Platform Subscription Agreement

Last Revised: April 14, 2023

This Graphite Connect Platform Subscription Agreement (this “Agreement”) describes the terms and conditions on which Graphite Systems Inc. (“Graphite”), offers you, in your individual capacity, or your organization if you
are accessing and using the Services on behalf of your organization (as applicable, “Customer”), access to the Services. If you are accessing and using the Services on behalf of your organization, you represent and warrant
that you have the authority to bind your organization to this Agreement. THIS AGREEMENT IS A LEGAL AGREEMENT BETWEEN CUSTOMER AND GRAPHITE. BY SIGNING A SERVICE ORDER INCORPORATING THIS
AGREEMENT, OR BY ACCESSING OR USING THE SERVICES OR ANY PORTION THEREOF, YOU ARE INDICATING THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO THIS
AGREEMENT, DO NOT SIGN A SERVICE ORDER OR ACCESS OR USE THE SERVICES. This Agreement is hereby incorporated into, and hereby amends, each Service Order(s) between Customer and Graphite. This Agreement is
effective as of the date of the parties’ execution of a Service Order incorporating this Agreement or the first date on which Customer accesses or uses the Services, whichever is earlier (the “Effective Date”).

Customer wishes to subscribe to Graphite’s graphite ® Connect vendor onboarding platform as a service and related solutions. Graphite is willing to provide such services, all on the terms and conditions contained in this
Agreement and set forth below. Therefore, for good and valuable consideration, the receipt and sufficiency of which they each acknowledge, Graphite and Customer agree to be bound by such terms and conditions.

1. Definitions and Construction
   
   
   1.1. Definitions. For the purposes of this Agreement, the following initially capitalized words have the following meanings:
   
   
   “Acceptable Use Policy” or “AUP” means the Graphite Acceptable Use Policy set forth at https://www.graphiteconnect.com/acceptable-use-policy/.
   
   “Administrative User” means any individual who is an employee or independent contractor of Customer or its Affiliates, who is authorized by Customer to use the administrative features of the Graphite Platform.
   
   “Affiliate” means any person, partnership, joint venture, corporation or other form of venture or enterprise, domestic or foreign, including subsidiaries, which directly or indirectly Control, are Controlled by, or are under common Control with a party.
   
   “Control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and operating policies of the entity in respect of which the determination is being made, through the ownership of more than fifty percent (50%) of its voting or equity securities, contract, voting trust or otherwise.
   
   “Confidential Information” has the meaning ascribed to it in Section 6.
   
   “Customer Data” means any data that Customer or its Users input into the Graphite Platform for Processing as part of the Services, including any Personal Data forming part of such data.
   
   “Data Breach” means the breach of security leading to the unauthorized destruction, loss, alteration, disclosure of or access to Customer Data Processed in connection with the Services.
   
   “Data Protection Law” means any local, state or national law regarding the processing of Personal Data applicable to Graphite in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law.
   
   “Documentation” means the software user and administrator manuals regarding use of the Graphite Platform, including additional, updated or revised documentation at https://graphite.zendesk.com/hc/en-us.
   
   “End User” means any individual who has been authorized by Customer to use the end user features and functionality of the Graphite Platform.
   
   “Free Trial” means use of the Subscription Services for trial purposes pursuant to a Service Order that specifies that Customer’s use is for a Free Trial.
   
   “Graphite Platform” means the Graphite proprietary graphite ® Connect computer software applications, tools, application programming interfaces (APIs), and connectors provided by Graphite vendor onboarding platform, together with the programs, networks and equipment that Graphite uses to make such platform available to its customers.
   
   “Intellectual Property Rights” means all trade secrets, patents and patent applications, trademarks (whether registered or unregistered and including any goodwill acquired in such trademarks), service marks, trade names, copyrights, moral rights, database rights, design rights, rights in know-how, rights in Confidential Information, rights in inventions (whether patentable or not) and all other intellectual property and proprietary rights (whether registered or unregistered, any application for the foregoing, and all rights to enforce the foregoing), and all other equivalent or similar rights which may subsist anywhere in the world.
   
   “Personal Data” means any information deemed “personal data” or “personal information” (or analogous variations of such terms) under applicable Data Protection Laws, including any information relating to an identified or identifiable natural person.
   
   “Process” or “Processing” means any operation or set of operations which is performed on Customer Data or on sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
   
   “Professional Services” means the professional services (typically non-recurring consulting and advice concerning API integration or similar engineering services) to be performed by Graphite that are specified in the applicable Service Order. Professional Services are not required for use of the Subscription Services. Additional terms may apply to Professional Services.
   
   “Renewal Term” has the meaning ascribed to it in Section 8.
   
   “Service Order” means any mutually agreed, written Service Order, executed on behalf of Graphite and Customer, describing the Subscription Services, Support, Professional Services (if applicable), fees, and any special terms for using the Services that Customer has ordered.
   
   “Services” means the Subscription Services and the Professional Services.
   
   “Subscription Services” means the Graphite Platform service offerings to which Customer subscribes, together with the Support, each as specified in the applicable Service Order, and the Documentation.
   
   “Subscription Start Date” means, with respect to each Service Order, the later to occur of the “Subscription Start Date” specified in the Service Order, or the date on which the last of Graphite and Customer executes the Service Order. For Renewal Terms, the Subscription Start Date will be the day immediately following the date on which the preceding term expired, unless otherwise specified in the Service Order.
   
   “Subscription Term” has the meaning ascribed to it in Section 8.3.
   
   “Support” means the Graphite support and maintenance services program as set forth in the Graphite Connect Technical Support, Maintenance, and Service Level Policy published at https://www.graphiteconnect.com/legal/service-level-agreement/ or a successor URL as designated by Graphite from time to time.
   
   “User” means any Administrative User or End User.
   
