AGREEMENT (“Agreement”)

This Prevalent Software as a Service (SaaS) Subscription Agreement (“Agreement”) constitutes a legal agreement between Prevalent, LLC, a subsidiary of Mitratech Holdings, Inc., a Delaware Corporation with its principal place of business located at 13301 Galleria Circle, Bldg. B, Suite 200, Bee Cave TX 78738 (“Prevalent”) and You, the Client (“Client”). This Agreement is effective from the date Prevalent accepts the order in accordance with the terms set forth below.

WHEREAS, Prevalent will provide to Client its software application and/or certain monitoring services as part of the Prevalent Cloud Service offerings as referred to in the Prevalent Sales Quote, or in the authorized Prevalent Reseller Sales Quote. In addition, Client may seek certain additional services at a separate cost as reflected in an associated Prevalent Sales Quote and that for the purposes of this Agreement both may be jointly or individually referred to as “Service”. For the purpose of clarity, the parties acknowledge that the Services include software applications, as well as third party data under license to various third-party data providers and offer within the service, all of which are governed by the terms of this Agreement and that Service and Software may be jointly referred to throughout this Agreement as Software. With regard to all Services, Prevalent performance is conditional upon Client fulfilling its obligations set forth in this Agreement or later expressly agreed to in writing. The terms and conditions of this Agreement will supersede any end user license agreements, terms of use, click-through or shrink-wrap terms, purchase orders, invoice terms or other similar documents, whether signed before or after the written version of this Agreement is executed.

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

DEFINITIONS: The terms referenced in this Agreement have the following meaning:

“Prevalent Cloud Services” are certain specified Services that are run on the Prevalent Cloud Services Environment and made commercially available by Prevalent under the terms of this Agreement.

“Prevalent Cloud Services Environment” refers to the combination of hardware and Software owned, licensed, subscribed to, or managed by Prevalent to which Prevalent grants the Client and Users access to a portion of the Prevalent Cloud Service Environment as part of the Prevalent Cloud Services that are described in the Prevalent Sales Quote or the Prevalent Reseller Sales Quote.

“Prevalent Reseller” is the entity authorized by Prevalent to offer Prevalent Services, subject to the terms of this agreement to the Client under the terms of this Agreement.

“Prevalent Reseller Quote” means the formal offer for the sale of specified Prevalent products and services pursuant to this Agreement made available to Client by a Prevalent Reseller.

“Prevalent Sales Quote” is a formal Prevalent offer for the sale of specified products and services pursuant to this Agreement, which shall be effective upon Client’s execution thereof.

“Prevalent Software Service Description” is the formal Prevalent description of the commercial service offering defining the scope and coverage of the service, referenced in the Prevalent Sales Quote or the Prevalent Reseller Sales Quote and attached to this Agreement as Attachment B.

“Services” means, collectively the Prevalent Cloud Services, Professional Services and Software in the Prevalent Software Service Description referenced on the Prevalent Sales Quote or the Prevalent Reseller Sales Quote.

“Software” refers to the application software developed and or distributed by Prevalent, as referenced on the Prevalent Sales Quote or the Prevalent Reseller Sales Quote, and as described in the Prevalent Software Service Description.

“Client” means the Client named above.

“Client Data” means (i) any data, content, code, video, images, questionnaires or other materials of any type that Client or potential vendor uploads, submits or otherwise transmits to or through Services; (ii) reports and documents generated by Prevalent or the Service from such data, content, code, video, images, questionnaires or other materials submitted by or on behalf of Client or potential vendor.

“Users” means those employees, contractors, and end users, as applicable, authorized by the Client to use the Services in accordance with this Agreement. For Services that are specifically designed to allow the Client’s customers, suppliers or other third parties to access the Services to interact with the Client, such third parties will be considered “Users” subject to the terms of this Agreement.

“Third-Party Data” means data sources provided from public sources or by a third-party license vendor for use with the Service, such as vendor threat monitoring data or the Prevalent Reseller Sales Quote.

1. ARTICLE I. SOFTWARE AS A SERVICE (“SaaS”) END USER LICENSE AGREEMENT

1.1. SaaS End User License. The Software provides the functionality as specified in the printed Prevalent Software Service Description and product documentation, Attachment B. The Software, including any pre-existing data, is the proprietary property of Prevalent and its suppliers and Prevalent retains any and all rights, title and interest in and to the Software, including in all copies, improvements, enhancements, modifications and derivative works of the Software. Client accepts and agrees to be bound by the terms of this Agreement which, upon execution, supersede any click wrap or click through terms in the event of any conflict.

1.2. Third-Party Data License. The Software includes access to various confidential and proprietary Third-Party Data that is utilized along with the Service as a comparative data source in processing the Client Data and generating various reports and reporting data. This information is compiled from third party sources, including but not limited to, public records, user submissions, and other commercially available data sources. These sources may not be accurate or complete, or up-to-date and are subject to ongoing and continual change without notice. Neither Prevalent nor its Third-Party Data sources make any representations or warranties regarding the data and assume no responsibility, for the accuracy, completeness, or currency of the data, or any decisions Client makes based in whole or part on this data or information. This data and information is not a substitute for Client’s own judgment, professional advice, or the need to seek additional input and research before making any decisions and should NOT be used alone to make decisions. Client shall use Third-Party Data solely in connection with present or prospective credit, security, financial or risk management decisions regarding the business vendors to which the Client inquiry relates. Moreover, Client acknowledges that the Third-Party Data: (i) will not be used in determining personal, family or household eligibility for obtaining credit or insurance; (ii) nor shall it be used for employment purposes (but may be used when evaluating an individual as an independent consultant vendor); nor (iii) for any other purpose governed by the Fair Credit Reporting Act. Clients will abide by all applicable laws as a condition for continued use of their Third-Party Data. Third-Party Data providers of Prevalent shall be deemed to be 3rd party beneficiaries of this Agreement, solely with regard to their Third-Party Data.
Prevalent further represents they will use reasonable commercial efforts to: (i) help ensure the appropriateness of the Third-Party Data before it is selected for use with the Service; (ii) to promptly remove Third-Party Data from the Service that is identified as inaccurate data; and (iii) promptly advise Client of known or suspected problems and/or concerns with Third-Party Data.

