
when receipt is acknowledged in the case of email to Smarsh. Notices will be sent to Client at
the address set forth on the Order Form or such other address as Client may specify. Notices will
be sent to Smarsh at the following address: Smarsh Inc., Attention: Legal, 851 SW 6th Ave, Suite
800, Portland, OR 97204, or in the case of email, to [email address illegible].
13.8. Publicity. Smarsh may disclose that Client is a customer of Smarsh, provided, however, that
Client may revoke, limit, or withdraw its consent at any time by providing Smarsh with written
notice to [email address illegible].
13.9. Severability; Waiver. If for any reason a court of competent jurisdiction finds any provision or
portion of this Agreement to be unenforceable, that provision of the Agreement will be enforced
to the maximum extent permissible so as to reflect the intent of the parties, and the remainder
of this Agreement will continue in full force and effect. Failure of either party to insist on strict
performance of any provision herein will not be deemed a waiver of any rights or remedies that
either party will have and will not be deemed a waiver of any subsequent default of the terms
and conditions thereof.
13.10. Entire Agreement; Electronic Signatures. This Agreement is the entire agreement between
the parties with respect to its subject matter, and supersedes any prior or contemporaneous
agreements, negotiations, and communications, whether written or oral, regarding such
subject matter. Smarsh expressly rejects all terms contained in Client's purchase order
documents and such terms form no part of this Agreement. The parties agree that electronic
signatures, whether digital or encrypted, or Client's click-through acceptance of this Agreement,
give rise to a valid and enforceable agreement. This Agreement shall become effective as
between the Client and Smarsh upon Client's signature of the applicable Order Form
referencing this Agreement.
13.11. Amendments. This Agreement may be amended in accordance with this Section. The Parties
may amend this Agreement by a writing signed by both parties. For the avoidance of doubt,
electronic communications on their own will not amend this Agreement. Smarsh may amend
this Agreement (or any Service Specific Terms) by providing Client with written notice of any
update to the Agreement (including a general description of the changes), and such update(s)
shall be deemed to be effective between the Parties fifteen (15) days after the date of such notice,
unless Client objects to such changes in writing within the fifteen-day period.
13.12. Letter of Undertaking. Upon Client's written request and only to the extent that Smarsh is
providing an "electronic record keeping system" as described in SEC Rule 17a-4(f) (or similar SEC
Rule such as 18a-6), Smarsh agrees to provide the Client with an undertaking that (i) Smarsh's
archive software (as applicable) used by Client is an "electronic recordkeeping system," and (ii)
that Smarsh will facilitate within its ability, and not impede or prevent, the examination, access,
download, or transfer of the Client's records by a representative or designee of the Securities
and Exchange Commission as permitted under the law, or a trustee appointed under the
Securities Investor Protection Act of 1970 ("17a-4 Letter"). In the event that Client requires a
17a-4 Letter, Client represents and warrants to Smarsh that (i) Client (or a Client Affiliate) is subject
to the rules of the Securities and Exchange Commission governing the maintenance and
preservation of the records (e.g., Client Data) maintained by the SaaS Service, (ii) Client has
"independent access" to, and the ability to download, Client Data using the SaaS Service, and (iii)
Client consents to Smarsh fulfilling its obligations with respect to the provision of the Services
under this Agreement and to Smarsh providing the required undertakings as set forth in SEC
Rule 17a-4(f), including those required by 17a-4(f)(3)(v)(A), 17a-4(i)(1)(ii)(A), or any successor
provisions. In the event that Client wishes for Smarsh to act as a "designated third party" under
SEC Rule 17a-4(f)(3)(v)(A), Client must provide Smarsh with advance written notice and the ability
to consent to such role, and such consent may require Client to agree to certain reasonable
conditions in order for Smarsh to act in such capacity.
13.13. Audits.
13.13.1. Annual Due Diligence & Security Audits. Smarsh uses external auditors to verify the
adequacy of Smarsh's Security Program ("Security Audits"). Smarsh agrees to conduct
Security Audits on an annual basis using independent third party auditors according to ISO
27001 or SSAE 18 standards (or any equivalent standard). Client agrees that Smarsh may
satisfy Client's audit requests (which shall in no event be more than once every 12 months)
by making available (to the extent applicable and available for the applicable SaaS Service)
to Client, Smarsh's most recent (i) standard information gathering questionnaire, (ii) ISO
27001 report (or other similar third party audit report), (iii) annual independent SSAE 18
report (to the extent available), and (iv) an executive summary of Smarsh's most recent
annual penetration test for the applicable SaaS Services ("Standard Audit
Documentation") to demonstrate its compliance with the terms of this Agreement.
Smarsh will use commercially reasonable efforts to respond to such requests for due
diligence within 30 days of receiving such request, with, at a minimum, Smarsh's Standard
Audit Documentation, and in the case of additional requests for information, a proposed
timeframe for response (based on the nature and scope of the requests). Upon written
notice, Smarsh reserves the right to charge and Client agrees to pay for any requests that
require more than one (1) hour to complete.
13.13.2. Additional Audits & Due Diligence Questionnaires. If Client requires Smarsh to (i)
respond to Client's or a third party's due diligence questionnaires, or (ii) answer
questionnaires that are outside the scope of Section 13.12.1 (determined at Smarsh's
reasonable discretion) in addition to the Standard Audit Documentation, such requirement
will be referred to as a Non-Standard Audit. In the event Client elects to audit Smarsh using
a Non-Standard Audit, Smarsh, at Client's sole expense, will respond to such additional
requests for information under the Non-Standard Audit, including additional security
questionnaires, subject to Smarsh's standard hourly rate (currently $300/hr) which may be
modified by Smarsh from time to time. Prior to answering such additional questionnaire(s)
or due diligence, Smarsh will provide Client with an estimate of the cost associated with
responding to such questions, and may request a deposit, before beginning such work.
Smarsh will use commercially reasonable efforts to respond to such requests for a
Non-Standard Audit within 30 days of receiving such request, with, at a minimum, Smarsh's
Standard Audit Documentation, and a proposed timeframe for response (based on the
nature and scope of the requests).
13.13.3. Regulatory Requests for Information. If Client receives a request for information about
Smarsh's provision of Services from a regulator or regulatory authority with jurisdiction over
the Client, Smarsh agrees to provide reasonable cooperation and assistance to Client to
address any such requests in a reasonable and timely manner, including by making
available to the regulator Smarsh's Standard Audit Documentation. For the sake of clarity,
a request for information under this section by the Client to answer questions from a
regulatory authority about Smarsh's provision of services to Client will not be considered
Client's annual Security Audit.
This Audits section shall survive the termination of this Agreement.
13.14. Drafting. The Parties have participated jointly in the negotiation and drafting of this Agreement.
In the event an ambiguity or question of intent or interpretation arises, this Agreement shall
be construed as if drafted jointly by the Parties and no presumption or burden of proof shall
arise favoring or disfavoring any Party by virtue of the authorship of any of the provisions of this
Agreement.
13.15. Conflict. In the event of a conflict between the terms of this Agreement, the applicable Data
Processing Addendum, the relevant Statement of Work, and the relevant Order Form, the
conflict shall be resolved in the following order of precedence with each taking precedence over
those listed subsequently, unless specifically set forth otherwise in the applicable agreement or
document:
1. The Data Processing Addendum (with respect to the processing of Personal Data);
2. The Agreement;
3. The relevant Order Form;
4. The relevant Statement of Work (if entered into by the parties);
Any additional, conflicting, or different terms or conditions proposed by Client in any Client issued
document are hereby rejected by Smarsh and excluded herefrom.
SERVICE SPECIFIC TERMS EXHIBIT
The Service Specific Terms contained herein shall apply to Client during the applicable Service Term if
Client uses, or purchases, the applicable Service.
Service Specific Terms for Services not purchased nor used by Client shall not apply unless or until that
time when Client or a Client Affiliate uses or purchases such Services.
The applicable Service Specific Terms are incorporated into this Agreement by reference.
These Service Specific Terms shall govern Client's use of the applicable Services. Client's use of the
applicable Service shall be deemed to be acceptance of the applicable Service Specific Terms.
The Client agrees to comply with the applicable Service Specific Terms for the duration of the Agreement
or applicable Service Term for such Service.
SERVICE SPECIFIC TERMS
Service Specific Terms - Professional Archive
Service Specific Terms - Cloud Capture
Service Specific Terms - Capture Mobile
Service Specific Terms - Web Archive
Service Specific Terms - Vendor Risk Management
Service Specific Terms - Nuclei (resold by Smarsh)
Service Specific Terms - Umony (resold by Smarsh)
Service Specific Terms - Business Solutions (resold by Smarsh)
Service Specific Terms - Smarsh University
SERVICE SPECIFIC TERMS - PROFESSIONAL ARCHIVE
1. Service Description. "Professional Archive" is a SaaS Service that enables Client to capture and
archive data from the Client's Third-Party Services. Professional Archive includes additional modules,
including a supervision module for compliance review of electronic communications and a discovery
module for managing the collection of electronic communications for litigation holds, eDiscovery,
and regulatory audits. Professional Archive is licensed by Connections. A "Connection" means one
of the following, as applicable to the specific Channel: (a) a user account such as an email mailbox;
(b) an instant message account or screen name; (c) a social media page or profile; or (d) a mobile
device phone number.
2. Data Retention. Professional Archive is designed to retain Client Data within Professional Archive
during the Term of the Agreement for the retention periods set by Client. Unless configured
otherwise, the maximum retention period is 7 years. If Client requires Client Data to be retained for
longer than 7 years, additional fees will apply. Client is solely responsible for ensuring that the default
retention period or any other retention policies implemented by Client within the Professional
Archive comply with any applicable legal, regulatory, or Client internal requirements. Data
that Client sends on removable media to Smarsh for import into the Professional Archive as Client
Data will be subject to import fees and additional storage fees, as specified in the applicable Order
Form. Data that is sent from Connected Capture or any other external capture service to the
Professional Archive as Client Data will be subject to additional storage fees, as specified in the
applicable Order Form. Following termination or expiration of the Agreement, Smarsh will retain
Client Data for up to six (6) months to allow time for Client to make alternative arrangements for
long-term data storage. Thereafter, Smarsh may delete Client Data in its sole discretion.
3. Client Data Exports. During the Term and subject to certain restrictions, Client may complete self-
service exports of Client Data using Professional Archive's standard tools and processes (as set forth
in the Documentation). Client may also engage Smarsh to perform exports of Client Data on Client's
behalf by signing a separate Order Form and paying the associated Professional Services Fees.
Following termination or expiration of the Agreement, Client may maintain access to the Professional
Archive and the ability to complete self-service exports by executing a separate historical access
agreement. In the alternative, Client may engage Smarsh to perform an export on Client's behalf of
all or a portion of the Client Data remaining in the Professional Archive by signing a separate Order
Form and paying the associated Professional Services Fees.
4. Client Obligations. Client is responsible for configuring applicable third-party platforms or systems
to transmit Client Data to the Professional Archive. If Client wishes to ingest its historical data into
the Professional Archive, Client must provide such data in a format acceptable to Smarsh. No later
than the second business day of each month, Client shall submit to Smarsh usage reports for the
prior month in a format specified by Smarsh.
5. Service Environment. The Professional Archive is hosted on a Smarsh-managed service
environment in the United States.
6. Service Levels. Professional Archive, and the relevant support services, will be provided in
accordance with the Service Level Agreement attached to this Agreement. For the sake of clarity,
in the event of a breach of these SLAs with respect to Professional Archive, Smarsh will provide Client
with the credit stated in the SLAs. The foregoing remedy is Client's sole and exclusive remedy for a
breach of the applicable SLAs.
9. Mobile Terms. In the event that Client enables the capture of content and electronic data for
certain mobile phone carriers (such as Verizon, AT&T), Smarsh is required to pass along additional
pass-through terms, and such terms of service shall apply and govern Client's capture and use of such third
party capture channel (as between Client and the applicable third party). Client agrees to comply with
such additional pass-through terms for the applicable carrier, as applicable and set forth below in the
Carrier Pass Through Terms of Use.
SERVICE SPECIFIC TERMS - CLOUD CAPTURE
1. Service Description. The "Capture Platform" is a software as a service platform that enables
Client to capture electronic communications (outside of Mobile communications) and other
content types from various Third-Party Services, such as email, and transmit such electronic
communications to a location designated by the Client, such as (i) Client's own archive system,
(ii) Client's archive with Smarsh, or (iii) Client's third-party archive system.
2. Temporary Data Retention. The Capture Platform is designed to retain Client Data for
temporary retention periods ("Temporary Retention Period") of up to 30 days, as designated by
the Client in the Capture Platform. The maximum retention period for the Capture Platform is 90
days.
3. Data Deletion. The Capture Platform is designed to delete Client Data after the expiration of
the Temporary Retention Period.
4. Service Environment. Smarsh will deploy the Capture Platform in a multi-tenant service
environment located in the United States using AWS as a cloud hosting provider.
5. DISCLAIMER. THE CAPTURE PLATFORM IS NOT DESIGNED TO BE USED FOR LONG TERM
STORAGE OR AS A DATA ARCHIVE. THE CAPTURE PLATFORM IS NOT DESIGNED TO PERFORM
AS AN ARCHIVE OF RECORD ON BEHALF OF THE CLIENT OR TO MEET CLIENT'S RECORD
RETENTION REQUIREMENTS. WITH RESPECT TO THE CAPTURE PLATFORM ONLY, SMARSH
EXPRESSLY DISCLAIMS ANY RESPONSIBILITY OR OBLIGATION IMPOSED ON THIRD-PARTY
RECORD HOLDERS (AS A SERVICE PROVIDER TO THE APPLICABLE REGULATED ENTITY) BY
STATUTE OR BY RULE, REGULATION OR OPINION OF ANY GOVERNMENTAL AGENCY,
REGULATORY ORGANIZATION OR SIMILAR INSTITUTION, INCLUDING WITHOUT LIMITATION,
THE U.S. SECURITIES AND EXCHANGE COMMISSION, THE FINANCIAL INDUSTRY REGULATORY
AUTHORITY, OR ANY SECURITIES EXCHANGE.
