Proven Inc MASTER SUBSCRIPTION AGREEMENT

THESE TERMS OF USE GOVERN YOU AND/OR YOUR ORGANIZATION’S USE OF SOFTWARELOCATED AT WWW.GETPROVEN.COM (HEREAFTER THE“SERVICE”).

IF YOU REGISTER FOR A FREE TRIAL FOR OUR SERVICE,THIS AGREEMENT WILL ALSO GOVERN THAT FREE TRIAL.

BY ACCEPTING THESE TERMS, EITHERBY CLICKING A BOX INDICATING YOUR ACCEPTANCE, CONTINUING TO USE THE SERVICE, OR BYEXECUTING AN DOCUMENT THAT REFERENCES THESE TERMS, YOU AGREE TO BE BOUND BYEACH OF THESE TERMS. IF YOU ARE AGREEING TO THESE TERMS ON BEHALF OF A COMPANYOR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCHENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS. IF YOU DO NOT HAVESUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENTAND MAY NOT USE THE SERVICE. BOTHYOU, AND/OR THE LEGAL ENTITY YOU MAY

REPRENTS ARE REFERREDTO AS “CUSTOMER”.

You may not accessthe Services if you are our directcompetitor, except with our prior written consent. In addition, you may not accessthe Service, except with our prior written consent, for purposes of monitoringtheir availability, performance or functionality.

Your use of the Service constitutes your agreement to these terms. It is effective betweenyou (or the

legal entityyou represent) (the “Effective Date”)and Proven Inc as of the date you agree tothese terms or you first use theService, whichever is earlier.

1.       SCOPE OF AGREEMENT

This Agreementsets forth the terms under which Proven will provide the Service to Customer.Capitalized terms in this Agreement are defined in Appendix 2. The Agreementincorporates the following components: (a) the Proven Service Level Agreement(Appendix 1), (b) the definitions controllingthe Agreement (Appendix 2), and (c) the Proven Data Protection Agreement (Appendix 3).

2.       SUBSCRIPTIONSTO THE SERVICE

2.1. Usage Limits.Subscriptions for the Service are limited to the quantities specified by Proven.Each Subscription refers to an individual Customer. Customer may not use the Service in a waywhich exceeds the applicable Subscription limitations communicated by Proven.

3.       CUSTOMER LIMITATIONS/RESPONSIBILITIES

3.1. Limitations. Customerwill not: (a) resell, sublicense, rent, loan, lease, time share or otherwise make the Service available to any party not authorized to usethe Service under the Agreement; (b) modify, adapt, alter, translate, copy, orcreate derivative works based on the Service; (c) reverse-engineer, decompile,disassemble, or attempt to derive the source code for the Service (unless suchright is granted by applicable law and then only to the minimumextent required by law); (d) access the Servicesin order to: (i) build a competitive product or service; or (ii) copy anyideas, features, functions or graphics of theService; (e) merge or use the Service with any software orhardware for which they werenot intended (as described in the Documentation); (f) allow Users to share access credentials; (g) use the Service forunlawful purposes or to store unlawful material; (h) use the Service to send orstore material containing software viruses, worms, Trojan horses or otherharmful computer code, files, scripts, or agents; (i) disrupt the integrity or performance of the Service; (j) remove, alter, or obscure in any way the proprietary rights notices (including copyright, patent, and trademark noticesand symbols) of Proven or itssuppliers contained on or within any copies of the Service, (k) bypass anysecurity measure or access control measure of the Service, (k) use the Serviceother than as described in the Documentation, or (l) perform or disclose anybenchmarking or testing of the Service itself or of the security environment or associated infrastructure without Proven’s priorwritten consent.

3.2. Remediesfor Violation of Customer Limitations. Provenmay, without limiting its other rights and remedies, suspend Customer’s and/or applicable Users’access to the Service at any time if: (i) requiredby applicable law, (ii) Customer or any User is in violation of the terms ofthis Agreement, or (iii)

Customer’s, or a User’suse disrupts the integrity or operation of the Serviceor interferes with use of theService by others. Proven will use reasonable efforts to notify Customer priorto any suspension, unless prohibited by applicable law or court order, andProven will promptly restore Customer’s access to the Service upon resolutionof any violation under this section. IfProven is notified that any Customer Data violates applicable law or third-partyrights, Proven may so notifyCustomer and in such event Customer will promptly remove such Customer Datafrom the Service. If Customer does not take required action, Proven may disablethe applicable Customer Data until the potential violation is resolved.