1.3. Software License Grant. Except as otherwise expressly agreed upon in writing by the parties, and subject to Client’s compliance with the terms and conditions of this Agreement, Prevalent grants to Client a non-exclusive, non-transferable right to access and use the Software solely in Client’s internal business operations during the term of this license. Client is provided a right to: (i) use the Software within the Prevalent Cloud Services Environment in accordance with the scope and term of the Agreement as specified below, which is offered as a Service; and (ii) produce reports for Client’s internal use. For the purpose of clarity, no third party may rely in any manner on the reports, results, recommendation work product provided by or generated through the Service, all work is provided for informational purposes solely for the benefit of the Client. Client rights to use the Service shall be limited to those expressly granted in this Agreement. All rights not expressly granted to Client are retained by Prevalent. The Service is protected by copyright laws, trade secret, as well as laws and any applicable regulations and/or treaties related to other forms of intellectual property. Prevalent owns, or has the necessary rights in, all intellectual property rights in the Service. The right to use the Service is subject to these rights and to all the terms and conditions of this Agreement. 
Client is granted only the non-exclusive, non-transferable right to use the Service and related user documentation solely on the hosted Prevalent Cloud Service Environment during the term as specified in the Prevalent Sales Quote, and does not acquire any rights of ownership in such materials; and to use the reports and documents generated during the term for Client’s internal historical and compliance purposes, on an “AS IS” without warranty of any kind, stated or implied, and provided all the materials, reports and documents will be treated as Confidential Information, in accordance with Section 2.6, notwithstanding the termination or expiration of this Agreement.

a) The Client grants Prevalent the right to use, process, collect, copy, store, transmit, modify and create derivative works of Client Data, in each case solely to the extent necessary to provide the applicable Service to Client in accordance with this Agreement, for the duration of the Services period plus any additional post-termination period during which Prevalent provides the Client with access to retrieve an export file of Client’s content, not to exceed 60 days. The license granted by this Agreement shall apply only for the number of user IDs, or capacity (i.e. number of vendors etc.) provided for pursuant to the associated Prevalent Sales Quote, and shall only be valid for such time as the term stated in the Prevalent Sales Quote remains in full force and effect; in the event Client terminates or otherwise discontinues their use of the hosted Prevalent Cloud Service Environment with Prevalent, this license and Client’s right to use the Service shall terminate without further notice. Prevalent shall make only such copies of the Client Data as may be necessary to perform its obligations under this Agreement or as otherwise part of its regular internal backup and/or disaster recovery practices. Client shall take reasonable steps, including limiting access to user IDs and passwords, to limit access to the Software to those of its employees who are authorized to use the Software. Except in the case of Prevalent’s negligence or willful misconduct or breach of any of its obligations under this Agreement, Client remains responsible for any and all actions taken using Client accounts and passwords, and Client agrees to immediately notify Prevalent of any unauthorized use of which Client becomes aware, or reasonably suspects.

b) The Client agrees not to use or permit use of the Services, including by uploading, emailing, posting, publishing or otherwise transmitting any material, including the Client Data, Service generated work product or report, or third party content, for any purpose that may (a) menace or harass any person or cause damage or injury to any person or property, (b) involve the publication of any material that it knows to be false, defamatory, harassing or obscene, (c) violate privacy rights or promote bigotry, racism, hatred or harm, (d) constitute unsolicited bulk e-mail, “junk mail”, “spam” or chain letters; (e) constitute an infringement of intellectual property or other proprietary rights, (f) frame, scrape, link or mirror any content forming a part of the Service, other than Client’s own intranets or otherwise for its own internal use; (g) knowingly upload to the Service or use the Service to send or store viruses, worms, time-bombs, Trojan horses or other harmful or malicious code or (h) otherwise violate applicable laws, ordinances or regulations. In addition to any other rights afforded to Prevalent under this Agreement, Prevalent reserves the right, but has no obligation, to take remedial action if any material violates the foregoing restrictions, including the removal or disablement of access to such material. Prevalent shall have no liability to the Client in the event that Prevalent takes such action. The Client shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and ownership of all of Client Data.

1.4. Restrictions on Transfer, Use, Alteration and Copying. Client may not, without Prevalent’s prior written consent, conduct, cause or permit the: (i) use, copying, modification, rental, lease, sublease, sublicense, or transfer of the Service except as expressly provided in this Agreement; (ii) creation of any derivative works based on the Service or its accompanying documentation including but not limited to translations, (iii) alteration of any files or libraries in any portion of the Service, or reproduction of the database portion or creation of any tables or reports relating to the database portion; (iv) reverse engineering, disassembly, or decompiling of the Service; (v) use of the Service in connection with service bureau, facility management, timeshare, service provider or like activity whereby Client operates or uses the Service for the benefit of a third party; (vi) use of the Service, including any data, information or reports generated by the Service, by any party other than Client and its subcontractors and agents acting on Client’s behalf and subject to the terms of this Agreement; or (vii) falsely imply any sponsorship or association with Prevalent. Any violation of this section shall result in immediate termination of this Agreement, which termination shall not be exclusive of other remedies available.

a) Except for the purposes of training, translation, Client’s internal backup, operational support or internal distribution, Client may not copy or allow others to copy any part of the user documentation or other printed material provided with the Service.

