Master Subscription Agreement
This Master Subscription Agreement (the “Agreement”) governs Customer’s access and use of the AI security software as a platform and services (the "Services") of Onyx Security (“Onyx Security” or “Company”). Customer may use the Services subject to the terms below. If Customer registers for an evaluation of Company’s Services, the applicable provisions of this Agreement will also govern that evaluation.
If Customer has purchased the license granted hereunder from a reseller, distributor, or other channel partner authorized by Company (“Partner”), and any conflict exists between this Agreement and the agreement entered into between Customer and the Partner, including any purchase order thereunder (“Partner Order Form”), then, as between Customer and Company, this Agreement shall prevail. Any rights granted to Customer in such Partner Order Form which are not expressly contained in this Agreement shall apply only as between Customer and such Partner. In that case, Customer must seek redress, realization, or enforcement of such rights solely with such Partner and not Company.
Customer, or an individual acting on Customer’s behalf, represents that it has the authority to bind Customer (and affiliates as applicable) to these terms. Company and Customer are each a “Party” and collectively the “Parties”.
- Definitions. The following capitalized terms have the meanings set forth below:
- “Affiliate” with respect to any entity, means any other entity controlling, controlled by or under common control with such entity, where “control” means direct or indirect ownership or voting control of fifty percent (50%) or more of the equity or voting securities of the entity in question or having the power, by commitment or otherwise, to elect a majority of the Board of Directors (or similar governing body) of the entity in question.
- “Customer Data” means electronic data and content of Customer that originates, resides on, or is otherwise processed through Customer's systems and processed by Company in the provision of the Services, excluding Analytics Information (defined below).
- “Feature” means any module, tool, functionality, or feature of the Services.
- “Order Form” means a written or electronic order form, to/in which this Agreement is attached or incorporated, and which is agreed by the Parties. The Order Form shall include the commercial terms, including the Subscription Scope, agreed between the Parties.
- “Subscription Scope” means any Services usage and/or limitations set forth in the Order Form or Partner Order Form (if purchased via Partner).
- “Subscription Term” means either the Services subscription period specified in the Order Form or Partner Order Form, as the case may be.
- “Users” means an employee of Customer authorized to access and use the Services on behalf of Customer.
- Subscription.
- Access Right. Subject to the terms and conditions of this Agreement, Company hereby grants Customer a limited, worldwide, non-exclusive, non-sublicensable, non-assignable (except as otherwise allowed herein), non-transferable and revocable right to install (if relevant) and remotely access the Services during the Subscription Term (defined below) for Customer's internal business purposes (collectively, the “Subscription”). Unless otherwise indicated, the term “Services” also includes any manual or documentation provided or made available to Customer in connection with the operation of the Services (“Documentation”). Customer may use the Services subject to the Subscription Scope, other usage limitations or restrictions specified in this Agreement, and applicable laws and regulations.
Customer shall be solely responsible for providing all equipment, systems, assets, access, and ancillary goods and services needed to access and use the Services and for ensuring their compatibility with the Services.
- Additional Purchases. Purchases of access to additional Features and/or additional volume under the Subscription Scope (collectively, “Additional Purchases”) shall be documented by a mutually signed written addendum to the Order Form or by executing a new Order Form, in each case according to the pricing agreed between the Parties. If Customer makes any Additional Purchases during a Subscription Term, the Subscription Fees and the Services term therefor will be prorated to be coterminous with the Subscription Term.
- Account Setup. In order to access the Services, Customer is required to set up an administrative account with Company by submitting the information requested in the applicable Services interface (“Account”), and each User may need to set up a user account (each, a “User Account”, and references herein to the “Account” shall be deemed to include all such User Accounts if applicable). Customer warrants that all information submitted during the registration process is, and will thereafter remain, complete and accurate. Customer shall be responsible and liable for all activities that occur under or in the Account. Customer will require that all Users keep user ID and password information strictly confidential and not share such information with any unauthorized person. Customer shall be fully responsible and liable for any breach of this Agreement by a User. Customer must ensure that each User complies with the terms of this Agreement. Any unauthorized access to or use of the Services must be immediately reported to the Company.
- Hosting. The Services are hosted by a third-party hosting services provider selected by Company (“Hosting Provider”), and accordingly the availability of the Services shall be in accordance with the Hosting Provider's then-current uptime commitments.
- Integration. Customer may allow Company to automatically retrieve data from Customer’s or its third-party systems or services for Customer (“Integrations”). Customer hereby represents and warrants that Customer has the permission, authority, and rights for such Integrations and hereby grants Company permission for integrations where Customer links Customer’s or its third-party systems in its user account or through such tools as Company may provide. Company disclaims any liability associated with providing Integrations on Customer’s behalf. When Customer connects its systems, tools, or accounts for Integrations, Customer authorizes Company to: (i) store and use any data and use any materials Company needs to perform the integration and provide Customer the Services, (ii) gather any data reasonably necessary for Company to provide the Services to Customer; and (iii) otherwise take any action in connection with such service as is reasonably necessary for Company to provide the Services to Customer. Customer agrees that third-party service providers are entitled to rely on the foregoing authorization Customer has granted. Customer hereby agrees that if its rights and authority to allow Company automatic access to such system(s) lapses, Customer will immediately disable such integrations from within its user accounts.
