Ghost Security, Inc. SaaS Subscription Agreement

THIS SAAS SUBSCRIPTION AGREEMENT GOVERNS CUSTOMER'S ACQUISITION AND USE OF GHOST SECURITY'S SERVICES. CAPITALIZED TERMS HAVE THEIR DEFINITIONS SET FORTH HEREIN.

BY ACCEPTING THIS AGREEMENT, BY EITHER (1) CLICKING A BOX INDICATING ACCEPTANCE OR (2) EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY, OR DOES NOT AGREE WITH THESE TERMS AND CONDITIONS, SUCH INDIVIDUAL MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.

IF CUSTOMER HAS PURCHASED THE LICENSE GRANTED HEREUNDER FROM A PARTNER, RESELLER OR DISTRIBUTOR AUTHORIZED BY GHOST SECURITY ("PARTNER"), THEN TO THE EXTENT THAT THERE IS ANY CONFLICT BETWEEN THIS AGREEMENT AND THE AGREEMENT ENTERED BETWEEN CUSTOMER AND THE RESPECTIVE PARTNER, INCLUDING ANY PURCHASE ORDER ("PARTNER AGREEMENT"), THEN, AS BETWEEN CUSTOMER AND GHOST SECURITY, THIS AGREEMENT SHALL PREVAIL. ANY RIGHT GRANTED TO CUSTOMER IN SUCH PARTNER AGREEMENT WHICH ARE NOT CONTAINED IN THIS AGREEMENT, APPLY ONLY IN CONNECTION WITH THE PARTNER. IN THAT CASE, CUSTOMER MUST SEEK REDRESS OR REALIZATION OR ENFORCEMENT OF SUCH RIGHTS SOLELY WITH THE PARTNER AND NOT GHOST SECURITY.

The Services may not be accessed for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.

Ghost Security's competitors, including but not limited to API and Application security vendors, are prohibited from accessing the Services, except with Ghost Security's prior written consent.

This Agreement was last updated on March 18th, 2024. It is effective between Customer and Ghost Security as of the date of Customer's accepting this Agreement ("the Effective Date").

SAAS SUBSCRIPTION AGREEMENT

This SaaS Subscription Agreement, including all exhibits, schedules, Statements of Work and Order Forms (as defined below) (collectively, the "Agreement") are the terms of service under which Ghost Security, Inc. ("Ghost" or "Ghost Security") agrees to grant the Customer access to and use of the Ghost SaaS Service, and Beta Releases (as defined below). By indicating Customer's acceptance of this Agreement, executing an Order Form that references this Agreement, or using the Ghost SaaS Service, or Beta Releases, Customer agrees to be bound by this Agreement. If you are entering into this Agreement on behalf of an entity, such as the company you work for, then you represent to Ghost Security that you have the legal authority to bind the Customer to this Agreement. Ghost Security and Customer are each a "Party" and collectively, the "Parties", hereunder.

1. DEFINITIONS

"Affiliate" means with respect to a Party, any person or entity that controls, is controlled by, or is under common control with such Party, where "control" means ownership of fifty percent (50%) or more of the outstanding voting securities.

"Agent" or "Software" means Ghost Security software, including but not limited to the application that runs in Customer's operating environment and captures systems information, including but not limited to calls and events.

"Authorized User" means a named individual that: (a) is an employee, representative, consultant, contractor or agent of Customer or a Customer Affiliate; (b) is authorized to use the SaaS Service pursuant to this Agreement; and (c) has been supplied a user identification and password by Customer. Customer shall be responsible for all access and use of the SaaS Service by the Authorized Users.

"Beta Releases" means Ghost Security services or functionality that may be made available to Customer to try at its option at no additional charge which is clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description.

"B2B Relationship Data" means any administrative, transactional or account related data or communications provided by or on behalf of Customer to Ghost Security in connection with the creation, purchase, maintenance, or support of Customer's account with Ghost.

"Customer" means any individual or entity with which Ghost Security has sold its products or services to.

"Customer Data" means any data or other information which is provided by (or on behalf of) Customer directly or indirectly to Ghost Security in connection with the Services, Introductory SaaS Service or Beta Releases, including data that is collected by the Software, and shall not include Customer Personal Data or Service Analytics as defined hereunder.

"Customer Personal Data" means any Customer Data which (i) qualifies as "Personal Data" "Personal Information" "Personally Identifiable Information" or any substantially similar term under applicable privacy laws and (ii) is processed by Ghost Security on behalf of Customer in connection with the Agreement. For the avoidance of doubt, Customer Personal Data shall not include B2B Relationship Data or Service Analytics as defined hereunder.

"Documentation" means the end user technical documentation provided with the Services, as may be modified from time to time.

"License Entitlement" means the license quantity pursuant to which the SaaS Service is deployed by Ghost Security, as set forth in an Order Form, which may be measured by the number of API endpoints, applications, volume of data mirrored, or other defined metric as outlined in the Order Form.

"License Keys" means an alphanumeric code that enables use of the Software.

"Open Source Software" means a program in which source code is made publicly and freely available for use and modification pursuant to certain license terms.