3.3. Customer Responsibilities. Customer will: (a) use commercially reasonable efforts to prevent, and remain responsible for Users’compliance with the Agreement and will promptly notify Proven of anyunauthorized access to the Service arising from a compromise or misuse ofCustomer’s or its User’s

access credentials, (b) use the Services only in accordance with the Documentation, applicable laws, this Agreement, and governmentregulations, (c) comply with terms of service of any Non-Proven ApplicationsCustomer uses in conjunction with the Service, and (d) remain responsible for any action in violationof the Agreement by Customer’s Affiliates or Users.

4.       DATA RESPONSIBILITIES

4.1. ComplianceWith Applicable Laws. Customer isexclusively responsible for: a) determining what data Customer submits to the Service, b) for obtaining allnecessary consent and permissions for submission of Customer Data andrelated data processing instructionsto Proven Inc, c) for the accuracy, quality and legality of Customer Data, andd) that Customer complies in allrespects with applicable data privacy and protection regulations. Customer shall ensure that it is entitledto transfer the relevant Customer Data to Proven so that Provenand its service providers may lawfully use, process, and transferthe Customer Data in accordance withthis Agreement on Customer’s behalf. No rights to the Customer Data are grantedto Proven hereunder other than as expressly set forth in this Agreement.

4.2. ExcludedData. Customer shall not provideProven with any Customer Data that is subject to heightened securityrequirements by law, regulation or contract (examplesinclude but are not limitedto the Gramm–Leach–Bliley Act (GLBA), Health Insurance and Portabilityand Accountability Act (HIPPA), Family Educational Rightsand Privacy Act (FERPA), the Child’s Online Privacy Protection Act (COPPA), the standards promulgated by the PCISecurity Standards Council (PCI-DSS), and their international equivalents (suchCustomer Data collectively, “Excluded Data”). Proven shall have noresponsibility or liability for Excluded Data. https://www.getproven.com/privacy

5.       INTELLECTUALPROPERTY RIGHTS AND OWNERSHIP

5.1. Reservationsof Rights. Except for the limitedrights expressly granted to Customer hereunder, Proven reserves all rights,title, and interest in and to the Service, the underlying software, the ProvenMaterials and any and all improvements (including any arising from Customer’s feedback), modifications and updates thereto, including without limitationall related intellectual property rights inherent therein. Where Customerpurchases Professional Serviceshereunder, Proven grantsto Customer a non-sublicensable, non-exclusive license to use any materials provided by Proven asa result of the

ProfessionalServices (the “Proven Materials”) solely in conjunction with Customer’sauthorized use of the Service and in accordance with this Agreement. No rights are granted to Customer hereunder other than as expressly set forth in this Agreement. Nothing in this Agreement will impairProven’s right to develop, acquire, license, market, promote or distributeproducts, software or technologies that perform the same or similar functionsas, or otherwise compete with, any products, software or technologies thatCustomer may develop, produce, market, or distribute.

5.2. Ownership and Processing of Customer Data.Customer and/or its licensors shall retain all right, title and interest in all Customer Data stored in the Service,including any revisions, updates or other changesmade to that Customer Data. Customer grants Proven a nonexclusive, worldwide,royalty-free right to reproduce, display, adapt, modify, transmit, distributeand otherwise use the Customer Data: (a) solely for the purpose of providingthe Service and Professional Services under this Agreement; (b) to prevent oraddress technical or security issues and resolve support requests; (c) atCustomer's direction or

request, enableintegrations between Customer’s Connected Applications and the Service;and (d) as otherwise required by applicable law.

5.3. Use of Aggregate Information. Proven may collect, anonymize, and aggregatedata derived from the operation of the Service(“Aggregated Data”), and Proven may use such Aggregated Data for purposesof operating Proven’s business, monitoring performance of the Service,and/or improving the Service. Proven’s use of Aggregated Data as described inthis section shall not result in any unauthorized disclosure of Customer Data,Customer Confidential Information, or personally identifiable information ofAuthorized Users. Aggregated Datawill not be capable of re-identification. Aggregated Data belongs to Proven.