6. Service Levels. Cloud Capture, and the relevant support services, will be provided in accordance
with the Service Level Agreement attached to this Agreement. For the sake of clarity, in the
event of a breach of these SLAs with respect to Cloud Capture, Smarsh will provide Client with
the credit stated in the SLAs. The foregoing remedy is Client's sole and exclusive remedy for a
breach of the applicable SLAs.
7. Mobile Terms. In the event that Client enables the capture of content and electronic data for
certain mobile phone carriers (such as Verizon, AT&T), Smarsh is required to pass along additional
pass-through terms, and such terms of service shall apply and govern Client's capture and use of
such third party capture channel (as between Client and the applicable third party). Client agrees
to comply with such additional pass-through terms for the applicable carrier, as applicable and
set forth below in the Carrier Pass Through Terms of Use.
SERVICE SPECIFIC TERMS - CAPTURE MOBILE
1) MOBILE APP CAPTURE SERVICES. The Capture Mobile Services provided by Smarsh (or one of
its affiliates) to Client enables Client to capture electronic communications and other content types from
(such service as "Mobile App Capture Services"):
i. Certain Consumer Mobile Apps, such as WhatsApp, Telegram, or Signal
("Consumer Mobile Apps") installed on (a) Client's corporate mobile devices, and (b) to the extent
authorized, on Client's employees' personal mobile devices.
ii. Smarsh's "Bring Your Own Device" (BYOD) Mobile App ("BYOD Mobile App")
installed on (a) Client's corporate devices, and (b) to the extent authorized, on Client's employees'
personal mobile devices.
iii. Smarsh's "Mobile Device App" ("Mobile Device App") installed on Client's
corporate devices.¹
2) MOBILE CARRIER CAPTURE SERVICES.
A. Subject to any applicable Mobile Carrier (defined below) specific requirements, the
Capture Mobile Services provided by Smarsh (or one of its affiliates) to Client enables Client to
capture electronic communications, and other content types from (such service as "Mobile
Carrier Capture Services"):
i. Certain mobile telecommunication carriers ("Mobile Carriers") located within the United
States when using Client's corporate devices registered with such Mobile Carrier, such as Verizon,
AT&T, or US Cellular.
ii. Certain Mobile Carriers located outside the United States when using Client's corporate
devices registered with such Mobile Carrier, such as Bell Canada, Telus, Rogers, O2.
B. CLIENT OBLIGATIONS. Client is responsible for configuring any applicable third-party
platforms or systems to enable the transmission of Client Data to the Mobile Carrier Capture
Services, including any specific requirements of any Mobile Carrier.
3) Additional Terms. In the event that Client leverages the Capture Mobile Service and uses certain
Mobile Carriers (such as Verizon, AT&T), Smarsh is required by such Mobile Carriers to pass along
such carriers' additional terms of service to the Client set forth below ("Carrier Pass Through
Terms of Use"). Those Carrier Pass Through Terms of Use shall be by and between the Client and
the applicable Mobile Carrier and only apply to Client's capture and use of such electronic
communications and content types from the applicable Mobile Carrier. Client agrees to comply
with the Carrier Pass Through Terms of Use of those Mobile Carriers used by Client in connection
with these Service Specific Terms.
4) Temporary Data Retention. The Capture Mobile Services are designed to retain Client Data for
a temporary retention period of ("Temporary Retention Period") up to 30 days, as configured by the Client.
5) Data Deletion. The Capture Mobile Services are designed to delete Client Data after the
expiration of the Temporary Retention Period.
¹ Certain restrictions apply. The Mobile Device App may only be installed on certain mobile devices running select versions of Apple iOS or
Android mobile software.
6) Service Environment. Unless agreed otherwise by the Parties in writing, the Capture Mobile
Services are deployed in a service environment or data center located in the United States. Client Data
will be stored and maintained by the Capture Mobile Services within the United States.
7) Capture Mobile Service Documentation. Smarsh will make available to the Client the Capture
Mobile Service Documentation in Smarsh's support portal - http://central.smarsh.com
("Documentation"), including any performance constraints or service guidelines, as amended from time
to time, or directly upon written request.
8) UNIQUE PHONE NUMBERS².
a) Phone Numbers. The Capture Mobile Services may require Client to use a unique phone
number in connection with the Capture Mobile Services in order to send and receive messages
and other data using the applicable mobile device application on a Client user's device
(generally "Mobile App," and included as part of the "Capture Mobile Services"). Upon written
request, Smarsh can provide Client with unique phone numbers which will be allocated to the
applicable client device user's account ("Smarsh Numbers"). Provision of Smarsh Numbers is
subject to applicable numbering rules and regulatory practices, which may change or be
amended from time to time, as well as additional fees associated with such lines. Smarsh
reserves the right to change the terms related to Smarsh Numbers accordingly, including
without limitation to impose or amend local residency requirements and/or to require the
provision of further user information for continued access to defined Smarsh Numbers.
b) Smarsh Number Restrictions. The Mobile Apps and Smarsh Numbers do not support any type
of emergency calling, nor does it support activation of SMS. Client cannot use Smarsh Numbers
to receive messages for the purpose of identity verification, such as activation via SMS or
activation calls, and the like.
c) Compliance. Client may purchase and allocate Smarsh Numbers to User accounts subject to
compliance with the allocation requirements displayed upon subscription to receive a Smarsh
Number. Client, and not Smarsh, is responsible for compliance with any requirements related to
the residence and/or the location of Client's Users.
9) Notice & Consent. Client is only authorized to use the Capture Mobile Services to capture electronic
communications (both incoming and outgoing) from mobile devices or corporate mobile
accounts linked to Client's current employees and independent contractors (each a "Client
Individual"). Prior to capturing electronic communications of the Client Individual, Client shall (i)
provide each Client Individual with clear and conspicuous notice of Client's policies regarding
Client's receipt, transmission, capture, use and storage of such Client Individual's, and generally
Client's employees' and independent contractors' electronic communications, (ii) obtain such
Client Individual's consent for such capture of their electronic communications, and (iii) ensure
that such Client Individual has been made aware of, and understands that, they have no
reasonable expectation of privacy with respect to their electronic communications connected to
such devices and accounts. To the extent required by applicable law, Client is responsible for
ensuring that all Client Individuals using mobile devices or mobile account lines subject to the
Capture Mobile Services inform any third parties that such Client Individual's electronic
communications are being captured and retained by Client. Client shall process all Personal Data
or Personal Information in accordance with all applicable data protection and privacy laws.
10) DISCLAIMER; LIMITATION OF LIABILITY
² For clarity, the Mobile Device App may not require a unique Phone Number and may use Client's corporate
device mobile carrier line.
a. THE CAPTURE MOBILE SERVICES ARE NOT DESIGNED TO BE USED FOR LONG-TERM
STORAGE OR AS A DATA ARCHIVE SERVICE. THE CAPTURE MOBILE SERVICE IS NOT DESIGNED TO
PERFORM AS AN ARCHIVE OF RECORD ON BEHALF OF THE CLIENT OR TO MEET CLIENT'S RECORD
RETENTION REQUIREMENTS. WITH RESPECT TO THE CAPTURE MOBILE SERVICES ONLY, SMARSH
EXPRESSLY DISCLAIMS ANY RESPONSIBILITY OR OBLIGATION IMPOSED ON THIRD-PARTY
RECORD HOLDERS (AS A SERVICE PROVIDER TO THE APPLICABLE REGULATED ENTITY) BY
STATUTE OR BY RULE, REGULATION OR OPINION OF ANY GOVERNMENTAL AGENCY, REGULATORY
ORGANIZATION OR SIMILAR INSTITUTION, INCLUDING WITHOUT LIMITATION, THE U.S. SECURITIES
AND EXCHANGE COMMISSION, THE FINANCIAL INDUSTRY REGULATORY AUTHORITY, OR ANY
SECURITIES EXCHANGE.
b. GENERAL. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT,
CLIENT EXPRESSLY ACKNOWLEDGES AND AGREES THAT USE OF THE CAPTURE MOBILE SERVICES
AND THE INTERNET GENERALLY IS AT CLIENT'S OWN RISK AND, EXCEPT AS SPECIFICALLY
PROVIDED FOR HEREIN, THAT THE CAPTURE MOBILE SERVICES ARE PROVIDED "AS IS" AND "AS
AVAILABLE" WITHOUT ANY WARRANTIES OR CONDITIONS WHATSOEVER, EXPRESS OR IMPLIED.
SMARSH WILL USE COMMERCIALLY REASONABLE EFFORTS TO MAKE ACCESS TO THE CAPTURE
MOBILE SERVICES AVAILABLE TO CLIENT THROUGH THE REQUIRED ACCESS PROTOCOLS BUT
MAKES NO WARRANTY OR GUARANTEE THAT CLIENT WILL BE ABLE TO ACCESS THE SERVICE OR
ANY PART THEREOF AT ANY PARTICULAR TIME OR ANY PARTICULAR LOCATION.
c. ADDITIONAL LIMITATIONS. WITHOUT LIMITING THE GENERALITY OF THE TERMS SET
FORTH HEREIN, SMARSH AND ITS AFFILIATES, AGENTS, CONTENT PROVIDERS, SERVICE
PROVIDERS, AND LICENSORS:
(I) HEREBY DISCLAIM ALL EXPRESS AND IMPLIED WARRANTIES AS TO THE ACCURACY,
COMPLETENESS, NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE OF THE SERVICE GENERALLY, AND ANY CONTENT OR SERVICES CONTAINED
THEREIN, AS WELL AS ALL EXPRESS AND IMPLIED WARRANTIES THAT THE OPERATION OF THE
CAPTURE MOBILE SERVICES GENERALLY AND ANY CONTENT OR SERVICES CONTAINED
THEREIN WILL BE UNINTERRUPTED OR ERROR-FREE;
(II) SHALL IN NO EVENT BE LIABLE TO CLIENT OR ANYONE ELSE FOR ANY INACCURACY,
ERROR OR OMISSION, OR LOSS, INJURY OR DAMAGE CAUSED IN WHOLE OR IN PART BY
FAILURES, DELAYS OR INTERRUPTIONS IN THE CAPTURE MOBILE SERVICES, OR INSTALLATION
AND COMPUTER, MOBILE PHONE OR TABLET DISRUPTIONS RELATED TO THE SERVICES, AND
ANY CONTENT OR SERVICES CONTAINED THEREIN. SMARSH SHALL IN NO EVENT BE LIABLE TO
CLIENT OR ANYONE ELSE FOR ANY CONSEQUENTIAL, INCIDENTAL, OR SPECIAL DAMAGES
ARISING OUT OF, RESULTING FROM, OR RELATING IN ANY MANNER TO THE USE OR INABILITY
TO USE THE CAPTURE MOBILE SERVICES, AND ANY CONTENT OR SERVICES CONTAINED
THEREIN.
(III) SMARSH SHALL IN NO EVENT BE LIABLE TO REIMBURSE MESSAGE CREDITS,
REIMBURSE PAYMENTS OR HAVE ANY OTHER LIABILITY FOR MESSAGES THAT WERE SENT
BUT NOT DELIVERED, NOT RECEIVED OR NOT ACCURATELY DISPLAYED, HEARD OR
REPRESENTED ON ANY SUCH COMMUNICATION DEVICE DUE TO THE FAILURE OF SUCH THIRD
PARTIES DUE TO THE FACT THAT DELIVERY METHODS OF ELECTRONIC COMMUNICATIONS TO
VARIOUS COMMUNICATION DEVICES IS SUBJECT TO A COMBINATION OF NETWORK
PROVIDERS' AND SERVICE PROVIDERS' TERMS AND CONDITIONS AND NETWORK STATUS
OVER WHICH SMARSH HAS NO CONTROL
(IV) HEREBY DISCLAIMS ANY LIABILITY OF ANY KIND FOR COSTS OR DAMAGES ARISING
OUT OF PRIVATE OR GOVERNMENTAL LEGAL ACTIONS RELATED TO CLIENT'S USE OF ANY OF
THE CAPTURE MOBILE SERVICES IN ANY COUNTRY.
d. HIGH RISK ACTIVITIES. THE CAPTURE MOBILE SERVICES ARE NOT FAULT-TOLERANT AND ARE
NOT DESIGNED, MANUFACTURED OR INTENDED FOR USE OR RESALE AS ONLINE CONTROL
EQUIPMENT IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, INCLUDING
BUT NOT LIMITED TO USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR
COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, DIRECT LIFE SUPPORT MACHINES, OR
WEAPONS SYSTEMS, IN WHICH THE FAILURE OF SERVICE COULD LEAD DIRECTLY TO DEATH,
PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE ("HIGH RISK ACTIVITIES").
IN ADDITION TO THE OTHER DISCLAIMERS AND LIMITATIONS CONTAINED WITHIN THESE TERMS,
SMARSH AND ITS AFFILIATES, AGENTS, CONTENT PROVIDERS, SERVICE PROVIDERS AND
LICENSORS SPECIFICALLY DISCLAIM ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR HIGH
RISK ACTIVITIES INCLUDING EMERGENCY NOTIFICATION SERVICES.
SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF WARRANTIES OR
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY
NOT APPLY TO CLIENT. IN SUCH JURISDICTIONS, SMARSH'S LIABILITY (AND THE LIABILITY OF ITS
AFFILIATES, AGENTS, CONTENT PROVIDERS AND SERVICE PROVIDERS) SHALL BE LIMITED TO THE
GREATEST EXTENT PERMITTED BY APPLICABLE LAW.
11) SUB-PROCESSORS. The Capture Mobile Services may rely on the Sub-Processors set forth in the
Sub-Processor Exhibit attached hereto.
12) SERVICE LEVELS. The Capture Mobile Services, and the relevant support services, will be provided in
accordance with the Service Level Agreement attached to this Agreement. For the sake of clarity,
in the event of a breach of these SLAs with respect to Capture Mobile Services, Smarsh will provide
Client with the credit stated in the SLAs. The foregoing remedy is Client's sole and exclusive remedy
for a breach of the applicable SLAs.
CAPTURE MOBILE SERVICES
SUB-PROCESSOR EXHIBIT
Sub-Processor(s). With respect to the Capture Mobile Services, the following entities are
sub-processors:
Name               Location   Role
TeleMessage Ltd.   Israel     Support, Implementation
Microsoft Azure    USA        Infrastructure as a Service
CARRIER PASS THROUGH TERMS OF USE
AT&T MOBILE TERMS.
