This Master Service Agreement (the “Agreement”), effective as of the date of execution of the Order Form (the “Effective Date”), is by and between QEVLAR AI, a French société par actions simplifiée with a share capital of 18 298,30 €, whose registered office is located at 15 rue Auguste Gervais 92130 Issy-les-Moulineaux, France, registered with the Trade and Companies register of Nanterre under number 952 849 115 (“Provider”), and the customer identified in the Order Form (“Customer”). Provider and Customer may be referred to herein collectively as the “Parties” or individually as a “Party.” WHEREAS, Provider provides access to the Services to its customers; and WHEREAS, Customer desires to access the Services, and Provider desires to provide Customer access to the Services, subject to the terms and conditions of this Agreement. NOW, THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. Definitions.
- “Affiliate” means any entity which controls, is controlled by, or under common control with a Party, where “control” means direct or indirect, ownership or control of more than 50% of the voting interest in the subject entity.
- “Alert” means data, information, or notifications received from Customer’s deployed Security Tools regarding a potential or actual threat to Customer’s IT network, environment, systems, devices, applications, or data, which are processed by the Services to generate an Investigation Report.
- “Aggregated Statistics” means data and information related to Customer’s use of the Services that is used by Provider in an aggregate and anonymized manner, including to compile statistical and performance information related to the provision and operation of the Services.
- “API” means any application programming interface made available by Provider for the transmission, processing, or receipt of Alerts, Customer Data, Investigation Reports, or other information in connection with the Services.
- “Authorized User” means Customer’s employees, consultants, contractors, and agents (i) who are authorized by Customer to access and use the Services under the rights granted to Customer pursuant to this Agreement and (ii) for whom access to the Services has been purchased hereunder.
- “Confidential Information” has the meaning given in Section 6 of this Agreement.
- “Customer Data” means, other than Aggregated Statistics, information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or an Authorized User through the Services.
- “Data Processing Agreement” means the data processing agreement attached hereto as Exhibit A.
- “Documentation” means Provider’s user manuals, handbooks, and guides relating to the Services available on the Platform.
- “End Customer” means any third-party customer or client of an MSSP Customer to which MSSP Customer is expressly authorized to provide Managed Services using the Services. End Customer does not include MSSP Customer, any Affiliate of MSSP Customer, any Authorized User, or any Hosting Provider.
- “Error” means a substantial failure of the Services to meet the functional or technical specifications expressly made known by Provider in writing (or, if the Services include customizations, the specifications expressly agreed in writing), provided that an Error exists only if it is demonstrable and reproducible.
- “Fees” means the fees and charges (i) specified on an applicable Order Form, (ii) accrued through Customer’s usage of the Services, or (iii) otherwise payable to the Provider under the Agreement.
- “Investigation Report” means the report, output, data, analysis, Score, suggested remediation action, or other result generated by the Services in connection with the analysis of an Alert.
- “Managed Services” means the managed security, monitoring, detection, response, threat-investigation, advisory, or related information-security services that an MSSP Customer is expressly authorized to provide to End Customers using the Services, including the use of the Services on the MSSP Tenant to remotely monitor, analyze, and manage End Customers' IT networks, environments, systems, devices, applications, or data on behalf of, and for the benefit of, the relevant End Customers. For the avoidance of doubt, Managed Services do not include any resale, distribution, sublicensing, or transfer of the Services or any subscription thereto, which is permitted only under a separate Reseller Agreement executed by the Parties.
- “Order Form” means an ordering document executed by Customer and Provider that references this Agreement and specifies the Services subscribed, the Usage Limit, the Fees, the Subscription Term, and any other deal-specific commercial terms. Each Order Form is incorporated into and governed by this Agreement; in the event of any conflict between an Order Form and this Agreement, this Agreement controls except with respect to commercial terms expressly set forth in the Order Form.
- “Personal Data” has the meaning set forth in the Data Processing Agreement.
- “Platform” means the online platform operated or made available by Provider through which Customer and Authorized Users access and use the Services.
- “Provider IP” means the Services, the Documentation, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing or owned by the Provider, such as trademarks, patents, copyrights, trade secrets, and trade dress, whether registered or not. For the avoidance of doubt, Provider IP includes Aggregated Statistics and any information, data, or other content derived from Provider’s monitoring of Customer’s access to or use of the Services but does not include Customer Data.
- “Score” means the severity classification or similar rating assigned by the Services to an Alert and included in an Investigation Report.
- “Security Tool” means any third-party security, monitoring, detection, logging, alerting, or similar tool used by Customer in connection with the Services, including any tool that generates Alerts for processing by the Services.
- “Service Level Agreement” means the service level agreement attached hereto as Exhibit B.
- “Services” means the Provider’s proprietary cybersecurity solution, algorithms for machine learning and APIs, including any updates, revisions, modifications, fixes, additions, and enhancements to it provided through Maintenance, for the provision of Investigation Reports and any related deliverables generated by the Services. “Maintenance” means any correction, update, patch, fix, enhancement, or new version of the Services made available by Provider from time to time.
- “Subscription Term” or “Term” means the start date and end date of Customer’s subscription to the Services as indicated on the Order Form.
2. Access and Use.
- Provision of Access. Subject to and conditioned on Customer’s payment of Fees and compliance with the terms and conditions of this Agreement, Provider hereby grants Customer a non-exclusive, non-transferable (except in compliance with Section 12(g)) right to access and use the Services during the Term, solely by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Customer’s internal use. Provider shall provide to Customer the necessary passwords and network links or connections to allow Customer to access the Services. Provider may use third-party contractors to provide the Services, as well as support, training, and other services, provided Provider will remain responsible for the acts and omissions of its contractors described above. Provider reserves the right to make changes to the Services from time to time, subject to prior written notice to Customer in the event of a change to the Service that has a material adverse impact on Customer’s use of the Service and will work in good faith with Customer to attempt to mitigate such impact. Unless expressly authorized in an Order Form, Customer may use the Services solely for Customer’s internal business purposes and may not use the Services to provide managed security services, outsourced security services, service bureau services, or other services to any third party, including any Affiliate of Customer.
Notwithstanding the foregoing, where the Order expressly designates Customer as a managed security service provider (an “MSSP Customer”), the following additional terms apply in lieu of the internal-use restriction in the immediately preceding sentence: Provider grants MSSP Customer a non-exclusive, non-transferable, non-sublicensable, non-resellable right, for the Subscription Term only, to access and use the Services solely by Authorized Users employed or engaged by MSSP Customer and solely for the purpose of delivering the Managed Services to the End Customers, including the use of the Services to remotely monitor, analyze, and manage End Customers’ IT systems through a tenant operated by MSSP Customer for that purpose (the “MSSP Tenant”). MSSP Customer shall not (A) permit any End Customer or any other third party to access, directly or indirectly, the Services, the Platform, the MSSP Tenant, or any Authorized User credentials; (B) deliver to any End Customer any raw Investigation Report, Alert, or Score, except as summarized, reformatted, or otherwise incorporated by MSSP Customer into MSSP Customer’s own deliverable to such End Customer in the ordinary course of providing the Managed Services; or (C) resell, distribute, sublicense, or otherwise make available the Services or any subscription thereto to any End Customer or third party, except under a separate written distribution or reseller agreement executed by the Parties (any such agreement, the “Reseller Agreement”), which Reseller Agreement is and shall remain distinct from this Agreement; (iii) the Parties acknowledge and agree that any hosting, cloud, infrastructure, or co-location provider used by MSSP Customer or any End Customer in connection with the Managed Services (each, a “Hosting Provider”) acts solely as an infrastructure provider, shall have no direct access to or rights in the Services, the Platform, or any Provider IP, and is not authorized to perform any function of an Authorized User; and (iv) MSSP Customer remains primarily and fully liable to Provider for all access to and use of the Services by Authorized Users and (whether or not permitted hereunder) by End Customers and Hosting Providers, and shall ensure that each End Customer has entered into a written agreement with MSSP Customer that (1) imposes confidentiality, data-protection, and use-restriction obligations no less protective of Provider than those set forth in this Agreement, (2) disclaims any claim, right, title, or interest of the End Customer in or to the Services or Provider IP, and (3) names Provider as an intended third-party beneficiary entitled to enforce such obligations directly against the End Customer.