- Support Services.
Company shall provide support and maintenance services in accordance with Company's Service Level Agreement (the “SLA”) set forth in Exhibit A. The support and maintenance services may be performed by Company and/or Company's certified third-party providers. Company shall be responsible for such service providers' performance of the support and maintenance services. The term "Subscription" shall include the services provided under the SLA. Customer acknowledges and agrees that Company may from time to time, during the Subscription Term, develop bug fixes and/or patches (“Updates”), which may remotely and automatically update and maintain the Services components (including if installed on Customer’s premises). In addition, Company may from time to time, during the Subscription Term, develop enhancements, new releases, new Features, new versions of, and other changes to the Services (collectively, “Upgrades”), which may remotely and automatically upgrade the Services components (including if installed on Customer’s premises). For clarity, such Updates and/or Upgrades do not include any generally-available release of the Services (typically including new Features, functionality, and/or enhancements) that is subject to the payment of separate fees.
- Subscription Fees.
Provision of the Services is conditioned on Customer’s payment of the applicable fees as set forth in each Purchase Order (“Fees”) and Company reserves the right, following notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Purchase Order, all Fees and other amounts paid pursuant to this Agreement and a Purchase Order are non-refundable and without right of set off. Unless otherwise specified in the respective Purchase Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Purchase Order are due at the commencement of such Subscription Term and payable as described in the Purchase Order; and (iii) all Fees are due and payable within thirty (30) days of the date of Company's invoice. Any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (i) the rate of one and a half percent (1.5%) per month; or (ii) the highest amount permitted by applicable law. All amounts payable under each Purchase Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services. If Customer purchased the Subscription via a Partner, the Subscription is subject to the full payment of the applicable fees as set forth in the Partner Order between Customer and the respective Partner. All payments shall be made directly to Partner, as agreed between Customer and Partner. If Customer is entitled to a refund under the terms and conditions of this Agreement, then, unless Company specifies otherwise, Company will refund any applicable fees to the Partner, and the Partner alone will be responsible for refunding the appropriate amounts to Customer.
- Subscription Restrictions.
As a condition to the Subscription, and except as expressly permitted otherwise under this Agreement, Customer shall not do (or permit or encourage to be done) any of the following Subscription restrictions (in whole or in part): (a) copy, "frame" or "mirror" the Services; (b) sell, assign, transfer, lease, rent, sublicense, or otherwise distribute or make available the Services to any third party (such as offering it as part of a time-sharing, outsourcing or service bureau environment); (c) publicly perform, display or communicate the Services; (d) modify, alter, adapt, arrange, or translate the Services; (e) decompile, disassemble, decrypt, reverse engineer, extract, or otherwise attempt to discover the source code or non-literal aspects (such as the underlying structure, sequence, organization, file formats, non-public APIs, ideas, or algorithms) of, the Services; (f) remove, alter, or conceal any proprietary rights notices displayed on or in the Service; (g) circumvent, disable or otherwise interfere with security-related or technical features or protocols of the Services; (h) make a derivative work of the Services, or use it to develop any service or product that is the same as, competes with (or substantially similar to) it; (i) store or transmit any robot, malware, Trojan horse, spyware, or similar malicious item intended (or that has the potential) to damage or disrupt the Services; or (j) take any action that imposes or may impose (as determined in Company’s reasonable discretion) an unreasonable or disproportionately large load on the servers, network, bandwidth, or other cloud infrastructure which operate or support the Services, or otherwise systematically abuse or disrupt the integrity of such servers, network, bandwidth, or infrastructure (collectively, the "Subscription Restrictions").
- Personal Data.
To the extent that Company processes personal data on behalf of Customer, the data processing addendum (“DPA”) set forth in Exhibit B shall apply.
- Mutual Warranties.
Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights.
- Services. As between the Parties, Company is, and shall be, the sole and exclusive owner of all intellectual property rights in and to: (a) the Services and all related software and intellectual property; and (b) any and all improvements, derivative works, and/or modifications of/to the foregoing, regardless of inventorship or authorship. Customer shall make, and hereby irrevocably makes, all assignments necessary or reasonably requested by Company to ensure and/or provide Company the ownership rights set forth in this paragraph. Company shall be entitled, from time to time, to modify and replace the Features (but not material functionalities, unless it improves the material functionality) and user interface of the Services. Nothing herein constitutes a waiver of Company’s intellectual property rights under any law.
- Feedback. If Company receives any feedback (which may consist of questions, comments, suggestions or the like) regarding any of the Services (collectively, “Feedback”), all rights, including intellectual property rights in such Feedback shall belong exclusively to Company and such shall be considered Company's Confidential Information. Customer hereby irrevocably and unconditionally transfers and assigns to Company all intellectual property rights it has in such Feedback and waives any and all moral rights that Customer may have in respect thereto. It is further understood that use of Feedback, if any, may be made by Company at its sole discretion, and that Company in no way shall be obliged to make use of the Feedback.