"Order Form" means a document executed by and between Ghost Security and Customer or electronically accepted by Customer that references this Agreement, purchase confirmation or any other document which details the Services to be provided by Ghost Security, the fees associated therewith, and any other transaction-specific terms and conditions.

"Statement of Work" or "SOW" means a statement of work or other such executed document that references this Agreement, whereby Customer engages Ghost Security to perform certain training, consulting, technical account management, professional, or similar services related thereto.

"SaaS Service" means Ghost's hosted service solution as specified on an Order Form, made available at www.ghostsecurity.com. The SaaS Service may include the use of certain Software, as applicable.

"Services" means the specific ordered SaaS Service, Support Services, and any of the training services, technical account management services, and/or consulting or other professional services, pursuant to one or more Order Forms and SOW(s), if applicable.

"Subscription Term(s)" means the subscription period(s) specified in an Order Form, during which Authorized Users may use the SaaS Service, subject to the terms of this Agreement.

"Support Services" means the maintenance and support services provided by Ghost Security to Customer during the Subscription Term, as set forth on the Order Form.

"Update" is a SaaS Service release that Ghost Security makes generally available to all Ghost customers, along with any corresponding changes to Documentation. An Update may be an error correction or bug fix; or it may be enhancement, new feature, or new functionality.

2. PROVISION AND USE OF THE SERVICES

2.1 Provision of the SaaS Service.

Subject to Customer's payment of all fees due hereunder, Ghost Security grants Customer a limited, non exclusive, non-sublicenseable, nontransferable (except as specifically permitted in this Agreement) right to access and use the SaaS Service during the applicable Subscription Term, pursuant to the License Entitlement as set forth in the applicable Order Form, solely for Customer's internal business purposes. This grant includes the right to implement the Software for use with the SaaS Service, if applicable. Customer may permit their Affiliates to use and access the SaaS Service and Documentation in accordance with this Agreement, but Customer shall be responsible for the compliance of all Affiliates with this Agreement, Documentation, and the Order Form(s).

2.2 Use Restrictions.

Customer shall not (and shall not permit any third party to): (a) sublicense, sell, transfer, assign, distribute or otherwise grant or enable access to the SaaS Service in a manner that allows anyone to access or use the SaaS Service without an Authorized User subscription, or to commercially exploit the SaaS Service; (b) use the SaaS Service to provide, or incorporate the SaaS Service into, any product or service provided to a third party; (c) use the SaaS Service to develop a similar or competing product or service; (d) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code except to the extent expressly permitted by applicable law (and then only upon advance notice to Ghost Security); (e) copy, modify or create any derivative work of the SaaS Service or any Documentation; (f) remove or obscure any proprietary or other notices contained in the SaaS Service; (g) allow Authorized User subscriptions to be shared or used by more than one individual Authorized User (except that Authorized User subscriptions may be reassigned by Customer to new Authorized Users replacing individuals who no longer use the SaaS Service for any purpose); (h) publicly disseminate performance information regarding the SaaS Service.

2.3 Support Services.

During the Subscription Term, Ghost Security will provide Support Services to the Customer in accordance with the purchased Support Services level detailed in Exhibit A. Customer is required to have Support Services for the duration of the applicable Subscription Term. Customer shall be entitled to Updates to the extent Ghost Security incorporates such Updates into the SaaS Service subject to the applicable Order Form during the Subscription Term.

2.4 Use of Services Deliverables.

Subject to Customer's payment of all fees due hereunder, Ghost Security grants Customer a limited, non-exclusive, royalty-free, non-sublicensable, non-transferable license (except as specifically permitted in this Agreement), to use those elements of the Ghost Technology (as defined below) embodied in the Services deliverables, if any, in Customer's ordinary course of business, solely as so embodied. Ghost Security reserves all other rights in and to the Ghost Technology.

2.5 Beta Releases.

From time to time, Ghost Security may grant Customer access to Beta Releases. Customer shall comply with all terms related to any Beta Releases as posted or otherwise made available to Customer. Ghost Security may add or modify terms related to access or use of the Beta Release at any time. While Ghost Security may provide assistance with Beta Releases in its discretion, notwithstanding anything to the contrary in this Agreement, CUSTOMER AGREES THAT ANY BETA RELEASE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT ANY WARRANTY, SUPPORT SERVICES, MAINTENANCE, STORAGE, OR SERVICE LEVEL OBLIGATIONS OF ANY KIND.

3. CUSTOMER OBLIGATIONS

3.1 Data Collection.

Customer has exclusive control and responsibility for determining what Customer Data is submitted to the Services, Introductory SaaS Service and Beta Releases and for obtaining all necessary consents and permissions for submission of Customer Data and processing instructions to Ghost Security.

3.2 Rights in Customer Data.

Customer is solely responsible for the accuracy, content and legality of all Customer Data and agrees to comply with all applicable laws in its use of the Services, Introductory SaaS Service and Beta Releases. Customer represents and warrants that Customer has all necessary rights, consents and permissions to collect, share and use Customer Data as contemplated in this Agreement, without violation or infringement of any third-party intellectual property, publicity, privacy rights or any laws and regulations.