5.4. Ownershipof Deliverables. With respect to anydeliverables or work product (“Deliverables”) resulting from any of theProfessional Services, Proven owns all right title and interest in and to theintellectual property rights pertaining to such Deliverables and grants toCustomer a non-exclusive, worldwide right and license to use such Deliverable in connection with Customer’spermitted use of the Service.

5.5. Feedback. Customer grants to Proven a non-exclusive,royalty-free, fully paid up, worldwide, transferable, sublicensable, irrevocable,perpetual license to use or incorporate into the Service any suggestions, ideas,enhancement requests, feedback,recommendations or other information provided by Customer or its Users relatingto the features, functionality or operation of the Service or the

Professional Services(“Feedback”). Feedback does not includeCustomer Data. Notwithstanding any other term herein, Feedback shall not create anyconfidentiality obligation for Proven.

6.       CONFIDENTIAL INFORMATION

6.1. Confidentiality.“Confidential Information” meansinformation and/or materialsprovided by one party (“Discloser”) to the other party (“Recipient”), which are identified as confidential at thetime of disclosure or, under thecircumstances of disclosure, a reasonable person would understand to beconfidential. The following information shall be considered ConfidentialInformation whether or not marked or identified as such: this Agreement, aparty’s pricing, product roadmap, product plans, or strategic marketing plans,algorithms, business plans, customer lists, designs documents, drawings,engineering information, financial analysis, forecasts, formulas, hardwareconfiguration information, know-how, ideas, inventions, market information,processes, products, research, specifications, software, source code, tradesecrets or any other non-public information relating to the Service includingthe Documentation. Recipient may disclose Discloser’s Confidential Informationonly to

Recipient’sAffiliates, employees, officers, directors, advisors or contractors who need toknow such Confidential Information and who are under a duty of confidentiality no less restrictive than Recipient’s dutyhereunder.

6.2. Exclusions. “Confidential Information” does notinclude information that: (a) is independently developed by or for the Recipient without access or reference to, or use of, Confidential Information; (b) islawfully received free of restriction from another source having the right tofurnish such information;

(c) is or becomes lawfully in the public domain other than througha breach of this Agreement;(d) was known by the Recipient prior to disclosure; (e) Discloser agrees in writingis free of such restrictions; or

(f) is generally disclosed by the Discloser to third partieswithout a duty of confidentiality.

6.3. Duties Regarding Confidential Information. At all times during and after the term of this Agreement, Recipient shall (a) keepDiscloser’s Confidential Information confidential and not disclose Discloser’s ConfidentialInformation to a third party without the Discloser’s written consent or asexpressly permitted in this Agreement, and (b) not use the ConfidentialInformation for purposes other than the performance of this Agreement. Where disclosure is required by law, such disclosure shall not constitutea breach of this Agreement provided Recipient gives Discloser reasonableadvance notice (if legally permissible) to enable Discloser to seek appropriateprotection of the Confidential Information and discloses only that portion ofthe Confidential Information that the Recipient is legally compelled or isotherwise legally required to disclose. Anyprior non-disclosure agreement executed among the parties is terminated infavor of these confidentiality terms.

6.4. UnauthorizedDisclosures. The parties agree that Recipient’s threatened or actualunauthorized disclosures of Confidential Information may result in irreparableinjury for which a remedy in money damages may be inadequate. The partiestherefore agree the Discloser may be entitled to seek an injunction to prevent a breach or threatened breach of this Section withoutposting a bond. Any such injunction shall be additional toother remedies available to Discloser at law or in equity.

7.       WARRANTIES AND DISCLAIMER

7.1. General Representations and Warranties. Each party represents and warrants that it has the power and authority to enter into thisAgreement and the performance by such party of its obligations and dutieshereunder will not violate any agreement to which such party is bound.

7.2. Customer Warranties. Customer represents and warrants that: (a) it has the right to provide Proven with access to all Customer Data,(b) it shall obtain from its Users all consents required under law regardingthe use of the Customer Data and Feedback as described in this Agreement.