1.5. Security. Prevalent implements security procedures to help protect Client Data from security attacks. However, subject to Prevalent’s taking reasonable measures to secure Client data for transport, Client understands that use of the Services necessarily involves transmission of Client Data over networks that are not owned, operated or controlled by Prevalent, and we are not responsible for any of Client Data lost, altered, intercepted or stored across such networks, except to the extent caused by Prevalent’s negligence or willful misconduct. Notwithstanding the foregoing, Prevalent acknowledges and confirms that it has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures to help secure against the accidental, unauthorized or unlawful processing, destruction, loss, damage or disclosure of Client Data and adequate security programs and procedures to ensure that unauthorized persons or parties do not have access to any equipment used to process such information or data. Prevalent also agrees that it shall (i) scan the Services for any code or device which is designed or intended to impair the operation of any computer or database or prevent or hinder access to, or the operation of, any program or data, using detection software generally accepted in the industry, (ii) secure its computing environments according to generally accepted industry standards to ensure that the Services cannot be accessed by any unauthorized person or malicious software, and (iii) promptly remedy and notify Client of any security breach of which it becomes aware or may reasonably suspect.

1.6. Indemnity for Client Data. Client shall bear sole responsibility for any information uploaded or supplied by Client in connection with use of the Service, including but not limited to ensuring that the use of the Service to store, process and transmit Client Data is compliant with all applicable laws and regulations. IN NO EVENT SHALL PREVALENT BEAR ANY LIABILITY FOR THE USE OR LOSS OF ANY INFORMATION UPLOADED OR SUPPLIED BY CLIENT IN CONNECTION WITH USE OF THE SERVICE, UNLESS SUCH LOSS IS CAUSED BY PREVALENT’S NEGLIGENCE OR WILLFUL MISCONDUCT. Client will defend, indemnify and hold harmless Prevalent from and against any loss, cost, liability or damage, including attorneys’ fees, for which Prevalent becomes liable arising from or relating to any claim relating to Client’s inappropriate use of Client Data in violation of this Agreement, including but not limited to any claim brought by a third party alleging that Client Data, or Client’s use of the Services in breach of this Agreement, infringes or misappropriates the intellectual property rights of a third party or violates applicable law. Prevalent shall not be responsible or liable for the deletion, alteration, destruction, damage, loss or failure to store any Client Data unless, and only to the extent that, such deletion, alteration, destruction, damage, loss or failure to store any Client Data is directly and proximately caused by Prevalent’s action or inaction and subject to any limitations set forth in this Agreement.

1.7. Legal Compliance. Client must ensure that Client’s use of Services and all Client Data is at all times compliant with applicable local, state, federal and international laws and regulations (“Laws”) provided, however, that Client’s failure to do so shall not be deemed a breach of the foregoing to the extent caused by the Services or Prevalent. Client represents and warrants that: (i) Client has obtained all necessary rights, releases and permissions to provide all Client Data to Prevalent and to grant the rights granted to Prevalent in this Agreement and (ii) Client Data and its transfer to and use by Prevalent as authorized by Client under this Agreement do not violate any Laws (including without limitation those relating to export control and electronic communications) or rights of any third party, including without limitation any intellectual property rights, rights of privacy, or rights of publicity, and any use, collection and disclosure authorized herein is not inconsistent with the terms of any applicable privacy policies. Other than its security and confidentiality related obligations set forth in this Agreement or in the Prevalent Privacy Policy http://www.prevalent.net/ethics-and-privacy, its negligence or willful misconduct, Prevalent assumes no responsibility or liability for Client Data, and Client shall be solely responsible for Client Data and the consequences of using, disclosing, storing, or transmitting it.

1.8. Subscription Term. Services provided under this Agreement shall be provided for the Services period defined in the Prevalent Sales Quote or the Prevalent Reseller’s Sales Quote, unless earlier suspended or terminated in accordance with this Agreement or the Prevalent Sales Quote or the Prevalent Reseller’s Sales Quote (“Initial Subscription Term”). Upon the expiration of the Initial Subscription Term, the Software and/or Services provided in the Sales Quote or the Prevalent Reseller’s Sales Quote will renew for a subsequent Subscription Term equal to the Initial Subscription Term (the “Renewal Subscription Term” and collectively with the Initial Subscription Term, the “Subscription Term”) unless and until a party provides the other party written notice of its intent not to renew with not less than thirty (30) days to the end of the then-current Subscription Term.