3.3 Customer Data; Storage.

Without limiting Ghost Security's obligations hereunder, Customer acknowledges that Customer is responsible for properly configuring and using the SaaS Service, Introductory SaaS Service and Beta Releases and otherwise taking reasonable action to secure and protect Customer accounts and Customer Data.

3.4 Open Source Software and Third-Party Software.

Customer acknowledges and agrees that certain Open Source Software libraries, components and utilities, and other third-party software not owned or developed by Ghost Security are embedded in the Software. The publicly available open source license terms governing the Open Source Software shall take precedence over this Agreement to the extent that the Agreement imposes greater restrictions on Customer.

4. PROPRIETARY RIGHTS

4.1 Customer Data.

As between the Parties, Customer shall retain all right, title and interest (including any and all intellectual property rights) in and to the Customer Data. Subject to the terms of this Agreement, Customer hereby grants to Ghost Security a non-exclusive, worldwide, royalty-free right to use, copy, store, transmit, modify, create derivative works of and display the Customer Data solely to the extent necessary to provide the Services, Introductory SaaS Service and Beta Releases to Customer during the Subscription Term.

4.2 Ghost Technology.

The Services, Introductory SaaS Service, Beta Releases, Documentation, including all copies and portions thereof, and all intellectual property rights therein, including, but not limited to derivative works, deliverables, Updates, enhancements and modifications therefrom ("Ghost Technology"), shall remain the sole and exclusive property of Ghost Security. Customer is not authorized to use (and shall not permit any third party to use) the Ghost Technology or any portion thereof except as expressly authorized by this Agreement.

4.3 Service Analytics.

Ghost Security may process Service Analytics for internal business purposes in order to deliver, enhance, secure and support the Services, Introductory SaaS Service, Beta Releases and Software. Customer may have the ability to configure the Services, Introductory SaaS Service and Beta Releases (as applicable) to limit the Service Analytics that are collected.

5. FEES & PAYMENT

5.1 Fees and Payment.

All fees are as set forth in the applicable Order Form and shall be paid by Customer within thirty (30) days of date of invoice, unless otherwise specified in the applicable Order Form or SOW. Except as expressly set forth in an Order Form or SOW: (a) payment obligations are non-cancelable and fees are non-refundable; and (b) Customer may not decrease the License Entitlement or downgrade to the Introductory SaaS Service during the applicable Subscription Term.

5.2 Effect of Nonpayment.

This Agreement or Customer's access to Services may be suspended or terminated if Customer's account falls into arrears. Unpaid amounts may be subject to interest at the lesser of one and one-half percent (1.5%) per month or the maximum permitted by law, plus all collection costs.

5.3 Taxes.

All fees stated on Order Form are exclusive of any taxes, levies, or duties ("Taxes"), and Customer will be responsible for payment of all such Taxes excluding taxes based solely on Ghost Security income. Unless Customer provides Ghost Security a valid state sales/use/excise tax exemption certificate, Customer will pay and be solely responsible for all Taxes.

5.4 Travel and Expenses.

Customer will pay any reasonable and actual pre-approved out-of-pocket expenses incurred in connection with the Services which may include without limitation, airfare, lodging, and meals. Ghost Security shall provide Customer invoices and receipts for any such Customer pre-approved expenses.

6. TERM AND TERMINATION

6.1 Term.

This Agreement will continue for so long as there is an Order Form in effect between the Parties or for so long as Customer is using the Introductory SaaS Service, unless earlier terminated pursuant to the terms of this Agreement.

6.2 Termination for Cause.

Either Party may terminate this Agreement (or any affected Order Form or Statement of Work) (a) upon the other Party's material breach that remains uncured for thirty (30) days following written notice of such breach, except that termination will take immediate effect on written notice in the event of a breach of Section 2.2 ("Use Restrictions"), Section 2.4 ("Use of Services Deliverables") or 10 ("Confidential Information"); or (b) immediately in the event the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors (and not dismissed within sixty (60) days thereafter).

6.3 Treatment of Customer Data Following Expiration or Termination.

Customer agrees that following termination of this Agreement, or termination or expiration of any Order Form, Ghost Security may immediately deactivate Customer's account(s) associated with the Agreement or applicable Order Form. Customer understands that Ghost Security may retain copies of Customer Data in regular backups or as required by law, which will remain subject to the confidentiality and security standards set forth in Sections 10 and 11, respectively, for so long as Customer Data is retained by Ghost Security.

6.4 Effect of Termination.

Upon early termination of this Agreement by Customer for Ghost Security's uncured material breach pursuant to Section 6.2 or by Ghost Security pursuant to Section 6.3, Customer is entitled to a prorated refund of prepaid fees relating to the Services applicable to the remaining period in the applicable Subscription Term. Upon expiration or termination of this Agreement by Ghost Security for Customer's uncured material breach pursuant to Section 6.2 or by Customer pursuant to Section 6.3, unpaid fees relating to the Services applicable to the duration of any applicable Subscription Term will be immediately due and payable.