7.3. Disclaimerof Warranty. EXCEPT FOR THE EXPRESS WARRANTIESSET FORTH IN THIS SECTION 9, TO THE MAXIMUM EXTENTPERMITTED UNDER APPLICABLE LAW, THE SERVICE, PROFESSIONAL SERVICES AND DOCUMENTATIONARE PROVIDED “AS IS” WITHOUT OTHER WARRANTY OF ANY KIND, AND PROVEN MAKES NOWARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, WITH RESPECT TO THESERVICE AND PROFESSIONAL SERVICES. PROVEN SPECIFICALLY AND EXPLICITLY DISCLAIMSALL OTHER WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION THEIMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,NON-INFRINGEMENT, THOSE ARISING FROM A COURSE OF DEALING OR USAGE OR TRADE, ANDALL SUCH WARRANTIES ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.FURTHER, PROVEN DOES NOT WARRANT THE SERVICE WILL BE ERROR-FREE OR THAT THE USEOF THE SERVICE WILL BE UNINTERRUPTED. THE SERVICE AND MATERIALS ARE NOTDESIGNED, INTENDED OR WARRANTED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRINGFAIL-SAFE CONTROLS.

8.       INDEMNIFICATION

8.1. IndemnificationBy Customer. If a third party initiates or threatens legal action againstProven for processing Customer Data uploaded into the Service by Customer orUsers, or for a claim relating to Customer’s, or a User’s breach of itsobligations under Section 5, where such claim arises solely from Proven operatingthe Service, then Customerwill: (a) promptlyassume the defense of the claim and (b)pay costs, damages and/or reasonable attorneys’ fees that are included in afinal judgment against Proven (without right of appeal) or in a settlementapproved by Customer that are attributable to Proven processing of suchCustomer Data to provide the Service; provided that Proven (i) notifiesCustomer in writing of the claim promptly after receiving it, (ii) allowsCustomer to control the defense of the claim with counselof its choice, and to settle such claim at Customer’s sole discretion (unlessthe settlement requires payment by Proven or requires Proven to admitliability, in which case Proven will have the right to approve suchpayment or admission, and (iii)reasonably cooperates with Customer in defending the claim at Customer’s expense.

8.2. IndemnificationBy Proven. Subject to the limitations in Section 9, if a third party threatensa legal action alleging that Customer’s use of the Service directly infringesthe third party’s patent, copyright, or trademark, or if a third-party allegesProven is in breach of its confidentiality obligations under section 6 (suchaction, a “Claim”) Proven agrees to hold harmless and indemnify Customer andits affiliates, including its officers, directors, employees, and agents, fromsuch Claim, including reasonable attorneys’ fees..

9.       LIMITATION OF LIABILITYAND DISCLAIMER OF DAMAGES.

9.1. DISCLAIMEROF INDIRECT DAMAGES. IN NO EVENTSHALL EITHER PARTY, OR ITS AFFILIATES OR ITS LICENSORS BE LIABLE UNDER ANYLEGAL THEORY FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, INDIRECT, PUNITIVE OREXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOSS OF USE,BUSINESS INTERRUPTIONS, REVENUE, GOODWILL, PRODUCTION, ANTICIPATED SAVINGS, OR COSTSOF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, IN CONNECTION WITH OR ARISINGOUT OF THE PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT(INCLUDING ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIESIN OR DESTRUCTIVE PROPERTIES OF THE SOLUTION), WHETHER ALLEGED AS A BREACH OFCONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN OF A PARTY HAS BEENADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9.2. LIMITATIONOF LIABILITY. NEITHER PARTY’S (OR ITS AFFILIATES’) AGGREGATE AND CUMULATIVELIABILITY ARISING FROM OR RELATINGTO THIS AGREEMENT, WHETHER IN CONTRACT, TORT, STATUTE OROTHERWISE WILL EXCEED THE AMOUNTS PAID OR OWED TO PROVEN BY CUSTOMER IN THEAGGREGATE DURING THE SIX (6) MONTHS IMMEDIATELY PRECEDING THE FIRST EVENTGIVING RISE TO LIABILITY. NOTHING IN THIS AGREEMENT IS INTENDED TO EXCLUDE OR LIMIT EITHER PARTY’S LIABILITY FOR DEATH, PERSONALINJURY, OR PROPERTY DAMAGE CAUSED BY NEGLIGENCE, OR FOR FRAUD. NOTHING IN THISSECTION WILL LIMIT THE FEES OWED BY CUSTOMER UNDER THIS AGREEMENT FOR THE SERVICEOR PROFESSIONAL SERVICES,OR FOR VIOLATING CUSTOMER’S OBLIGATIONS IN SECTION 4 AND 5.THE PARTIES ACKNOWLEDGE THAT THE FEES PAID PURSUANT TO THIS AGREEMENTREFLECT THE ALLOCATION OF RISK SET FORTH IN THIS AGREEMENT, AND THAT PROVENWOULD NOT ENTER INTO THIS AGREEMENT WITHOUT THESE LIMITATIONS ON ITS LIABILITY.