- Analytics Information. Customer acknowledges and agrees that Company may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Any anonymous information, derived from the use of the Services (i.e., metadata, aggregated and/or analytics information and/or intelligence relating to the operation, support, and/or Customer’s use, of the Services) which is not personally identifiable information and does not identify Customer (“Analytics Information”) may be used by Company to provide the Services, for compliance with applicable laws, and for development and/or statistical purposes. Analytics Information is Company's exclusive property.
- Customer Data. Customer hereby grants Company and its Affiliates a worldwide, non-exclusive, non-assignable (except as provided herein), non-sublicensable (except to Company's subcontractors, if applicable), non-transferable right and license, to access and use the Customer Data for Company's provision of the Services and as further specified in this Agreement. The Services do not operate as an archive or file storage service and Customer is solely responsible for backups of Customer Data. As the exclusive owner of the Customer Data, Customer represents, warrants and covenants that Customer has received and/or obtained any and all required consents or permits and has acted in compliance with any and all applicable laws to allow Company to receive, transfer, use and otherwise process the Customer Data in order to perform the Services and as further specified in this Agreement. Company may use or disclose the Customer Data: (a) to satisfy any applicable law, regulation, legal process, subpoena or governmental request; and/or (b) to collect, store, transfer, and/or process the Customer Data through Company's Affiliates, third party service providers and vendors, as reasonably necessary to provide the Services. Company will maintain commercially reasonable administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of the Customer Data.
- Third Party Components.
The Services may use or include third-party open source software, files, libraries or components, or other third-party software (collectively, "Third-Party SW"), that may be distributed to Customer and are subject to third-party license terms. A list of any Third-Party SW and related licenses will be provided by Company upon request. If there is a conflict between any third-party license and the terms of this Agreement, then the third-party license terms shall prevail, but solely in connection with the related third-party software. Company makes no warranty or indemnity hereunder with respect to any third-party software.
- Confidentiality. “Confidential Information” means any nonpublic information disclosed by or on behalf of one Party (“Discloser”) to the other Party (“Recipient”) pursuant to this Agreement that is marked as “confidential,” or in some other manner to indicate its confidential nature or which is confidential by its nature, or that would reasonably be understood to be confidential given the nature of the information or material, or the circumstances surrounding its disclosure. Confidential Information does not include any information which: (i) is or becomes generally known and available to the public through no act of the Recipient; (ii) was already in the Recipient’s possession without a duty of confidentiality owed to the Discloser at the time of the Discloser’s disclosure; (iii) is lawfully obtained by the Recipient from a third party who has the express right to make such disclosure; or (iv) is independently developed by the Recipient without breach of an obligation owed to the Discloser. The Recipient may use the Discloser’s Confidential Information solely to perform its obligations under this Agreement. Except as set forth in the immediately following sentence, the Recipient will not disclose the Discloser’s Confidential Information to any third party except to its employees, consultants, affiliates, agents, and subcontractors having a need to know such information to perform its obligations under this Agreement who have signed a non-disclosure agreement with the Recipient containing terms at least as protective of the Discloser’s Confidential Information as those contained herein. The Recipient may disclose the Discloser’s Confidential Information to the extent that such disclosure is required by law or by the order of a court or similar judicial or administrative body, provided that it notifies the Discloser of such required disclosure to enable Discloser to seek a protective order or otherwise to prevent or restrict such disclosure.
All right, title, and interest in and to Confidential Information are and will remain the sole and exclusive property of the Discloser. Notwithstanding anything to the contrary in this Agreement, Company’s obligations with respect to the protection of Customer Data are solely as set forth in Section 8.4 (Customer Data). The Recipient will use no less than commercially reasonable efforts to protect the Discloser’s Confidential Information from unauthorized access, use, or disclosure.
- DISCLAIMER OF WARRANTIES. Company represents and warrants that, under normal, authorized use, the Services shall substantially perform in conformance with its Documentation. As Customer's sole and exclusive remedy and Company's sole liability for breach of this warranty, Company shall use commercially reasonable efforts to repair the Services. The warranty set forth herein shall not apply if the failure of the Service results from or is otherwise attributable to: (i) repair, maintenance or modification of the Services by persons other than Company or its authorized contractors; (ii) accident, negligence, abuse or misuse of the Services; (iii) use of the Services other than in accordance with the Documentation; or (iv) the combination of the Service with equipment or software not authorized or provided by Company. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES AND THE RESULTS THEREOF ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. COMPANY DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS OR OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN SECTION 7 (MUTUAL WARRANTIES) AND THIS SECTION 11, COMPANY EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, SATISFACTORY QUALITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, AND FITNESS FOR A PARTICULAR PURPOSE. COMPANY WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS OR FOR ISSUES RELATED TO PUBLIC NETWORKS OR CUSTOMER'S HOSTING SERVICES. COMPANY SHALL NOT BE RESPONSIBLE FOR ANY ADDITIONAL WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER.