This agreement is between you as our subscriber ("You") and the affiliate of AT&T Mobility National
Accounts, LLC providing wireless service to You ("AT&T"), and it sets forth the terms and conditions
("Terms and Conditions") under which You agree to use and AT&T agrees to provide access to Archived
Messages through the Archived Messages Service (as such terms are defined below). By using the
Archived Messages Service, You accept these Terms and Conditions, which AT&T may modify from time
to time.
1. DEFINITIONS.
1.1. Archived Messages means a Participating Employee's Messages that AT&T has made available to
SMARSH for retrieval through use of SMARSH's Archived Messages Service.
1.2. Archived Messages Service means SMARSH's service that provides You access to Archived
Messages.
1.3. Customer Liable MDNs means a Mobile Directory Number (MDN) for AT&T wireless service that
is established under Your corporate account and corporate name and for which You are financially
responsible to AT&T for an AT&T service.
1.4. Employee Liable MDN means a MDN for AT&T wireless service that is established in the name of
an individual employee of Your company or other authorized individual and for which such individual is
financially responsible to AT&T for AT&T services.
1.5. Messages means messages sent or received by any Participating Employee via short message
service (SMS), multimedia message service (MMS) and/or AT&T Business Messaging Service.
1.6. Participating Employee means Your employee or other authorized user of a mobile device with
a Customer Liable MDN whose Customer Liable MDN(s) is subscribed to the Archived Messages Service.
2. ARCHIVED MESSAGES SERVICE.
2.1. You authorize AT&T to make the Messages available to Smarsh for use solely in connection with
SMARSH's Archived Messages Services.
2.2. You will only access, use, copy, store or disclose Archived Messages in accordance with these
Terms and Conditions. You will not access, use, copy, store or disclose Archived Messages for any other
purpose.
2.3. SMARSH. You will enter into an agreement with SMARSH Inc. ("SMARSH") for the Archived
Messages Service, and You will pay all of SMARSH's charges for such Archived Messages Service in
accordance with that agreement and these Terms and Conditions.
2.4. Customer Liable MDNs Only. You will enroll only Customer Liable MDNs in the Archived Messages
Service. You may not enroll any Employee Liable MDNs in the Archived Messages Service.
2.5. Notice and Consent. Prior to enrolling any individual's device in the Archived Messages Service
and accessing, using, storing, copying or disclosing any Participating Employee's Archived Messages,
You will provide advance disclosure to each such individual containing clear and conspicuous notice of
the terms and conditions of the Archived Messages Service, including how You and SMARSH will access,
use, copy, retain, protect or disclose such individual's Archived Messages, as well as the duration and
purpose of such access, use, copying or retention. You will also obtain all lawfully required consents for
those uses of such individual's Messages. You agree to maintain the currency of such consent at all times.
2.6. Transferring a Mobile Device or Customer Liable MDN to Another Employee. Prior to transferring
a mobile device or Customer Liable MDN that is enrolled in the Archived Messages Service to another
person, you will disenroll or notify SMARSH to disenroll the then-current Participating Employee and the
Customer Liable MDN on that mobile device from the Archived Messages Service.
2.7. Acknowledgement and Agreement. You acknowledge that AT&T will make the Archived
Messages available to SMARSH for use in connection with the Archived Messages Service and that AT&T
will have no further control for the Archived Messages after they are provided to SMARSH. You further
agree that AT&T will have no responsibility or liability to You with respect to the Archived Messages after
they are provided to SMARSH.
2.8. Limitations and Restrictions. You may access a Participating Employee's Archived Messages only
with that Participating Employee's express knowledge and consent. You must maintain records of each
Participating Employee's express, informed consent for You to collect and use his or her Archived
Messages. If a Participating Employee revokes such consent at any time, then you must immediately
cease initiating requests for that individual's Archived Messages.
2.9. Customer Business Records. You agree to maintain full, complete and accurate records related
to Your performance under these Terms and Conditions, and You agree to preserve such records for five
(5) years from the date of preparation; provided, however, that You agree to retain for at least five (5) years
following Your latest access to Archived Messages Service records that are sufficient to demonstrate each
Participating Employee's consent to Your access to and use of his or her Archived Messages. Such records
shall be available for inspection and copying by AT&T during Your normal business hours, upon five (5)
days' notice, but not more than once per quarter, unless otherwise required by applicable law, rule or
regulation. If You fail to comply with the obligations set forth in this Section, or if AT&T's review of such
records reveals that You are in violation of any of these Terms and Conditions, then, in addition to its
other remedies under these Terms and Conditions, Your account agreement with AT&T or at law or in
equity, AT&T may terminate your access to the Archived Messages.
2.10. Compliance with Laws, Policies and Practices. You agree to comply with all applicable laws, rules
and regulations, including all applicable consumer protection, marketing, data security, export and
privacy laws and Federal Trade Commission privacy initiatives. You are solely responsible for making any
disclosures required by law, rule, regulation, or otherwise regarding the nature, accuracy, effectiveness,
or limitations of the Archived Messages Service.
2.11. Indemnification. You agree to indemnify and hold AT&T, its officers, directors, employees and
agents harmless from and against any claim, damage or loss that is related to or arising out of Your failure
to comply with any of these Terms and Conditions, including reasonable attorney's fees.
VERIZON MOBILE TERMS
This agreement is between you as our subscriber and Verizon Wireless ("VZW") and it sets forth the terms
and conditions under which you agree to use, and we agree to provide access to, Archived Messages
through the Archived Messages Service (as such terms are defined below). By using the Archived
Messages Service, you accept these Terms and Conditions, which may be modified by us from time to
time.
1. Definitions.
1.1 Archived Messages means the Participating Employee's Messages available for retrieval by
Smarsh Inc. from VZW.
1.2 Archived Messages Service means Smarsh Inc.'s service that provides Archived Messages to you.
1.3 Corporate Liable VZW MDNs means a VZW Mobile Directory Number (MDN) that is established
under your corporate account and corporate name for which you are financially responsible for the
payment to VZW for VZW service.
1.4 Messages means messages sent or received by the Participating Employee via the short
message service (SMS) or the multimedia message service (MMS).
1.5 Participating Employee means your employee who has opted into the Archived Messages
Service via your Corporate Liable VZW MDN.
2. Archived Messages Service.
2.1 You will only access, use, copy, store or disclose Archived Messages in accordance with these
Terms and Conditions. Customer will not access, use, copy, store or disclose Archived Messages for any
other purpose.
(a) Smarsh Inc. You will enter into an agreement with Smarsh Inc. ("Smarsh Inc.") for the
Archived Messages Service and you will pay all of Smarsh Inc.'s charges for such Archived Messages
Service in accordance with such agreement.
(b) Corporate Liable VZW MDNs Only. You will enroll only Corporate Liable VZW MDNs in the
Archived Messages Service. You will not enroll any Employee Liable VZW MDNs in the Archived Messages
Service. "Employee Liable VZW MDN" means a VZW MDN that is established in the name of an individual
employee of your company and such individual employee is financially responsible for the payment to
VZW for VZW services.
(c) Notice and Consent. Prior to enrolling any employee in the Archived Messages Service and
accessing, using, storing, copying or disclosing any Participating Employee's Archived Messages, you will
provide advance disclosure to each employee containing clear and conspicuous notice of how you and
Smarsh Inc. (and its affiliate, Smarsh Inc.) will access, use, copy, retain, protect or disclose such employee's
Archived Messages, as well as the duration and purpose of such access, use, copying or retention. Prior
to enrolling any employee in the Archived Messages Service, you will obtain the employee's consent to
the archiving of the employee's Archived Messages, including a consent for a carrier to share the Archived
Messages with you and Smarsh Inc. and you will not access, use, store, copy or disclose any employee's
Archived Messages until such consent has been obtained.
(d) Revocation of Consent. You will ensure that each Participating Employee may immediately
revoke consent through readily available mechanisms to the Participating Employee. You will
immediately notify Smarsh Inc. of any such revocation of consent so that Smarsh Inc. can notify VZW of
such revocation. If consent is revoked, then you will not access, retrieve, use, store, copy or disclose such
employee's Archived Messages dated after the revocation date. You may access, use, store, copy or
disclose such employee's Archived Messages retrieved by you prior to such revocation date.
(e) Periodic Reminders. You will provide periodic reminders to each Participating Employee of its
enrollment in the Archived Messages Service.
(e) You acknowledge that VZW will make available to Smarsh Inc. the Archived Messages for use in
connection with the Archived Messages Service and VZW will have no further control or responsibility for
the Archived Messages once they are provided to Smarsh Inc.
(f) Limitations and Restrictions. You may access the Participating Employee's Archived Messages
only with that Participating Employee's express knowledge and consent. You must maintain records of
each employee's express, informed consent for you to collect such Participating Employee's Archived
Messages. If a Participating Employee revokes such consent at any time, then you must immediately
cease initiating requests for that employee's Archived Messages.
2.2 Customer Business Records. You will maintain full, complete and accurate records related to your
performance under these Terms and Conditions, and shall preserve such records for five (5) years from
the date of preparation; provided, however, that you will retain, for at least five (5) years following the
latest access to Archived Messages, records sufficient to demonstrate each employee's consent to access
and use its Archived Messages. Such records shall be available for inspection and copying by VZW during
your normal business hours, upon five (5) days' notice, but not more than once per quarter, unless
otherwise required by applicable law, rule or regulation. If you refuse to comply with the obligations set
forth in this Section or if VZW's review of such records reveals that you are in violation of any of these
Terms and Conditions, then, in addition to its other remedies under these Terms and Conditions, your
account agreement with VZW or at law or in equity, VZW may terminate your access to the Archived
Messages.
2.3 Compliance with Laws, Policies and Practices. You will comply with all applicable laws, rules and
regulations, including all applicable consumer protection, marketing, data security, export and privacy
laws and Federal Trade Commission privacy initiatives. You are solely responsible for making any
disclosures required by law, rule, regulation, or otherwise regarding the nature, accuracy, effectiveness,
or limitations of the Archived Messages Service.
2.4 Responsibility and Indemnification.
2.4(a) Responsibility. You assume all responsibility and risk for the Notice and Consent of Participating
Employees and the Periodic Reminders as set forth above.
2.4(b) Indemnification.
2.4(b)(1) You will defend, indemnify and hold harmless VZW, its Affiliates, and their respective directors,
officers, employees, contractors, agents, shareholders, any successors and assigns and their respective
heirs and legal representatives (collectively, the "VZW Indemnitees"), from and against any and all Claims
and Losses, reasonable attorney's fees and defense costs arising out of, relating to or resulting from your
acts or omissions or your failure to comply with the terms of Section 2.1(c) Notice and Consent and 2.1(e)
Periodic Reminders. For any Claims that are the subject of your indemnification obligations herein, VZW
will have sole control of the defense, unless VZW tenders such defense thereof to you, and will provide
you with reasonable information throughout the course of such defense. (i) "Claims" means any third
party claims, demands, actions, disputes, controversies or requests for equitable or injunctive relief by a
Participating Employee that you have not complied with your notice and/or consent requirements and
(ii) "Losses" means any damages or settlement amounts payable to a Participating Employee as a result
of the final adjudication or settlement of a Claim, including, without limitation, judgments, arbitration
awards, payments of interest, fines, assessments, penalties and deficiencies, and any other losses,
obligations, liabilities, costs or expenses suffered or incurred as a result of a Claim.
2.5(b)(2) Your indemnification obligations are subject to the following: (a) You will cooperate reasonably
with VZW in connection with any Claim; (b) You will not consent to the entry of any judgment or enter
into any settlement of Claim without VZW's prior written consent, which will not be unreasonably
withheld; and (c) You are obligated to VZW for its reasonable attorney's fees and expenses incurred in
the enforcement of the indemnification hereunder.
3. Billing and Payment. The billing and payment terms set forth in your account agreement with
VZW apply to all of Smarsh Inc.'s charges set forth on the VZW bill and you will pay VZW for all of Smarsh
Inc.'s charges set forth on the VZW bill in accordance with that agreement.
ADDITIONAL CARRIER TERMS FOR MOBILE CARRIER CAPTURE
O2
• https://www.telemessage.com/wp-content/uploads/2023/01/Hosted_Mobile_Recording_Schedule.pdf
• https://www.o2.co.uk/termsandconditions/business
ROGERS
• https://www.telemessage.com/wp-content/uploads/2023/02/Rogers_Hosted_Mobile_Recording_Schedule.pdf
• https://www.rogers.com/support/terms
BELL
• https://www.bell.ca/styles/common/all_languages/all_regions/pdfs/Bell_Terms_of_Service.pdf
TELUS
• https://www.telus.com/en/support/article/service-terms-between-you-and-telus
SERVICE SPECIFIC TERMS - WEB ARCHIVE
1. Service Description. "Web Archive" is a Service that crawls and captures Client-designated
websites and sends such captured content to Client's archive of record with Smarsh as Client Data, or to
a Client's own, or third party, archive. Web Archive is licensed based on (a) a domain Fee for each website
or video domain from which webpages and videos will be captured, and (b) a page Fee for each webpage
URL or video URL that will be captured.
2. Data Retention. Web Archive is designed to retain the Client Data captured by Web Archive
during the Term of the Agreement for the retention periods set by Client. Unless configured otherwise,
the maximum retention period is 7 years. If Client requires Client Data to be retained for longer than 7
years, additional fees will apply. Client is solely responsible for ensuring that the default retention period
or any other retention policies implemented by Client within Web Archive comply with any applicable
legal, regulatory, or Client internal requirements. Following termination or expiration of the Agreement,
Smarsh will retain Client Data up to a minimum of six (6) months. Thereafter, Smarsh may delete Client
Data in its sole discretion.
3. Service Environment. The Web Archive Service is hosted on a Smarsh-managed service
environment located in the United States.
4. Service Level Agreement. Web Archive, and the relevant support services, will be provided in
accordance with the Service Level Agreement attached to this Agreement. For the sake of clarity, in
the event of a breach of these SLAs with respect to Web Archive, Smarsh will provide Client with the
credit stated in the SLAs. The foregoing remedy is Client's sole and exclusive remedy for a breach of the
applicable SLAs.