1.9. Limited Warranty. Prevalent represents and warrants to Client that the Service will be in substantial compliance with the Prevalent Software Service Description attached hereto as Attachment B. In the event of a breach, Client will promptly notify Prevalent of the non-conformity in writing and Prevalent will use reasonable commercial efforts to repair the Service to operate in compliance with its Prevalent Software Service Description and in compliance with the Service Level Agreement set forth in Attachment A. Client’s exclusive remedy for breach of this warranty is for Prevalent to correct or work around the reported malfunction upon request. If the malfunction persists in causing a material failure in Client’s production instances of the Service, causing a failure to conform to the Prevalent Software Service Description without correction or work-around forty-five (45) days after written notice to Prevalent of a warranty claim under this Section 1.9, then Client may terminate without liability for the balance of the terminated Services and receive a refund for all pre-paid Services, not yet delivered, as their exclusive remedy. All limited warranties on the Service are granted only to Client and are non-transferable. This remedy represents Prevalent’s exclusive duty and Client’s sole remedy even in the event that the remedy should fail in its essential purpose.

1.10. Prevalent makes no warranty that the Software will meet Client’s requirements or operate under Client’s specific conditions of use. Except as otherwise expressly provided herein, Prevalent makes no warranty that operation of the Service will be secure, error free, or free from interruption. EXCEPT AS EXPLICITLY PROVIDED IN THIS AGREEMENT OR OTHERWISE AGREED TO IN WRITING BY PREVALENT, PREVALENT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN FACT OR IN LAW, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OTHER THAN AS SET FORTH IN THIS AGREEMENT. CLIENT MUST DETERMINE WHETHER THE SERVICE SUFFICIENTLY MEETS CLIENT’S REQUIREMENTS FOR SECURITY AND UNINTERRUPTABILITY. EXCEPT TO THE EXTENT ATTRIBUTABLE TO A BREACH OF PREVALENT’S SECURITY OR SERVICE LEVEL OBLIGATIONS HEREUNDER, CLIENT BEARS SOLE RESPONSIBILITY AND ALL LIABILITY FOR ANY LOSS INCURRED DUE TO FAILURE OF THE SERVICE TO MEET CLIENT’S REQUIREMENTS. EXCEPT TO THE EXTENT ATTRIBUTABLE TO EITHER PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, OR SERVICE LEVEL OBLIGATIONS HEREUNDER, PREVALENT WILL NOT, UNDER ANY CIRCUMSTANCES, BE RESPONSIBLE OR LIABLE FOR THE LOSS OF DATA ON ANY CLIENT COMPUTER OR INFORMATION STORAGE DEVICE. IN ADDITION, CLIENT ACKNOWLEDGES AND AGREES THAT (A) THE SERVICE DOES NOT CONSTITUTE THE PROVISION OF LEGAL ADVICE OR SERVICES IN ANY MANNER; (B) THE SERVICE DOES NOT ENSURE CLIENT’S COMPLIANCE WITH ALL APPLICABLE INDUSTRY REGULATIONS AND LAWS; AND (C) CLIENT IS SOLELY RESPONSIBLE FOR ITS COMPLIANCE WITH APPLICABLE LAWS, RULES AND REGULATIONS.

1.11. Indemnification. Prevalent, excluding actions based upon Client Data or Third-Party Data, shall defend Client, at Prevalent’s expense, against any claims, demands, suits or proceedings (“Claims”) made or brought against Client by a third party alleging that the use of the Service as contemplated hereunder, infringes a patent, copyright, trademark, or other intellectual property right of a third party or misappropriates such third party’s trade secrets. Further, Prevalent shall indemnify and hold Client harmless against all costs (including reasonable attorneys’ fees) to the extent arising out of or in connection with such Claims. Upon receiving notice of a Claim, Client shall (a) give Prevalent prompt written notice of the Claim; (b) give Prevalent sole control of the defense and settlement of the Claim (provided that Prevalent may not settle or defend any claim unless it unconditionally releases Client of all liability and does not attribute any blame or contributory fault to Client); and (c) provide to Prevalent, at Prevalent’s cost, all reasonable assistance in the defense or settlement of such Claim. In addition to Prevalent’s obligations above, Prevalent may, at its expense: (a) secure the right for Client to continue to use the Software, (b) modify the Software so as to make it non-infringing, or (c) provide Client with a functional non-infringing replacement. If none of these alternatives is commercially practicable, Client will have the option to return the Software to Prevalent, and Prevalent will refund a pro-rated amount of the fees paid for the current subscription term, using straight line depreciation. This Section 1.10 states Prevalent’s entire liability and Client’s exclusive remedy for any claim of intellectual property infringement under this Agreement.

1.12. License by Client to Use Feedback. Client grants Prevalent a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction or other feedback provided by Client or Users relating to the operation of the Services but on an anonymized basis and without identification or attribution to Client.

2. GENERAL TERMS AND CONDITIONS

2.1. Updates/Changes to Services and Terms – Due to changes in technology and the marketplace, Prevalent may make modifications to the products or services that comprise Client’s Prevalent Services or particular components of such product or service (including but not limited to discontinuing a component) from time to time and will use commercially reasonable efforts to notify Client of any material modifications. Any such modification shall not be deemed to violate the Software Warranty, and Client agrees that Prevalent will not be liable to Client for any such modifications. Prevalent reserves the right to discontinue offering a Client’s Prevalent Services at the conclusion of Client’s then current subscription term. Likewise, Prevalent reserves the right to routinely update, amend or change these Terms. At least 30 days prior to the updated or amended Terms taking effect, Prevalent will notify Client by e-mail of such changes, and a new Terms document will be posted at https://mitratech.com/legal-notice/prevalent-terms-of-use/. Client’s continued use of the Services after the 30 days will serve as consent to the changed terms.