- Documentation License. Subject to the terms and conditions contained in this Agreement, Provider hereby grants to Customer a non-exclusive, non-sublicensable, non-transferable (except in compliance with Section 12(g)) license to use the Documentation during the Term solely for Customer’s internal business purposes in connection with its use of the Services.
- Excess Usage. The Services are licensed on an Alert-based basis. The maximum number of Alerts that may be submitted to the Services during the applicable subscription period, measured in aggregate across all Authorized Users (“Usage Limit”), is set forth in the Order Form. An Alert is counted each time it is submitted to the Services for processing, regardless of the resulting Investigation Report or Score. Customer is responsible for monitoring its usage and for requesting an upgrade before exceeding the applicable Usage Limits. Provider may monitor Customer's use of the Services to verify compliance with the Usage Limits. If Customer exceeds any Usage Limit, Provider may invoice Customer for the excess usage at Provider’s then-current list price as of the date of regularization, and if Customer exceeds the Usage Limit by more than ten percent (10%), Provider may, on written notice, suspend Customer’s and any Authorized User’s access to the Services until Customer has purchased an upgrade or otherwise reduced its usage to within the Usage Limit, with any such suspension constituting a Service Suspension for purposes of Section 2(f). Customer shall reimburse Provider for the reasonable costs of verification incurred in connection with any breach of the Usage Limits. Customer shall not, and shall procure that no Authorized User shall, make unreasonable or excessive use of the Services or otherwise use the Services in a manner that affects the stability, safety, security or quality of the Services or the underlying infrastructure.
- Use Restrictions. Customer shall not use the Services for any purposes beyond the scope of the access granted in this Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (iv) remove any proprietary notices from the Services or Documentation; (v) bypass or breach any security protocol, security requirement, metering system, or other protection of the Service, or otherwise work around any technical limitation; (vi) use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of Provider or any third party, or that violates any applicable law; (vii) use the Services for benchmarking, competitive analysis, or publication of performance, comparison, or evaluation results, or disclose to any third party any benchmark, performance, comparison, or evaluation results relating to the Services, without Provider’s prior written consent; or (viii) transmit to the Services any Alert, Customer Data, or other material that contains malicious code, violates applicable law, infringes Provider’s or any third-party rights, or is not authorized to be transmitted to or processed by Provider.
- Reservation of Rights. Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.
- Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may temporarily suspend Customer’s and any Authorized User’s access to any portion or all of the Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP; (B) Customer’s or any Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer, or any Authorized User, is using the Provider IP for fraudulent or illegal activities; (D) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) Provider’s provision of the Services to Customer or any Authorized User is prohibited by applicable law; (ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any third-party services or products required to enable Customer to access the Services; or (iii) as a result of Customer’s failure to pay undisputed amounts when due and after Provider provides written notice and a reasonable opportunity to cure (any such suspension described in subclause (i), (ii), or (iii), or under Section 4(g), a “Service Suspension”). Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Services following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.
- Aggregated Statistics. Notwithstanding anything to the contrary in this Agreement, Provider may monitor Customer’s use of the Services and collect and compile Aggregated Statistics. As between Provider and Customer, all rights, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Provider. Customer acknowledges that Provider may compile Aggregated Statistics based on Customer Data input into the Services. Customer agrees that Provider may (i) make Aggregated Statistics publicly available in compliance with applicable law, and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable law; provided that such Aggregated Statistics do not identify Customer or Customer’s Confidential Information.
3. Customer Responsibilities.
- General. Customer is responsible and liable for all uses of the Services and Documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services and shall cause Authorized Users to comply with such provisions. Authorized Users will be provided with passwords, login credentials, and shall keep such materials and tools confidential. Customer is responsible for ensuring that its systems and infrastructure used in connection with the Services satisfy and continue to satisfy Provider’s minimum requirements (as communicated by Provider from time to time) and for providing adequate maintenance of such systems and infrastructure. Customer is responsible for all activity occurring under the passwords, login credentials, and account administration tools issued to Authorized Users. Customer must ensure the systems and any applications to be accessed by Provider in performing the Services are accessible, available, maintained and updated in order to support the Services, and shall provide ready access to all appropriate computing platforms, software, documentation, training material, premises and personnel necessary for Provider’s performance of the Services throughout the duration of the Agreement. Customer shall adequately secure its systems and infrastructure and maintain active antivirus software protection at all times. Customer shall provide such information to Provider upon request.
- Customer Materials. Customer shall supply information requested by Provider as reasonably necessary to perform the Services contemplated under this Agreement (“Customer Materials”). Customer hereby grants to Provider the right and limited license to use such Customer Materials solely as necessary to provide Services. Customer shall be solely responsible for the accuracy, quality, integrity, completeness, non-infringement, legality, reliability, and appropriateness of the Customer Materials and all Customer-approved information contained therein. To the extent that any Customer Materials include Personal Data, the processing of the same by Provider shall be subject to the provisions of the Data Processing Agreement.
- Security Tools; Alerts. Customer is solely responsible, at its own cost, for obtaining, maintaining, configuring, and operating all Security Tools and other third-party products or services necessary for Customer to use the Services. Customer is responsible for ensuring that all Alerts and other data transmitted to the Services comply with the Documentation and applicable specifications. Provider is not responsible for any failure, delay, error, inaccurate Investigation Report, or inability to provide the Services to the extent caused by Customer’s Security Tools, systems, configurations, credentials, or failure to provide complete and accurate Alerts or Customer Data. Customer acknowledges that the Services may process Alerts and related Customer Data, including Authorized User identification and contact details, login and usage data, network traffic, logs, device and application data, Security Tool outputs, and other data contained in Alerts or Customer Data, for the purpose of providing the Services, generating Investigation Reports, maintaining and supporting the Services, and performing Provider’s obligations under this Agreement. Customer is responsible for ensuring that it has all necessary rights, notices, consents, and authorizations for Provider to process such Alerts and Customer Data in accordance with this Agreement and the Data Processing Agreement.
4. Service Levels; Support; Changes.
- Service Levels. Customer acknowledges that Provider does not guarantee that the Services will function without restrictions, interruptions, defects, or malfunctions at all times. Provider will provide the applicable service levels and technical support in accordance with the Service Level Agreement in Exhibit B.
- Support. The access rights granted hereunder entitle Customer to the support services described in Exhibit B. Provider will handle properly substantiated support requests submitted to contact@qevlar.com within a reasonable time. Support services shall be performed on work days during business hours. For purposes of this Section 4(b), “work days” means Monday through Friday excluding local public holidays and “business hours” means 9:00 a.m. to 6:00 p.m. local time at the registered office of the contracting Provider entity. Provider does not guarantee the accuracy, completeness, or timeliness of replies or support offered.
- Error Report. Customer shall report any Errors in reasonable detail. Following receipt of such report, Provider shall use reasonable efforts to correct Errors and/or implement improvements in later versions in accordance with its usual procedures and version/release policy, and Provider may implement temporary solutions, workarounds, or problem-avoiding limitations. Customer shall reasonably cooperate with maintenance activities, including temporarily ceasing use of the Services if reasonably requested and making backups of its data. Customer remains responsible for its own operation, configuration, parameterization and tuning and for the use of results arising from operating the Services.
- New Versions. From the time a new version of the Services can be made available, Provider may cease fixing Errors in, and providing maintenance and support for, prior versions. Provider may incorporate functionality from a prior version in unaltered form but does not guarantee that each new version includes the same functionality, and Provider is not obliged to maintain, modify, or add features specifically for Customer. Provider may require Customer to modify its systems if necessary for proper functioning of a new version.
- Additional Services. If, at Customer’s request (or with Customer’s prior written consent), Provider performs any services, supplies, deliverables, or other work that is outside the scope of the Services and support expressly included in this Agreement and the Order Form, including, without limitation, configuration, implementation, setup, custom development, training, and integrations with Security Tools or other third-party systems not expressly included in the Documentation or Order Form (collectively, “Additional Services”), Customer shall pay Provider for such Additional Services in accordance with Provider’s then-current standard rates. Provider is not obligated to perform any Additional Services and may require that the Parties enter into a separate written statement of work, change order, or other written agreement before performing any Additional Services.
- No Waiver. Provider’s failure to enforce this Section 4 in any instance will not constitute a waiver of Provider’s right to enforce this Section 4 or any other provision of this Agreement.