   
   
   1.2. Construction. This Agreement applies to the provision of all Services. The parties will enter into one or more Service Orders that contain additional terms and conditions applicable to the provision of certain Services. Upon execution by the parties, each Service Order will be incorporated into this Agreement.



2. Provision and Use of Services; Operational Issues
   
   
   2.1. Provision of Subscription Services. During the Subscription Term, Customer may access and use the Graphite Platform in accordance with this Agreement. Graphite will make the Graphite Platform available to Customer, and provide the Support. Graphite’s service levels with respect to the Graphite Platform and Support are included in the Support description published at https://www.graphiteconnect.com/legal/service-level-agreement/ or a successor URL as may be designated by Graphite from time to time. Graphite’s service levels do not apply to any Free Trial.
   
   2.2. Customer’s Account. Customer will designate one or more of its employees to be the point of contact with Graphite for the management and support of the Subscription Services, and who will be responsible for establishing and managing Customer’s use of the Subscription Services (“Account”), including the creation of credentials to access Customer’s Account. Customer is solely responsible for maintaining the status of its User base. Customer will safeguard all Administrative User authentication credentials in its possession or under its control. Customer is responsible for all activities that occur under the Account (except to the extent resulting from any breach or non-conformance by Graphite of its obligations under this Agreement).
   
   2.3. Customer’s General Responsibilities. Customer and its Users are solely responsible for obtaining and maintaining their Internet access to the Subscription Services. Customer is solely responsible for the accuracy, quality and integrity of the Customer Data that Customer or its Users input into the Graphite Platform. Customer must comply, and will ensure that its Administrative Users comply, with the AUP, as may be updated by Graphite from time to time in its discretion.
   
   2.4. Backup. Graphite will perform backups of Customer Data stored on the Graphite Platform on a real-time back-up basis with 4 hour ‘snapshots’. Graphite maintains failover in the event of a hosting provider failure.
   
   2.5. Technology Improvement. Graphite may modify the Services as it determines necessary to reflect changes in technology and information security practices. Graphite will notify Customer in advance of any modifications that are likely to degrade the Subscription Services (“Degradation”). If Graphite proposes to introduce any Degradation into the Graphite Platform, then Graphite will provide Customer at least six months’ notice prior to Graphite’s implementation of the Degradation, except in cases of emergency, such as critical vulnerability remediation, in which case Graphite will provide as much prior notice as is reasonable in the circumstances. If a modification (including a Degradation) made by Graphite materially reduces the features or functionality of the Subscription Services then, unless Graphite has provided a substantially equivalent replacement, Customer may, at any time within the 30 day period following Graphite’s implementation of the modification, terminate any affected Service Order by delivery of written notice to Graphite to that effect. Within 30 days of such termination, Graphite will refund to Customer a pro-rata amount of any affected Subscription Services fees prepaid to Graphite and applicable to the unutilized portion of the Subscription Term for terminated Subscription Services, and any affected unutilized Professional Services fees prepaid to Graphite.



3. License Grants and Proprietary Rights
   
   
   3.1. License by Graphite. Subject to the terms and conditions of this Agreement, Graphite hereby grants to Customer a non-exclusive, non-transferable (except in accordance with Section 12.12 – Assignment), royalty-free, worldwide license, without right to sub-license, for the Subscription Term, to (a) access and use, and to permit its Users to access and use, the Graphite Platform, in accordance with the Documentation, subject to the license scope in the applicable Service Order, and (b) reproduce, modify, and distribute and display the Documentation, in each case solely for Customer’s operations in its ordinary course of business. Graphite reserves all other rights not expressly granted in this Agreement.
   
   3.2. License by Customer. Customer hereby grants to Graphite a non-exclusive, non-transferable (except in accordance with Section 12.12 – Assignment), royalty-free license, without right to sub-license (except to its sub- processors, as required for the provision of the Subscription Services), to use the Customer Data, solely as necessary to perform the Services and as otherwise may be agreed in writing by Customer. Customer reserves all other rights not expressly granted in this Agreement.
   
   3.3. Ownership of Intellectual Property Rights.
   
   
   3.3.1. Ownership and Use of Customer Data. Customer retains all of its rights, title and interest and Intellectual Property Rights in and to the Customer Data and Customer Confidential Information. No ownership interest in the Customer Data or Customer Confidential Information is transferred or conveyed to Graphite by virtue of this Agreement. Graphite will use Customer Data and Customer Confidential Information only for purposes of providing the Services, unless otherwise authorized in writing by Customer.
   
   3.3.2. Graphite’s Intellectual Property and Ownership Rights. As between Customer and Graphite, Graphite and Graphite’s licensors retain and own all right, title and interest and all Intellectual Property Rights in and to the Subscription Services, Graphite’s Confidential Information, and all enhancements or improvements to, or derivative works of any of the foregoing created or developed by or on behalf of Graphite (collectively, “Graphite Intellectual Property”). Nothing in this Agreement transfers or conveys to Customer any ownership interest in or to the Graphite Intellectual Property.
   
   
   3.4. Restrictions. Customer will not: (i) except to the extent, if any, permitted by applicable law or required by Graphite’s licensors, reverse assemble, reverse engineer, decompile, or otherwise attempt to derive source code from any of the Graphite Platform; (ii) reproduce, modify, or prepare derivative works of the Graphite Platform; or (iii) share, rent, or lease the Subscription Services, or use the Subscription Services to operate any timesharing, service bureau or similar business or to provide the Graphite Platform as a standalone offering.



4. Compensation
   
   
   4.1. Subscription Plans. Customer’s subscription plan for the Subscription Services is specified in the applicable Service Order. Customer may not reduce Customer’s commitment under the subscription plan specified in the Service Order during the Subscription Term. Customer is not entitled to any refund of fees paid or relief from fees due if the volume of Subscription Services Customer actually uses is less than the volume Customer ordered, and Customer may not carry over any of the unused volume to Customer’s next Subscription Term.
   