- LIMITATION OF LIABILITY. NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, PROFITS, REPUTATION OR GOOD WILL, DATA, OR DATA USE, OR THE COST OF PROCURING ANY SUBSTITUTE GOODS OR SERVICES. WITHOUT DEROGATING FROM COMPANY'S INDEMNIFICATION OBLIGATION UNDER SECTION 13 AND EXCEPT FOR ANY DAMAGES RESULTING FROM ANY BREACH OF EITHER PARTY’S CONFIDENTIALITY OBLIGATIONS HEREIN, WILLFUL MISCONDUCT, AND/OR CUSTOMER'S MISAPPROPRIATION OR OTHERWISE VIOLATION OF COMPANY'S INTELLECTUAL PROPERTY RIGHTS (INCLUDING VIOLATION OF THE SUBSCRIPTION RESTRICTIONS BY CUSTOMER), EITHER PARTY’S MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL AMOUNTS ACTUALLY PAID OR PAYABLE TO COMPANY BY CUSTOMER IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM. THIS LIMITATION OF LIABILITY IS CUMULATIVE AND NOT PER INCIDENT. FOR CLARITY, THE LIMITATIONS IN THIS SECTION DO NOT APPLY TO PAYMENTS DUE TO COMPANY UNDER THIS AGREEMENT (INCLUDING ITS EXHIBITS).
- Indemnification.
- Company agrees to defend and hold harmless, at its expense, any third party action or suit brought against Customer alleging that the Services, when used as permitted under this Agreement, infringes intellectual property rights of a third party (“IP Infringement Claim”); and Company will pay any damages finally awarded by a court of competent jurisdiction against Customer that are attributable to any such IP Infringement Claim, provided that Customer (i) promptly notifies Company in writing of such claim; and (ii) grants Company the sole authority to handle the defense or settlement of any such claim and (iii) provides Company with all reasonable information and assistance in connection therewith, at Company’s expense. Company will not be bound by any settlement that Customer enters into without Company's prior written consent.
- If the Services become, or in Company's opinion are likely to become, the subject of an IP Infringement Claim, then Company may, at its sole discretion: (a) procure for Customer the right to continue using the Services; (b) replace or modify the Service to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Company's reasonable efforts, then Company may terminate the affected Order Form(s) upon written notice to Customer, and Customer shall be entitled to receive a pro-rated refund of any prepaid Subscription Fees under such Order Form(s) based on the remaining period of the corresponding Subscription Term(s).
- Notwithstanding the foregoing, Company shall have no responsibility for IP Infringement Claims resulting from or based on: (i) Company’s compliance with Customer’s instructions or specifications; or (ii) the combination or use of the Services with equipment, devices or software not supplied by Company.
- This Section 13 states Company's entire liability, and Customer's exclusive remedy, for any IP Infringement Claim.
- Term and Termination.
- Term. This Agreement commences on the Effective Date and, unless terminated in accordance with this Section 14, shall continue in full force and effect until all Order Forms or Partner Order (as the case may be) expire or are terminated (the “Term”). In case Customer purchased the subscription directly from the Company, unless otherwise specified in an Order Form, following the initial subscription term specified in the Order Form and any Renewal Subscription Term (as defined below), the Order Form shall automatically renew for successive one year terms (each at Company's then current pricing and packaging or as otherwise mutually agreed by the Parties) (each, a “Renewal Subscription Term”) unless either Party notifies the other Party in writing of its intent not to renew the Order Form, not less than thirty (30) days prior to the expiration of the then-current Subscription Term.
- Termination for Breach. Each Party may terminate this Agreement (and the respective Order Form or Partner Order) immediately upon written notice to the other Party if the other Party commits a material breach under this Agreement and, if curable, fails to cure that breach within sixty (60) days after receipt of written notice specifying the material breach (except that for payment defaults, such cure period will be seven (7) days).
- Termination for Bankruptcy. Each Party may terminate this Agreement (and the respective Order Form) upon written notice to the other Party upon the occurrence of any of the following events in respect of such other Party: (a) a receiver is appointed for the other Party or its property, which appointment is not dismissed within sixty (60) days; (b) the other Party makes a general assignment for the benefit of its creditors; (c) the other Party commences, or has commenced against it, proceedings under any bankruptcy, insolvency or debtor’s relief Law, which proceedings are not dismissed within sixty (60) days; or (d) the other Party is liquidating, dissolving or ceasing normal business operations.
- Effect of Termination; Survival. Upon termination of this Agreement for any reason: (a) the Subscription shall automatically terminate, (b) Customer shall cease all access and use of the Services thereunder, and (c) Customer shall (as directed) permanently erase and/or return all Confidential Information of Company in Customer's possession or control. If purchased directly from Company, following termination, all outstanding Fees and other charges that accrued as of termination, shall become immediately due and payable and, if necessary, Company shall issue a final invoice therefor. The provisions of this Agreement that, by their nature and content, must survive the termination of this Agreement in order to achieve the fundamental purposes of this Agreement (including limitation of liability) shall so survive. Termination shall not affect any rights and obligations accrued as of the effective date of termination.