7. LIMITED WARRANTY

7.1 Limited Warranty.

Ghost Security warrants that during the Subscription Term the Services made available for Customer's use (which for purposes of this Section 7.1 excludes Support Services which shall be addressed under Exhibit A) will operate in substantial conformity with the applicable Documentation. In the event of a material breach of the foregoing warranty, Customer's exclusive remedy and Ghost Security's entire liability, shall be for Ghost Security to use commercially reasonable efforts to correct the reported non-conformity within thirty (30) days, or if Ghost Security determines such remedy to be impracticable, Ghost Security at its discretion, may terminate the applicable Order Form (and applicable Statement of Work, if any) and Customer will receive, as its sole remedy, a refund of any fees Customer has pre-paid for use of affected Services for the terminated portion of the applicable Subscription Term.

7.2 Malicious Code.

Ghost Security warrants that Ghost Security will not knowingly introduce into the Services software viruses, worms, Trojan horses or other code, files, scripts, or agents intended to do harm.

7.3 Warranty Disclaimer.

EXCEPT FOR THE WARRANTY IN THIS SECTION 7, THE SERVICES ARE PROVIDED "AS IS". NEITHER GHOST SECURITY NOR ITS SUPPLIERS MAKES ANY OTHER WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, THOSE ARISING FROM A COURSE OF DEALING OR USAGE OR TRADE, AND ALL SUCH WARRANTIES ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.

8. LIMITATION OF REMEDIES AND DAMAGES

8.1 Liability Cap.

EXCEPT WITH RESPECT TO: (A) EITHER PARTY'S OBLIGATIONS UNDER SECTION 9 ("INDEMNIFICATION") (FOR WHICH THE LIABILITY LIMITATION SHALL NOT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER TO GHOST SECURITY IN THE CUMULATIVE AND AGGREGATE FOR ALL CLAIMS); AND (B) CUSTOMER'S INFRINGEMENT OF GHOST SECURITY'S INTELLECTUAL PROPERTY RIGHTS, IN NO EVENT SHALL EITHER PARTY'S TOTAL AGGREGATE LIABILITY EXCEED THE AMOUNTS PAID BY AND/OR DUE FROM CUSTOMER FOR THE THEN-CURRENT ANNUAL SUBSCRIPTION TERM, UNDER THE APPLICABLE ORDER FORM(S) RELATING TO THE CLAIM.

8.2 EXCEPT FOR CUSTOMER'S INFRINGEMENT OF GHOST SECURITY'S INTELLECTUAL PROPERTY RIGHTS, IN NO EVENT SHALL EITHER PARTY, OR GHOST SECURITY'S AFFILIATES OR ITS LICENSORS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, INDIRECT, PUNITIVE OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOSS OF USE, BUSINESS INTERRUPTIONS, LOSS OF DATA, REVENUE, GOODWILL, PRODUCTION, ANTICIPATED SAVINGS, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, IN CONNECTION WITH OR ARISING OUT OF THE PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT, WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN OF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

8.3 Limitations Fair and Reasonable.

EACH PARTY ACKNOWLEDGES THAT THE LIMITATIONS OF LIABILITY SET FORTH IN THIS SECTION 8 REFLECT THE ALLOCATION OF RISK BETWEEN THE PARTIES UNDER THIS AGREEMENT, AND THAT IN THE ABSENCE OF SUCH LIMITATIONS OF LIABILITY, THE ECONOMIC TERMS OF THIS AGREEMENT WOULD BE SIGNIFICANTLY DIFFERENT.

9. INDEMNIFICATION

9.1 By Ghost Security.

Ghost Security shall defend Customer from and against any claim by a third party alleging that the SaaS Service when used as authorized under this Agreement infringes any trademark or copyright of such third party, enforceable in the jurisdiction of Customer's use of the SaaS Service, or misappropriates a trade secret (but only to the extent that such misappropriation is not a result of Customer's actions) ("Infringement Claim") and shall indemnify and hold harmless Customer from and against any damages and costs awarded against Customer by a court of competent jurisdiction or agreed in settlement by Ghost Security (including reasonable attorneys' fees) resulting from such Infringement Claim.

9.2 Remedies.

If Customer's use of the SaaS Service is (or in Ghost Security's opinion is likely to be) enjoined, if required by settlement or if Ghost Security determines such actions are reasonably necessary to avoid material liability, Ghost Security may, at its option: (i) procure for Customer the right to use the SaaS Service in accordance with this Agreement; (ii) replace or modify, the SaaS Service to make it non-infringing; or (iii) terminate Customer's right to use the SaaS Service and discontinue the related Support Services, and upon Customer's certification of deletion of the Software (if any), refund prorated pre-paid fees for the remainder of the applicable Subscription Term for the SaaS Service.

9.3 By Customer.

Customer will defend, indemnify and hold Ghost Security harmless from and against any damages and costs (including reasonable attorneys' fees and costs incurred by Ghost Security) finally awarded against Ghost Security arising from or in connection with any claim alleging that Ghost Security's use of the Customer Data infringes a copyright, trademark, trade secret or breaches privacy, or publicity right of a third party.