   4.2. Payment of Services Fees. Customer will pay Graphite the fees for the Services as specified in the applicable Service Order. Graphite invoices in advance for use of the Services. Unless specified otherwise in the applicable Service Order, Customer will make all payments within thirty (30) days of receipt of Graphite’s invoice. Unless otherwise specified in the applicable Service Order, all Fees are stated and payable in US dollars.
   
   4.3. Sales Taxes, Etc. Customer will be responsible for any applicable sales, value-added, use and similar taxes, together with all customs and import duties, and similar levies and impositions (“Taxes”) payable with respect to its acquisition of Services, or otherwise arising out of or in connection with this Agreement, other than taxes based upon Graphite’s personal property ownership or net income. Unless expressly specified otherwise in any Service Order, all fees, rates, and estimates exclude Taxes. If Customer has tax-exempt status, Customer will provide written evidence of such status with its purchase orders or upon request by Graphite.
   
   4.4. Withholding. If Customer is located outside the U.S.A., and is required to withhold taxes imposed upon Graphite for any payment under this Agreement by virtue of the statutes, laws, codes, or governmental regulations of a country in which any Subscription Services are delivered or obtained, then such payments will be made by Customer on behalf of Graphite by deducting them from the payment then due Graphite and remitting such taxes to the proper authorities on a timely basis, and the payments provided for under this Agreement will be adjusted upwards appropriately so that Graphite actually receives the full amount of the fees set forth in the applicable Service Order. Customer will provide Graphite with official documentation or tax receipts on such withholdings supporting such taxes and such payments as may be required by Graphite for its tax records as soon as reasonably possible following payment to the applicable tax authority, and in any event no later than when required by applicable law.
   
   4.5. Value Added Taxes. All amounts payable under this Agreement are exclusive of any value added taxes or similar taxes (“VAT“) levied or assessed by any taxing authority. If Graphite is required to account to the relevant tax authority for VAT, Customer must pay to Graphite (in addition to and at the same time as paying any other consideration for the Services) an amount equal to the amount of VAT, subject to Graphite providing a valid VAT invoice to Customer. Where VAT is required to be withheld by Customer on payments made to Graphite, the amount payable to Graphite shall be grossed up so that Graphite receives the same amount as if such VAT withholding had not applied. Where Customer is required to reimburse any expenses of Graphite, such reimbursement shall be treated for VAT purposes as part of the consideration payable for the Services by Graphite and shall not include any amount of VAT invoiced to Graphite unless the Graphite notifies Customer that it is not entitled to credit or repayment of that invoiced VAT from the relevant tax authority. In relation to any Services provided by Graphite to Customer under this Agreement, if reasonably requested by Graphite, Customer must promptly provide Graphite with details of the Customer’s VAT registration and such other information as is reasonably requested in connection with such Graphite’s VAT reporting requirements in relation to such Services. It is Graphite’s understanding that, in line with the nature of the Services, Customer will be using the Services only for enterprise (business) purposes. Should any tax authority provide notification to that VAT was applied by Graphite in error, then: (a) Graphite shall without unreasonable delay provide Customer with a valid credit note; and (b) if the VAT applied in error was paid by Customer, Graphite shall, without unreasonable delay, repay to Customer any such VAT after obtaining a VAT credit or otherwise receiving a refund of such VAT from the tax authority for the VAT that was charged in error, subject to the reasonable cooperation of Customer in ensuring that, where reasonably possible, Graphite will be able to apply for the refund. If VAT, GST, and other applicable indirect taxes were not charged but subsequently it is found that they should have been charged or such taxes are assessed and agreed with the relevant tax authority as being due on the consideration, the relevant taxes due will be paid upon presentation of a valid invoice and under the conditions that Customer has been notified of the assessment within a reasonable time. Any penalties or late payment interest related to the incorrect application of the VAT, GST, or other applicable indirect tax legislation shall be due by the party who is liable for the tax under the applicable law.



5. Warranties
   
   
   5.1. Warranties. Graphite warrants to Customer that:
   
   
   5.1.1. Performance Warranty. During the Subscription Term, the Graphite Platform, in the form provided by Graphite, will conform in all material respects to its applicable specifications set forth in the Documentation.
   
   5.1.2. Viruses. Graphite will use commercially reasonable efforts, using applicable current industry practices, to ensure that the Graphite Platform, in the form provided by Graphite to Customer under this Agreement, contains no computer virus, Trojan horse, worm or other similar malicious code.
   
   5.1.3. Support. Graphite will provide the Support in a good, professional and workmanlike manner, consistent with applicable industry standards.
   
   5.1.4. Infringement. Graphite’s provision to Customer of the Subscription Services does not infringe any third party patent, copyright, trademark or service mark, or result from misappropriation by Graphite of any third party’s trade secrets (collectively, an “Graphite Infringement”).
   
   5.1.5. Compliance with Law. The Services, in the form provided or made available by Graphite, will comply with all laws applicable to Graphite and its provision of Services.
   
   
   5.2. Performance Remedy. If the Graphite Platform fails to conform to the warranty set forth in Section 5.1.1 and Customer provides written notice of the non-conformance to Graphite within the applicable Subscription Term then, as Customer’s exclusive remedy and Graphite’s sole obligation: Graphite will either repair or, at its option, replace the non-conforming Graphite Platform or, if Graphite is unable to correct the non-conformance within 30 days of receipt of such written notice from Customer, Customer may terminate the applicable Subscription Services, and Graphite will refund to Customer a pro-rata amount of any Subscription Services fees prepaid to Graphite and applicable to the unutilized portion of the Subscription Term for the terminated Subscription Services.
   