SERVICE SPECIFIC TERMS — TWITTER
These Service Specific Terms — Twitter apply when Client uses a Connected Archive or a Connected
Capture Service to capture or archive Twitter content. Unless expressly stated otherwise, capitalized
terms contained in these Service Specific Terms have the meaning given them in the Smarsh Service
Agreement - General Terms.
1. Twitter Content. Twitter is a Third Party Service as further described in Section 5 (Third Party
Providers) of the Smarsh Service Agreement — General Terms. The Services capture the following
information from Twitter as Client Data: tweets created by end users, end users' comments, end
users' retweets where the retweet contains new end user content, end users' direct messages,
end users' blocks, end users' favorites, and end users' follows ("Twitter Content"). Smarsh will
capture only end user content as Twitter Content; it will not capture third-party content from
Twitter. Client is permitted to actively capture Twitter Content only for end users who are Client's
current employees or contractors. Client is prohibited from actively capturing Twitter Content for
any individual who is not a Client employee or contractor. Furthermore, Client is permitted to
capture Twitter Content from only those end user accounts that the employee or contractor uses
solely within the scope of its employment or contract with Client. Client will provide each
employee and contractor with clear and conspicuous notice of policies regarding the receipt,
transmission, storage, and use of employee's or contractor's Twitter Content. Client is responsible
for ensuring that each employee and contractor has agreed to such policies and that each
employee has been made aware that such employee has no reasonable expectation of privacy
in such employee's Twitter Content. Client will immediately disable Twitter Content capture
within the applicable Services for an employee or contractor when such employee's employment
or contractor's service with Client is terminated.
2. Acceptable Use of Twitter Content. Client may capture, archive, and use Twitter Content
contained in Client Data for the following purposes: (a) to meet legal and regulatory obligations
to store communications (e.g. SEC 17a4, MiFID 2); (b) to search and export communications in
response to litigation or regulatory requests (electronic discovery); and (c) to detect and prevent
misconduct by automatically flagging communications which match certain keyword policies
(driven by legal and regulatory requirements, such as FINRA rule 3110). If Client is a government
entity: (i) Client's use of the Services to capture and archive Twitter Content must be in
accordance with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4; and (ii) Client is
prohibited from using Twitter Content to conduct surveillance or gather intelligence.
3. Twitter TOS. Twitter requires Smarsh to pass through certain additional terms ("Twitter TOS").
Smarsh is not a party to the Twitter TOS. The Twitter TOS are subject to modification by Twitter.
The Twitter TOS are available at �I fl os woR r:r rj!,I, Client shall at all times comply with
the Twitter TOS when using the Services to capture or archive Twitter Content. Twitter may direct
Smarsh to cease the capture and archive of Twitter Content if Client violates the Twitter TOS.
Smarsh will have no liability for such termination of the Services pursuant to Client's or Client's
end users' violation of the applicable Twitter TOS.
4. Twitter Content and Data Privacy. As used in these Service Specific Terms — Twitter: (i) 'personal
data' and 'controller' have the meanings assigned in Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard
to the processing of Personal Data and on the free movement of such data and its implementing
regulations promulgated by the EU, EEA, and their individual member states ("GDPR"); (ii)
'process' has the meaning assigned in the GDPR or the California Consumer Privacy Act of 2018,
as amended (Cal. Civ. Code §§ 1798.100 to 1798.199) and its implementing regulations ("CCPA"), as
applicable; and 'personal information' and 'service provider' have the meaning assigned in the
CCPA.
4.1 Notwithstanding anything to the contrary in this Agreement or any other agreement to which Client
and Smarsh are parties, with respect to personal data and personal information contained in Twitter
Content that Smarsh captures and archives as Client Data, and any processing thereof by either Client or
Smarsh, the parties acknowledge and agree that:
a) Twitter and Client are joint controllers;
b) Smarsh is a processor and service provider that processes such personal data and personal
information on behalf of Client;
c) Client is solely responsible for all legal obligations of a controller or joint controller under
applicable Data Protection Laws & Regulations (as defined in the data privacy agreement
executed by the parties); and
d) in no event will Smarsh be obligated to fulfill the legal duties of a controller or a joint controller
related to Client Data.
4.2 Client will use the Services to process Twitter Content in accordance with applicable laws, including
but not limited to the GDPR, the CCPA, and all other applicable Data Protection Laws and Regulations.
4.3 As between the parties, Client is solely responsible for ensuring that its instructions to Smarsh to
capture, archive, or otherwise process Twitter Content comply with applicable Data Protection Laws and
Regulations.
SERVICE SPECIFIC TERMS - VENDOR RISK MANAGEMENT PLATFORM
1. Service Description. The "VRM Platform" is a software as a service platform that is designed to
assist the Client with assessing and auditing Client's service providers and vendors. The VRM
Platform includes the following functionalities:
• Custom vendor questionnaire and assessment creation;
• Workflow management to assign, distribute and track the status of tasks within the VRM
Platform
• Answer Scoring Automation, Filtering and Reporting
A "User" of the VRM Platform is someone who registers for a VRM Platform account at the behest
of Client.
2. Client Vendor Access. Client may invite Client Vendors to create an account to use the Client's
VRM Platform only for the express purpose of providing answers to Client's vendor
questionnaires and assessments. Client is responsible for all activities undertaken by Client's
Vendors that access and use Client's VRM Platform, including all content uploaded by the Vendor
into the VRM Platform.
3. Access. Subject to the terms of this Agreement, Client may access and use the VRM Platform for
the duration of the applicable respective subscription term as set forth in the Order Form. Smarsh
reserves the right to suspend Client's access to the VRM Platform, upon reasonable advance
written notice to the Client, if (i) Smarsh reasonably believes that Client's actions, or the actions
of Client's Users, is reasonably likely (in Smarsh's sole reasonable opinion) to negatively affect the
availability, quality, or performance of Smarsh's systems or the VRM Platform; or (iii) Smarsh in
good faith suspects that any unauthorized third party has gained access to the VRM Platform
using credentials issued to the Client by Smarsh. For the sake of clarity, Smarsh will provide Client
with reasonable advanced notice (to the extent commercially practicable) prior to suspending
Client's access.
4. Restrictions. The Client will not (and will not knowingly permit any third party to, including its
Users): (a) use the VRM Platform to develop a similar or competing product or service; (b) reverse
engineer, decompile, disassemble, or seek to access the source code, algorithms, or non-public
APIs to the VRM Platform or any related features; (c) modify or create derivative works of the VRM
Platform or copy any element of or related features with the VRM Platform; (d) copy, rent, lease,
distribute, assign, or otherwise transfer rights to the VRM Platform or any part thereof, for the
benefit of a third party; or remove any proprietary notices or labels from the VRM Platform or any
part thereof, (e) use the VRM Platform to perform or publish benchmarks or performance
information about the VRM Platform; (f) provide access to or sublicense the VRM Platform to a
third party except as authorized under the Agreement, (g) transmit, or allow any Third Party
Service to transmit on Client's behalf to Smarsh any data that is subject to PCI data storage
requirements, (h) use the VRM Platform in a manner that (i) violates applicable laws, rules, or
regulations, or (ii) negatively affects the availability, quality, or performance of the VRM Platform.
The Client will not, directly or indirectly, in whole or in part, use or knowingly permit the use of
any security testing tools in order to probe, scan or attempt to penetrate or ascertain the security
of the VRM Platform.
5. Content on VRM. Smarsh does screen or review the content uploaded to the VRM Platform by
or on behalf of Client ("Client Content"). Smarsh reserves the right to remove uploaded content
if it violates the terms of the Agreement or these Service Specific Terms, the AUP, or otherwise
threatens the safety and security of the VRM Platform. Client, and not Smarsh, is responsible for
all content uploaded into the VRM Platform by Client or Client's Users, including verifying the
accuracy and completeness of content uploaded by Users for the purpose of Vendor
assessments and questionnaires. Scores and results generated by the VRM Platform are
dependent on Client Content and the responsibility of the Client to verify. Client represents and
warrants that (a) Client Content will not (i) infringe any third party right, including third party
rights in patent, trademark, copyright, or trade secret, or (ii) constitute a breach of any other right
of a third party, including any right that may exist under contract or tort theories; (b) Client will
comply with all applicable local, state, national, or foreign laws, rules, regulations, or treaties in
connection with Client's use of the Services, including those related to data privacy, data
protection, communications, SPAM, or the transmission, recording, or storage of technical data,
personal data, or sensitive information. Smarsh is not responsible for Client's Content and Client
shall indemnify and hold Smarsh harmless of any damages, claims, penalties, liabilities arising
from Client Content.
6. Termination; Data Transition; Export of Client Content. Following the termination or expiration
of the applicable subscription term of the VRM Platform, Client will cease to have access to the
VRM Platform and the Client Content and content stored within the VRM Platform. Client is
responsible for exporting all Client Content and Content from the VRM Platform prior to the
termination or expiration of these Service Specific Terms or the Agreement. Thereafter, Smarsh
reserves the right to delete all data in Client's VRM Platform, including all account information
and Client Content. Upon such termination or expiration, Client agrees to immediately cease
using the VRM Platform and any associated Smarsh IP.
7. WARRANTY DISCLAIMER; NO GUARANTEE. EXCEPT AS SET FORTH ABOVE, SMARSH MAKES
NO REPRESENTATION OR WARRANTY OF ANY KIND IN CONNECTION WITH THE VRM
PLATFORM, INCLUDING, WITHOUT LIMITATION, ANY INFORMATION OR MATERIALS PROVIDED
OR MADE AVAILABLE BY SMARSH. SMARSH HEREBY DISCLAIMS ANY AND ALL OTHER
REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
NON-INFRINGEMENT. SMARSH DOES NOT REPRESENT OR WARRANT THAT THE VRM
PLATFORM WILL BE AVAILABLE OR ERROR-FREE. SMARSH WILL NOT BE LIABLE FOR DELAYS,
INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN THE USE OF THE
INTERNET, ELECTRONIC COMMUNICATIONS, OR OTHER SYSTEMS OUTSIDE THE REASONABLE
CONTROL OF SMARSH. SMARSH DOES NOT GUARANTEE THAT USE OF THE VRM PLATFORM BY
CLIENT WILL ENSURE CLIENT'S LEGAL COMPLIANCE WITH ANY FEDERAL, STATE, OR
INTERNATIONAL STATUTE, LAW, RULE, REGULATION, OR DIRECTIVE. THE VRM PLATFORM IS
NOT DESIGNED OR INTENDED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-
SAFE PERFORMANCE, INCLUDING BUT NOT LIMITED TO ANY APPLICATION IN WHICH THE
FAILURE OF THE VRM PLATFORM COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR
SEVERE PHYSICAL OR PROPERTY DAMAGE.
8. Conflict. To the extent that any language contained in the Agreement conflicts with any
language contained in Service Specific Terms, the terms of these Service Specific Terms shall
control as it relates to the VRM Platform.
SERVICE SPECIFIC TERMS — NUCLEI
These Service Specific Terms - Nuclei apply only where Client purchases Nuclei Products and associated
Smarsh archiving Services. Unless expressly stated otherwise, capitalized terms contained in these
Service Specific Terms have the meaning given them in the Smarsh Service Agreement - General Terms.
1. Nuclei Products and Services. Nuclei's products (the "Nuclei Products") are cloud-native SaaS
services. Nuclei products and services are resold by Smarsh and licensed to Client by Nuclei, Inc.
pursuant to the Nuclei Authorized User Terms of Use, available at r7Uc:06.w.ao/deg a0/ ("Nuclei Terms"). The
Nuclei Terms and Nuclei's privacy policies apply to data generated, hosted, processed, and stored by
the Nuclei Products, and this Agreement does not apply to such data. In the event Nuclei breaches
the Nuclei Terms, Client's sole remedies are those remedies set forth in the Nuclei Terms. Nuclei
provides technical support for the Nuclei Products (defined below). The Nuclei SLAs available at
Iut,srs a>gpr� nzl,rl^I„aiaC...:a�rgam(!Fr. II��flmiivcce—L-.y( wgrt:r�tw .
apply to Nuclei Products. In the event Nuclei does not meet its service level commitments, Client
must request applicable service credits from Smarsh. Each Nuclei Product is explained in more detail
below.
1.1. Nuclei Products.
1.1.1. Nuclei. The Nuclei transcode service translates data extracted from Nuclei Record and
third-party communications systems. Nuclei transcode includes the following capabilities:
(a) transcoding audio data from one content format to another, (b) transcoding video data
from one content format to another, and (c) transcoding text data from one content format
to another. A "unit" with respect to Nuclei means a phone number, username, or email
address associated with the transcoded audio, video, or text file.
1.1.2. Nuclei Transcription. Nuclei Transcription uses automatic speech recognition to transcribe
audio and video recordings and generates the associated metadata necessary to create a
searchable record for the associated recording. A "unit" with respect to Nuclei Transcription
means one minute.
1.1.3. Nuclei Record. Nuclei Record automatically records audio, video, message, or signal data
generated by voice systems and other modern communication systems. Depending on the
type of voice or communication system Client uses, Nuclei Record will be licensed as either:
(i) a cloud-native SaaS product, or (ii) an on-premise software product. A "unit" with respect
to Nuclei Record means a phone number, username, or email address for which audio,
video, message, or signal data is recorded.
1.2. Nuclei Services.
1.2.1. Nuclei Historical. Nuclei Historical is a service for importing historical data from existing
call recording systems, processing it with Nuclei transcode, and sending it to external
systems for further processing. A "unit" with respect to Nuclei Historical means a gigabyte.
2. Smarsh Voice Archiving. Smarsh provides archiving services for voice data captured and processed
by the Nuclei Products. Client must use a Connected Archive product to archive voice data or voice
transcriptions from Nuclei Products. With respect to Voice Archiving for Nuclei Products, capture
Fees and storage Fees are separate. A "Unit" with respect to Voice Capture means a phone number,
username, or email address. A "Unit" with respect to Voice Storage means a gigabyte. For archiving
associated with Nuclei Historical, with respect to: (i) Voice Capture a "Unit" means a gigabyte, and (ii)
Voice Transcription a "Unit" means one minute.
SERVICE SPECIFIC TERMS — UMONY
These Service Specific Terms - Umony apply when Client uses a Connected Archive or a Connected
Capture Service to capture or archive content from WhatsApp or WeChat¹. Unless expressly stated
otherwise, capitalized terms contained in these Service Specific Terms have the meaning given them in
the Smarsh Service Agreement - General Terms.