9.4 Indemnity Process.

Each Party's indemnification obligations are conditioned on the indemnified Party: (a) promptly giving written notice of the claim to the indemnifying Party; (b) giving the indemnifying Party sole control of the defense and settlement of the claim; and (c) providing to the indemnifying Party all available information and assistance in connection with the claim, at the indemnifying Party's request and expense. The indemnified Party may participate in the defense of the claim, at the indemnified Party's sole expense (not subject to reimbursement). Neither Party may admit liability for or consent to any judgment or concede or settle or compromise any claim unless such admission, concession, settlement, or compromise includes a full and unconditional release of the other Party from all liabilities in respect of such claim.

10. CONFIDENTIAL INFORMATION

10.1 Each Party (as "Receiving Party") agrees that all code, inventions, know-how, business, personal data, technical and financial information it obtains from the disclosing party ("Disclosing Party") constitute the confidential property of the Disclosing Party ("Confidential Information"), provided that it is identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure. Customer Data, pricing information, Ghost Security Technology, Beta Releases (including the existence of), performance information relating to the Services, Introductory SaaS Service or Beta Releases, and the terms and conditions of this Agreement shall be deemed Confidential Information without any marking or further designation.

10.2 Customer Personal Data.

Customer acknowledges that the Services, Introductory SaaS Service and Beta Releases do not require Customer to input or otherwise transmit Customer Personal Data and Customer agrees not to input or otherwise transmit any Customer Personal Data to the Services, Introductory SaaS Service or Beta Releases without Ghost Security's explicit consent or as otherwise set forth in the applicable Order Form or other written agreement between the Parties.

10.3 B2B Relationship Data; Service Analytics.

For the avoidance of doubt and subject to the terms hereunder, Ghost Security processes Service Analytics and B2B Relationship Data in its role as an independent controller and in accordance with applicable laws and Ghost Security's privacy policy.

11. SECURITY

11.1 During the Subscription Term, Ghost Security will maintain reasonable administrative, physical, and technical safeguards designed for the protection, confidentiality, and integrity of Customer Data at least as rigorous as the measures standard in the industry in accordance with Section 11.3. Ghost Security will not use Customer Data except to provide the Services, Introductory SaaS Service, Beta Releases or Support Services in accordance with this Agreement or as instructed by Customer.

11.2 Ghost Security will only be liable for any unauthorized access to Customer Data by third parties only to the extent resulting from Ghost Security's gross negligence or willful misconduct. The provisions of this Section 11.2 apply notwithstanding any provision of this Agreement or any other agreement between Ghost Security and Customer (or any affiliate of Customer) to the contrary.

11.3 Ghost Security Security Addendum.

Ghost Security will implement and maintain commercially reasonable security measures (as set forth in Exhibit B) designed to meet the following objectives: (i) ensure the security and confidentiality of Customer Data in the custody and under the control of Ghost Security; (ii) protect against any anticipated threats or hazards to the security or integrity of such Customer Data; (iii) protect against unauthorized access to or use of such Customer Data; and (iv) ensure that Ghost Security's return or disposal of such Customer Data is performed in a manner consistent with Ghost Security's obligations under the Agreement and applicable law.

12. GENERAL TERMS

12.1 If Customer acquired the Services from a Ghost Security authorized distributor or reseller ("Partner"), then this Agreement is not exclusive of any rights Customer obtains under Partner's sale agreement. If a Partner has granted Customer any rights that Ghost Security does not also directly grant to Customer in this Agreement, or that conflict with this Agreement, then Customer's sole recourse with respect to such rights is against the Partner.

12.2 References.

Unless otherwise specified in the applicable Order Form, Ghost Security may refer to Customer as one of Ghost Security's customers and use Customer's logo as part of such reference, provided that Ghost Security complies with any Customer trademark usage requirements provided by Customer.

12.3 Compliance With Laws.

Ghost Security and Customer will comply with all applicable laws and regulations with respect to performance under this Agreement, including, without exception all requirements of applicable state and federal privacy laws and regulations governing personally identifiable information, personal information, personal data and any other substantially similar term.

12.4 Assignment.

Neither Party may assign this Agreement, in whole or in part, without the prior written consent of the other Party, provided that no such consent will be required to assign this Agreement in its entirety to (i) an Affiliate that is able to satisfy the obligations of the assignor under this Agreement or (ii) a successor in interest in connection with a merger, acquisition or sale of all or substantially of the assigning Party's assets, provided that the assignee has agreed to be bound by all of the terms of this Agreement and all fees owed to the other Party are paid in full.

12.5 Severability.

If any provision of this Agreement shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited to the minimum extent necessary so that this Agreement shall otherwise remain in effect.

12.6 Governing Law; Jurisdiction and Venue.

This Agreement will be governed by the Applicable Law described below as applicable (without regard to the conflicts of law provisions of any jurisdiction), and claims arising out of or in connection with this Agreement will be subject to binding arbitration in accordance with Section 12.6 to be located in the Arbitration Tribunal and Venue of the State of Texas, USA.