   5.3. Infringement Remedy. Customer’s sole and exclusive remedy for any non-conformance with the warranty in Section 5.1.4 above will be Customer’s defense and indemnification rights under Section 9.1 below, and Customer’s termination rights under Section 8.2 below.
   
   5.4. Scope. Without limiting the express warranties in this Section 5, Graphite does not warrant that the Graphite Platform or Services are completely free from all bugs, errors, or omissions, or will ensure complete security. The warranties in Sections 5.1.1 and 5.1.3 do not apply to any Free Trial. The warranties in this Agreement are for the sole benefit of Customer, and may not be extended to any other person or entity.
   
   5.5. Disclaimer Of Implied Warranties. Neither party makes any representation or warranty in connection with the Services, except as expressly warranted in this Agreement. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS SPECIFICALLY WARRANTED IN THIS SECTION 5, EACH PARTY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY OF NON-INFRINGEMENT OR IMPLIED OBLIGATION TO INDEMNIFY FOR INFRINGEMENT, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, AND ANY STATUTORY REMEDY.



6. Confidential Information
   
   
   6.1. Restrictions on use and Disclosure. Neither Graphite nor Customer will disclose to any third party any information provided by the other party pursuant to or in connection with this Agreement that the disclosing party identifies as being proprietary or confidential or that, by the nature of the circumstances surrounding the disclosure, ought in good faith to be treated as proprietary or confidential (such information, “Confidential Information”), and will make no use of such Confidential Information, except under and in accordance with this Agreement. The receiving party will take reasonable precautions (using no less than a reasonable standard of care) to protect the disclosing party’s Confidential Information from unauthorized access or use. Each party may disclose Confidential Information to its Affiliates and service providers, and its Affiliates and service providers may use such information, in each case solely for purposes of this Agreement. Each party will be liable for any breach of its obligations under this Section 6 that is caused by an act, error or omission of any such Affiliate or service provider. The receiving party will promptly notify the disclosing party in writing if the receiving party becomes aware of any breach of this Agreement with respect to the Confidential Information of the disclosing party in the receiving party’s possession and will cooperate with the disclosing party in every reasonable way to help the disclosing party regain possession of the Confidential Information and prevent its further unauthorized use or disclosure. Confidential Information includes information disclosed by the disclosing party with permission from a third party, and combinations of or with publicly known information where the nature of the combination is not publicly known. Graphite’s Confidential Information includes information regarding Graphite Platform, Graphite’s processes, methods, techniques and know-how relating to identity management, user authentication or user authorization, Documentation, road-maps, pricing, marketing and business plans, financial information, information security information, Graphite’s Security Standards (defined in Section 7.2 below) certifications, and Personal Data of Graphite personnel. Customer’s Confidential Information includes its proprietary workflows and processes, systems architecture, marketing and business plans, financial information, information security information, information pertaining to Customer’s other suppliers, and Personal Data of Customer’s personnel. This Section 6 does not apply to Graphite’s obligations regarding use and protection of Customer Data; those obligations are specified in Section 7 (Data Protection).
   
   6.2. Exclusions. Except with respect to Personal Data, Confidential Information does not include information that the receiving party can establish: (i) has entered the public domain without the receiving party’s breach of any obligation owed to the disclosing party; (ii) has been rightfully received by the receiving party from a third party without confidentiality restrictions; (iii) is known to the receiving party without any restriction as to use or disclosure prior to first receipt by the receiving party from the disclosing party; or (iv) has been independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information. 6.3. Disclosure Required By Law. If any applicable law, regulation or judicial or administrative order requires the receiving party to disclose any of the disclosing party’s Confidential Information (a “Disclosure Order”) then, unless otherwise required by the Disclosure Order, the receiving party will promptly notify the disclosing party in writing prior to making any such disclosure, in order to facilitate the disclosing party’s efforts to protect its Confidential Information. Following such notification, the receiving party will cooperate with the disclosing party, at the disclosing party’s reasonable expense, in seeking and obtaining protection for the disclosing party’s Confidential Information. The receiving party will disclose only that portion of the Confidential Information that is legally required.
   
   6.4. Independent Development. The terms of confidentiality under this Agreement will not limit either party’s right to independently develop or acquire products, software or services without use of or reference to the other party’s Confidential Information.



7. Data Protection
   
   Graphite will Process all Personal Data in accordance with the Data Processing Addendum set forth at https://www.graphiteconnect.com/legal/data-processing-addendum/ (“DPA”) as may be updated by Graphite from time to time if required by applicable law, which is hereby incorporated by reference, and the parties agree to comply with the terms of such DPA. For purposes of the Standard Contractual Clauses (as defined in the DPA), which form part of the DPA, when and as applicable, Customer and its Affiliates are each the data exporter, and Customer’s signing of or entering into this Agreement, and an applicable Affiliate’s signing of or entering into a Service Order, shall be treated as signing of the Standard Contractual Clauses and their appendices.
   
   
   7.1. Regulatory Issues.
   
   
   7.1.1. Personal Data – Compliance with Applicable Law. Customer may select the Personal Data it elects to input into and Process using the Graphite Platform in its sole discretion; Graphite has no control over the nature, scope, or origin of, or the means by which Customer acquires, Personal Data Processed by the Subscription Services. Subject to the Customer Legal Basis Assurance (defined in Section 7.1.4 below), Graphite will comply, and will ensure that its personnel comply, with the requirements of state, provincial, regional, federal and national privacy laws and regulations governing Customer Personal Data Processed by Graphite in connection with Graphite’s provision of Services. Customer is solely responsible for ensuring that it complies with any legal, regulatory or similar obligations or restrictions applicable to the types of data Customer elects to Process with the Graphite Platform.
   