10.    TERM AND TERMINATION

10.1. Effective Date and Term.This Agreement commenceson the Effective Date and shall remainin effect until terminated by either Party in accordance withthe terms of the Agreement (the “Term”).

10.2. Termination. After five (5) days writtennotice, either party may terminatethis agreement for noreason, or any reason.

10.3. Effect of Termination. If this Agreementis terminated Proven’swill no longer provide the Service,all of Customer’s Affiliates and Users’ rights to use the Service willterminate.

11.    SURVIVAL. The provisions of Sections: 6(“Confidential Information”),8 (“Indemnification”), 9 (“Limitation of Liabilityand Disclaimer of Damages”), and 12 (“Miscellaneous”), and any other terms andconditions of this Agreement which by their nature reasonably should survivethe termination or other expiration of this Agreementshall survive any expiration or termination of this Agreement.

12.    MISCELLANEOUS

12.1. Assignment. Proven may assignthis Agreement withoutthe consent of Customer. Customermay not assign this agreement.

12.2. Compliance with Applicable Laws.Each party will comply with all applicable laws, including without limitation, applicableexport-control restrictions, data privacy laws, and anti-corruption laws.

12.3. FutureFeatures and Functions. Customer agreesthat Proven may, from time to time, at its sole discretion, modify and updatethe Service. Customer understands and agrees that any features or functionsrelated to Proven products referenced on any Proven website, or in anypresentations, verbal or electronic communications, press releases or public statements, which are not currently availableas a GA release, may not bedelivered on time or at all. The development, release, and timingof any features or functionality describedfor our products and services remains at Proven’s sole discretion. Accordingly, Customer agrees that it is using theService based solely upon features and functions that are currently availableas of the time Customerfirst accesses the Service, and not inexpectation of any future feature orfunction.

12.4. Notices. Notices may be sent by first-class,registered mail (return receipt requested) or private courier to the addressof the receiving party identified on the first page of this Agreement. Notice will be deemed given five (5) days aftermailing U.S. first class, registered mail, or upon confirmed delivery by

private courier, whicheveris sooner. Customerwill address noticesto Proven’s LegalDepartment, with a copy to LEGAL@GETPROVEN.COM.Either party may from time to time change its address for notices under thissection upon written notice to the other party.

12.5. Non-waiver.Any failure of either party to enforce performance by the other party of any ofthe provisions of this Agreement, or to exercise any rights or remedies underthis Agreement, will not be construed as a waiver of such party's right toassert or rely upon such provision, right or remedy in that or any other instance.Neither party waives any rights or limits its remediesfor actions taken outside the scope of this Agreement.

12.6. DisputeResolution. This Agreement will be governed by the laws of the State ofCalifornia, U.S.A., without giving effect to any conflicts of laws provisions. Neither the United Nations Convention onContracts for the International Sale of Goods nor the Uniform ComputerInformation Transactions Act will apply to this Agreement. Any claim, suit,action or proceeding arising out of or relating to this Agreement or itssubject matter will be brought exclusively in the state or federal courts ofSan Francisco County, California, and each party irrevocably submits to theexclusive jurisdiction and venue of such courts. No claim or action, regardlessof form, arising out of this Agreement may be brought by either partymore than one (1) year after the earlier of the following: a) the expiration or termination of all Subscriptions, b) the terminationof this Agreement, or c) the time a party first became aware, or reasonablyshould have been aware, of the basis for the claim. To the fullest extentpermitted, each party waives the right to trial by jury in any legal proceedingarising out of or relating to this Agreement or the transactions contemplatedhereby.