12.7 Arbitration.

Any and all disputes, claims or causes of action, in law or equity, including without limitation, claims arising out of or related to the Parties' negotiations and inducements to enter into this Agreement, enforcement, breach, performance or interpretation of this Agreement will be submitted to mandatory, binding arbitration under the auspices of the Arbitration Tribunal applicable above, or its successors, under its then-current commercial arbitration rules and procedures.

12.8 Notice.

Notices to a Party will be sent by first-class mail, overnight courier or prepaid post to the address for such Party as identified on the first page of this Agreement and will be deemed given seventy-two (72) hours after mailing or upon confirmed delivery or receipt, whichever is sooner. Customer will address notices to Ghost Security Legal Department at [email protected].

12.9 Force Majeure.

Neither Party will be in default or liable under this Agreement by reason of any failure in performance of this Agreement if such failure arises, directly or indirectly, out of causes reasonably beyond the reasonable control of such Party, including acts of God or of the public enemy, terrorism, political unrest, U.S. or foreign governmental acts in either a sovereign or contractual capacity, fire, flood, failure of third party connections, epidemic, pandemic or virus, utilities or networks, earthquake, hostile attacks, restrictions, strikes, and/or freight embargoes.

12.10 Amendments; Waivers.

No supplement, modification, or amendment of this Agreement shall be binding, unless executed in writing by a duly authorized representative of each Party to this Agreement. No waiver will be implied from conduct or failure to enforce or exercise rights under this Agreement, nor will any waiver be effective unless in a writing signed by a duly authorized representative on behalf of the Party claiming such waiver.

12.11 Entire Agreement; Interpretation.

This Agreement is the complete and exclusive statement of the mutual understanding of the Parties and supersedes all previous written and oral agreements and communications relating to the subject matter of this Agreement. In this Agreement, headings are for convenience only and "including", "e.g.", and similar terms will be construed without limitation.

12.12 Subcontractors.

Ghost Security may use the services of subcontractors and permit them to exercise the rights granted to Ghost Security in order to provide the Services, Introductory SaaS Service, and Beta Releases under this Agreement. These subcontractors may include, for example, Ghost Security's hosting infrastructure. Ghost Security remains responsible for compliance of any such subcontractor with the terms of this Agreement.

12.13 Feedback.

Ghost Security shall be free to use, irrevocably, in perpetuity, for free and for any purpose, all suggestions, ideas and/or feedback relating to the Services, Introductory SaaS Service or Beta Releases (collectively, "Feedback") provided to Customer, its Affiliates and Authorized Users.

12.14 Independent Contractors.

The Parties to this Agreement are independent contractors. There is no relationship of partnership, joint venture, employment, franchise or agency created hereby between the Parties. Neither Party will have the power to bind the other or incur obligations on the other Party's behalf without the other Party's prior written consent.

12.15 Export Control.

In its use of the Services, Introductory SaaS Service, and Beta Releases, Customer agrees to comply with all export and import laws and regulations of the United States and other applicable jurisdictions. Without limiting the foregoing, (i) Customer represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a U.S. government embargo or that has been designated by the U.S. government as a "terrorist supporting" country, (ii) Customer shall not (and shall not permit any of its users to) access or use the Services in violation of any U.S. export embargo, prohibition or restriction, and (iii) Customer shall not submit to the Services, Introductory Service or Beta Release any information that is controlled under the U.S. International Traffic in Arms Regulations.

12.16 Government End-Users.

Elements of the Services, Introductory SaaS Service and Beta Releases are commercial computer software. If the user or licensee hereunder is an agency, department, or other entity of the United States Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Services, Introductory SaaS Service or Beta Release, or any related documentation of any kind, including technical data and manuals, is restricted by a license agreement or by the terms of this Agreement in accordance with Federal Acquisition Regulation 12.212 for civilian purposes and Defense Federal Acquisition Regulation Supplement 227.7202 for military purposes.

12.17 Counterparts.

This Agreement may be executed in counterparts, which taken together shall form one binding legal instrument. The Parties hereby consent to the use of electronic signatures in connection with the execution of this Agreement, and further agree that electronic signatures to this Agreement shall be legally binding with the same force and effect as manually executed signatures.

EXHIBITS

Exhibit A: Support Services Policy (SaaS)

1. DEFINITIONS

a) "Error" means a failure of the SaaS Service to conform to the specifications set forth in the Documentation, resulting in the inability to use, or material restriction in the use of the SaaS Service. b) "Start Time" means the time at which Ghost Security first becomes aware of an Error.

2. SUPPORT SERVICES

Ghost Security will provide Support Services to Customer through the portal located at https://support.ghost.security or through other customer support center contacts, set forth below (the "Customer Support Center").