1. Umony Products. Smarsh capture of WhatsApp and WeChat is enabled by Third Party Services
provided by Umony Limited ("Umony"). Smarsh resells Umony products and services (collectively, the
"Umony Products") and Umony licenses Umony Products pursuant to the Agreement, the Service
Specific Terms for the applicable Connected Archive or Connected Capture Service, and these Service
Specific Terms - Umony. Umony delivers the Umony Products. Umony receives, processes, and stores
all data or information generated by Client's use of the Umony Products. Umony transmits the data or
information to the Connected Archive Service or Connected Capture Service Client purchased.
2. Umony Portal. Client's access to and use of the Umony web portal ("Umony Portal") are subject to
the Umony End User License Agreement ("Umony EULA"), attached as Exhibit A. Smarsh is not a
party to the Umony EULA, and the Umony EULA may not be modified by Smarsh or Client. Umony
may modify the Umony EULA, and Smarsh will incorporate those modifications into the Agreement
upon notice to Client.
2.1. Client shall comply with the Umony EULA when using the Umony Portal. Umony may suspend
Client's access to or terminate Client's license to the Umony Portal if Client violates the Umony
EULA. Smarsh will have no liability for any such suspension or termination pursuant to Client's
or Client's end users' violation of the Umony EULA.
2.2. If Umony breaches the Umony EULA, Client's remedies are those remedies set forth in the
Umony EULA and are solely between Client and Umony.
2.3. Performance and monitoring data (including numbers of conversations recorded) logged by
the Umony Products, as contained on the Umony Portal is "Umony Usage Data." Client can
monitor the performance of the Umony Products through the Umony Usage Data available in
the Umony Portal.
2.4. Umony retains any intellectual property rights that may subsist in the aggregated Usage Data
or in the presentation or methods used to compile the Usage Data on the Umony Portal. An
access license to the Usage Data is subject to the End-User Licensing Agreement.
3. Umony Products Support. Smarsh will provide technical support for the Umony Products in
accordance with Section 1 of the Support and Service Levels available at
hGt v , r'p'carsl z cr �P ,LB m.afa, mru" rvbc,Igrvgjy>. If Smarsh is unable to resolve an issue with the
Umony Products identified in the support case submitted by Client, Smarsh will escalate the issue to
Umony.
4. Restrictions on Client's Use of Umony Products. Client shall not:
4.1. attempt to sell, sublicense, or otherwise distribute the Umony Products;
4.2. combine or attempt to combine the Umony Products with any third-party software application;
4.3. develop, modify, adapt, create derivative works from, reverse engineer, decompile, or
disassemble the Umony Products;
4.4.
4.5. attempt to circumvent any security protocols or devices, or interfere with the proper working of
the Umony Products or the servers or networks on which any part of the Umony Products is
hosted or operates; or
4.6. use any information provided by Umony (whether Confidential Information or otherwise) to
create any software or platform with expressions or functions that are substantially similar to
those of the Umony Products.
¹ WhatsApp is a registered trademark of WhatsApp, Inc., and WeChat is a registered trademark of
Tencent Holdings Limited. Smarsh's use of such trademarks is solely for descriptive purposes and does
not imply any association with the respective trademark holder or its products or brands. Smarsh is not
affiliated with, associated with, authorized by, or endorsed by WhatsApp, Inc. or Tencent Holdings
Limited.
5. Umony Content; Implementation. The Services capture incoming and outgoing electronic
messages in WhatsApp and WeChat conversations from the Umony Products as Client Data
("Umony Content"). The implementation process for Smarsh capture of Umony Content requires
certain actions that Client and Umony must complete. Smarsh is not responsible for delays in
implementation caused by Umony, Client, or Client employees or contractors. Capture of Client's
employees' and contractors' WhatsApp and WeChat conversations as Umony Content requires
certain actions Client employee or Client contractor must complete. Neither Smarsh nor Umony are
responsible for data transmission failures caused by Client's, Client's employees', or Client's
contractors' actions or failure to act. Client is only authorized to use the Umony Content capture
products in connection with those accounts linked to Client's current employees or contractors
("Authorized Persons"). Client is not authorized to permit individuals that are not Authorized Persons
to use the Umony Content Capture products. Client will provide each Authorized Person with clear
and conspicuous notice of policies regarding the receipt, transmission, storage, and use of Authorized
Person's Umony Content. Client shall ensure that each Authorized Person has agreed to those
policies and that each Authorized Person has been made aware that the Authorized Person has no
reasonable expectation of privacy in the Umony Content. Client shall ensure that all Authorized
Persons using the Umony Content Capture products inform any third parties that such Authorized
Person's electronic communications are being captured by the Umony Content Capture services.
Client shall immediately disable Umony Content capture within the applicable Services upon the
termination of an employee or contractor for whom Client is capturing Umony Content.
6. Umony Content and Data Privacy. As used in these Service Specific Terms — Umony: (i) 'personal
data' and 'controller' have the meanings assigned in Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the
processing of Personal Data and on the free movement of such data and its implementing
regulations promulgated by the EU, EEA, and their individual member states ("GDPR"); (ii) 'process'
has the meaning assigned in the GDPR or the California Consumer Privacy Act of 2018, as amended
(Cal. Civ. Code §§ 1798.100 to 1798.199) and its implementing regulations ("CCPA"), as applicable; and
'personal information' and 'service provider' have the meaning assigned in the CCPA.
6.1. Notwithstanding anything to the contrary in this Agreement or any other agreement to which
Client and Smarsh are parties, with respect to personal data and personal information contained
in Umony Content that Smarsh captures and archives as Client Data, and any processing thereof
by either Client or Smarsh, the parties acknowledge and agree that:
a) Client is a controller;
b) Smarsh is a processor and service provider that processes such personal data and
personal information on behalf of Client;
c) Umony is a sub-processor to Smarsh;
d) Client is solely responsible for all legal obligations of a controller under applicable Data
Protection Laws & Regulations (as defined in the data privacy agreement executed by the
parties); and
e) in no event will Smarsh or Umony be obligated to fulfill the legal duties of a controller or
related to Client Data.
6.2. Client will use the Smarsh Services and Umony Products to process Umony Content in
accordance with applicable laws, including but not limited to the GDPR, the CCPA, and all other
applicable Data Protection Laws and Regulations.
6.3. As between the parties, Client is solely responsible for ensuring that its instructions to Smarsh
to capture, archive, or otherwise process Umony Content comply with applicable Data
Protection Laws and Regulations.
7. Umony Disclaimers. Umony makes no guarantee that:
7.1. the Umony Products can be operated free from any minimum hardware, software, server, or
operating system requirements;
7.2. access to, and usage of, any Umony Products will be continuous, uninterrupted, or error-free at
all times (whether for scheduled maintenance, downtime or otherwise);
7.3. the Umony Products will be fit for any particular purpose;
7.4. the results of Client's use of the Umony Products, the Umony Portal or the Umony Usage Data
will fulfill Client's specific needs; or
7.5. Umony will procure in Client's name a commercial license to use WhatsApp or WeChat.
End -User Licensing Terms
[Umony] Portal (Portal) End User Licence Agreement (EULA)
Date last revised: MAY 2020
1. Application
This EULA is a binding, legally enforceable agreement. It sets out the terms on which you agree to use
the Portal and access the data contained within it. This EULA and the access licences granted
hereunder are effective on the date you first use the Portal and shall continue for as long as you use the
Portal. Your use of the Portal may also be subject to terms imposed by your employer (as the customer)
and our appointed reseller.
As an individual user (whether authorised through an account, or otherwise), you are deemed to be
authorised to act on behalf of your employer and by accessing the Portal, you agree to be bound by
the terms of this EULA. You will be prompted to accept the terms (by ticking the relevant box) the first
time that you login to your account on the Portal, and the next time you login after each update to this
EULA. Therefore, if you do not agree with any of the provisions of these terms, you should cease
accessing or using the Portal and notify your Portal administrator.
We may amend or update this EULA at any time, in any way (with or without notice to you). Updates will
require you to confirm your continued acceptance the next time you login. You are, nonetheless, advised
to check regularly (to understand the terms that apply to your use at the relevant time) and you may
wish to print and retain a copy for your future reference.
2. Status of contract
The Portal is owned and operated by us. We are Umony Limited, a UK registered company (number
10988562) and our registered office is at Russell House, 140 High Street, Edgware, UK HA8 7LW
(we/us/our) and our website is available at www.umony.com.
Your access to, and use of, the Portal is granted to you through our appointed reseller(s). Your employer
has a contract with our reseller and we, in turn, have a direct contractual relationship with our resellers
(typically through a written reseller agreement). This EULA is referred to in our reseller agreement as
the end-user licensing terms. This is because we developed the proprietary software on which the
Portal operates, and own all of the intellectual property rights both in the Portal, its underlying
software and the software used to feed the data into the Portal. More information is contained in
section 6.
3. Liability
We reserve the right to enforce our rights under it against you (whether you as an individual End-User
or your employer as our indirect customer) in the event of any actual or suspected breach of its terms
at any time. Such enforcement is without prejudice to any other rights or remedies third parties may also
have against you for any breach. For example, a breach of these terms may also be a breach of the terms
that exist between your employer and our appointed reseller. In addition, you may also face disciplinary
action from your employer.
By accessing and using this product, you represent that you have the authority and capacity to agree
to this EULA on behalf of yourself or the entity that you represent (where necessary).
As we do not guarantee continuous, uninterrupted access to the Portal at all times (as per section 4.2),
we shall not be liable to you for any losses that you incur as a result of any failure by you to use, or
access, any part of the Portal at any time.
4. Limited access licence
4.1 We grant to you a limited, non-transferable, non-sublicensable, non-exclusive, revocable
licence to access and use the Portal and its data and various functions, in accordance with
this EULA, for lawful business purposes only. Any other use or access is prohibited. We reserve
all rights in the Portal. This EULA does not grant you any rights in, or licences to, the Portal
(other than the limited licence granted in this section 4).
4.2 Access to the Portal is granted on an "as is" basis only for the duration of the term of the
agreement between our appointed reseller and its customer (your employer). We do not
guarantee the continued, uninterrupted availability of the Portal to you at any time (whether
for scheduled maintenance, downtime, or otherwise), or that the Portal is accessible from any
particular location.
4.3 You are responsible for ensuring that your systems are functional, able to access the Internet,
and meet any minimum operating system requirements to access the Portal. To ensure that
you receive optimum functionality from the Portal, you should always use the latest versions
and use compatible browsers, ensure that cookies, pop-ups and JavaScript settings are
enabled on your browsers and use any minimum screen resolution settings.
4.4 Any condition, warranty, representation or other term concerning your use of the Portal,
which might otherwise be implied into, or incorporated in, this EULA (whether by statute,
common law or otherwise) is excluded to the extent permitted by law, including without
limitation, warranties of satisfactory quality or fitness for purposes.
5. Usage problems and support requests
If you have any queries relating to this EULA, your access to, or the operation of, the Portal through
your account, or the data contained on it, please contact your Portal administrator who will be able to
utilise the correct support channels to ensure that the query reaches us, where necessary. You should
always provide (in sufficient detail), the nature of the problem and how it came to your attention, so
that the most efficient resolution can be identified.
6. Intellectual Property Rights
We own all rights and titles to, and interests in, the Portal and all data and other information (other than
User Information) included therein, including but not limited to all patents, trade and service marks,
copyright, trade secrets and other proprietary rights therein.
You therefore acknowledge that all intellectual property rights in the Portal throughout the world
belong to us, such rights are licenced (not sold) to you, and that you have no intellectual property rights
in, or to, the Portal other than the right to use the Portal in accordance with the terms of this EULA.
7. Restrictions
7.1 You may not:
(a) rent, lease, lend, sell, redistribute or sublicence the Portal or your rights to access it in any
way;
(b) violate (or assist any other party to violate) any applicable law, statute, ordinance or
regulation;
(c) provide false, inaccurate or misleading information;
(d) take any action which interferes with, intercepts or expropriates any system, data or
information;
(e) partake in any transaction that involves the proceeds of illegal activity;
(f) transmit or upload any virus or other malicious software or program; or
(g) attempt to gain unauthorised access to other users' accounts or the Portal's related or
underlying networks or systems.
7.2 In addition, you may not copy, frame, scrape, decompile, reverse engineer, disassemble,
attempt to derive the source code of, modify or create derivative works from the Portal, any
updates, its underlying networks or systems, or any part thereof (except as and only to the
extent any foregoing restriction is prohibited by applicable law or to the extent as may be
permitted by the licensing terms governing use of any open sourced components included
with the Portal) or try to circumvent its security protocols, interfere with its proper working or
the servers on which the Portal is hosted. Any attempt to do so is a violation of our rights.
7.3 Information contained on the Portal is to be used as stated in section 4 only. Therefore, you
must not extract or download any Portal content, information or data (including any
metadata) for any other purpose.
7.4 You further recognise that the Portal is used by others simultaneously. Therefore, in accessing
the Portal, you must not damage, disrupt, impair or otherwise interfere with the Portal's
functions and services that are offered by us to others.
7.5 Any breach of the restrictions in this section 7 will constitute a material breach of this EULA,
and the provisions of sections 3 and 12 may apply.
7.6 The restrictions imposed on you under this section 7 also include a direct obligation on you
not to permit, or fail to prevent, any third party (whether another authorised user, friend,
colleague or family member) from doing any of the actions restricted by this section. If you
become aware of any such action, you must notify your administrator immediately upon
discovery.
8. Data protection
8.1 As your company's account is managed by our appointed reseller, your employer will remain
the data controller; our appointed reseller will be a data processor on the controller's behalf, and
we will be a sub-processor on behalf of our appointed reseller. Any personal data that we
access through the Portal is merely processed by us "in transit" when passed to our appointed
reseller. We only store very limited categories of personal data, in cached form, for a very
limited period of time (up to a maximum of days) where we are temporarily unable to effect
the data transfer through the Cloud to our appointed reseller.
8.2 As we are registered in the UK, any personal data compliance obligations imposed on us are
in accordance with the requirements of UK and EU Data Protection Laws (including the EU
General Data Protection Regulation 2016/679). Where specific territorial data protection laws
apply to your use of the Portal, these will be managed by our appointed reseller and may
apply in addition (with our specific agreement).