- Miscellaneous.
- Entire Agreement. This Agreement, and any exhibits attached or referred hereto, represents the entire agreement between the Parties concerning the subject matter hereof, replaces all prior and contemporaneous oral or written understandings and statements, and may be amended only by a written agreement executed by both Parties. Any terms and conditions (whether printed, linked to or otherwise), within any Order Form or related correspondence which purport to modify or supplement the terms and conditions of this Agreement (or the corresponding Order Form), shall be void and of no effect.
- No Waiver. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach shall not be deemed a waiver by that Party as to subsequent enforcement or actions in the event of future breaches. Any waiver granted hereunder must be in writing.
- Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect, and such provision shall be reformed only to the extent necessary to make it enforceable.
- Government Use. Any use of the Services by an agency, department, or other entity of the United States government shall be governed solely by the terms of this Agreement.
- No Third Parties. Except as stated otherwise herein, this Agreement is for the sole benefit of the Parties hereto, and nothing herein, express or implied, shall give, or be construed to give, any rights hereunder to any other person.
- Assignment. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party in connection with a merger, consolidation, sale of all of the equity interests of such Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Without derogating from and subject to the abovementioned, this Agreement will bind and benefit each Party and its respective successors and assigns.
- Governing Law; Jurisdiction. This Agreement shall be governed by and construed in accordance with the laws of the State of New York without regard to principles of conflicts of law. All disputes arising out of or in connection with this Agreement shall be finally and exclusively settled under the Rules of Arbitration of the International Chamber of Commerce by one arbitrator appointed in accordance with the said Rules. The place of arbitration shall be New York, New York. The language of the arbitration shall be English. Notwithstanding the foregoing, each Party may also seek interim relief in any court of competent jurisdiction in order to protect its proprietary rights. The law governing this arbitration agreement shall be the governing law set forth above. Each Party irrevocably waives its right to trial of any issue by jury.
- Amendments. No modifications to this Agreement can be made except in writing, signed by the Customer and Company.
- No Agency. This Agreement does not, and shall not be construed to, create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party has any authority to enter into agreements of any kind on behalf of the other Party.
- Force Majeure. Company will not be liable for any delay or failure to provide the Services resulting from circumstances or causes beyond the reasonable control of Company, including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, riot, acts of terrorism, earthquakes, explosions, power outages, pandemic or epidemic (or similar regional health crisis), or any other cause that is beyond the reasonable control of Company (“Force Majeure Event”).
- Notices. Notices to either Party shall be deemed given (a) four (4) business days after being mailed by airmail, postage prepaid, (b) the same business day, if dispatched by facsimile or electronic mail before 13:00 hour (local time for the receiving Party) and sender receives acknowledgment of receipt, or (c) the next business day, if dispatched by facsimile or electronic mail after the hour 13:00 (local time for the receiving Party) and sender receives acknowledgment of receipt. A copy of any legal notice shall be sent to legal@onyx.security.
EXHIBIT A
SERVICE LEVEL AGREEMENT
- General.
Subject to Customer’s compliance with its obligations under the Agreement, Company will provide Customer with the maintenance and support services specified in this Service Level Agreement (“SLA”) for the Services. In the event of any conflict between this SLA and the terms of the Agreement, the terms of the Agreement shall prevail. Nothing in this SLA shall be construed to require Company to dispatch personnel to Customer’s site or otherwise provide on-site services.
- Definitions
The following definitions apply to this SLA:
- “Business Days” means Monday - Friday, excluding holidays.
- “Business Hours” means Monday - Friday between 9:00 AM and 5:00 PM GMT.
- “Downtime” or “Downtime Incident” means the time in which the Services are unavailable to the Customer and is measured based on server-side monitoring tools that track system reachability, service responsiveness, and critical API availability. Downtime Incidents shall exclude: (i) planned downtime incidents announced in advance by Company, including without limitation, for periodic upgrade and maintenance; (ii) network disruption between a Customer’s network and the Services outside of Company’s control; (iii) Downtime Incidents that are caused by the SLA Exclusions specified below; and/or (iv) any time where Company is waiting for information from the Customer or waiting for Customer confirmation that the Services have been restored.
- “Downtime Period” means the number of minutes in a calendar month during which the Services are unavailable to the Customer due to Downtime Incident(s).
- “Monthly Uptime Percentage” means the monthly uptime expressed as a percentage, calculated based on the total number of minutes in a calendar month, minus the Downtime Period, divided by the total number of minutes in a calendar month.
- Availability.
During Customer’s Subscription Term, Company will use commercially reasonable efforts to make the Services available with a Monthly Uptime Percentage of at least 99.5% during the monthly billing cycle. This availability excludes any downtime caused by the Hosting Provider.