5. Fees and Payment.
- Fees. Customer shall pay Provider the Fees as set forth in the Order Form without offset or deduction within thirty (30) calendar days after Customer’s receipt of an invoice. Unless otherwise set forth in Exhibit A, Fees are invoiced annually in advance and are non-refundable except as expressly set forth in this Agreement. Customer shall make all payments hereunder in US dollars on or before the due date set forth in the Order Form. If Customer fails to make any payment when due, without limiting Provider’s other rights and remedies: (i) Provider may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Provider for all costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for thirty (30) days or more, Provider may suspend Customer’s and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full.
- Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Provider’s income.
6. Confidential Information. From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media, and whether or not marked, designated, or otherwise identified as “confidential” (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.
Provider may refer to Customer as a Provider customer and may use Customer’s (brand) names and/or logos/figurative marks in Provider’s sales, marketing, investor and analyst materials (including Provider’s website).
7. Intellectual Property Ownership; Feedback.
- Provider IP. Customer acknowledges that, as between Customer and Provider, Provider owns all rights, title, and interest, including all intellectual property rights, in and to the Provider IP.
- Customer Data. Provider acknowledges that, as between Provider and Customer, Customer owns all rights, title, and interest, including all intellectual property rights, in and to the Customer Data. Customer hereby grants to Provider a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Provider to provide the Services to Customer, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data (i) incorporated within the Aggregated Statistics and (ii) as part of Provider’s Internal AI Use as defined and authorized in Section 7(e). To the extent that any Customer Data includes Personal Data, the processing of the same by Provider shall be subject to the provisions of the Data Processing Agreement.
- Feedback. If Customer or any of its employees or contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer hereby assigns to Provider on Customer’s behalf, and on behalf of its employees, contractors, and/or agents, all right, title, and interest in, and Provider is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Provider is not required to use any Feedback.
- Customer Materials; Non-Infringement. Customer represents and warrants that any Customer Data, Alerts, Security Tool outputs, materials, data, designs, specifications, credentials, configurations, or other information made available by Customer or Authorized Users for use, maintenance, processing, installation, integration, or analysis in connection with the Services do not infringe any rights of third parties, violate applicable law, or constitute an unlawful processing or transfer of Personal Data. Provider is not obliged to perform any data conversion unless expressly agreed in writing.
- Use of Customer Data for AI Model Development; No Third-Party Model Training.
- Provider's Internal AI Use. In addition to the rights granted in Section 7(b), Provider may use Customer Data (including in pseudonymized or non-anonymized form) to develop, train, fine-tune, test, validate, evaluate, secure, monitor, and improve the Services, the Provider IP, and Provider's proprietary artificial intelligence and machine-learning models, and to generate Aggregated Statistics, derivative datasets, embeddings, signatures, threat-intelligence, and model weights from such data ("Provider's Internal AI Use"). Provider's Internal AI Use is subject to the confidentiality obligations in Section 6 and to the security and data-protection commitments in the Data Processing Agreement. Provider may retain and continue to use models, weights, signatures, and other artifacts resulting from Provider's Internal AI Use after expiration or termination of this Agreement, provided that Provider does not retain Customer Data in identifiable form except as permitted by Section 6 of the Data Processing Agreement.
- No third-party model training. Notwithstanding anything to the contrary in this Agreement, Provider shall not transmit, disclose, license, or otherwise make available any Customer Data to any third party for the purpose of training, fine-tuning, evaluating, or otherwise developing such third party's large language models, foundation models, or other artificial intelligence or machine-learning models for that third party's own benefit, and Provider shall not authorize any Sub-processor or other third party to do so. For the avoidance of doubt, this Section 7(e)(ii) does not restrict (A) Provider's use of third-party infrastructure (including third-party hosted models accessed via API) to perform inference on Customer Data on Provider's behalf in the course of providing the Services, or (B) Provider's use of third-party providers for analytics, observability, or operational support, in each case subject to the Sub-processor commitments in the Data Processing Agreement and on terms that contractually prohibit the third party from training its models on Customer Data.
8. Limited Warranty; Disclaimers.
- Disclaimers. THE SERVICES ARE PROVIDED “AS IS” AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE PROVIDER IP, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER ENTITY’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.
- No Advice; No Third-Party Reliance. Any advice, recommendations, guidance, statements, or other information that Provider may provide to Customer (including in connection with consultancy, education, training, or workshops), whether or not as part of the Services, is provided for Customer’s internal informational purposes only and does not constitute professional advice. Customer acknowledges that any use of such advice, recommendations, guidance, statements, or information (including any report or other output provided by Provider) is at Customer’s sole risk and is based on information provided by Customer. Customer shall not disclose any such advice, report, or associated data to any third party or otherwise make the foregoing available to any third party without Provider’s prior written consent, and then only if (i) Customer has paid all fees due to Provider for such advice or report, and (ii) Customer enters into a written agreement with such third party providing that Provider owes no duty to, and assumes no liability with respect to, such third party arising from or relating to such advice, report, or its contents. Customer acknowledges that Investigation Reports, Scores, suggested remediation actions, and any other outputs generated by the Services are provided for Customer’s internal informational and security-assessment purposes only. They are generated through automated, agentic, and artificial-intelligence-based analysis and are indicative only.
To the extent that any feature of the Services performs automated or autonomous actions on or in connection with Customer’s systems, networks, endpoints, identities, applications, or data (including, without limitation, blocking, isolating, quarantining, terminating, modifying, disabling, restoring, or otherwise remediating any activity, file, process, account, asset, or configuration), Customer expressly authorizes such actions, acknowledges that they are performed on a commercially reasonable best-efforts basis pursuant to Customer’s configuration, Customer’s instructions, and the then-current rule sets, models, and policies of the Services, and accepts sole responsibility for the consequences of such actions, including any disruption to Customer’s operations or impact on third parties. Customer is responsible for reviewing and configuring the scope of autonomous action permitted within its environment and for maintaining its own oversight, monitoring, and rollback capabilities. Customer is solely responsible for reviewing, validating, and determining whether and how to rely on any Investigation Report, Score, suggested remediation action, or other output, and for implementing any remediation, mitigation, escalation, or other security measures. Provider does not warrant that the Services will identify all threats, vulnerabilities, incidents, malicious activity, or other security issues; correctly classify the severity of any Alert; prevent any security incident; remediate any vulnerability or threat; or produce outputs that are complete, accurate, current, or appropriate for Customer’s particular systems, environment, or risk profile.
9. Indemnification.
- Provider Indemnification.
- Provider shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (“Losses”) incurred by Customer resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Services developed by Provider itself, or any use of the Services in accordance with this Agreement, infringes or misappropriates such third party’s intellectual property rights, provided that Customer promptly notifies Provider in writing of such Third-Party Claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such Third-Party Claim.
- If a Third-Party Claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, (B) obtain the right for Customer to continue use, or (C) provide functional equivalents of the affected Services. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer.
- This Section 9(a) will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; (B) modifications to the Services not made by Provider; or (C) Customer Data.
- Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider from and against any Losses resulting from any Third-Party Claim that the Customer Data, or any use of the Customer Data in accordance with this Agreement, infringes or misappropriates such third party’s intellectual property rights and any Third-Party Claims based on Customer’s or any Authorized User’s (i) negligence or willful misconduct; (ii) use of the Services in a manner not authorized by this Agreement; (iii) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; or (iv) modifications to the Services not made by Provider, provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice. Customer’s indemnification obligations include Third-Party Claims arising from or relating to Security Tools, Alerts, Customer systems, Customer’s instructions, or any allegation that Provider’s receipt, access, use, processing, or analysis of Customer Data or Alerts in accordance with this Agreement violates applicable law or infringes, misappropriates, or otherwise violates any third-party right.
- Sole Remedy. THIS SECTION 9 SETS FORTH CUSTOMER’S SOLE REMEDIES AND PROVIDER’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.
10. Limitations of Liability.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL: (i) EITHER PARTY BE LIABLE TO THE OTHER OR TO ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, OR BUSINESS INTERRUPTION ARISING OUT OF OR RELATED TO THE AGREEMENT, CUSTOMER’S INABILITY TO USE THE SERVICES, DOCUMENTATION, OR ADDITIONAL SERVICES IN ACCORDANCE WITH AND SUBJECT TO THE AGREEMENT; AND (ii) EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER FOR ALL LOSSES, CLAIMS AND DAMAGES (EXCEPT FOR FEES OWED UNDER THE AGREEMENT) EXCEED THE TOTAL AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER FOR THE APPLICABLE SERVICES UNDER THE AGREEMENT IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT FIRST GIVING RISE TO THE LIABILITY. All limitations and exclusions of liability in the Agreement will apply even if the above stated remedies fail of their essential purpose and regardless of the form or source of claim or loss, whether the claim or loss was foreseeable, and whether Provider and its Affiliates have been advised of the possibility of the claim or loss.