8.3 When accessing the Portal through your account, personal data in connection with your
account and your use of the Portal will be processed [by us and/or our reseller]. This is to verify
compliance with the terms of this EULA. This usage data will normally be processed only by
us and shared with our reseller who may, in turn, share this with your employer's
administrator(s).
8.4 Any personal data that belongs to you in order to set up your account is no different to the
personal data already processed by your employer (our reseller's customer) as the data
controller. We will therefore be processing your personal data only for the purposes of
monitoring such access and account usage, and for responding to support queries logged
with us. Other categories of your personal data that we will access will include your name,
business email address and business mobile device number (which is the device subject to
the conversation tracking operated by our proprietary software).
8.5 Where you raise a support request under section 5 in accordance with the process specified
in that section, some of your personal data related to the relevant request may be processed
by us in connection with the resolution of the relevant problem, where your administrator or
our appointed reseller cannot resolve the issue in the first instance.
8.6 In general terms, we will comply with our obligations under applicable Data Protection Laws
when processing your personal data. We implement appropriate technical and organisational
security measures to preserve the integrity of, and prevent any corruption or loss, damage or
destruction to, any personal data and are ISO27001 certified (as at the date this EULA was last
updated).
8.7 If an event occurs on the Portal that causes your data to be damaged, lost or otherwise
exposed to third parties at any time, we will notify our reseller who will notify your
administrator promptly (as required by our reseller agreement).
8.8 If you wish to access any of your personal data that is processed by us in connection with your
use of the Portal at any time, please contact your administrator in the first instance, who will
(in turn) notify our reseller who will contact us. We may then contact you (either directly or
through your administrator), in order to clarify your request and provide you with the
requested data we are able and permitted (by Data Protection Law) to provide.
8.9 We do not process your personal data on the basis of your consent. Your personal data is
required to enable you to access your account and use the Portal. If you no longer want us to
process your personal data, please notify your administrator who will (in turn) arrange for our
reseller to notify us. In those circumstances, we may no longer be able to monitor your use of
your account and your account may need to be closed.
8.10 We reserve the right to amend the terms of this EULA at any time (as stated in section 1).
However, if we alter the way we process your personal data we will notify your administrator
and/or you personally (through your account) where we are required to do so by Data
Protection Law.
8.11 We additionally reserve the right to disclose your account details, and any related personal
data that is necessary to identify you personally, to your employer (as the customer) and/or
regulatory or law enforcement bodies or agencies in connection with any investigation that
may concern you or your use of WhatsApp™ and/or WeChat™. Any such disclosure under
this section may be done without notifying you first.
9. Confidentiality
9.1 When accessing the Portal, you will likely access information that may be sensitive or
confidential to your employer. It is your duty to keep such information secure at all times.
9.2 Where we have access to your confidential information (as the operator of the Portal), we will
ensure that information is kept appropriately secure.
9.3 You must treat your account details as confidential and must not share them with anyone
other than us or your firm's administrator; this includes those categories of persons listed in
section 7.6.
9.4 For the purposes of this EULA, "Confidential Information" means all non-public, proprietary
information provided to you by Umony, whether through the Portal or otherwise.
Confidential Information includes the Portal and all information and materials contained
therein, your account and login information, and any other non-public financial, technical or
business information of Umony.
9.5 Umony will at all times retain sole ownership of all Confidential Information. You will hold all
Confidential Information in strict confidence. You will not transfer, display, convey or
otherwise disclose or make available any Confidential Information to any third party. You may
disclose such Confidential Information to your directors, officers, or employees only to the
extent such persons have a need to know such Confidential Information and who are bound
by written confidentiality obligations at least as protective as those contained in this EULA.
You are fully responsible for any misuse or disclosure of Confidential Information by such
personnel.
9.6 You shall notify Umony in writing immediately upon discovery of any unauthorised use or
disclosure of Confidential Information or any other breach of this EULA and cooperate with
Umony in every reasonable way to regain possession of Confidential Information and prevent
any further unauthorised use. Upon termination or expiration of this EULA, you will promptly
destroy all Confidential Information in your possession.
9.7 The obligations of confidentiality do not apply to any particular Confidential Information to
the extent that you can demonstrate to Umony's satisfaction that such Confidential
Information:
(a) is in or enters the public domain through no fault of your own and without any breach
of confidentiality or other restriction on disclosure; or
(b) was lawfully in your possession without any breach of confidentiality or other restriction
on disclosure prior to receiving it from Umony.
9.8 You may disclose Confidential Information to the extent required by law provided that you
provide reasonable prior notice to Umony of any such disclosure and cooperate with efforts
to limit, eliminate or otherwise secure protective treatment for such disclosure.
9.9 You agree and acknowledge that any actual or threatened breach of confidentiality may
cause irreparable harm for which monetary damages would be an inadequate remedy and
that Umony would be entitled to seek injunctive or other equitable relief to prevent or
remedy such a breach.
10. User Materials
You agree that Umony may collect and use technical data and related information, including but not
limited to technical information about your device, system and application software, and peripherals,
that is gathered periodically to facilitate the provision of software updates, product support and other
services to you (if any) related to the Portal (collectively "Data"). You may also voluntarily provide
information, feedback and other content in connection with your use of the Portal (together with Data,
"User Materials"). You agree that Umony may use the User Materials to improve its products and
services or to provide products and services to you, and you hereby grant Umony a perpetual,
nonexclusive, worldwide, royalty free, fully paid-up, transferrable and sublicence licence in and to the
User Materials, including all intellectual property rights therein, for Umony to use, modify and create
derivative works of the same in connection with or related to any business purpose.
11. Automatic Software Updates
Umony may from time to time develop patches, bug fixes, updates, upgrades and other modifications
to improve the performance of the Portal and related services ("Updates"). These Updates may be
automatically installed without providing any additional notice or receiving any additional consent. By
using the Portal, you consent to these automatic updates. If you do not want such updates, your
remedy is to stop using the Portal. If you do not cease using the Portal, you will receive Updates
automatically.
The terms of this EULA will govern any updates provided by us that replace or supplement the original
Portal, unless such upgrade is accompanied by a separate licence, in which case the terms of that
licence will govern to the extent that there is any conflict or ambiguity between the two.
12. Termination & Suspension
12.1 Portal access is conditional on compliance with this EULA in full. We may suspend or disable
access (temporarily or permanently) where:
a) you breach, or are suspected of breaching, any of the terms of this EULA;
b) your employer is in breach of any of the terms of this EULA or its contract with our appointed
reseller (in which case, the reseller is obliged to notify us);
c) we need to protect the integrity of the Portal or the data contained on it; or
d) we need to safeguard our reasonable interests, or those of our other customers and their
individual users.
12.2 Without prejudice to any other rights, we may terminate this EULA at any time, without notice,
if our agreement with our reseller has to terminate due to: (i) updates to the general
functionality and underlying software, networks, servers or code of WhatsApp™ and/or
WeChat™ (as applicable to you) preventing our proprietary software performing in the way
that it does as at the date this EULA was last revised; or (ii) WhatsApp™ and/or WeChat™ (as
applicable) amending their end user licensing agreements to have the same effect.
12.3 Where we suspend access to the Portal, or disable or block relevant account details to deny
access, such suspension will be for the shortest time possible. Reinstatement of access will be
granted only on satisfactory assurance and evidence (where requested) that sufficient steps
have been taken to prevent those circumstances recurring. In no event will we be liable for the
removal of or disabling of access to the Portal, or any action taken in respect of the same.
12.4 You may terminate this EULA (effective immediately) upon written notice to us. Alternatively,
you can simply stop using your account. Upon termination of this EULA, we will terminate your
access to the Portal, close your account by disabling your login details, and you shall destroy
all copies or screenshots made (full or partial) of the Portal and the data extracted from it.
12.5 Any decision by us to suspend or terminate your access to the Portal will be final. Responses
that we may take in this section 12 are not limited, and we may take any other action that we
reasonably consider to be appropriate in the circumstances.
13. Entire Agreement/Severability
As stated in section 1, this EULA applies to your Portal access. Its terms supersede in full all other terms
that may be imposed on your Portal access, whether by our reseller or your employer (in the event of
conflict).
If any provision in this EULA is unenforceable, illegal, or invalid, such provision will be changed and
interpreted to accomplish the objectives of such provision to the greatest extent possible under
applicable law and the remaining provisions will continue in full force and effect. Where such change is
not possible, the relevant provision shall be deemed deleted without affecting the validity, enforceability
or legality of the remainder.
14. Waiver. As stated in section 3, we reserve our rights to enforce breaches of this EULA. Where we
do not take such action immediately, whether against you or your employer, such rights will only be
deemed to have been waived if in writing given to you directly, or indirectly through your employer or
our reseller. Any waiver or failure by us to enforce any provision of this EULA on one occasion will not be
deemed a waiver of any other provision or of such provision on any other occasion.
15. Right to assign
Further to section 7.1, this EULA and your account details are personal to you individually, and your
employer / our reseller's customer, collectively. You must not assign, transfer or otherwise disclose such
details to third parties at any time without our or our reseller's prior consent. However, nothing prevents
us from assigning, transferring, charging or mortgaging any (or all) of our rights and/or obligations
under this EULA at any time. Where this happens, your employer will be notified through our reseller.
16. Governing law
Access to the Portal, the terms of this EULA, and all matters arising from or connected with it, are
governed by English law. Any contractual or non-contractual dispute between you and us will be
subject to the exclusive jurisdiction of the English courts in the first instance. However, we reserve our
rights to take appropriate action through our appointed reseller through the Courts in the country in
which you are established, where appropriate.
17. Communication between us
If you wish to contact us in writing, or if any condition in this EULA requires you to give us notice in
writing, you can send this to us by email at hello@umony.com or prepaid post to Umony Limited, 4th
Floor, 109 Farringdon Road, London, EC1R 3BW. Please make sure you provide a return contact address
and/or email address.
SERVICE SPECIFIC TERMS — BUSINESS SOLUTIONS
Email Hosting. If Client purchases Email Hosting, Email Encryption or Data Loss Prevention ("DLP")
Services, these additional terms apply.
a) Units. Email Encryption is a Service that encrypts a Client designated email mailbox's outgoing
email. A "Unit" with respect to Email Encryption, Email Hosting or DLP is an email mailbox.
b) With respect to Email Hosting Services, if Microsoft Corporation ("Microsoft") increases the price
that Microsoft charges for the underlying licenses or services Microsoft provides that are
applicable to the Email Hosting Services, Smarsh may increase the price for the Email Hosting
Services by the full amount of the price increase, regardless of whether the price increase occurs
during the Initial Term.
c) With respect to the Email Hosting Services, the retention of Email Hosting Service Client Data
during the Term is subject to space limitations applicable to the Email Hosting Service plan
purchased by Client. Email Hosting Service Client Data will be retained for a period of 30 days
following the termination or expiration of the earlier of the Email Hosting Service termination or
the termination or expiration of the Agreement.
d) The following terms and conditions apply to Email Hosting Services.
This document ("MSFT Terms") concerns Your use of Microsoft software, which includes computer
software provided to You by Smarsh or Intermedia as described below, and may include associated
media, printed materials, and "online" or electronic documentation (individually or collectively
"Licensed Products").
1. DEFINITIONS.
For purposes of these MSFT Terms, the following definitions will apply:
"Client Software" means software that allows a Device to access or utilize the services or
functionality provided by the Server Software.
"Device" means each of a computer, workstation, terminal, handheld PC, pager, telephone, personal
digital assistant, "smart phone", or other electronic device.
"Server Software" means software that provides services or functionality on a computer acting as
server.
"Redistribution Software" means software described in Paragraph 6 ("Use of Redistribution
Software") below.
2. OWNERSHIP OF LICENSED PRODUCTS. The Licensed Products are licensed from an affiliate of
the Microsoft Corporation ("Microsoft"). All title and intellectual property rights in and to the
Licensed Products (and the constituent elements thereof, including but not limited to any
images, photographs, animations, video, audio, music, text, and "applets" incorporated into the
Licensed Products) are owned by Microsoft or its suppliers. The Licensed Products are protected
by copyright laws and international copyright treaties, as well as other intellectual property laws
and treaties. Your possession, access, or use of the Licensed Products does not transfer any
ownership of Licensed Products or any intellectual property rights to You.
3. COPYRIGHT, TRADEMARK AND PATENT NOTICES. You must not remove, modify or obscure any
copyright, trademark or other proprietary rights notices that are contained in or on the Licensed
Products. You must include Microsoft's copyright notice on any labels or documentation
(including online documentation) that include the Licensed Products. You have no right under
this Agreement to use any Microsoft logos in any manner whatsoever. Whenever a Licensed
Product is first referenced in any written or visual communication, You must use the appropriate
trademark, Licensed Product descriptor and trademark symbol (either ™ or ®) and clearly
indicate Microsoft's (or Microsoft's suppliers') ownership of such marks. For information on
Microsoft trademarks, including a listing of current trademarks, see
http://www.microsoft.com/trademarks. You must not undertake any action that will interfere with
or diminish Microsoft's (or Microsoft's suppliers') right, title and/or interest in the trademark(s) or
trade name(s). At Microsoft's request, You must provide Microsoft with samples of all of Your
written or visual materials that use a Licensed Product name.
4. ANTI-PIRACY. You must not engage in the manufacture, use, distribution or transfer of
counterfeit, pirated or illegal software. You may not distribute or transfer Licensed Products to
any party that You know is engaged in these activities. You must report to Microsoft any
suspected counterfeiting, piracy or other intellectual property infringement in computer
programs, manuals, marketing materials or other materials owned by Microsoft, its Affiliates
and/or its licensors as soon as You become aware of it. You will cooperate with Microsoft in the
investigation of any party suspected of these activities.
5. USE OF CLIENT SOFTWARE. You may use the Client Software installed on Your Devices only in
accordance with the instructions, and only in connection with the services, provided to You. The
terms of this MSFT Terms permanently and irrevocably supersede the terms of any Microsoft End
User License Agreement that may be presented in electronic form during Your use of the Client
Software.