- Other SLA Exclusions.
The SLA does not apply to any: (a) features or services which Customer did not purchase and/or are specified in the Services associated documentation as excluded; or (b) Downtime Incidents that: (i) are caused by factors beyond Company’s reasonable control (e.g., any Force Majeure Event), failure of Internet access or any public telecommunications network, shortage of adequate power or transportation facilities or any other problems beyond Company’s reasonable control; (ii) results or outcomes attributable to repair, maintenance or modification of Company’s software or platform by persons other than Company’s authorized third parties; (iii) resulted from accident, negligence, abnormal physical or electrical stress, abnormal environmental conditions, abuse or misuse of the Company’s software or Services; (iv) resulted from use of the Services other than in accordance with its manuals, specifications or Documentation or in violation of the Agreement; (v) resulted from Customer’s equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within Company’s direct control); and/or (vi) resulted from the combination of the Company’s software with equipment or software not authorized or provided by Company or otherwise approved by Company in the Services’ manuals, specifications or Documentation.
- Customer Support Services.
Company shall use commercially reasonable efforts to ensure that the Services shall perform in all material respects with the Services Documentation. Company shall, during Business Hours, assist in the operation of the Services and in verifying the causes of suspected errors. Company will use commercially reasonable efforts to respond to Customer according to the response table set forth below in Section 6 after receipt of Customer’s request for support.
- Reporting Cases & Response Time
- Customer support requests should be sent by emailing Company’s support at support@onyx.security. Support queries sent to other Company email addresses will not be considered as support requests. Company may, at any time, update the communication methods to be used in order to submit the issue to Company’s support team.
- All support queries are logged within Company CRM system and allocated an ID reference number.
- Support queries are prioritized by the Company support team who will respond to the Customer either by Slack or email or phone as follows:
- Support Exclusions.
In addition to the SLA Exclusions specified above, Company shall not be required to correct any error that, in Company’s reasonable discretion, results from:
- any modifications of the Services that have not been approved by Company in writing;
- Customer’s instructions, or installation or set up adjustments;
- use of the Services other than as permitted in the Agreement and Documentation;
- any fault in any equipment or programs used in conjunction with the Platform, or other causes beyond the control of Company; and/or
- Customer’s negligence or willful misconduct.
- Customer Responsibilities.
Company’s obligations hereunder are subject to the following:
- Customer’s agreement to receive from Company communications via e-mail, telephone, and other formats;
- Customer’s technical support contact shall cooperate with Company at all times during the provision of technical support and maintenance services hereunder; and
- Customer shall report to Company all problems with the Services and shall implement any corrective procedures provided by Company reasonably promptly after receipt.
EXHIBIT B
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of this Agreement. If there is a conflict between the terms of the Agreement and this DPA, the DPA terms shall prevail.
- INTERPRETATION AND DEFINITIONS
- The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
- Definitions
- “Affiliate” see above definition in Section 1.1 of the Agreement.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which (i) is subject to the Data Protection Laws and Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (ii) is permitted to use the Services pursuant to the Agreement between Customer and Onyx Security, but has not signed its own agreement with Onyx Security and is not a “Customer” as defined under the Agreement.
- “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include Customer and/or Customer’s Authorized Affiliates.
- “CCPA” means the California Consumer Privacy Act of 2018 and its modifications and amendments.
- "Data Privacy Framework" or "DPF" means the EU-US Data Privacy Framework as adopted by the European Commission on July 10, 2023, and/or the Swiss-US Data Privacy Framework. "UK Extension" means the United Kingdom's extension to the EU-US Data Privacy Framework.
- “Data Protection Laws and Regulations” means all laws and regulations of the European Union, the European Economic Area and their Member States (including the GDPR), the UK GDPR (defined below), U.S. state laws (including CCPA), and other country’s laws, as applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- “Member State” means a country that belongs to the European Union and/or the European Economic Area.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Onyx Security” means the relevant Onyx Security entity as specified in the Agreement, including Onyx Security Ltd. and Onyx Security, Inc.
- “Onyx Security Group” means Onyx Security and its Affiliates, and their employees, personnel, contractors and consultants engaged in the Processing of Personal Data.
- “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined under Data Protection Laws and Regulations. For the avoidance of doubt, business contact information, log in and authentication data of Customer's end users of the Services are not deemed to be Personal Data subject to this DPA.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
- “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Customer, as updated from time to time. Customer shall send a request to security@onyx.security to receive a copy of the Security Documentation.
- “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here as updated, amended, replaced or superseded from time to time by the European Commission; or (ii) where required from time to time by a Supervisory Authority for use with respect to any specific restricted transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Regulatory Authority or Data Protection Laws and Regulations.
- “Sub-processor” means any Processor engaged by Onyx Security and/or an Onyx Security Affiliate to Process Personal Data on behalf of Customer.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or other regulatory body pursuant to other applicable Data Protection Laws and Regulations.
- “UK GDPR” means the Data Protection Act 2018, as updated, amended, replaced or superseded from time to time by the UK’s Information Commissioner’s Office.