3. SUPPORT SERVICES SUBSCRIPTIONS

Pursuant to the Support Services Subscription purchased by Customer, as set forth in the Order Form, Ghost Security shall provide the following level of support services:

a) Standard Support Services: Customer will have access to the Customer Support Center in one of the geographical regions offered by Ghost Security and selected by Customer, Monday through Friday (9 a.m. to 5 p.m.) in Customer's selected region.

b) Premium Support Services: Customer will have access to the Customer Support Center

4. CUSTOMER RESPONSIBILITIES

Customer is responsible for the prompt installation of all Updates to the Software, as provided by Ghost Security. Customer shall provide commercially reasonable cooperation and full information to Ghost Security with respect to the furnishing of Support Services.

Customer will designate a certain number of employees or agents that will interface with the Customer Support Center, and submit Errors, requests, or support tickets (the “Technical Support Contacts”). Customer is permitted to name as many Technical Contacts as allowed pursuant to the purchased Support Service Subscription.

Customer’s non-named Technical Contacts may contact the Customer Support Center only in case of an emergency or on an exception basis. Ghost Security will respond to such Error submission and cooperate with the non-named Technical Contact, subject to later verification and involvement of a named Technical Support Contact.

Additional named Technical Support Contacts may be permitted upon mutual agreement of the Parties.

5. EXCLUDED SUPPORT SERVICES

Ghost Security shall not be obligated to fix any Error or incident:

1. Where the SaaS Service is not used for its intended purpose.

2. Where the SaaS Service (including Software as applicable) has been altered, damaged, modified, or incorporated into other software or services in a manner not approved by Ghost Security.

3. Where the SaaS Service (including Software as applicable) is a release that is no longer supported by Ghost Security.

4. Which is caused by Customer’s or a third party’s software or equipment or by Customer’s negligence, abuse, misapplication, or use of the SaaS Service (including Software as applicable) other than as specified in the Documentation.

5. Which would be resolved by the Customer using an Update or newer version of the SaaS Service (or Software as applicable) or by adding hardware.

If Ghost Security determines that it has no obligation to fix the reported incident for one of the reasons stated above, the Parties may mutually agree to enter into a separate agreement authorizing Ghost Security to provide additional services at Ghost Security’s then-current professional services rates plus expenses.

6. END OF LIFE POLICY

Customer acknowledges that new features may be added to the SaaS Service based on market demand and technological innovation. Accordingly, as Ghost Security develops enhanced versions of the SaaS Service, Ghost Security may cease to maintain and support older versions of the Software.

Ghost Security will use commercially reasonable efforts to provide Support Services with respect to older versions of the Software that may accompany the SaaS Service. Ghost Security shall have no obligation to support Software outside of Ghost Security’s stated EOS/EOL policy for the applicable Software.

Such EOS/EOL policies shall be made available to Customer either in the accompanying Documentation or upon request and are subject to update from time to time in Ghost Security’s reasonable discretion.

7. CUSTOMER SUPPORT CENTER CONTACT

• Telephone (for Premium Support Services only)

• USA Regular: +1 (512) 522-3349

• Email:

• Create support ticket via email to [email protected]

• Portal:

• Ghost Security Support Portal

• Each Technical Support Contact must register with the Customer Support Center on the portal prior to submitting a ticket.

• Language:

• Support Services will be provided in English.

8. ERROR RESPONSE SERVICE LEVELS

Customer shall submit each ticket with a severity level designation based on the definitions in the table below.

Severity response times do not vary, whether Customer contacts the Customer Support Center via phone, email, or portal. Ghost Security shall respond to such a ticket in accordance with the severity designation within the time frame set forth below from the Start Time and validate Customer’s severity level designation or notify Customer of a proposed change in the severity level designation with justification for the change.

Ghost Security will provide continuous efforts to resolve Severity 1 issues until a workaround or resolution can be provided or until the incident can be downgraded to a lower severity. Ghost Security will use reasonable efforts to meet the target response times for the Errors stated in the table below.

Ghost Security does not guarantee resolution and resolution may consist of a fix, workaround, software availability, or another solution Ghost Security deems reasonable.

Error Response Service Levels

Severity 1 (Critical) Any Error in the SaaS Service causing the SaaS Service to be unusable, resulting in a critical impact on the operation of the SaaS Service and there is no workaround. Ghost Security will promptly: (i) assign a specialist to correct the Error; (ii) provide ongoing communication on the status of an Update; and (iii) begin to provide a temporary workaround or fix. Standard Support Services Response Time: Within 4 hours. Premium Support Services Response Time: Within 30 minutes.

Severity 2 (Serious) An Error in a SaaS Service where the SaaS Service will operate but its operation is severely restricted. No workaround is available, and performance may be degraded, or functions are limited. Ghost Security will promptly: (i) assign a specialist to correct the Error; and (ii) provide additional escalated Support Services as determined necessary by Ghost Security. Standard Support Services Response Time: Within 8 hours. Premium Support Services Response Time: Within 2 hours.

Severity 3 (Moderate) An Error in the SaaS Service where the SaaS Service will operate with limitations that are not critical to the overall operation, such as a workaround forces a user and or a systems operator to use a time-consuming procedure to operate the system; or removes a non-essential feature. Ghost Security will triage the request and may include a resolution in the next Update. Standard Support Services Response Time: Next business day. Premium Support Services Response Time: Within 4 hours.