11. Term and Termination.
- Term. The term of this Agreement begins on the Effective Date and, unless terminated earlier pursuant to this Agreement’s express provisions, will continue as set forth in the Order Form. Upon expiration of the Term, this Agreement will not automatically renew, and any renewal or extension will require the Parties’ prior written agreement regarding the terms applicable to such renewal or extension.
- Termination. In addition to any other express termination right set forth in this Agreement:
- Provider may terminate this Agreement, effective on written notice to Customer, if Customer: (A) fails to pay any amount when due hereunder, and such failure continues more than thirty (30) days after Provider’s delivery of written notice thereof; or (B) breaches any of its obligations under Section 2(d) or 6;
- either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured for thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach; or
- either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files a petition for voluntary bankruptcy or has filed against it a petition for involuntary bankruptcy, which is not withdrawn or denied within thirty (30) days, or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.
- Effect of Expiration or Termination. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting Customer’s obligations under section 6, Customer shall delete, destroy, or return all copies of the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or destroyed. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination or entitle Customer to any refund. Customer is solely responsible for exporting and backing up Customer Data, Alerts, and Investigation Reports during the Term. Following expiration or termination of this Agreement, Customer’s access to the Services, Alerts, and Investigation Reports will terminate, and Alerts and Investigation Reports may no longer be available through the Services, except as expressly required under the DPA or applicable law. Provider shall have no obligation to provide migration, conversion, transition, or other professional services following expiration or termination unless separately agreed in writing by the Parties or required under applicable law. Amounts invoiced by Provider prior to termination for Services properly provided before the effective date of termination remain payable in full.
- Survival. This Section 11(d) and Sections 1, 2(c), 2(d), 2(f), 2(g), 3, 4(e), 4(f), 5, 6, 7, 8, 9, 10, 11(c), and 12 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.
12. Miscellaneous.
- Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related Exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs: (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference.
- Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and addressed to the Parties at the addresses set forth on the first page of this Agreement (or to such other address that may be designated by the Party giving Notice from time to time in accordance with this Section). All Notices must be delivered by personal delivery, nationally recognized overnight courier (with all fees pre-paid), email (with confirmation of transmission), or certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section.
- Force Majeure. In no event shall Provider be liable to Customer, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond Provider’s reasonable control, including but not limited to (i) acts of God; (ii) flood, fire, earthquake, explosion, epidemic, pandemic or other public health issue; (iii) war, invasion, hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest; (iv) government order, law, or actions; (v) embargoes or blockades in effect on or after the date of this Agreement; (vi) national or regional emergency; (vii) strikes, labor stoppages or slowdowns, or other industrial disturbances; and (viii) shortage of adequate power or transportation facilities. If a force majeure situation persists for more than sixty (60) days, either Party may terminate this Agreement in writing. In such case, performance already rendered shall be paid for on a pro-rata basis and the Parties shall not be deemed to have satisfied their respective obligations under this Agreement.
- Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. Provider may update the Documentation, policies, and standard technical or operational requirements applicable to the Services from time to time; provided that no such update will materially reduce Customer’s rights or Provider’s obligations under this Agreement during the then-current Term unless Customer agrees in writing. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
- Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to affect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
- Governing Law; Submission to Jurisdiction. This Agreement is governed by and construed in accordance with the internal laws of France without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of Paris, France. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder may be instituted exclusively in the competent courts of France in each case located in the city of Paris, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.
- Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Provider; provided that, on prior written notice to Provider and subject to (A) the assignee not being a competitor of Provider, (B) the assignee assuming all of Customer’s obligations under this Agreement, and (C) Customer remaining liable as primary obligor in the case of an assignment to an Affiliate, Customer may assign this Agreement (1) to a wholly-owned Affiliate of Customer, or (2) in connection with a merger, consolidation, reorganization, sale of substantially all of its assets, or other change of control of Customer. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.
- Export Regulation. Customer shall comply with all applicable export laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), that prohibit or restrict the export or re-export of the Services or any Customer Data.
- Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under section 6 or, in the case of Customer, Section 2(c), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.
- Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.
EXHIBIT A
DATA PROCESSING AGREEMENT
This Data Processing Addendum (this “DPA”) forms part of the Agreement, or other agreement between Customer and Provider governing Customer’s use of the Services, between the Qevlar AI, Inc. (the “Provider”), and the party identified as “Customer” in the Agreement (“Customer”) (each a “Party” and together, the “Parties”). The effective date of this DPA is the Effective Date of the Agreement or, if executed separately, the date of the last signature of this DPA (“Effective Date”). This DPA describes the commitments of the Parties concerning the processing of Personal Data in connection with Customer’s use of the Services. Any capitalized term not defined in this DPA will have the meaning given it in the Agreement.
1. Definitions. As used in the DPA, the following terms shall have the following meanings, and cognate terms shall be construed accordingly:
- “Customer Data” means any Personal Data processed by Provider on behalf of Customer as a service provider or processor (as applicable) in connection with the Services, as more particularly described in Annex A of this DPA.
- “Data Protection Law” means all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to the Personal Data, including (but not limited to): (i) European Data Protection Laws; and (ii) all laws and regulations of the United States, including the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq (“CCPA”); as may be amended, superseded or replaced; Section 5 of the Federal Trade Commission Act; the FTC Standards for Safeguarding Customer Information, and other state and federal privacy and data breach notification laws and regulations.
- “EEA” means the Member States of the European Union, plus Iceland, Liechtenstein, and Norway.
- “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss FDPA”); and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts into domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy as a consequence of the UK leaving the European Union (collectively, “UK Data Protection Laws”); in each case as may be amended, superseded or replaced.
- “Model Clauses” means, depending on the circumstances unique to Customer, any of the following: (i) the standard contractual clauses for processors as approved by the European Commission pursuant to its decision 2021/914 (the “2021 Standard Contractual Clauses”), and (ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, (“UK IDTA”), each alternatively referred to as Standard Contractual Clauses, incorporated by reference and forming part of this DPA.
- “Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws.
- “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Provider and/or its Sub-processors in connection with the provision of the Services. The Parties acknowledge and agree that “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Sub-processor” means any processor engaged by Provider or its Affiliates to assist in fulfilling its obligations with respect to the provision of the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Provider’s Affiliates but shall exclude any Provider’s employee, contractor or consultant.
The terms “controller”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly; and the terms “business”, “service provider” and “sell” shall have the meanings given to them in the CCPA.
2. Role and Scope of Processing
- Scope. This DPA applies to the extent that Provider Processes Customer Data on behalf of Customer in connection with the Services. This DPA does not apply to Provider’s Processing of Provider operational data, including any Personal Data contained in technical, security, and usage telemetry that Provider collects in connection with operating the Services (“Provider Operational Data”), which is governed by Provider’s Privacy Policy and applicable law.
- Roles of the Parties. The Parties acknowledge and agree that, with respect to the Processing of Customer Data under this DPA: (i) Customer is the controller or business (or, where Customer is itself acting as a processor or service provider for a third party, the processor or service provider) of the Customer Data; and (ii) Provider is the processor or service provider (or, where applicable, sub-processor) of the Customer Data, in each case acting on behalf of Customer. For the avoidance of doubt, the Parties acknowledge that Provider is the controller or business with respect to Provider Operational Data, including any Personal Data contained in technical, security, and usage telemetry that Provider collects in connection with operating the Services. Each Party will comply with all Applicable Data Protection Laws binding on it in the performance of this DPA.
- Provider’s Processing of Customer Data. Provider shall Process Customer Data only: (i) on behalf of Customer; (ii) for the purposes described in the Agreement, this DPA (including Annex A), and Customer’s documented, lawful instructions; and (iii) as otherwise required by applicable law. The Parties agree that the Agreement (including this DPA) constitutes Customer’s complete and final instructions to Provider regarding the Processing of Customer Data. Any additional or alternative instructions require the Parties’ prior written agreement. Provider shall promptly notify Customer in writing if, in Provider’s reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless such notice is prohibited by law, and may suspend Processing of the affected Customer Data until Customer modifies or confirms the instruction.