6. USE OF REDISTRIBUTION SOFTWARE. In connection with the services provided to You, You may
have access to certain "sample," "redistributable" and/or software development ("SDK") software
code and tools (individually and collectively "Redistribution Software"). YOU MAY NOT USE,
MODIFY, COPY, AND/OR DISTRIBUTE ANY REDISTRIBUTION SOFTWARE UNLESS YOU
EXPRESSLY AGREE TO AND COMPLY WITH CERTAIN ADDITIONAL TERMS CONTAINED IN THE
SERVICES PROVIDER USE RIGHTS ("SPUR"). Microsoft does not permit You to use any
Redistribution Software unless You expressly agree to and comply with such additional terms.
7. COPIES. You may not make any copies of the Licensed Products; provided, however, that You
may (a) make one (1) copy of Client Software on Your Device; and (b) You may make copies of
certain Redistribution Software in accordance with Paragraph 6 (Use of Redistribution Software).
You must erase or destroy all such Client Software and/or Redistribution Software upon
termination or cancellation of Your agreement with Smarsh, upon notice from Smarsh or upon
transfer of Your Device to another person or entity, whichever first occurs. You may not copy any
printed materials accompanying the Licensed Products.
8. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION AND DISASSEMBLY. You may not
reverse engineer, decompile, or disassemble the Licensed Products, except and only to the extent
that applicable law, notwithstanding this limitation, expressly permits such activity.
9. NO RENTAL. You may not rent, lease, lend, pledge, or directly or indirectly transfer or distribute
Licensed Products to any third party, and You may not permit any third party to have access to
and/or use the functionality of the Licensed Products.
10. TERMINATION. Without prejudice to any other rights, Intermedia may terminate Your rights to
use the Licensed Products if You fail to comply with these terms and conditions. In the event of
termination or cancellation, You must stop using and/or accessing the Licensed Products, and
destroy all copies of the Licensed Products and all of their component parts.
11. NO WARRANTIES, LIABILITIES OR REMEDIES BY MICROSOFT. ANY WARRANTIES, LIABILITY
FOR DAMAGES AND REMEDIES, IF ANY, ARE NOT BY MICROSOFT OR ITS AFFILIATES OR
SUBSIDIARIES.
12. PRODUCT SUPPORT. Any product support for the Licensed Products is not provided by
Microsoft or its affiliates or subsidiaries.
13. NOT FAULT TOLERANT. THE LICENSED PRODUCTS MAY CONTAIN TECHNOLOGY THAT IS NOT
FAULT TOLERANT AND IS NOT DESIGNED, MANUFACTURED, OR INTENDED FOR USE IN
ENVIRONMENTS OR APPLICATIONS IN WHICH THE FAILURE OF THE LICENSED PRODUCTS
COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL, PROPERTY OR
ENVIRONMENTAL DAMAGE.
14. EXPORT RESTRICTIONS. The Licensed Products are of U.S. origin for purposes of U.S. export
control laws. You agree to comply with all applicable international and national laws that apply
to the Licensed Products, including U.S. Export Administration Regulations, as well as end-user,
end-use and destination restrictions issued by U.S. and other governments. For additional
information, see http://www.microsoft.com/exporting/.
15. DISCLOSURE OF INFORMATION. You hereby consent to the provision of Your information
regarding Your Account to Microsoft to the extent required under the terms of its license
agreement with Microsoft.
16. LIABILITY FOR BREACH. You agree that You will also be legally responsible directly to Microsoft
for any breach of these terms and conditions.
17. OWA ACCESS RESTRICTIONS. You acknowledge and agree that if You have an Outlook Web
Access -only (OWA-only) Account (Basic SAL license), You are restricted from and will not use
shared folders, shared calendars, shared contacts, shared tasks and public folders with respect to
such access.
SERVICE SPECIFIC TERMS - SMARSH UNIVERSITY
These Service Specific Terms — Smarsh University apply only to Client's purchase and use of Smarsh
University training and certification courses. Unless expressly stated otherwise, capitalized terms have
the meaning given them in the Smarsh Service Agreement - General Terms.
1. Descriptions. "Smarsh University" or "Smarsh U" is a suite of training and certification courses
designed to help Client and its Users understand and leverage the features and functionality of the
products Client purchases from Smarsh. Smarsh University courses are offered as Public Courses,
Dedicated Courses, and Web-based Courses (defined below).
2. Definitions.
"Certification Exam" is an examination related to a specific Smarsh product or Service that if
passed leads to certification of expertise in the use of such Smarsh product or Service.
"Dedicated Courses" are private instructor-led courses conducted either by web conference or
on-site at Client's facilities.
"Public Courses" are instructor-led courses attended by Trainees from multiple companies and
are conducted by web conference or on-site at a Smarsh-hosted event.
"Trainee" is a Client employee, agent, or Representative for whom Client purchases a Smarsh U
subscription or attendance at a Dedicated Course or an a la carte Public Course.
"Web-based Courses" or "WBC" is a suite of pre-recorded online courses available to Trainees by
login to the Smarsh learning management system using the Trainee's Smarsh Central access
credentials.
"Smarsh U Lab" is a training environment hosted in Smarsh data centers in the U.S.
3. Orders and Payment. Client must execute an Order Form to purchase Smarsh University
subscriptions, blocks of Public Courses, and Dedicated Courses. Client must purchase all a la carte
courses and Certification Exams through Smarsh Central. Smarsh University course Fees and
Certification Exam Fees are non-refundable.
3.1. Subscriptions. Smarsh U subscriptions are offered as Full Access or WBC-only (defined below)
and sync to and co-terminate with Client's then-current service Term under the Agreement.
A "Unit" with respect to Smarsh U subscriptions is one Trainee. "Full Access" subscriptions
include unlimited Public Courses and WBC access for each Trainee. "WBC-only" subscriptions
include unlimited WBC access for each Trainee.
3.2. Blocks of Public Courses. Client may purchase Public Courses in 1-day, 2-day, and 3-day blocks.
Blocks of Public Courses are consumed in half-day or one day increments per-Trainee, as
specified in the registration information for each Public Course.
3.3. Dedicated Courses. Dedicated Courses are one-time courses offered on a per-Trainee, per-day
basis. Dedicated Courses are capped at ten (10) Trainees and are sold in half-day increments.
All on-site Dedicated Courses must be scheduled at least two (2) weeks in advance and require
a minimum purchase of one full day. Trainer travel expenses will be included in the Fees for
on-site Dedicated Courses.
3.4. Purchases from within Smarsh Central. Payments for Certification Exams and a la carte Public
Courses and WBC are processed through Stripe Checkout. Payments processed through
Stripe Checkout are subject to the Stripe Checkout User Terms of Service and the Stripe
Privacy Policy.
4. Certification. Client may purchase Certification Exams for Trainees or Users. Once a Trainee or User
passes a Certification Exam, the Trainee or User is Smarsh-certified and will receive a verifiable
digital certificate of achievement and a verifiable digital badge indicating the Trainee is certified in
the use of a specific Smarsh product or Service. Certificates and badges are unique to each User or
Trainee and will transfer with such individual if they change employment. Certifications are valid
for twenty-four (24) months following a successful Certification Exam. After that time, a Trainee or
User must recertify to maintain their Smarsh certification. A recertification exam is available up to
six (6) months following certification expiration. Thereafter the Trainee or User must retake the
Certification Exam to maintain Smarsh certification. For the avoidance of doubt, Client must
purchase new Certification Exam if User or Trainee wishes to (i) retake a failed Certification Exam
(ii) certify in additional products or Services.
5. License. Smarsh grants Client and its Trainees a non-exclusive, non-transferable, limited license to
access and use the Smarsh U Lab, course materials and course content solely for training purposes.
6. Client Obligations and Trainee Conduct.
6.1. Trainees may not share access credentials.
6.2. Client must provide a computer for each Trainee and high-speed internet access to enable
Trainees to remotely connect to the Smarsh U Lab for all courses.
6.3. Client must provide dedicated classroom space for on-site Dedicated Courses.
6.4. Smarsh may refuse, limit, or cancel any Smarsh U course if, in the sole opinion of Smarsh, any
Trainee displays unreasonable behavior or acts in a violent, threatening, inappropriate,
abusive, or disruptive manner during a course.
7. Substitutions and Cancellations.
7.1. Substitutions. Client may transfer a Unit up to three (3) times during an annual Term. Client
must request all transfers by submitting a support case through Smarsh Central.
7.2. Requests to Reschedule. Client may reschedule a Dedicated Course one time. Client must
submit all requests to reschedule a Dedicated Course by submitting a support case through
Smarsh Central. Client must submit its request to reschedule at least one week prior to the
scheduled course date for virtual Dedicated Courses and at least two weeks prior to the
scheduled course date for on-site Dedicated Courses. Client must submit its proposed
reschedule date within 30 days following a reschedule request, and the rescheduled course
date must occur not more than 180 days after the original course date. The parties will execute
a change order to reflect the rescheduled course date.
7.3. Cancellations by Smarsh. Smarsh will use commercially reasonable efforts to hold all courses
as scheduled but may need to cancel or reschedule a course in certain circumstances. If
Smarsh cancels an on-site Dedicated Course or a Public Course that Client purchased a la
carte, Smarsh will issue Client a reschedule voucher equal to the Fee for the cancelled course.
Client may use the voucher to reschedule the Dedicated Course or register for a future Public
Course within twelve (12) months of the cancelled course date. All vouchers expire twelve (12)
months after the cancelled course date.
8. Intellectual Property. Smarsh University and related course materials, information technology
infrastructure, including the software, hardware, databases, electronic systems, networks, and all
applications required to deliver the Smarsh U Lab are Smarsh Intellectual Property.
9. WARRANTY DISCLAIMER; NO GUARANTEE. ALL SMARSH UNIVERSITY COURSES, MATERIALS, AND
ANY OTHER DOCUMENTATION, PUBLICATIONS, OR OTHER INFORMATION OR MATERIALS
PROVIDED BY OR ON BEHALF OF SMARSH TO CLIENT OR ITS TRAINEES FOR TRAINING PURPOSES
ARE FURNISHED ON AN "AS-IS" BASIS, WITHOUT REPRESENTATION OR WARRANTY OF ANY KIND.
SMARSH WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER
PROBLEMS INHERENT IN THE USE OF THE INTERNET, ELECTRONIC COMMUNICATIONS, OR OTHER
SYSTEMS OUTSIDE THE REASONABLE CONTROL OF SMARSH. SMARSH DOES NOT GUARANTEE
THAT SMARSH U COURSES OR CERTIFICATION WILL ENSURE CLIENT'S LEGAL COMPLIANCE WITH
ANY FEDERAL, STATE, OR INTERNATIONAL STATUTE, LAW, RULE, REGULATION, OR DIRECTIVE.
INFORMATION SECURITY ADDENDUM
1.1 Security Program
i. Smarsh has implemented and will maintain appropriate technical, physical, and administrative
measures reasonably designed to prevent accidental or unlawful destruction, loss, alteration, or
unauthorized disclosure of, or access to confidential information ("Information Security
Program").
ii. Smarsh's Information Security Program oversees all areas of security applicable to Smarsh and
information security, including physical access to Smarsh's data centers that store data ingested
by the applicable service ("Client Data"), system and data access, transmission of Client Data, as
well as general supervision and enforcement. Smarsh's Information Security Program generally
aligns with the security standards published by International Organization for Standardization
(ISO).
iii. Smarsh undergoes annual independent third-party SSAE 18 SOC 2 Type II (or its equivalent or
successor) assessments of its Information Security Program. After each such assessment, Smarsh
assesses the criticality of any issues presented in such report or assessment, and remediates, or
implements compensating controls for, any issues identified in such assessment in a timely
manner based on level of criticality and risk.
1.2 Personnel Security
Smarsh performs criminal background checks on all Smarsh employees prior to
commencement of employment. Smarsh requires each employee to maintain the confidentiality
of Confidential Information, including written confidentiality agreements and annual security
and data privacy awareness training. Smarsh also requires additional role-based security training
for employees with access to Client Data or the application that processes and stores Client Data.
1.3 Third Party Risk Management
Smarsh screens and enters into written confidentiality agreements with its vendors to maintain
the security of Confidential Information. Smarsh conducts an initial risk assessment of each
vendor, including an initial risk review and verification before engaging such vendor. Thereafter,
Smarsh conducts an annual risk review of such vendor.
1.4 Smarsh's Access Security
i. Facilities Access. Smarsh employs physical security procedures which require that only
authorized individuals have access to corporate facilities. Such procedures include the use of
CCTV, cardkey access, processes to log and monitor visitors, and use of receptionists or security
guards.
ii. Systems Access. Smarsh follows the principle of "least privilege" when granting access to
Smarsh internal systems ("Smarsh Systems"). Smarsh uses complex password requirements
across all Smarsh Systems to minimize password-related access control risks. Smarsh, when
reasonably possible and feasible, utilizes multi-factor authentication for access and
administration of Smarsh's Systems. Smarsh's information security policies prohibit Smarsh
employees from sharing, writing down, or storing passwords in an unencrypted manner on any
Smarsh System (including desktops).