2.2. Fees, Invoices and Payment. Subject to performance of the Services in accordance with the Agreement, Client shall pay Prevalent or the Prevalent Reseller the fees for the Services set forth in the Prevalent Sales Quote or the Prevalent Reseller Sales Quote (the “Fees”). The Fees include all charges associated with the Services including all incidental costs except for taxes and expenses. Prevalent shall submit invoices for Services delivered in accordance with the payment schedule set forth in the Prevalent Sales Quote or the Prevalent Reseller Sales Quote. Client shall pay all invoices within 30 days of receipt of the invoice; thereafter unpaid balances which are not the basis of a good faith dispute shall accrue interest at a rate of 1.5% per month. If Client fails to pay all invoices or charges for referencing these Terms within thirty (30) business days of Prevalent’s notice or the Prevalent’s Reseller notice to Client that payment is past due or delinquent in addition to Prevalent’s other remedies, Prevalent may suspend or terminate access to and use of the Service by Clients. At the expiration of each Subscription Term, Prevalent may increase or adjust the Fees annually by providing Client at least 30 days prior written notice (“Annual Fee Adjustment”).

2.3. Upgrades. If Client chooses to upgrade a Service or increase the number of authorized Clients during the Subscription Term (a “Subscription Upgrade”), any incremental Subscription Charges associated with such Subscription Upgrade will be prorated over the remaining period of Client’s then current Subscription Term and will be due and payable upon implementation of such Subscription Upgrade. In any future Subscription Term, no refunds or credits for Subscription Charges or other fees or payments will be provided to Client if Client elects to downgrade their Service Plan.

2.4. Expenses. Travel and expenses are not included in the Service installation and configuration that appears in the Prevalent Sales Quote or the Prevalent Reseller Sales Quote. Prevalent, or the Prevalent Reseller, will be reimbursed for those expenses that have been incurred in accordance with this Agreement and itemized on its invoice and accompanied by adequate, supporting documentation. Unless otherwise agreed to in advance, all expenses shall be invoiced in arrears after Prevalent, or the Prevalent Reseller has incurred the Expense and after Client has provided prior written approval for reimbursement.

2.5. Equitable Relief. Client acknowledges that any use or disclosure of the Software in a manner inconsistent with the terms of this Agreement, or breach of confidentiality may cause Prevalent or the Prevalent Reseller irreparable damage for which other remedies may be inadequate, and Client agrees not to oppose any request to a court of competent jurisdiction by Prevalent or the Prevalent Reseller for injunctive or other equitable relief seeking to restrain such use or disclosure. Client waives any right it may have to require Prevalent or the Prevalent Reseller to post a bond or other form of security as a precondition to any such injunctive relief.

2.6. Severability. If any provision of this Agreement shall be held to be invalid or unenforceable, the remainder of this Agreement shall remain in full force and effect. To the extent any express or implied restrictions are not permitted by applicable laws, these express or implied restrictions shall remain in force and effect to the maximum extent permitted by such applicable laws.

2.7. Confidential Information. “Confidential Information” means any information one party discloses to the other under this Agreement which is identified as confidential or proprietary. Confidential Information does not include information which: is rightfully obtained by the recipient without breaching any confidentiality obligations; is or becomes known to the public through no act or omission of the recipient; the recipient develops independently without using Confidential Information; or is disclosed in response to a valid court or governmental order if the recipient notifies the disclosing party and assists in any objections. The recipient may use Confidential Information only for the purposes for which it was provided under this Agreement and shall treat it with the same degree of care as it does its own similar information, but with no less than reasonable care. This section shall not affect any other confidential disclosure agreement between the parties. The parties agree that upon the termination or expiration of this Agreement, they will promptly return or destroy any Confidential Information received upon request.

2.8. Limitation of Liability. Except for breach of Client’s payment obligations or situations arising as a result of either party’s gross negligence or willful misconduct, or a breach of the indemnity provisions granted hereunder, each party’s aggregate liability to the other for claims arising out of or relating to this Agreement, whether for breach or in tort, is limited to the price charged to Client for the Services. EXCEPT IN THE CASE OF GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, OR A BREACH OF INDEMNIFICATION OBLIGATIONS, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT (INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUE, PROFITS, GOODWILL, USE, DATA OR OTHER ECONOMIC ADVANTAGE) HOWEVER THEY ARISE, WHETHER IN BREACH OF CONTRACT, BREACH OF WARRANTY, OR IN TORT, INCLUDING NEGLIGENCE, AND EVEN IF THAT PARTY HAS PREVIOUSLY BEEN ADVISED OF, OR COULD REASONABLY HAVE FORESEEN, THE POSSIBILITY OF SUCH DAMAGES. LIABILITY FOR DAMAGES WILL BE LIMITED AND EXCLUDED, EVEN IF ANY EXCLUSIVE REMEDY PROVIDED ABOVE FAILS OF ITS ESSENTIAL PURPOSE.