- Customer Responsibilities. Customer is responsible for the lawfulness of Customer Data and its Processing pursuant to the Agreement and this DPA. Customer represents and warrants that: (i) it has provided and will continue to provide all notices and obtained and will continue to maintain all consents, permissions, and authorizations necessary under Applicable Data Protection Laws for Provider and its Sub-processors to lawfully Process Customer Data for the purposes contemplated by the Agreement and this DPA; (ii) it has complied and will continue to comply with all Applicable Data Protection Laws in its collection, use, transfer, and provision of Customer Data to Provider; and (iii) its Processing instructions to Provider comply with Applicable Data Protection Laws. Customer is solely responsible for determining whether the Services satisfy its obligations under Applicable Data Protection Laws. Customer is further responsible for the source, configuration, and lawful use of any Security Tool that generates Alerts and for ensuring that Personal Data made available to Provider through Security Tools may lawfully be Processed by Provider as contemplated by the Agreement.
- Aggregated and De-Identified Data. Provider may collect, generate, derive, and use anonymized, aggregated, statistical, and de-identified data (as those terms are defined under Applicable Data Protection Laws) from the operation of the Services, provided that such data does not identify Customer, any Authorized User, or any other natural person. Provider may use such data for its own legitimate business purposes, including to operate, secure, support, evaluate, develop, and improve the Services. Where Applicable Data Protection Laws apply to de-identified data, Provider shall (i) take reasonable measures to ensure that the information cannot be associated with a natural person, (ii) publicly commit to maintaining and using the information in de-identified form and not to attempt re-identification, and (iii) contractually obligate any recipients to comply with equivalent restrictions.
3. Sub-processing
- Authorized Sub-processors. Customer provides Provider with a general written authorization to engage Sub-processors to Process Customer Data on Customer’s behalf in connection with the Services. Provider shall maintain a current list of its Sub-processors at the URL as Provider may designate from time to time (the “Sub-processor List”), and Customer acknowledges that, as of the Effective Date, it consents to Provider’s use of the Sub-processors identified on the Sub-processor list below:
| Sub-processors | Nature of processing activities | Processing localization |
| --- | --- | --- |
| Amazon Web Services Inc | Hosting & infrastructure services | EU |
| Google LLC | Infrastructure service | EU |
| Microsoft Corporation | Infrastructure service | EU |
| Postmark | E-mail delivery | United States of America |
- Notice of New Sub-processors. Provider shall update the Sub-processor List at least fifteen (15) days before authorizing any new Sub-processor to Process Customer Data and shall notify Customer of the update through the mechanism designated on Provider’s website or by other reasonable means. If Provider reasonably determines that engagement of a new Sub-processor on an expedited basis is necessary to protect the confidentiality, integrity, or availability of Customer Data or to avoid material disruption to the Services, Provider shall provide such notice as soon as reasonably practicable.
- Sub-processor Obligations. Provider shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations that are no less protective of Customer Data than those imposed on Provider under this DPA, to the extent applicable to the services provided by that Sub-processor; and (ii) remain responsible for the performance of, and any acts or omissions by, its Sub-processors that cause Provider to breach this DPA.
- Objection to New Sub-processors. Customer may object in writing to Provider’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Provider within ten (10) calendar days after Provider’s notice of the update. The notice must set forth the specific grounds for the objection, and the Parties shall discuss the objection in good faith to seek a commercially reasonable resolution. If no resolution is reached within fifteen (15) calendar days after Customer’s notice, Provider may, in its sole discretion, (i) decline to engage the new Sub-processor for the affected portion of the Services, or (ii) permit Customer to terminate the affected portion of the Services in accordance with the termination provisions of the Agreement, in which case Provider shall refund any prepaid, unused fees for the terminated portion of the Services. Customer’s failure to object within the period set forth in this Section will constitute consent to the new Sub-processor.
4. Security and Audits
- Security Measures. Provider shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data within Provider’s control from Security Incidents and to preserve the security and confidentiality of Customer Data, taking into account the state of the art, industry best practices, the cost of implementation, and the nature, scope, context, and purposes of the Processing (the “Security Measures”), as detailed in Annex B. Provider shall ensure that any personnel authorized to Process Customer Data are subject to a written or statutory obligation of confidentiality.
- Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and may be updated or modified by Provider from time to time, provided that no such update or modification will materially diminish the overall security of the Services subscribed by Customer.
- Customer Security Responsibilities. Customer is responsible for implementing and maintaining appropriate technical and organizational measures within its own environment, including: (i) protecting the confidentiality of all account credentials and authentication factors used to access the Services; (ii) securing Customer’s systems, networks, endpoints, and Security Tools; (iii) configuring the Services and the integrations with Security Tools in accordance with Provider’s Documentation; (iv) backing up Customer Data and any Investigation Reports outside the Services to the extent necessary for Customer’s business continuity, retention, or regulatory needs; and (v) reviewing the information made available by Provider regarding data security and privacy and independently determining whether the Services meet Customer’s requirements under Applicable Data Protection Laws.
- Security Incident Response. To the extent required by Applicable Data Protection Laws, Provider shall notify Customer of a Security Incident without undue delay after becoming aware of it and in any event within the time period required by Applicable Data Protection Laws. Each notice shall include, to the extent then known and as reasonably requested by Customer to assist Customer in complying with its notification obligations under Applicable Data Protection Laws: (i) a description of the nature of the Security Incident, including the categories and approximate number of affected data subjects and records; (ii) the likely consequences of the Security Incident; (iii) the measures taken or proposed to be taken to address the Security Incident and mitigate its effects; and (iv) the contact details of Provider’s primary security contact. Provider shall promptly take reasonable steps within its control to contain, investigate, and remediate the Security Incident. Provider’s notification of or response to a Security Incident is not, and shall not be construed as, an acknowledgment of fault or liability by Provider. The obligations in this Section 4(d) do not apply to Security Incidents to the extent caused by Customer, an Authorized User, a Security Tool, or any other third party not within Provider’s reasonable control.
- Security Audits. Provider shall make available to Customer, on Customer’s reasonable written request and on a confidential basis, summary information and written responses to standard security and privacy questionnaires reasonably necessary to verify Provider’s compliance with this DPA, including a copy of Provider’s most recent third-party security audit reports (e.g., SOC 2 Type II) and certifications. Customer may exercise this right no more than once in any twelve (12) month period, except where (i) a supervisory authority requires Customer to provide additional information, (ii) Provider has experienced a confirmed Security Incident affecting Customer Data, or (iii) Customer has a reasonable, documented basis to believe Provider is in material breach of this DPA. Any on-premises or live-environment audit will be subject to a separate written agreement between the Parties addressing scope, timing, confidentiality, and cost, and shall be conducted by a reputable, mutually agreed independent auditor that is not a competitor of Provider, during normal business hours, in a manner that does not interfere with Provider’s operations or compromise the security or confidentiality of other Provider customers’ data, and at Customer’s sole cost. Provider may charge Customer for any audit support exceeding two (2) person-days per year at Provider’s then-current professional services rates.
5. International Data Transfers
- Processing Locations. Customer acknowledges that, in providing the Services, Provider and its Sub-processors may Process Customer Data in the European Union or in the United States of America, at Customer’s request. Provider shall ensure that any such transfer of Customer Data is made in compliance with Applicable Data Protection Laws and this DPA.
- Transfers Governed by European Data Protection Laws. To the extent Provider Processes any Personal Data protected by European Data Protection Laws in a jurisdiction that has not been recognized by the European Commission, the UK Information Commissioner, or the Swiss Federal Data Protection and Information Commissioner (as applicable) as providing an adequate level of protection, Customer (as data exporter) is deemed to have entered into the Standard Contractual Clauses with Provider (as data importer), which are incorporated by reference into this DPA. If and to the extent any term of the Standard Contractual Clauses conflicts with this DPA, the Standard Contractual Clauses prevail with respect to Processing governed by them.
- Alternative Transfer Mechanisms. If at any time the Standard Contractual Clauses are amended, replaced, repealed, or otherwise invalidated, or if Applicable Data Protection Laws require additional or different safeguards (including, without limitation, supplementary measures or additional cross-border transfer clauses) to lawfully transfer Customer Data, the Parties shall cooperate in good faith to take all steps reasonably required to maintain a lawful basis for the transfer. Provider may, in lieu of relying on the Standard Contractual Clauses, rely on any alternative transfer mechanism approved by the relevant supervisory authority that lawfully permits the transfer of Customer Data.