Severity 4 (Low) An Error in the SaaS Service where the SaaS Service can be used with only slight inconvenience. All SaaS Service feature requests fall into this severity level. Ghost Security will triage the request and may include a resolution in the next Update. Standard Support Services Response Time: Next business day. Premium Support Services Response Time: Next business day.

Ghost Security does not guarantee resolution, and resolution may consist of a fix, workaround, software availability or other solution Ghost Security deems reasonable.

Ghost Security, Inc. SaaS Subscription Agreement

Exhibit B – Ghost Security Security Addendum

This Ghost Security Security Addendum (the “Addendum”) outlines Ghost Security’s security infrastructure and practices, as may be applicable to the Services. This Addendum will control in the event of a conflict between the Agreement and this Addendum. Capitalized terms not defined herein are defined in the Agreement.

1. Audits and Certifications

Ghost Security’s security control environment, in connection with certain regions of the SaaS Service, undergoes an independent evaluation in the form of a SOC 2 Type 1 or Type 2 Security audit. These reports are available upon request. For more information on Ghost Security’s security and related certifications (excluding whitepapers or other marketing materials referenced on the site, if any), visit the Ghost Security website at www.ghost.security.

2. SaaS Service Architecture

The SaaS Service leverages third-party cloud infrastructure, such as Google Cloud Platform (GCP), and is operated in a multi-tenant environment designed to segregate and restrict customer data access based on business needs. The architecture provides effective logical data separation for different customers via unique identifiers, allows the use of customer and user role-based access privileges, and provides separate environments for testing, staging, and production while incorporating additional data segregation measures. Ghost Security and the third-party cloud provider operate a shared security responsibility model, where the third-party cloud provider is responsible for the security of the underlying cloud infrastructure, including data center facilities, data encryption, automated backups, and hardware and software systems.

3. Incident Management

Ghost Security maintains a security incident management program. Upon detection of a security incident, including but not limited to a data breach incident, Ghost Security undertakes an internal investigation and, where appropriate, executes a remediation process, up to and including notification to impacted individuals, in accordance with applicable law.

4. Operational Security

Ghost Security has physical security policies, processes, and procedures based on industry best practices. These policies govern physical security and environmental controls, such as access management, visitor policies, and escorting, used to secure Ghost Security’s systems and facilities. Ghost Security also maintains a change management process to monitor changes to information systems, network devices, system components, physical and environmental controls, and software development.

5. Asset Management

Ghost Security manages corporate and customer data assets under strict security policies and procedures. Authorized personnel who access these assets must comply with security protocols. Antivirus tools run real-time scans, detect viruses, and update signatures regularly. Laptops and remote users are required to have virus protection. Role-based access controls restrict access to sensitive data on a need-to-know basis. Access lists define user behavior in information systems, and security policies ensure adherence to authorized usage only.

6. Risk Assessment Management

Ghost Security maintains a corporate risk assessment program that defines risk levels for discovered security issues, assigns employees to manage and review the risk program regularly, includes guidance on threat identification and mitigation strategies, and conducts annual risk assessments.

7. Business Continuity & Disaster Recovery

Ghost Security has a documented business continuity and disaster recovery plan that is tested annually. To minimize service interruptions, Ghost Security leverages cloud infrastructure to restore services, deploys redundant components to reduce single points of failure, and ensures data and services are backed up across multiple cloud regions.

8. Information Security

Ghost Security has documented security policies that define information security rules and best practices. These policies are reviewed annually and updated as necessary. Customer Data submitted by Customer to the SaaS Service is transmitted securely with adequate encryption protection in transit and at rest, following industry standards.

9. Vendor Management

Ghost Security has a vendor management program that establishes rules and requirements for vendors and requires security assessments for vendors accessing, storing, or processing data.

10. Personnel Security

Employees sign confidentiality agreements and must acknowledge and adhere to Ghost Security’s Code of Conduct. Annual security training is mandatory for all employees. Employment background checks are conducted unless prohibited by law. Background checks verify employment history, educational credentials, and, where applicable, criminal and credit history. Onboarding and offboarding processes ensure compliance with security policies.

11. Vulnerability Management

Security assessments identify vulnerabilities in Ghost Security’s corporate IT infrastructure and SaaS Service platform. Patch management processes are reviewed for effectiveness and security compliance.

12. Penetration Testing

Ghost Security or an authorized third party conducts annual penetration testing of its SaaS Service. Security vulnerabilities are reviewed for applicability, ranked by risk level, and assigned for remediation.

13. Data Protection & Personal Data Processing

Ghost Security follows appropriate security measures to protect Customer Personal Data. More details can be found in the Ghost Security Privacy Policy at www.ghost.security/privacy. This policy outlines how Ghost Security protects Service Analytics, handles B2B Relationship Data, and manages other collected data.

14. Return & Deletion of Customer Data

Upon termination or expiration of a Customer’s SaaS Service subscription, Ghost Security will deactivate the Customer’s account. Customer Data in Ghost Security systems will be deleted or securely removed. See the Agreement for more details.