   7.1.2. ePHI. If Customer is subject to US healthcare data protection laws (e.g., HIPAA), Customer may not use the Graphite Platform to Process “electronic Protected Health Information”.
   
   7.1.3. Data Consents. Customer is solely responsible for providing its end users with appropriate notice. Where required by applicable Data Protection Law, Customer is solely responsible for obtaining, and represents and covenants that it has obtained or will obtain prior to Processing by Graphite, all necessary consents, licenses or approvals for the Processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of, any Personal Data provided by Customer or its Users as part of the Services (the “Customer Legal Basis Assurance”).
   
   7.1.4. Regulator Inquiries and Court Orders. If any regulator, or any subpoena, warrant or other court or administrative order, requires Graphite to disclose or provide Customer Data to a regulator or to any third party, or to respond to inquiries concerning the Processing of Customer Data, Graphite will promptly notify Customer, unless prohibited by applicable law. Following such notification, Graphite will reasonably cooperate with Customer in its response, except to the extent otherwise required by applicable law.
   
   
   7.2. Information Security. Graphite will implement and maintain commercially reasonable technical and organizational security measures designed to meet the following objectives: (i) ensure the security, confidentiality, integrity, and availability of Customer Data Processed by Graphite in connection with the Services; (ii) protect against any anticipated threats or hazards to the security or integrity of such Customer Data; (iii) protect against unauthorized access to, disclosure, loss, or use of such Customer Data; and (iv) ensure that Graphite’s return or disposal of such Customer Data is performed in a manner consistent with Graphite’s obligations under items (i)-(iii) above, including those set forth in Exhibit A to this Agreement. Customer is solely responsible for consequences of Customer’s decision not to adopt updates or best practices that Graphite makes available to Customer. Graphite will undergo an annual independent security audit to verify the adequacy of its information security measures applicable to the Services (such as SOC-2, ISO 27001) (collectively, “Security Assessment”). Upon Customer’s written request and no more than once per calendar year, Graphite will provide Customer with the opportunity to review the Security Assessment report applicable to Graphite’s provision of Subscription Services.
   
   7.3. Data Export, Retention, Deletion and Return. Customer may export Customer Data from the Graphite Platform at any time during the Subscription Term, using the Graphite Platform’s then existing features and functionality, at no additional charge. Customer is solely responsible for its data retention obligations with respect to Customer Data. Graphite will delete all Customer Data within 30 days of termination or expiration of the Subscription Term, and other Customer Data retained by Graphite (if any). Graphite is not obligated to delete copies of Customer Data retained in automated backup copies generated by Graphite, which Graphite will retain for up to 14 months from their creation. Such backup copies will remain subject to this Agreement until the copy, or the Customer Data in the copy, is destroyed. Graphite’s obligations to return Customer Data upon termination of a Subscription Term may be fulfilled by permitting Customer to export Customer Data as specified above.
   
   7.4. Breach Notification. Graphite will notify Customer without undue delay upon Graphite’s becoming aware of any breach of security leading to the unauthorized destruction, loss, alteration, disclosure of or access to Customer Data in Graphite’s possession or control. Graphite will notify Customer of a Personal Data Breach relating Customer Personal Data (each as defined in the DPA) and undertake its obligations under applicable Data Protection Law (also as defined in the DPA) in accordance with its obligations further described in Section 10 of the DPA.



8. Term; Termination of Service Orders
   
   
   8.1. General. This Agreement will commence on the Effective Date and will continue in effect until terminated in accordance with Section 8.2 below.
   
   8.2. Termination On Breach. In the event of a material breach of the Agreement by either party, the non- breaching party may terminate the Agreement or any Service Order affected by the breach by giving the breaching party written notice of the breach and the non-breaching party’s intention to terminate. If the breach has not been cured within the period ending 30 days after such notice, and if the non-breaching party provides written notice of termination to the breaching party (“Termination Notice”), then this Agreement or any such Service Order will terminate within the time period specified in the Termination Notice. Notwithstanding the foregoing, Customer’s failure to pay any overdue fees and expenses within 30 days of Graphite notifying Customer of the overdue payment will constitute a material breach of this Agreement. If Customer terminates this Agreement or any Service Order for breach in accordance with this Section 8.2, then Graphite will refund to Customer a pro-rata amount of any affected Subscription Services fees prepaid to Graphite and applicable to the unutilized portion of the Subscription Term for terminated Subscription Services, and any affected unutilized Professional Services fees prepaid to Graphite.
   
   8.3. Subscription Term and Renewal. Each subscription term for Subscription Services will commence on the Subscription Start Date, and will continue for the period specified in the Service Order or, if not so specified, one year (an “Initial Term”). Upon expiration of the Initial Term the parties may renew the Subscription Services term for successive periods of at least one year each (each, a “Renewal Term”) at such rates as may be mutually agreed in writing between them (Initial Term and Renewal Term collectively, the “Subscription Term”).
   
   8.4. Fulfillment of Obligations on Termination. Except as otherwise specified in this Agreement, termination of the Agreement or of any Services will not entitle Customer to any refund of or relief from payment of any Services fees paid or payable under this Agreement.
   
   8.5. Post Termination Obligations. Following any termination of the Agreement or any Service Order, each party will, within 30 days of such termination, (i) immediately cease use of any Confidential Information of the other communicated for the purposes of this Agreement or such Service Order, and (ii) return or destroy (and certify destruction of) all copies of any Confidential Information of the other party disclosed under the Agreement or such Service Order within 30 days of such termination, subject to each party’s customary backup and archival processes.
   