6. Retention and Deletion of Customer Data. During the term of the Agreement, the Services will provide Customer with controls (as described in the Documentation) that Customer may use to retrieve, export, or delete Customer Data. Customer authorizes Provider, upon expiration or earlier termination of the Agreement (or upon termination or suspension of the Services pursuant to the Agreement), to delete all Customer Data (including copies) in Provider’s possession or control in accordance with Provider’s standard procedures, subject to (i) any extended retention required by applicable law and (ii) any backup or archival copies retained in accordance with Provider’s standard retention schedule (which will continue to be protected in accordance with this DPA until securely overwritten or destroyed). Provider has no obligation to provide migration, conversion, or other professional services in connection with the deletion or return of Customer Data unless separately agreed in writing or required by applicable law.
7. Cooperation; Data Subject and Regulator Requests
- Data Subject Requests. The Services provide Customer with controls (as described in the Documentation) that Customer may use to access, correct, delete, restrict, or export Customer Data in order to assist Customer in responding to requests from data subjects or consumers (each, a “Data Subject Request”). To the extent Customer cannot independently respond to a Data Subject Request using the controls provided through the Services, Provider shall, taking into account the nature of the Processing, provide reasonable assistance to Customer at Customer’s cost. If Provider receives a Data Subject Request directly that identifies or relates to Customer, Provider shall not respond to the requestor other than to confirm receipt and direct the requestor to Customer, unless legally compelled, and shall promptly notify Customer of the request unless prohibited by law.
- Government and Law-Enforcement Requests. If a government, regulator, or law-enforcement authority sends Provider a binding legal demand for Customer Data (such as a subpoena, court order, or search warrant), Provider shall (i) promptly notify Customer of the demand, unless legally prohibited from doing so, to enable Customer to seek a protective order or appropriate remedy; (ii) take reasonable steps to challenge or limit overbroad demands; (iii) disclose only the minimum amount of Customer Data legally required to comply; and (iv) where lawful, redirect the requestor to seek the data directly from Customer.
- Impact Assessments and Consultation. To the extent required by Applicable Data Protection Laws, Provider shall provide Customer, at Customer’s reasonable written request and cost, with information reasonably necessary to enable Customer to conduct a data protection impact assessment, transfer impact assessment, or similar privacy assessment, and to consult with the applicable supervisory authority where required.
8. Jurisdiction-Specific Terms
- California (CCPA). To the extent that Customer Data is subject to the CCPA, the Parties acknowledge and agree that Customer is a “business” and that Customer appoints Provider as its “service provider” for the limited purposes of providing the Services as set forth in the Agreement and this DPA (the “Permitted Purposes”). Provider: (i) shall not sell or share (as those terms are defined in the CCPA) any Customer Data; (ii) shall not retain, use, or disclose Customer Data for any purpose other than the Permitted Purposes specified in the Agreement and this DPA, including any commercial purpose other than the business purpose of providing the Services, or as otherwise permitted by the CCPA; (iii) shall not retain, use, or disclose Customer Data outside the direct business relationship between Provider and Customer, except as permitted by the CCPA; (iv) shall not combine Customer Data with personal information that Provider receives from or on behalf of another person, or that Provider collects from its own interaction with a consumer, except as permitted by the CCPA; (v) shall comply with applicable obligations under the CCPA and provide the same level of privacy protection as is required of a business under the CCPA; and (vi) shall notify Customer if Provider determines that it can no longer meet its obligations under the CCPA. Customer has the right, upon reasonable written notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Data by Provider. Provider may de-identify or aggregate Personal Data in the course of providing the Services, and any such de-identified or aggregated data is not Personal Data for purposes of this DPA.
9. Limitation of Liability. Each Party’s and its affiliates’ liability arising out of or relating to this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence), or under any other theory of liability, is subject to, and shall be counted toward, the aggregate limitations and exclusions of liability set forth in the Agreement. Any reference in the Agreement to the aggregate liability of a Party means the aggregate liability of that Party and its affiliates under the Agreement and this DPA, taken together.
10. Term and Survival. This DPA takes effect on the Effective Date and remains in effect for the term of the Agreement. Provisions that by their nature are intended to survive (including Sections 4, 5, 7, 8, 9, this Section 10, and Section 11) survive expiration or termination of the Agreement for so long as Provider retains any Customer Data.
11. Miscellaneous
- Order of Precedence. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Customer Data, this DPA controls. If and to the extent the Standard Contractual Clauses conflict with this DPA, the Standard Contractual Clauses prevail with respect to Processing governed by them.
- Affiliates. Customer’s rights and remedies under this DPA may be exercised only by the Customer entity that has signed the Agreement, on behalf of itself and its affiliates that are permitted users of the Services, in a single, combined manner; no Customer affiliate may independently exercise rights or seek remedies under this DPA except where Applicable Data Protection Laws expressly require otherwise.
- Counterparts; Electronic Signatures. This DPA may be executed in counterparts (including by electronic signature), each of which is deemed an original, and all of which together constitute one and the same instrument.
- Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remainder of this DPA will continue in full force and effect, and the Parties will negotiate in good faith to modify the affected provision to reflect their original intent.
- Governing Law. This DPA is governed by, and construed in accordance with, the governing law specified in the Agreement, except to the extent that Applicable Data Protection Laws require otherwise.
- Updates to this DPA. Provider may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, or industry best practices, provided that any such update does not materially diminish Provider’s obligations or Customer’s rights under this DPA. Provider will provide reasonable advance notice of any material update.
ANNEX A — DATA PROCESSING DESCRIPTION
Subject matter: Provider’s provision of the Services (an AI-based cybersecurity threat investigation and reporting software-as-a-service) to Customer pursuant to the Agreement.
Duration of Processing: The term of the Agreement, plus any post-termination period during which Provider retains Customer Data in accordance with Section 6 of this DPA or applicable law.
Nature and purpose of Processing: Collection, receipt, storage, organization, structuring, analysis (including machine-learning and rules-based analysis), enrichment, correlation, classification, scoring, retrieval, transmission, retention, and deletion of Customer Data, in each case for the purpose of: (i) receiving and processing Alerts from Customer’s Security Tools; (ii) generating Investigation Reports, Scores, and suggested remediation actions; (iii) operating, supporting, maintaining, securing, and improving the Services in accordance with the Agreement; and (iv) complying with applicable law.
Types of Personal Data: Personal Data contained in or derived from Alerts and other Customer Data submitted to the Services, which may include, depending on the configuration and the source Security Tools: (i) Authorized User identification and contact data (e.g., name, business email, business phone, role, employee identifier); (ii) authentication and audit data (e.g., login identifiers, hashed passwords, IP addresses, session and API logs, timestamps); (iii) network, endpoint, application, and device telemetry (e.g., IP addresses, MAC addresses, hostnames, URLs, process and file metadata, user activity logs, security tool outputs); and (iv) any other Personal Data that Customer or an Authorized User submits to or generates through the Services.
Special categories of data: The Services are not intended to Process special categories of Personal Data (as defined under the GDPR) or “sensitive personal information” (as defined under the CCPA). Customer is responsible for not submitting such data to the Services other than as expressly authorized in writing by Provider and subject to additional safeguards.
Categories of data subjects: Authorized Users; Customer’s employees, contractors, and personnel; users of Customer’s information systems; and any other natural persons whose Personal Data is contained in Alerts or other Customer Data submitted to or generated through the Services.
Frequency of transfer: Continuous, for the duration of the Agreement.
Sub-processor List: The current Sub-processors include cloud hosting and infrastructure providers, as follows: Amazon Web Services, Microsoft Azure, Google Cloud Platform, Postmark.
ANNEX B — SECURITY MEASURES
This Annex B describes the technical and organizational measures that Provider implements and maintains to protect Customer Data Processed by Provider in connection with the Services. Provider operates the Services pursuant to a shared-responsibility model, which requires Customer to take certain steps within its own environment as described in the Agreement and Section 4(c) of this DPA. Provider may update or modify these measures from time to time provided that no such change will materially diminish the overall security of the Services.
Encryption
• Customer Data is encrypted in transit using TLS 1.2 or higher.
• Customer Data at rest is encrypted using AES-256 encryption.
• Authentication credentials and secrets are encrypted in transit and at rest; key material is managed using a dedicated key-management service with regular rotation.
• Employee endpoints used to access production systems use full-disk encryption.