2.9. BACKGROUND CHECKS

a) As permitted and as may be required by law, Prevalent Employees and Subcontractors with access to Client Data must pass a background check, which can be performed by Prevalent or by a contractor that is authorized by Prevalent to perform background checks. If Prevalent performs the background check, Prevalent will provide verification to Client upon request that it performed such background screenings for all existing Prevalent Employees involved with access to Client Data at the time such employees were hired by Prevalent or at some subsequent time that is prior to their involvement in the provision of Services to Client. Background screenings pursuant to this section must be updated at least every seven (7) years.

b) Background screenings under this Section will be conducted in accordance with applicable local, state and federal law and at a minimum shall include the following:

i) Verification of identification, citizenship and Social Security Number;

ii) a criminal history search to identify felony convictions or a series of repeated convictions, conducted in the employee’s current county of residence and prior county of residence (if applicable) for the immediately preceding seven-year period; an adverse result may include a felony conviction in the last seven years for job related crimes, typically characterized as crimes of violence, dishonesty, theft, drugs; and

iii) Patriot Act check.

iv) Federal Search:

      • National Criminal Records
      • International Criminal Records
      • State-specific Sex Offender Records

v) Felonies: No year limits

      • SSN Trace
      • Credit Report (for mutually agreed Positions of Trust)
      • Motor Vehicle Report

vi) Watches and Sanctions:

      • Denied Persons List
      • Excluded Parties List
      • FBI Most Wanted Terrorist List
      • FDA Debarment List
      • Specially Designated Nationals & Blocked Persons List (include OFAC)

c) A failure to pass a background screening or confirmed felony conviction must be reported to Client prior to involvement in the provisions of Services. Furthermore, any confirmed felony conviction or any alleged offense involving illegal drugs, violence, or a breach of fiduciary duty after the background screening has been completed must be reported to Client before such Prevalent Employee can continue any involvement in the provisions of Services.

2.10. Hiring of Personnel. Client will not recruit any personnel Prevalent assigns to perform Services until one year after completion of the applicable Services, including initiating personal contact for the purpose of hiring, but excluding any general advertisement or other general public and undirected communication with respect to a job position.

2.11. Termination:

a) EVENTS CONSTITUTING TERMINATION. Either party may terminate this Agreement if the breaching party fails to cure any breach of this Agreement within thirty (30) days of written notice from the non-breaching party specifying such breach.

b) OBLIGATIONS UPON TERMINATION. Upon termination of this Agreement, Client shall discontinue use of the Service and extract all Client Data from the Services within thirty (30) days of the date of termination unless otherwise agreed.

c) SURVIVAL UPON TERMINATION. The other rights and obligations of the parties pursuant to Articles 1.4 Restrictions on Transfer; 1.6 Indemnification for Client Data; 1.7 Legal Compliance; 1.9 Limited Warranty; 1.11 Indemnification; 2.7 Confidential Information; 2.8 Limitation of Liability; 2.10 Hiring Personnel; 2.11 Termination; 2.12 Audit; and 2.15 Waiver & Severability of this Agreement shall survive and continue after any termination of this Agreement.

2.12. Audit. Upon reasonable notice to either party, and during normal business hours, each party will have the right to audit the other party to ensure compliance with the terms of this Agreement. There shall be no more than one such audit in any twelve (12) month period during the Term (unless otherwise required by regulators or applicable law). The party requesting the audit will: (i) schedule each audit at a time mutually agreeable to the other party; (ii) be responsible for all time and materials costs of its own or third-party auditors retained to conduct the audit; (iii) abide by the other party’s reasonable security policies and practices; and will be strictly limited to the terms of this Agreement.

2.13. Market Assistance. Client consents to participate in and will cooperate with Prevalent in developing a case study that would be subject to Client’s review and approval and that Prevalent could then use in its future marketing efforts. Client will, subject to its prior approval, agree to act as a customer reference for Prevalent in future sales opportunities.

2.14. Headings. Headings of sections in this Agreement are inserted for convenience only and are in no way intended to limit or define the scope and/or interpretation of this Agreement.

2.15. Waiver & Severability. Failure on the part of either party to give notice of default, or delay in exercising any right or remedy hereunder, shall not operate as a waiver of any such right or remedy except as otherwise expressly stated in this Agreement. In the event that any provision of this Agreement is held invalid, illegal or unenforceable, the remaining provisions shall be enforced to the maximum extent permitted by applicable law.

2.16. Force Majeure. Neither party will be liable for any delay in performance hereunder if such delay is due to causes beyond the reasonable control of such party. In the event Prevalent is the party unable to perform, Prevalent shall provide Client with a pro-rata refund of fees paid upon any such termination as its exclusive liability and Client’s exclusive remedy for such event.

2.17. Assignment. Except in the case of merger or sale of all or substantially all of a party’s assets, neither party may assign or otherwise transfer any of its rights, duties or obligations under this Agreement without the prior written consent of the other party. Such consent may not be unreasonably withheld.

2.18. General.

a) Disputes will be governed by the laws of the State of Delaware, excluding its conflict of laws rules. The exclusive venue for any litigation arising out of or relating to this Agreement will be New Castle County, DE; and the parties waive any claims of forum inconvenience.

b) This Agreement, together with its Attachments, constitutes the entire agreement between the parties relating to the Services, and supersedes all prior or contemporaneous oral or written communications, proposals, conditions, representations and warranties, and prevails over any conflicting or additional terms contained in any quote, purchase order, order document, acknowledgment, or other communication between the parties relating to the Services, even if Prevalent uses such order documents for invoicing purposes.

Attachment A

Service Level Agreement

SERVICE LEVELS INTRODUCTION

This Attachment A sets forth certain levels of service that Provider is required to meet in performing the Services during the Term (“Service Levels”). As used herein, “Provider” means Prevalent, LLC, a subsidiary of Mitratech Holdings, Inc., and “Company” means you, the Client identified in the above SaaS Subscription Agreement.