   8.6. Suspension – Critical Threats. If Graphite, acting reasonably in the circumstances then known to Graphite, determines that Customer’s or any of its Users’ use of the Subscription Services poses an imminent threat to (i) the security or integrity of any Customer Data or the data of any other Graphite customer, or (ii) the availability of the Graphite Platform to Customer or any other Graphite customer (collectively, a “Critical Threat”), then Graphite will immediately attempt to contact Customer to resolve the Critical Threat. If Graphite is unable to immediately contact Customer, or if Graphite contacts Customer but Customer is unable to immediately remediate the Critical Threat, then Graphite may suspend Customer’s and its Users’ use of the Graphite Platform until the Critical Threat is resolved and Graphite is able to restore the Subscription Services for Customer.
   
   8.7. Survival. The provisions of Sections 1, 3.3-3.4, 4.3-4.4, 6, 7, 8.4-8.7 and 9-12 of this Agreement will survive any termination or expiration of this Agreement.



9. Indemnification
   
   
   9.1. Graphite’s Infringement Indemnification.
   
   
   9.1.1. Defense and Indemnity. If any third party makes any claim against Customer that alleges an Graphite Infringement (defined in Section 5.1.4) then, upon notification of such claim, Graphite will, at its sole cost and expense, defend Customer against such claim and any related proceeding brought by such third party against Customer, and indemnify Customer from and against all damages, fines and penalties finally awarded against Customer or agreed to be paid by Customer in a written settlement approved in writing by Graphite, and resulting from the Graphite Infringement. Graphite’s obligations under this Section 9.1.1 are subject to Customer’s compliance with the “Indemnification Conditions” (defined below).
   
   “Indemnification Conditions” means the following conditions with which a party must comply in order to be entitled to defense or indemnification under the Agreement by the other party: (i) the indemnified party notifies the indemnifying party in writing of any claim that might be the subject of indemnification promptly after any executive officer of the indemnified party or member of the indemnified party’s legal department first knows of the claim, provided, however, that no failure to so notify an indemnifying party will relieve the indemnifying party of its obligations under this Agreement except to the extent that such failure materially prejudices defense of the claim, and except to the extent of damages incurred by the indemnifying party as a result of the delay; (ii) the indemnifying party is given primary control over the defense and settlement of the claim (subject to the foregoing, the indemnified party may nonetheless participate in the defense at its sole cost and expense); (iii) the indemnified party makes no admission of liability (except as required by applicable law) nor enters into any settlement without the indemnifying party’s prior written agreement (not to be unreasonably withheld); (iv) the indemnified party provides such assistance in defense of the proceeding as the indemnifying party may reasonably request, at the indemnifying party’s reasonable expense; and (v) the indemnified party uses all commercially reasonable efforts to mitigate its losses.
   
   9.1.2. Graphite’s Mitigation Rights. If any Subscription Services become (or in Graphite’s opinion are likely to become) the subject of any infringement or misappropriation claim, Graphite may, and if Customer’s use of the Subscription Services is enjoined, Graphite must, at its sole expense, either: (i) procure for Customer the right to continue using the relevant Subscription Services; (ii) replace or modify the relevant Subscription Services in a functionally equivalent manner so that they no longer infringe; or (iii) terminate the applicable Service Order or Customer’s rights to use affected Subscription Services, and refund to Customer a pro-rata amount of any subscription fees prepaid to Graphite and applicable to the unutilized portion of the Subscription Term for the terminated Subscription Services.
   
   9.1.3. Exclusions. Notwithstanding the foregoing, Graphite will have no obligation with respect to any infringement or misappropriation claim to the extent based upon (i) any use of the Subscription Services not in accordance with their applicable license rights, (ii) the combination of the Subscription Services with other products, equipment, software, services or data not supplied by Graphite where the infringement would not have occurred but for such combination, or (iii) any Customer Data.
   
   
   9.2. Customer’s Consent Indemnification.
   
   
   9.2.1. Defense and Indemnity. If any third party makes any claim against Graphite that alleges a non- conformance with the Customer Legal Basis Assurance (defined in Section 7.1.3) then, upon notification of such claim, Customer will, at its sole cost and expense, defend Graphite against such claim and any related proceeding or investigation brought by such third party against Graphite, and Customer will indemnify Graphite from and against all damages, fines and penalties finally awarded against Graphite or agreed to be paid by Graphite in a written settlement approved in writing by Customer, and resulting from the non-conformance. Customer’s obligations under this Section 9.2.1 are subject to Graphite’s compliance with the Indemnification Conditions.
   
   9.2.2. Mitigation Rights. If Customer Data is, or in Customer’s reasonable opinion is likely to become, the subject of a claim of non-conformance with the Customer Legal Basis Assurance, then Customer will have the right to: (i) procure the rights necessary for Customer and Graphite to continue to Process the affected Customer Data; (ii) modify the Customer Data so that there is no longer a non-conformance; or (iii) delete or otherwise remove the non-conforming Customer Data from the Graphite Platform.
   
   9.2.3. Exclusions. Notwithstanding the foregoing, Customer will have no obligation under this Section 9.2 or otherwise with respect to any claim of non-conformance with the Customer Legal Basis Assurance to the extent based upon Graphite’s Processing of the affected Customer Data other than in accordance with this Agreement.



10. Limitations and Exclusions of Liability
    
    
    10.1. Exclusion of Certain Claims. SUBJECT TO SECTION 10.3, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR EXEMPLARY DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, ARISING OUT OF (i) THE PERFORMANCE OR NON-PERFORMANCE OF THIS AGREEMENT OR ANY RELATED AGREEMENT, OR ANY SOFTWARE, PRODUCTS OR SERVICES PROVIDED HEREUNDER, OR (ii) ANY CLAIM, CAUSE OF ACTION, BREACH OF CONTRACT OR ANY EXPRESS OR IMPLIED WARRANTY, UNDER THIS AGREEMENT, ANY RELATED AGREEMENT OR OTHERWISE, MISREPRESENTATION, NEGLIGENCE, STRICT LIABILITY, OR OTHER TORT.
    