Access Control
• Role-based access control with least-privilege principles is applied across the Services’ infrastructure, application, and data layers.
• Multi-factor authentication is enforced for access to production, administrative, and source-control systems.
• Strong password complexity, account lockout, and session controls are enforced for personnel access.
• Production access keys, service accounts, and privileged credentials are rotated regularly and on personnel changes.
• Personnel access is provisioned and de-provisioned in accordance with documented joiner-mover-leaver procedures and reviewed periodically.
Network and Application Security
• Network segmentation, firewalls, and security groups separate production, staging, and corporate environments.
• Web application firewalls and DDoS protection are deployed at the network perimeter.
• Vulnerability scanning, dependency scanning, and continuous security monitoring are performed across production systems and application code.
• Application changes follow a documented secure development lifecycle, including peer code review, automated testing, and pre-production validation.
• Independent third-party penetration testing is performed at least annually, with findings remediated according to documented service-level objectives based on severity.
Logging and Monitoring
• Authentication events, administrative actions, and security-relevant events are logged centrally with tamper-resistant controls.
• Logs are retained in accordance with Provider’s retention schedule and applicable law.
• Automated alerting and 24x7 monitoring detect anomalous and potentially malicious activity.
• A documented incident-response plan governs detection, triage, containment, eradication, recovery, and post-incident review.
Availability and Resilience
• The Services are deployed in geographically redundant infrastructure operated by leading public cloud providers.
• Documented business continuity and disaster recovery plans are maintained and tested at least annually.
• Customer Data backups are encrypted and stored in controlled environments, with restoration tested periodically.
Personnel and Organizational Security
• Provider maintains a formal information security program aligned with industry frameworks (SOC 2 type 2).
• Personnel are subject to background screening (to the extent permitted by applicable law), confidentiality obligations, and recurring security and privacy awareness training.
• Documented policies and procedures govern acceptable use, data classification, change management, vendor management, and risk assessment.
• Endpoint protection is deployed on devices used to access production or sensitive systems.
Physical Security
• Production systems are hosted in data centers operated by leading public cloud providers, which implement physical security controls including 24x7 monitoring, visitor logging, access cards, biometric controls (where applicable), and environmental safeguards.
• Provider corporate offices implement physical access controls, visitor management, and clean-desk practices.
Third-Party Risk Management
• All sub-processors and vendors with access to Customer Data undergo security and privacy due diligence before onboarding and are reviewed at least annually thereafter. Provider maintains a documented sub-processor inventory, notifies customers of any changes, and contractually binds all sub-processors to equivalent data protection obligations — a program independently validated under SOC 2 Type II with no exceptions noted.
• All sub-processors are contractually bound to data protection obligations equivalent to or stricter than those in this DPA, with Provider retaining full liability for sub-processor compliance.
Compliance and Assurance
• Provider maintains, and provides Customer with summary information about, third-party audits and certifications applicable to the Services (e.g., SOC 2 Type II), as available, on a confidential basis.
• Provider performs periodic internal audits and risk assessments of the Services.
ANNEX C — CROSS-BORDER TRANSFERS
This Annex C sets forth the terms applicable when transfers of Personal Data subject to European Data Protection Laws are made from the EEA, the United Kingdom, or Switzerland to Provider in a jurisdiction that has not received an adequacy determination.
1. Application of the 2021 SCCs (EEA)
For data transfers subject to the GDPR, the 2021 SCCs apply as follows: (a) Module Two (Controller to Processor) applies where Customer is a controller and Provider is a processor of Customer Data; (b) Module Three (Processor to Processor) applies where Customer is a processor and Provider is a sub-processor of Customer Data; (c) in Clause 7 (docking clause), the optional language applies; (d) in Clause 9, Option 2 (general written authorization) applies, and the prior-notice period is as set forth in Section 3 of this DPA; (e) in Clause 11, the optional independent dispute resolution language does not apply; (f) in Clause 17, Option 1 applies and the 2021 SCCs are governed by the law of the Republic of Ireland; (g) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland; (h) Annex I.A is populated as set forth below; (i) Annex I.B incorporates the details set forth in Annex A of this DPA; (j) Annex I.C designates the supervisory authority of the EU member state in which the data exporter is established or, where no such authority is competent, the Irish Data Protection Commission; and (k) Annex II incorporates the technical and organizational measures set forth in Annex B of this DPA.
2. Application of the UK IDTA (United Kingdom)
For data transfers subject to the UK GDPR, the UK IDTA applies and is deemed to be entered into between Customer (as data exporter) and Provider (as data importer), incorporating by reference the 2021 SCCs (as modified above) and the information set forth in Annex A and Annex B of this DPA.
3. Application to Swiss Transfers
For data transfers subject to the Swiss FADP, the 2021 SCCs apply as modified above, with the following adjustments: (a) references to “Regulation (EU) 2016/679” are read as references to the Swiss FADP; (b) references to “EU,” “Union,” “Member State,” and “Member State law” are read as references to Switzerland and Swiss law; and (c) references to the “competent supervisory authority” and “competent courts” are read as references to the Swiss Federal Data Protection and Information Commissioner and competent Swiss courts.
4. Data Exporter and Data Importer Details (Annex I.A)
Data Exporter: Customer and any authorized affiliate of Customer that uses the Services pursuant to the Agreement.
Contact details (Exporter): The email address(es) designated by Customer to receive notices under the Agreement.
Activities relevant to the transfer (Exporter): Receipt of the Services from Provider pursuant to the Agreement.
Role (Exporter): Controller (or, where applicable, processor).
Data Importer: Qevlar AI Inc., a Delaware corporation.
Contact details (Importer): Qevlar AI Inc., Legal & Privacy: morane.bensoussan@qevlar.com (or such other address as Provider may designate from time to time).
Activities relevant to the transfer (Importer): Provision of the Services to Customer pursuant to the Agreement.
Role (Importer): Processor (or, where applicable, sub-processor).
Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed the Standard Contractual Clauses (and, where applicable, the UK IDTA) incorporated herein, including their annexes, as of the Effective Date of this DPA.
5. Future Changes
If and to the extent any of the Standard Contractual Clauses or the UK IDTA are amended, replaced, repealed, or otherwise invalidated under Applicable Data Protection Laws, the Parties shall cooperate in good faith to enter into an updated or replacement transfer mechanism within a reasonable period. Provider may, in lieu of relying on the Standard Contractual Clauses or the UK IDTA, rely on any alternative transfer mechanism approved by the competent supervisory authority that lawfully permits the transfer of Customer Data.
EXHIBIT B — SERVICE LEVEL AGREEMENT (SLA)
Capitalized terms used and not defined have the meanings set forth in the Agreement. This SLA forms part of, and is governed by, the Master Service Agreement to which it is attached. In the event of any inconsistency between this SLA and the body of the Agreement, the Agreement controls except with respect to the service-level metrics, response-time objectives, Service Credits, and exclusions expressly set forth herein.
1. Definitions
- “Availability Exclusion” means any event, circumstance, or condition described in Section 4 that is excluded from the calculation of Downtime.
- “Business Day” means Monday through Friday, excluding (i) for U.S. customers, U.S. federal holidays, or (ii) for customers in the European Union or the United Kingdom, public holidays in France.
- “Business Hours” means 9:00 a.m. to 6:00 p.m. local time at the registered office of Provider on a Business Day.
- “Maintenance Window” means any period of time during which Provider performs Scheduled Maintenance or Emergency Maintenance, in each case as defined in Section 5.
- “Monthly Availability Percentage” means for any given calendar month, the percentage calculated as: ((Total Minutes – Downtime Minutes) / Total Minutes) × 100, rounded to two decimals.
- “Monthly Fees” means the recurring subscription Fees actually paid by Customer to Provider under the Agreement (excluding one-time, professional-services, or pass-through fees) for the affected Covered Services for the calendar month in which the SLA Failure occurred. If Fees are invoiced annually, the Monthly Fees are deemed equal to one-twelfth (1/12) of the relevant annual Fees.
- “Service Credit” means the credit due to Customer, calculated as a percentage of Monthly Fees in accordance with Section 6, in the event of an SLA Failure.
- “SLA Failure” means the failure of Provider to achieve the Service Commitment in a given calendar month.
- “Service Commitment” means the Monthly Availability Percentage commitment set forth in Section 2.
- “Total Minutes” means the total number of minutes in a calendar month (i.e., 1440 multiplied by the number of days in such month).