1. GENERAL PROVISIONS

1.1. Measurement and Reporting.

1.1.1. Except as otherwise agreed upon by the Parties, Provider will monitor its actual performance of the Services against the Service Levels. Provider will provide automated tools, collect and provide to Company the data reasonably made available to it by such tools, and be responsible for measuring performance against the Service Levels. Provider’s failure to properly measure performance with respect to any particular Service Level for any month will be a Service Level Default with respect to such Service Level for such month.

1.1.2. Provider will provide Company with a set of hard- and soft-copy reports to verify Provider’s performance and compliance with the Service Levels. Detailed supporting information for all reports will be provided to Company in spreadsheet form, or such other form as reasonably requested by Company. The raw data, detailed supporting information, and other data produced or derived from measurement of the Services will be Company Data and may be accessed by Company on-line and in real time, where feasible, at any time during the Term.

2. DEFINITIONS

All capitalized terms used but not defined in this Attachment A have the meanings assigned to them in the Agreement. For purposes of this Attachment A, the following terms have the following meanings:

2.1. “Actual Uptime” means the aggregate amount of time within Scheduled Uptime when Services are actually available for normal business use by Company or users, as applicable (i.e., Actual Uptime = Scheduled Uptime – Outage). Services are actually available for normal business use if they can be used in accordance with their intended functionality, with the required database files and tables being accessible with current data.

2.2. “Availability” means the Actual Uptime expressed as a percentage of the Scheduled Uptime (i.e., Availability % = (Actual Uptime)/Scheduled Uptime x 100%).

2.3. “Downtime” means an Outage that continues for a period of more than ten (10) minutes.

2.4. “Monthly Charge” means the amount Provider invoices Company for the Services for a given month; where Provider has quoted fees based upon a longer term, the Monthly Charge will be calculated as the monthly pro rata amount of the longer term quoted.

2.5. “Outage” means any interruption of five (5) minutes or more during which ten percent (10%) or more of Company or users are unable to access the System or their access to the System is substantially impaired (including through significant logon delay).

2.6. “Service Level Default” means an occurrence of Provider’s failure to meet any Service Level.

2.7. “Scheduled Uptime” means the period of time (days of the week and hours per day) the Services are expected to be available to Company for normal business use. Scheduled Uptime excludes maintenance windows for the Services.

3. SERVICE LEVEL PROCESS

3.1. Reevaluation of Service Levels. Section 5.1 of this Attachment A identifies the Service Levels that apply during the Term, subject to the following:

3.1.1. The numerical values associated with such Service Levels (e.g., Availability of 99.8%) will be subject to Company’s and Provider’s mutual reevaluation three (3) months after the Effective Date. The purpose of such reevaluation is to confirm or change the numerical value based upon the average performance of Provider with respect to the applicable Service Level during such three (3) month period. Company and Provider may agree to adjust the Service Levels at this time.

3.1.2. The Parties agree that the Service Levels confirmed or changed in accordance with Section 3.1A above will not be less than those levels reasonably and consistently achievable with the systems and environments used to provide the Services if used in accordance with the practices and standards used in well-managed operations performing services similar to the Services.

3.2. Additions/Modifications to Service Levels. The Parties will cooperate to identify additional Service Levels in furtherance of the objective of having a comprehensive set of Service Levels that provide a fair, accurate, and consistent measurement of Provider’s performance of the Services. In response to changes in Company’s business needs or to reflect changes in or evolution of the Services, Company and Provider will, at least once per year, review and assess any changes and agree to add or substitute new Service Levels to meet such objective(s) as may be redefined from time to time during the Term.

4. SERVICE LEVELS

4.1. Provider must meet or exceed the Service Levels described in this Attachment A, including Section 5.1.

4.1.1. System Availability and Performance. Provider must maintain availability and performance of the System to users so as to meet or exceed the Service Levels set forth in Section 5.1.

4.1.2. System Capacity. Provider must provide sufficient hosting capacity to target the Service Levels, availability and performance objectives in Section 5.1. Company will work with Provider to forecast and anticipate unexpected increases in System usage due to any unusual events that could change the rate of System usage typically observed in normal site operation.

4.1.3. Response Time. Provider must manage equipment, bandwidth, and network response times to target Service Levels and performance objectives stated in Section 5.1.

5. SERVICE LEVEL DEFAULTS

5.1. Credits. The SLA credits are calculated as a % of the Monthly Charge owed by Company for the month during which the Service Level Default occurs. Where Prevalent fails to attain the 99.8% service level, rather than the Service Credit set forth above, Client may elect to demand a pro-rata refund based upon the number of days outside of the 99.8% service level, and the refund will be determined on a pro rata basis using the annual Service Subscription fee stated in the Prevalent Sales Quote. The refund will be paid at the end of the calendar quarter; this represents Prevalent’s sole liability for that Service level breach and Client’s sole remedy.

6. SERVICE LEVELS

6.1. SERVICE LEVEL: SYSTEM AVAILABILITY.

6.1.1. Provider will provide the Application Services 24 hours per day, 365 days per year with an Availability of 99.8%, excluding scheduled maintenance, which will not be performed during Company’s normal business hours of operation. Provider will provide Company with its maintenance schedule and will notify Company in advance of any non-scheduled maintenance.