    10.2. Limitation of Liability. Subject to Section 10.3, neither party’s maximum aggregate liability arising out of this Agreement or any related agreement will in any event exceed the fees paid to Graphite under the Service Order giving rise to the claim during the 12 month period immediately preceding the aggrieved party’s first assertion of any claim against the other, regardless of whether any action or claim is based in contract, misrepresentation, warranty, indemnity, negligence, strict liability or other tort or otherwise.
    
    10.3. Exceptions.
    
    
    10.3.1. Sections 10.1 and 10.2 do not apply to either party’s (a) indemnification obligations, (b) willful misconduct or gross negligence, (c) infringement or misappropriation of any of the other’s Intellectual Property Rights, or (d) liability or loss which may not be limited by applicable law.
    
    10.3.2. Section 10.2 does not apply to (i) Customer’s obligations to pay fees and expenses when due and payable under this Agreement, nor (iii) either party’s obligations under Section 6 (Confidential Information) or Section 7 (Data Protection), provided, however, that except to the extent of willful misconduct or gross negligence of Graphite, Graphite’s maximum aggregate liability under Section 7 will not exceed two times (2X) the fees paid by Customer to Graphite under the affected Service Order in the 12 month period immediately preceding Customer’s first assertion of its claim.
    
    
    10.4. Free Trial. With respect to any Free Trial, Graphite’s aggregate liability will in no event exceed one hundred US dollars, regardless of any theory of liability, and notwithstanding any provision of this Agreement to the contrary, including Sections 10.1-10.3.
    
    10.5. General. Each party agrees that these exclusions and limitations apply even if the remedies are insufficient to cover all of the losses or damages of such party, or fail of their essential purpose and that without these limitations the fees for the Services would be significantly higher. Neither party may commence any action or proceeding under this Agreement more than two years after the occurrence of the applicable cause of action.



11. Dispute Resolution
    
    
    11.1. Governing Law and Venue. This Agreement will be governed by and interpreted in accordance with the laws of the state of California. Any claims brought hereunder shall be brought in the state or federal courts located in San Francisco, California.
    
    11.2. Legal Expenses. If any proceeding is brought by either party to enforce or interpret any term or provision of this Agreement, the substantially prevailing party in such proceeding will be entitled to recover, in addition to all other relief arising out of this Agreement, its reasonable attorneys’ and other experts’ (including without limitation accountants) fees and expenses.



12. Miscellaneous Provisions
    
    
    12.1. Affiliates. This Agreement set forth the general terms and conditions under which Graphite will provide Services to Customer and its Affiliates. Service Orders may be entered into under this Agreement by either the entity designated above as “Customer” or any of Customer’s Affiliates. The entity that executes a Service Order in the position of services recipient will be considered the “Customer” for all purposes of the Service Order; and the Service Order will be considered a two party agreement between Graphite and such “Customer” under this Agreement.
    
    12.2. Publicity; References. Unless otherwise specified in the applicable Service Order, Graphite may refer to Customer as one of Graphite’s customers and use Customer’s logo as part of such reference, provided that Graphite complies with any trademark usage requirements notified to it by Customer. With Customer’s prior written approval, including if so specified in the applicable Service Order, (i) Graphite may either (a) issue a press release announcing the relationship between Graphite and Customer, or (b) submit a joint press release to Customer for Customer’s approval, such approval not to be unreasonably withheld or delayed; and (ii) Customer will be a reference account for Graphite, provided, however, that Graphite will provide Customer with reasonable notice and obtain Customer’s consent before scheduling any reference calls or site visits.
    
    12.3. Compliance With Laws – Export Control; Anti-Bribery; Modern Slavery. Each party will comply with all laws and regulations applicable to it, including U.S. export control laws. Neither party will have any liability to the other for any non-performance of their obligations under this Agreement to the extent that the non-performance is mandated by applicable law. Each party represents and warrants to the other that neither it nor its Affiliates, nor any of its or their users, officers or directors, are persons, entities or organizations is prohibited from dealing (including provision of software, products or services) by virtue of any applicable law, regulation, or executive order, including US export control laws, and names appearing on the U.S. Department of the Treasury’s Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons List. Each party will comply with the requirements of applicable anti-bribery and modern slavery laws, including: (i) the Foreign Corrupt Practices Act of 1977, the UK Bribery Act of 2010; and (ii) the UK Modern Slavery Act 2015, California Transparency in Supply Chains Act 2010 and any applicable anti-slavery laws.
    
    12.4. Equitable Relief. Each of Customer and Graphite acknowledges that damages will be an inadequate remedy if the other violates the terms of this Agreement pertaining to protection of a party’s Intellectual Property Rights, Confidential Information or Personal Data. Accordingly, each of them will have the right, in addition to any other rights each of them may have, to seek in any court of competent jurisdiction, temporary, preliminary and permanent injunctive relief to restrain any breach, threatened breach, or otherwise to specifically enforce any of the obligations in this Agreement.
    
    12.5. Business Continuity / Disaster Recovery. During any period in which Customer is subscribed to the Subscription Services, Graphite will comply with its then current applicable Business Continuity and Disaster Recovery Plans. Graphite will test such plans at least once a year. Graphite may not modify such plans to provide materially less protection to Customer without Customer’s prior written consent, which may not be unreasonably conditioned or withheld.
    