2. PROCESSING OF PERSONAL DATA
2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA Onyx Security is the Data Processor and Onyx Security may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. For clarity, this DPA shall not apply with respect to Onyx Security processing activity as a Data Controller with respect to data as detailed in Onyx Security’s privacy policy.
2.2 Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations and comply at all times with the obligations applicable to Data Controllers (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the means by which Customer acquired Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to Process and transfer to Onyx Security the Personal Data and to authorize the Processing by Onyx Security of the Personal Data pursuant to this DPA. Customer shall defend, hold harmless and indemnify Onyx Security, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Customer and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA.
- Onyx Security’s Processing of Personal Data
- Subject to the Agreement, Onyx Security shall Process Personal Data that is subject to this DPA only in accordance with Customer’s documented instructions as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required otherwise by Data Protection Laws and Regulations, in which case, Onyx Security shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are specified in Schedule 1 (Details of the Processing) to this DPA.
- To the extent that Onyx Security or its Affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Customer and/or its authorized users relating to Processing of Personal Data or where Onyx Security considers such a request to be unlawful (i) Onyx Security shall inform Customer, providing relevant details of the problem (but not legal advice), (ii) Onyx Security may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Onyx Security all outstanding amounts owed to Onyx Security or due before the date of termination. Customer will have no further claims against Onyx Security (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
- Onyx Security will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Onyx Security to the extent that such is a result of Customer’s instructions.
3. RIGHTS OF DATA SUBJECTS. If Onyx Security receives a request from a Data Subject to exercise its rights as described under Data Protection Laws and Regulations (“Data Subject Request”), Onyx Security shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Onyx Security shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Onyx Security’s provision of such assistance.
- ONYX SECURITY PERSONNEL
- Onyx Security shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Onyx Security may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, Onyx Security shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
- AUTHORIZATION REGARDING SUB-PROCESSORS
- Onyx Security’s current list of Sub-processors is included in Schedule 2 (“Sub-processor List”). Customer hereby grants a general authorization to Onyx Security to appoint new Sub-processors, and Onyx Security shall comply with the conditions of Sections 5.2 to 5.4. The Sub-processor List as of the date of execution of this DPA is hereby, or shall be (as applicable), authorized by Customer.
- Onyx Security shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services. Customer can subscribe to sub-processor notifications by emailing subprocessors@onyx.security.
- Customer may reasonably object to Onyx Security’s use of a Sub-processor for reasons related to the GDPR by notifying Onyx Security promptly in writing within seven (7) business days after receipt of Onyx Security’s notice by sending an email to subprocessors@onyx.security. Such written objection shall include the reasons related to the applicable Data Protection Laws or Regulations for objecting to Onyx Security’s use of such Sub-processor. Failure to object to such Sub-processor in writing within seven (7) business days following Onyx Security’s notice shall be deemed as acceptance of the Sub-processor. In the event Customer reasonably objects to a Sub-processor, Onyx Security will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If Onyx Security is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Onyx Security without the use of the objected-to Sub-processor by providing written notice to Onyx Security provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Onyx Security. Until a decision is made regarding the Sub-processor, Onyx Security may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Onyx Security due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
This Section 5 shall not apply to subcontractors of Onyx Security which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.
- SECURITY
- Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Onyx Security shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR or other applicable Data Protection Laws and Regulations for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data. Upon Customer’s request, Onyx Security will use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, and/or other applicable Data Protection Laws and Regulations, taking into account the nature of the processing, the state of the art, and the information available to Onyx Security.
- Upon Customer’s written request at reasonable intervals, at Customer’s expense, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Onyx Security shall allow for and contribute to audits. Unless otherwise required by a Regulatory Authority or in the event of a security incident, such audit requirements shall be satisfied by Onyx Security making available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Onyx Security) a copy or a summary of Onyx Security’s then most recent third-party audits or security certifications, as applicable; provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Onyx Security’s prior written approval. Upon Onyx Security’s request, Customer shall return all records or documentation in Customer’s possession or control provided by Onyx Security in the context of an audit and/or the certification. The Parties shall agree on the scope, methodology, timing and conditions of such audits and inspections which shall be conducted during normal business hours. Notwithstanding anything to the contrary, nothing in this DPA will require Onyx Security either to disclose to Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Onyx Security; (ii) Onyx Security’s internal accounting or financial information; (iii) any trade secret of Onyx Security; or (iv) any information that, in Onyx Security’s sole reasonable discretion, could compromise the security of any of Onyx Security’s systems or premises or cause Onyx Security to breach obligations under any applicable law or its obligations to any third party.
- PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. Onyx Security shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data transmitted, stored or otherwise Processed by Onyx Security of which Onyx Security becomes aware (a “Personal Data Incident”). Onyx Security shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Onyx Security deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Onyx Security’s reasonable control. In any event, Customer will be the party responsible for notifying the appropriate Supervisory Authority and/or concerned data subjects (where required by Data Protection Laws and Regulations).
- RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, Onyx Security shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Onyx Security may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Onyx Security’s Customers.
- AUTHORIZED AFFILIATES
- The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Onyx Security and an Authorized Affiliate. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
- The Customer shall remain responsible for coordinating all communication with Onyx Security under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- TRANSFERS OF DATA
- Personal Data may be transferred from the EU Member States, the EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), and the United Kingdom to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission, and the UK Supervisory Authority (“Adequacy Decisions”), without any further safeguard being necessary.
- To the extent that there is Processing of Personal Data which includes transfers from the EEA and the UK to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the below terms shall apply:
- With respect to the EU transfers of Personal Data, Customer as a Data Exporter (as defined in the SCCs) and Onyx Security on behalf of itself and each Onyx Security Affiliate (as applicable) as a Data Importer (as defined in the SCCs) hereby enter into the SCC set out in Schedule 3. To the extent that there is any conflict or inconsistency between the terms of the SCC and the terms of this DPA, the terms of the SCC shall take precedence.
- TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, 2.3, 3, 8 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
- CCPA. To the extent that the Personal Data is subject to the CCPA, Onyx Security shall not sell or share Customer's Personal Data. Onyx Security acknowledges that when processing Personal Data in the context of the provision of the Services, Customer is not selling or sharing Personal Data to Onyx Security. Onyx Security agrees not to retain, use or disclose Customer Personal Data: (i) for any purpose other than the Business Purpose (as defined below); (ii) for no other commercial or Business Purpose; or (iii) outside the direct business relationship between Onyx Security and Customer. Notwithstanding the foregoing, Onyx Security may use, disclose, or retain Customer Personal Data: (i) to transfer the Personal Data to other Onyx Security entities (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Customer; (ii) to comply with, or as allowed by, applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (iv) for internal use by Onyx Security to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (v) to detect data security incidents, or protect against fraudulent or illegal activity; and (vi) to collect and analyse anonymous information. Onyx Security shall use commercially reasonable efforts to comply with its obligations under CCPA. If Onyx Security becomes aware of any material applicable requirement (to Onyx Security as a service provider) under CCPA that Onyx Security cannot comply with, Onyx Security shall use commercially reasonable efforts to notify Customer.
Upon Customer’s written notice, Onyx Security shall use commercially reasonable and appropriate steps to stop and remediate Onyx Security’s alleged unauthorized use of Personal Data; provided that Customer must explain and demonstrate in the written notice which processing activity of Personal Data it considers to be unauthorized and the applicable reasons. Onyx Security shall use commercially reasonable efforts to enable Customer to comply with consumer requests made pursuant to CCPA. Notwithstanding anything to the contrary, Customer shall be fully and solely responsible for complying with its own requirements under CCPA. “Business purpose” means the Processing activities that Onyx Security will perform to provide Services (as described in the Agreement), this DPA and any other instruction from Customer, as otherwise permitted by applicable law, including, CCPA and the applicable regulations, or as otherwise necessary to provide the Services to Customer.
- RELATIONSHIP WITH AGREEMENT. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) Onyx Security’s (including Onyx Security’s Affiliates’) entire, total and aggregate liability, related to personal data or information, privacy, or for breach of, this DPA and/or Data Protection Laws and Regulations, including, without limitation, if any, any indemnification obligation or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Onyx Security under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Onyx Security and/or Onyx Security Affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Onyx Security, Onyx Security Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
List of Schedules
- SCHEDULE 1 - DETAILS OF THE PROCESSING
- SCHEDULE 2 - SUB-PROCESSOR LIST
- SCHEDULE 3 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter. Onyx Security will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
- Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) to Customer and providing support and technical maintenance, if agreed in the Agreement.
- For Onyx Security to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing. Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Onyx Security will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Personal Data contained in Customer personnel interactions with AI services
- Any other Personal Data or information that the Customer decides to provide to Onyx Security or the Services.
The Customer and the Data Subjects shall provide the Personal Data to Onyx Security by supplying the Personal Data to Onyx Security’s Service.
For the avoidance of doubt, the information subject to Onyx Security’s privacy policy (e.g., log-in details) (Onyx — Privacy Policy) shall not be subject to the terms of this DPA.
Categories of Data Subjects. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer end users
The frequency of the transfer. Continuous basis
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. As described in this DPA and/or the Agreement
For transfers to (sub-) processors. As detailed in Schedule 2.
SCHEDULE 2 – SUB-PROCESSOR LIST
SCHEDULE 3 - STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
a) The Standard Contractual Clauses (Controller-to-Processor and Processor to Processor) as applicable, will apply, with respect to restricted transfers between Customer and Onyx Security that are subject to the GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Onyx Security (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) In Clause 13: the relevant option applicable to the Customer, as informed by Customer to Onyx Security; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Onyx Security as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Onyx Security as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent Supervisory Authority is the Irish Supervisory Authority.
f) Annex II of the Standard Contractual Clauses shall be completed as described in the Security Documentation.
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.