2. Service Commitment
Provider will use commercially reasonable efforts to make the Covered Services available with a Monthly Availability Percentage of at least 99.5% during each calendar month of the Subscription Term (the “Service Commitment”). The Service Commitment is measured per calendar month and applies on a per-Covered-Service basis.
3. Technical Support
Provider provides technical support during Business Hours through (a) email at support@qevlar.com and (b) the in-product support channel made available through the Platform. Customer shall submit support requests with sufficient detail to enable Provider to reproduce, triage, and resolve the issue. Each support request will be classified at the severity level set forth below. Customer is responsible for proposing an initial severity classification; Provider will confirm or adjust the classification in good faith after its first triage assessment.
| Severity | Definition | Initial Response Time Objective |
|---|---|---|
| P1 — High | Material features of the Covered Services are impaired or fail for a substantial portion of Authorized Users; a workaround may exist but is not commercially reasonable for ongoing use. | Within 4 Business Hours |
| P2 — Medium | A non-material feature is impaired; the Covered Services remain materially usable; a workaround exists. | Within 1 Business Day |
| P3 — Low | Cosmetic issue, “how-to” question, documentation request, or feature inquiry. | Within 5 Business Days |
Response Time Objectives are the periods within which Provider will commit a qualified engineer to begin work on the request. They are not resolution-time commitments. Provider’s response and resolution depend upon Customer’s timely cooperation and the timely provision of information requested by Provider (including reproduction steps, configurations, and logs).
4. Availability Exclusions
Downtime does not include, and Provider has no obligation to provide Service Credits in respect of, any unavailability or degradation of the Covered Services that is caused, directly or indirectly, by any of the following (each, an “Availability Exclusion”):
• Scheduled Maintenance and Emergency Maintenance (as defined in Section 5);
• any action of Provider when complying with the request or direction of Customer, including configuration changes requested by Customer;
• Customer’s breach of the Agreement, including unauthorized access or use, or violation of the Use Restrictions or the Usage Limit;
• Customer’s failure to respond to support requests that require Customer’s participation in identification, reproduction, or resolution of an issue;
• Customer’s or any Authorized User’s equipment, software, or other technology (including Security Tools, browsers, networks, and integrations) not within the sole and exclusive control of Provider;
• failures, degradations, or fluctuations in electrical, connectivity, network, or telecommunications equipment or lines, including those caused by Customer’s conduct or by Internet-access problems beyond Provider’s network;
• use of the Covered Services in combination with hardware, software, data, equipment, or technology not provided by Provider or not authorized by Provider in writing;
• modifications to the Covered Services not made or authorized by Provider in writing;
• the unavailability of features released for testing, alpha, beta, preview, “labs”, or evaluation purposes (whether or not expressly identified as such);
• limitation or suspension of the Covered Services pursuant to Section 2 of the Agreement (Service Suspension);
• suspension or termination of Customer’s right to use the Covered Services in accordance with the Agreement;
• force-majeure events, as defined in the Agreement;
• any circumstance the principal cause of which is the act or omission of a third party not under Provider’s direction or control (other than Provider’s Sub-processors acting on Provider’s behalf).
5. Maintenance
5.1 Scheduled Maintenance. Provider may perform routine maintenance (including platform upgrades, security patching, and infrastructure changes) (“Scheduled Maintenance”). Provider will use commercially reasonable efforts to perform Scheduled Maintenance outside Business Hours (in the time zone of the Customer’s primary data-processing region) and to provide Customer with at least forty-eight (48) hours’ prior notice through the Provider status page, email to Customer’s technical contacts, or in-product notifications.
5.2 Emergency Maintenance. Provider may perform emergency maintenance (including critical security patches, vulnerability remediation, response to threats or attacks against the Covered Services or Provider’s infrastructure, and remediation of incidents affecting the integrity or confidentiality of Customer Data) without prior notice (“Emergency Maintenance”). Provider will provide Customer with notice of Emergency Maintenance as soon as reasonably practicable thereafter.
6. Service Credits
6.1 Calculation. If Provider fails to meet the Service Commitment in any calendar month (an “SLA Failure”), Customer is entitled to Service Credits calculated as follows:

| Monthly Availability Percentage | Service Credit (% of Monthly Fees) |
| --- | --- |
| ≥ 99.5% | 0% (Service Commitment met) |
| ≥ 99.0% and < 99.5% | 10% |
| ≥ 95.0% and < 99.0% | 15% |
| < 95.0% | 25% |

6.2 Cap. Service Credits issued in respect of any given calendar month will not exceed, in the aggregate, fifty percent (50%) of the Monthly Fees actually paid by Customer for the affected Covered Services for that calendar month. Service Credits are not refundable in cash, are not transferable, and may be applied solely as a credit against future Fees payable by Customer under the Agreement. If the Agreement expires or is terminated before Customer has applied accrued Service Credits, the unused Service Credits will be paid as a one-time cash refund within sixty (60) days following the effective date of termination, except where termination results from Customer’s breach (in which case the Service Credits are forfeited).
6.3 Claim Process. To receive a Service Credit, Customer must submit a written claim to support@qevlar.com no later than thirty (30) days after the end of the calendar month in which the SLA Failure occurred. The claim must include (a) Customer’s account identifier, (b) the calendar month in respect of which the credit is claimed, (c) Customer’s calculation of the Monthly Availability Percentage with supporting evidence reasonably acceptable to Provider (which may include Provider’s status-page records, Customer’s monitoring data, and Provider’s incident reports), and (d) the requested Service Credit amount. Provider will validate the claim against its own monitoring records and, in case of any discrepancy, Provider’s monitoring records control, except where Customer demonstrates a manifest error. Provider will notify Customer of its determination within thirty (30) days after receipt of a complete claim and, if the claim is accepted (in whole or in part), apply the Service Credit on the next invoice issued under the Agreement.
6.4 Sole and Exclusive Remedy. Subject to Section 7, Service Credits set forth in this SLA are Customer’s sole and exclusive remedy, and Provider’s sole liability, for any SLA Failure or any failure by Provider to achieve the Service Commitment. The remedies in this SLA are not cumulative with any other remedy available under the Agreement for the same event.
7. Chronic Failure; Termination for SLA Failure. In addition to (and not in derogation of) the Service Credits set forth in Section 6, if Provider experiences (a) Monthly Availability Percentages below 95.0% in any three (3) consecutive calendar months, or (b) Monthly Availability Percentages below 99.0% in any four (4) calendar months within any rolling twelve (12)-month period (each a “Chronic Failure”), Customer may terminate the affected Order Form (and, at Customer’s option, the Agreement) for cause upon thirty (30) days’ written notice to Provider, without further cure period, provided that such notice is given within ninety (90) days following the event giving rise to the termination right. Upon such termination, Provider will refund any prepaid but unused Fees for the affected Covered Services, calculated pro rata from the effective date of termination. The termination right set forth in this Section 7 is in addition to, and does not waive, any other termination rights set forth in the Agreement.
8. Status, Reporting, and Records. Provider operates a publicly accessible status page (https://status.qevlar.com or such other URL as Provider may designate) showing real-time availability, incidents in progress, and a history of resolved incidents. Within ten (10) Business Days following a P1 or P2 incident affecting the Covered Services for more than four (4) hours, Provider will publish (or make available to Customer) a written post-incident review summarizing (i) the nature and timeline of the incident, (ii) the root cause(s) identified, (iii) the remediation steps taken or planned, and (iv) any preventive measures. Provider will retain availability records for the Covered Services for a period of at least thirteen (13) months and will make summary availability reports available to Customer on reasonable written request, no more than once per calendar quarter.
9. Miscellaneous
9.1 No Implied Modification of MSA. Except as expressly set forth in this SLA, nothing in this SLA modifies the terms of the Agreement. The limitations of liability set forth in the Agreement apply to Provider’s obligations and Customer’s remedies under this SLA, and Service Credits awarded hereunder will count toward the aggregate liability cap set forth in the Agreement.
9.2 Updates. Provider may update this SLA from time to time to reflect changes in the Covered Services, applicable law, or industry practice, provided that no such update will materially diminish Customer’s rights under this SLA during the then-current Subscription Term unless Customer consents in writing or such update is required by applicable law.
9.3 Survival. Sections 6 (in respect of accrued Service Credits and claims submitted in accordance with Section 6.3) and 10 survive expiration or termination of the Agreement.