    12.6. Force Majeure. If the performance of this Agreement is adversely restricted or if either party is unable to conform to any warranty or obligation by reason of any Force Majeure Event then, except with respect to obligations to pay any fees or expenses and to obligations under Section 12.5 above (Business Continuity / Disaster Recovery), the party affected, upon giving prompt written notice to the other party, will be excused from such performance on a day-to-day basis to the extent of such restriction (and the other party will likewise be excused from performance of its obligations on a day-to-day basis to the extent such party’s obligations relate to the performance so restricted); provided, however, that the party so affected will use all commercially reasonable efforts to avoid or remove such causes of non-performance and both parties will proceed whenever such causes are removed or cease. “Force Majeure Event” means any failure or delay caused by or the result of causes beyond the reasonable control of a party or its service providers that could not have been avoided or corrected through the exercise of reasonable diligence, including natural catastrophe, internet access or related problems beyond the demarcation point of the party’s or its applicable infrastructure provider’s facilities, state-sponsored malware or state-sponsored cyber-attacks, terrorist actions, laws, orders, regulations, directions or actions of governmental authorities having jurisdiction over the subject matter hereof, or any civil or military authority, national emergency, insurrection, riot or war, or other similar occurrence. If a party fails to perform its obligations as a result of such restriction for a period of more than 30 days, then the other party may terminate the affected Services without liability.
    
    12.7. Fraudulent Activity; Aggregated Information Derived From Usage. Graphite may use Personal Data obtained from Users’ use of the Graphite Platform to detect security incidents and to protect against fraudulent or illegal activity. Graphite may create aggregated and de-identified data that is derived from Users’ use of the Subscription Services (“Aggregated Usage Data”). Graphite may use Aggregated Usage Data for Graphite’s internal and business operations, including to conduct aggregate analysis of the Subscription Services’ performance and use. Graphite may disclose the results of it analysis of Aggregated Usage Data to third parties as Graphite reasonably considers necessary, provided that such results do not contain any Personal Data of Customer’s Users, identify either Customer or any of its Users, or enable a third party to determine that either Customer or any of its Users were the source of such information. For the sake of clarity, neither Aggregated Usage Data nor the results of its analysis are Confidential Information of Customer.
    
    12.8. Captions and Headings. The captions and headings are inserted in this Agreement for convenience only, and will not be deemed to limit or describe the scope or intent of any provision of this Agreement.
    
    12.9. Severability; Invalidity. If any provision of this Agreement is held to be invalid, such invalidity will not render invalid the remainder of this Agreement or the remainder of which such invalid provision is a part. If any provision of this Agreement is so broad as to be held unenforceable, such provision will be interpreted to be only so broad as is enforceable.
    
    12.10. Waiver. No waiver of or with respect to any provision of this Agreement, nor consent by a party to the breach of or departure from any provision of this Agreement, will in any event be binding on or effective against such party unless it be in writing and signed by such party, and then such waiver will be effective only in the specific instance and for the purpose for which given.
    
    12.11. Third Party Beneficiaries. Except as expressly set forth in this Agreement, no provisions of this Agreement are intended nor will be interpreted to provide or create any third party beneficiary rights or any other rights of any kind in any other party. If the law governing this Agreement is English law, then a person who is not a party to this Agreement will not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement. Notwithstanding the foregoing, Graphite’s suppliers of products and services delivered hereunder will enjoy the same disclaimers of warranty, limitations on liability and similar exculpatory provisions with respect to such products and services as does Graphite.
    
    12.12. Assignment. Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other, which will not be unreasonably withheld, provided, however that, subject to any restrictions specified in any applicable Service Order, either party may assign all, but not some of its rights and obligations under this Agreement to any of its Affiliates, or to any entity into or with which it is merged, or that acquires all or substantially all of its assets, upon notice to the other party, but without requiring consent. Subject to the foregoing restriction on assignment, this Agreement will be binding upon, inure to the benefit of and be enforceable by the parties and their respective successors and assigns.
    
    12.13. Notices. Graphite will provide Customer with notices that affect Graphite’s customers generally (e.g., notices that relate to modifications or updates to, or the availability or interoperability of the Graphite Platform) via e-mail or the Graphite Platform dashboard or account center. Graphite will provide Customer with any legal notices by e-mail to the e-mail address Customer provided Graphite on the applicable Service Order, or during Customer’s registration for the Services, or to a substitute, updated e-mail address that Customer has provided to Graphite for these purposes. Customer is responsible for keeping its mailing and e-mail address current with Graphite. Except as otherwise specified in this Agreement, all notices to be given to Graphite under this Agreement must be in writing and sent by email to [email protected], or to a substitute, updated emailed address notified by Graphite, marked “Attention: Legal Department”. Notices sent electronically will be deemed received within 1 business day of dispatch.
    
    12.14. Governing Language. The governing language for this Agreement and its related transactions, for any notices or other documents transmitted or delivered under this Agreement, and for the negotiation and resolution of any dispute or other matter between the parties, will be the English language. If there is any conflict between the provisions of any notice or document and an English version of the notice or document (including this Agreement), the provisions of the English version will prevail. Customer waives any rights it may have under any law in any state or country to have the Agreement written in any language other than English. In transactions between the parties, a decimal point will be indicated by a period, and not by a comma.
    
    12.15. Entire Agreement. This Agreement together with any policies, addenda, or other terms referenced herein, constitutes and embodies the entire agreement and understanding between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous written, electronic or oral communications, representations, agreements or understandings between the parties with respect thereto. In the event of any conflict between the provisions of this Agreement and any Service Order, the provisions of this Agreement will prevail.
    
    12.16. Changes to Agreement. Graphite reserves the right to make changes to this Agreement from time to time. If Graphite makes material changes, Graphite will provide Customer with notice, such as by posting the updated version of this Agreement through the Services or sending Customer an email. Unless Graphite says otherwise in its notice, the amended Agreement will be effective immediately. Customer’s continued use of the Services after Graphite provides Customer notice indicates Customer’s acceptance of the changes. If Customer does not agree to the amended Agreement, Customer must stop using our Services.
    
    12.17. How to Contact Graphite. If Customer has a question about the Services or this Agreement, please contact Graphite via email at [email protected].