1.5 Application Security — Software as a Service
i. Applications. Smarsh provides various software as a service solutions that, as configured by Client,
capture, ingest, store, and archive Client Data from various third-party service providers of Client
(each, a "SaaS Application").
ii. Software Code Review and Design. Smarsh uses a "security by design" approach that follows
generally accepted industry standards for a secure software development life cycle. Smarsh
performs both static and dynamic web application security code analysis on all code prior to
deployment in a production environment. Smarsh uses a formal change management process
that includes the tracking and approval for all software product updates and changes. Any such
changes are internally reviewed and tested within a staging environment before such changes
are finalized and deployed to production environments.
iii. Monitoring & Application Scanning. Smarsh, in accordance with generally accepted industry
standards, monitors the SaaS Applications and the Smarsh networks, servers, and service
environments hosting the SaaS Applications for potential security vulnerabilities consistent with
Smarsh's vulnerability management program. Smarsh will promptly assess discovered security
vulnerabilities taking into account the risk posed and prioritize them for remediation activities.
iv. Anti-Malware Testing. Smarsh, using industry-standard measures, on a regular basis, tests and
scans the SaaS Applications for (a) 'back door,' 'time bomb,' 'Trojan Horse,' 'worm,' 'drop dead
device,' 'virus,' 'spyware' or 'malware;' or (b) any computer code or software routine that disables,
damages, erases, disrupts or impairs the normal operation of the SaaS Applications or any
component thereof.
v. Physical and Software Security. Smarsh's information security policy requires all network
devices and servers that host or process Client Data to be secured to address reasonable threats
through industry standard technical measures. Smarsh physically or logically separates quality
assurance and test environments from production environments. Smarsh uses industry-standard
firewalls, intrusion detection, and malware detection on its networks and hosted
systems and requires the use of VPN for access to its secured environments.
vi. Client Data. Smarsh will not use Client Data for testing purposes or access Client Data, except as
authorized by Client, or as required by the applicable services. Smarsh will not use any data
derived from Client Data for any purpose except to provide the Services.
vii. Smarsh Physical Data Center Security. Smarsh ensures that physical security controls are
implemented to prevent unauthorized individuals from accessing Smarsh data centers. Smarsh
uses data center security measures that align with industry standard practices for physical
security and, at a minimum, require that Smarsh data centers use: floor-to-ceiling walls, multi-factor
authentication for data center access, 24/7 security monitoring, alarmed exits, and onsite
security personnel.
viii. Cloud Environment Data Center Security. Smarsh may use infrastructure-as-a-service
providers ("Cloud Providers") to provide the services (as applicable). Before utilizing a Cloud
Provider, Smarsh evaluates the Cloud Provider's security controls and processes to ensure that
such security program meets the applicable obligations contained in Smarsh's own Information
Security Program. On a regular basis thereafter, Smarsh reviews each Cloud Provider's security
controls as audited by Cloud Provider's third-party security audits and certifications to ensure
that such Cloud Provider maintains its Security Program at a level consistent with Smarsh's
Information Security Program. Such controls include the use, at a minimum, physical access
controls, multi-factor authentication for data center access, 24/7 security monitoring, alarmed
exits, and onsite security personnel.
ix. Penetration Testing. Smarsh performs annual penetration testing on the SaaS Applications
using independent, third-party resources. Upon written request (and not more than once every
12 months), Smarsh will provide a summary penetration testing report to Client.
x. Performance. Smarsh uses industry-standard technology and tools to monitor the uptime status
of its SaaS Applications and to send alerts when any warning conditions need to be reviewed.
xi. Data Management. Client Data is stored in a logically separated environment.
xii. Encryption. Smarsh encrypts Client Data in transit and at rest using encryption techniques that
comply with security industry standards published by NIST.
1.6 Business Continuity/Disaster Recovery. Smarsh maintains a Business Continuity and Disaster
Recovery Plan ("BCP") and shall activate the BCP in the event of a disaster, as defined in the BCP.
Upon written request, Smarsh will make an executive summary of the BCP available to Client.
Smarsh tests the BCP on a regular basis, and at least annually.
1.7 Incident Response.
i. Security Incident. Smarsh's Information Security Program includes incident response policies
and procedures in the event that there is any actual, or reasonably suspected, unauthorized
access to Smarsh facilities, Smarsh Systems, or the SaaS Applications ("Security Incident"),
including processes to ensure that (i) the Security Incident is contained and remediated in a
timely fashion; (ii) if required, timely notice is provided to any affected parties; (iii) the Security
Incident is appropriately tracked; (iv) all related server logs are retained for at least ninety (90)
days following the Security Incident; (v) all related Security Incident reports are retained for at
least three (3) years; and (vi) all related Security Incident logs are appropriately protected to
ensure the integrity of such log. Smarsh will promptly implement such procedures upon
becoming aware of a Security Incident.
ii. Client Data Incident. Upon becoming aware of any actual or reasonably suspected unauthorized
third-party access to, or disclosure of, Client Data ("Client Data Incident"), Smarsh will: (i)
investigate, and take reasonable measures to remediate, the cause of such Client Data Incident,
and (ii) promptly, after discovery, provide written notice to the Incident Response Contact set
forth in the Incident Contact Sheet.
2. Security Documentation; Audit Rights; Security Assessments
i. Security Documentation. Upon written request, not more than once every 12 months, and
subject to the confidentiality obligations set forth in the Agreement, Smarsh will make available
to Client, at no cost to Client, a copy of Smarsh's most recent (i) annual independent SSAE 18 SOC
2 Type II report, (ii) executive summary of Smarsh's annual penetration test, and (iii) Smarsh's
standard information gathering questionnaire (collectively, "Security Packet") to demonstrate
Smarsh's compliance with the Information Security Program.
ii. Security Assessments of Cloud Providers. Client recognizes that Smarsh utilizes Cloud
Providers to process Client Data or provide the Services. Client agrees that Smarsh does not have
access to, or control over, the physical infrastructure or facilities used by such Cloud Providers or
the manner in which such Cloud Providers allow third parties to audit such Cloud Provider's
security controls and processes. If Client wishes to conduct an audit of any related Cloud Provider
applicable to the Services, Client may elect to do so in the manner set forth in this Section 3. Upon
Client's written request (and no more than once every 12 months), and subject to the
confidentiality obligations set forth in this Agreement, Smarsh agrees to use commercially
reasonable efforts to provide Client with sufficient information to obtain such security
documentation on its own.
SUPPORT AND SERVICE LEVEL AGREEMENT
1. SUPPORT
Smarsh offers a broad range of technical support services as set forth below.
2. SUPPORT PACKAGES
The Smarsh Basic support package is included with all Smarsh Services at no additional charge. Client may
purchase a premium support package to extend hours of support coverage, receive support from named or
assigned members of the Smarsh Global Support team, and access other support services beyond those
included in the Basic support package. The table below provides an overview of the support services included
with each support package. The Agreement provides more details about the premium support packages
purchased by Client. Client may access online support resources and FAQs at [URL illegible]
("Smarsh Central").
Features
Access to Smarsh Central Self Service Support Resources: ✓ ✓ ✓ ✓ ✓
Access to System Status Page Updates and Subscriptions: ✓ ✓ ✓ ✓ ✓
Product Updates, Fixes, and Enhancements (Standard Release Cycle): ✓ ✓ ✓ ✓ ✓
Web-based Support: ✓ ✓ ✓ ✓ ✓
24/7 Phone Support for Severity 1 Issues: ✓ ✓ ✓ ✓ ✓
Enhanced Support Response Times: ✓ ✓ ✓ ✓
Named Technical Support Engineer(s): ✓ ✓ ✓ ✓
Weekly Status Calls: ✓ ✓ ✓ ✓
Annual Account Reviews: ✓ ✓ ✓ ✓
Quarterly Account Reviews: ✓ ✓
Regular Account Reports: ✓
Smarsh University Subscription: ✓ ✓ ✓ ✓
Named Executive Sponsor: ✓ ✓
Dedicated Account Status Page
* BCS AND BCS ELITE ARE NOT AVAILABLE FOR PROFESSIONAL ARCHIVE.
3. SERVICE INCIDENTS AND SUPPORT REQUESTS
Except with respect to Severity Level 1 issues, Smarsh recommends reporting issues regarding availability or
performance of the Services by creating a case at Smarsh Central. All Severity Level 1 issues must be reported via
phone. Support requests must include a detailed description of the error or request, including the operating
conditions that gave rise to the error. The individual requesting support will receive notification via email to confirm
receipt of a Support request, along with a case number for reference. Smarsh standard phone support is available
Monday through Friday between the hours of 8 am and 8 pm Eastern (excluding United States Federal or Smarsh-
observed Holidays). If Client purchases a premium support package, standard phone support hours may be expanded.
Off-hours phone support is available 24 hours per day, 365 days per year for Severity Level 1 issues. Smarsh may limit
the right to submit support requests to a maximum of 10 Users, unless specified otherwise in the Agreement.
Severity
1: Issue impacts multiple users: SaaS Service is completely shut down, or major functionality is
unavailable or materially impacted by performance issues, and no workaround is available.
2: Issue impacts multiple users: important features are unavailable or degraded, or multiple users
are degraded, and no workaround is available.
Or
The issue impacts a single user, major functionality is unavailable or materially impacted by
performance issues, and no workaround is available.
3: Issue impacts multiple or single users: important features are unavailable, but a workaround is
available,
Or
intermittent disruption of Services.
4: A minor feature is unavailable,
Or
there is a minor performance impact.
Initial Response
After Client creates a case, Smarsh will use commercially reasonable efforts to respond to Client within the
target response time indicated below for the corresponding severity level and support package. For all
packages, Smarsh will respond to routine service requests (e.g. requests for information, password resets,
reports of potential defects, feature requests, and troubleshooting guidance) within one business day.
* For Pro Plus and Pro Elite - during US Business Hours, except for Severity 1.
Resolution Process
Smarsh will address and resolve issues with the Services reported by Client that are within the control of
Smarsh based on the resolution process indicated below for the corresponding severity level. If Client
purchases a premium support package, Smarsh will provide notification of a target resolution or workaround
plan, updates, and escalation based on the process for the corresponding severity level specified below, unless
specified otherwise in the Agreement.
Severity 1: Smarsh will investigate the issue and will work continuously until the error is fixed or a temporary workaround is implemented.
  Notification of Resolution Target: Within 4 hours after initial response
  Updates: Every hour
  Escalation to Management: If the issue is not resolved within 8 hours after initial response
Severity 2: Smarsh will investigate the issue and will work continuously until the error is fixed or a temporary workaround is implemented.
  Notification of Resolution Target: Within 48 hours after initial response
  Updates: Every 4 hours
  Escalation to Management: If the issue is not resolved within 3 business days after initial response
Severity 3: Smarsh will work during normal business hours to investigate the issue and implement a fix or workaround.
  Notification of Resolution Target: Within 4 days after initial response
  Updates: Every day
  Escalation to Management: If the issue is not resolved within 5 business days after initial response
Severity 4: Smarsh will work to provide a fix in the next maintenance release.
  Notification of Resolution Target: Within 7 days after initial response
  Updates: As agreed by the parties.
  Escalation to Management: As agreed by the parties.
Escalation Process
Client may escalate an active support case if (i) Client is not satisfied with the resolution method implemented
by Smarsh, (ii) there has been a significant change in the business impact to Client after the issue was
reported, or (iii) Smarsh fails to respond in a timely manner during the resolution process. Instructions for
initiating the escalation process are available at Smarsh Central.
4. Service Levels
This section applies only to those SaaS Services set forth specifically herein. It does not apply to products
that are deployed on-premises.
i. Definitions
"Availability" means that Client can access the platform and is measured using the formula in section 2.2
below.
"Downtime" means service interruptions that occur outside applicable maintenance windows specified in
section 2.4 below, including Planned Maintenance, Emergency Maintenance, and Outages.
"Emergency Maintenance" means maintenance required to: (i) maintain Availability on a go-forward basis, or
(ii) execute a critical security change.
"Outages" means unplanned service interruptions that temporarily prevent access to major functions of the
applicable platform.
"Planned Maintenance" means: (i) maintenance that occurs during applicable maintenance windows
specified in section 2.4 below, or (ii) maintenance that occurs outside applicable maintenance windows for
which Smarsh has provided advance notice in accordance with section 2.4 below.
ii. Uptime Commitment
The Availability for the production instance of those SaaS Services set forth below during each calendar month
(the "Uptime Commitment") is as specified below. The Uptime Commitments specified below do not apply to
user acceptance testing environments or other non-production environments.
Availability is measured using the following industry-standard formula:
Availability (less Planned Maintenance) = ((Total Minutes in a Month (30 days) - Total Downtime in the Month) / Total Minutes in a Month (30 days)) * 100
5. Service Credits
If Smarsh does not meet its Uptime Commitment in any calendar month, Smarsh will issue Client a credit for
a portion of Client's platform Fees for the affected Service in accordance with the table below. Client must
request credits within thirty (30) days from the end of the month in which Smarsh did not meet its Uptime
Commitment. Smarsh will use its diagnostic monitoring tools to verify its failure to meet its Uptime
Commitment before Smarsh issues a credit. Smarsh will apply applicable credits to Client's next invoice.
6. Maintenance Windows
Smarsh provides maintenance notifications and reminders, and Client may subscribe to such notifications
and reminders, through the Status Page at [URL illegible].
Professional Archive. To the extent reasonably possible, Smarsh will refrain from performing maintenance
that causes interference with or disruption to Client's access to Professional Archive. Smarsh will perform
planned maintenance during the maintenance windows specified below. To the extent feasible, Smarsh will
provide 48 hours' advance notice of any maintenance it will perform outside its maintenance windows and
that may cause interference with or disruption to Client's access to Professional Archive.
Professional Archive maintenance windows:
• Mon-Thurs: 12:00 AM-5:00 AM and 9:00 PM-11:59 PM Eastern
• Fri: 12:00 AM-5:00 AM and 6:00 PM-11:59 PM Eastern
• Weekends: anytime
Capture Platform and Capture Mobile. To the extent reasonably possible, Smarsh will refrain from
performing maintenance that causes interference with or disruption to Client's access to Cloud Capture
during normal business hours for the region in which Client's Cloud Capture instance is deployed. Smarsh will
perform planned maintenance during the maintenance windows specified below. To the extent feasible,
Smarsh will provide at least three (3) days' advance notice of any maintenance it will perform outside its
maintenance windows and that may cause interference with or disruption to Client's access to Cloud Capture.
Smarsh may perform Emergency Maintenance without providing advance notice to Client.
Maintenance windows:
• Mon-Fri: 12 AM - 5 AM and 8 PM - 11:59 PM
• Weekends: any time
The times specified above are local to the region in which Client's Cloud Capture instance is deployed.
Purchase Order Information
Client to Complete:
Is a Purchase Order (PO) required for the purchase of the Services on this Order Form?
( ) No
( ) Yes — Please complete below
PO Number:
PO Amount:
Upon signature by Client and submission to Smarsh, this Order Form shall become legally binding unless Smarsh rejects this Order Form
for any of the following reasons: (i) changes have been made to this Order Form (other than completion of the purchase order
information and the signature block); or (ii) the requested purchase order information or signature is incomplete; or (iii) the signatory
does not have authority to bind Client to this Order Form.
Client authorized
By:
Date
ATTEST:
Tracy Weaver, City Clerk
APPROVED AS TO FORM:
Mark D Hensley, City Attorney
Joaquin V laquez, Assistant City Attorney
Risk Management
Jose Calderon