6.2. SERVICE LEVEL: MONITORING AND RESPONSE TIME.

6.2.1. Provider will respond to and resolve System faults based on the severity levels detailed below. The time clock will restart any time a severity level is changed. “Response” means the time Provider takes from its receipt of a problem report until it begins work to resolve the problem. “Target Resolution” means estimated amount of time to provide a work around or other resolution.

| SEVERITY LEVEL | FAULT DESCRIPTION | RESPONSE | TARGET RESOLUTION |
|---|---|---|---|
| Severity 1 | Production system is down, impacting all Prevalent applications. | 1 hour | 4 hours |
| Severity 2 | Ability to use the Application Services, but Company operation is severely restricted and no workaround exists. | 4 hours | 1 business day |
| Severity 3 | Ability to use the Application Services with faults that cause minor disruption to service. | 1 business day | ASAP |

6.3. SERVICE LEVEL: SECURITY.

6.3.1. Physical and Technical Security. Provider will provide appropriate and adequate physical and technical security for the Application Services, including, but without limitation, the following:

6.3.1.1. Provider will have Representatives capable of identifying, categorizing, and responding to a security incident.

6.3.1.2. Provider will implement a security fix across the infrastructure in accordance with Provider’s regular update process.

6.3.1.3. Provider will promptly shut down ALL access to the System, or any component of it associated with the Application Services, responding to a request by Company’s security manager.

6.3.1.4. Provider will not directly or indirectly subcontract, assign, or transfer, permit, or allow any portion of the Services, related support, or other activities under the Agreement offshore, meaning outside the continental United States, Canada or the United Kingdom, without the express prior written consent of the Company.

6.3.2. Provider will require all permitted subcontractors and/or third-party service providers utilized either directly or indirectly by Provider in the performance of Services (“Third-Party Service Provider”) to adhere to, and comply with, all requirements of the Agreement, including, but not limited to, the Company security requirements set forth in the Agreement.

6.3.2.1. Provider will conduct annual independent security reviews and audits by a reputable and nationally known independent third-party audit firm to ensure that Provider is meeting all of the physical and technical security requirements of the Agreement. Provider’s audit agency will prepare a written audit report detailing audit findings. Provider will not store or transmit Company Data as clear text. Provider will store and transmit Company Data only in a secure and encrypted mode.

6.3.2.2. Provider will institute and maintain a separation of duties between application development, quality assurance, testing, and production environments.

6.3.3. Security Event Notification.

6.3.3.1. If either Prevalent or Client discovers or is notified of a breach or potential breach of security relating to the Client Data (“Event”), (i) such party shall notify the other party of such breach or potential breach, and (ii) if the applicable Client Data was in the possession of Prevalent or Subcontractors at the time of such breach or potential breach, Prevalent shall promptly but not more than 72 hours from discovery or notification (A) investigate and remediate the effects of the breach or potential breach, (B) provide Client with information related to the breach or potential breach and coordinate with Client while conducting Prevalent’s investigation; (ii) Prevalent agrees to reasonably cooperate with Client to the extent Client determines it is necessary to conduct its own investigation; and (iii) provide Client with assurance reasonably satisfactory to Client that such breach or potential breach has been remediated. Prevalent will cooperate fully with Client regarding any notification for impacted individuals.

6.3.4. Prevalent implements a comprehensive backup and recovery process. More specifically, snapshots of the data (“Snapshots”) are performed every 24 hours, and those Snapshots are stored for 14 days.

6.3.5. Secure Audit Repository. Provider will log the following information to a secure audit repository:

      • Any OS patch or OS configuration changes and the user and IP address making them;
      • Account creation, deletions, and modifications (OS not application);
      • Failed attempt to access data;
      • Failed login;
      • Start/stop of server; and
      • Changes to firewall configuration files.


Attachment B

Prevalent Platform Software Service Description

The Prevalent Platform is a Software as a Service (SaaS) offering that automates many of the tasks associated with the vendor risk management process, including evidence collection, evidence risk analysis, email notifications, and scheduling. The Prevalent Platform offers security, compliance, and risk management professionals a platform to manage and automate the vendor risk assessment process. The Prevalent Platform enables organizations to evaluate vendors based on vendor tiers determined by their importance or potential risk to the organization. The Prevalent Platform enables the creation of a standard tier structure for the organization, a standardized assessment workflow, Shared Assessment content, evidence collection, risk scoring, and reporting. The Prevalent Platform manages each vendor independently, providing the ability to understand the impact of doing business with a particular vendor. Each Prevalent Platform license shall allow for the assessment, management and reporting for one third party vendor per license for the license term. Once a product license has been redeemed for the entity, a license fee will be triggered for that entity.

1. A product license is considered redeemed for the entity when any one of the following actions is triggered against an entity within the application:

(a) Survey/schedule sent to an entity
(b) Survey/schedule sent on behalf of the client to an entity initiating the collection and analysis processes of the Risk Operations Team
(c) Survey imported against an entity
(d) Risk items are imported against an entity
(e) Risk items created against an entity
(f) Risk items modified against an entity
(g) An agreement is issued to an entity

2. VTM: Prevalent Vendor Threat Monitor (VTM) is a Software as a Service (SaaS) offering that enables organizations to continuously monitor key relationship risk areas, including Data Risk, Operational Risk, Financial Risk, Brand Risk, Regulatory Risk and Geographic Risk. Organizations using Prevalent VRM SaaS to assess vendors and service providers can opt to configure VTM to monitor for potential risk areas identified by Prevalent VRM. Prevalent VTM will notify the risk manager associated with the relationship to determine whether the risk poses an actual threat to the organization. Data types that are part of this analysis include external data breach notifications, IP reputation data, malware for known domains, financial analysis, phishing attacks, regulatory issues and other publicly available information. Each VTM license shall allow for the monitoring of threat intelligence and reporting for one third party vendor per license for the license term.