12.7. Severability.If any provision of this Agreement is held invalid or unenforceable underapplicable law by a court of competent jurisdiction, it shall be replaced withthe valid provision that most closely reflectsthe intent of the parties,and the remaining provisions of the Agreement will remain in full force and effect.

12.8. Relationshipof the Parties. Nothing in this Agreement is to be construed as creating anagency, partnership, or joint venture relationship between the parties hereto.Neither party shall have any right or authority to assume or createany obligations or to make anyrepresentations or warranties on behalfof any other party, whetherexpress or implied,or to bind the other party in any respect.Each party may identify the other as a customer orsupplier, as applicable.

12.9. Force Majeure.Force majeure eventsshall excuse the affected party (the "Non-Performing Party") from its obligations underthis Agreement so long as the event and its effects continue. Force majeure events include acts whichare beyond the reasonable control of a party, including without limitation,Acts of God, natural disasters, pandemic, epidemic, war, riot, network attacks,acts of terrorism, fire, explosion, accident, sabotage, strikes, inability toobtain power, fuel, material or labor, or acts of any government (each, a “Force Majeure Event”). As soon as feasible, the Non-Performing Party shall notify the other party of: (a) itsbest reasonable assessment of the nature and duration of the Force MajeureEvent, and (b) the steps it is taking to mitigate its effects. If the ForceMajeure Event prevents performance for more than sixty (60) days, and theparties have not agreed upon a revised basis for performance, then either partymay immediately terminate the Agreement upon written

notice. Proven’s suspension of the Servicesin order to comply with laws is a Force Majeure Event.

12.10. U.S. Government Restricted Rights. If the Serviceis used by the U.S. Government, partiesagree

the Service is “commercial computer software” and “commercial computerdocumentation” developed exclusively atprivate expense, and (a) if acquired by or on behalf of a civilian agency,shall be subject solely to the terms of this Agreement as specified in 48C.F.R. 12.212 of the Federal Acquisition Regulations and its successors; and (b) if acquired by or on behalf of units of the Department of Defense (“DOD”)shall be subject to the terms of this commercial computer software license asspecified in 48

C.F.R. 227.7202-2, DOD FAR Supplement and its successors.

12.11. EntireAgreement. This Agreement, together with the Appendices constitute the entireagreement between parties, and supersedes all prior or contemporaneousproposals, quotes, negotiations, discussions, or agreements, whether written ororal, between the parties regarding its subject matter. Revisions to thisAgreement must be made by a separate amendment, signed by each party, and mustbe expressly drafted for that purpose and identify the specific sections thatare being revised. However, ifCustomer agreed to these terms by reference in another binding instrument,Proven may change these terms by posting an updated version at the applicableURL and notifying Customer of the change. By continuing to access or use the Service after such notice Customer agreesto be bound by the updated terms. Customer click-through terms, preprinted termsin Customer purchase orders or other customer-generated ordering documents, orterms referenced or linked within them, will have no effect on this Agreementand are hereby rejected, regardless of whetherthey are signed by Proven and/or purport to take precedence over thisAgreement. The order of precedence among all documents executed among theparties shall be: (1) These terms, (2) the Documentation.

Appendix 2 (Definitions)

“Affiliate” means, with respect to aparty to this Agreement, any entity that directly or indirectly controls, is controlled by, or is under commoncontrol with such party throughthe possession of morethan fifty percent (50%) of the voting stock of the controlled entity.

“Authorized User” or “User” means: (a)in the case of an individual accepting this Agreement on such individual’s ownbehalf, such individual; or (b) an employee or authorized third-party ofCustomer, who has been authorized by Customer to use the Service in accordance with the termsand conditions of thisAgreement and has been allocated user credentials.

“CustomerData” means any electronic data or materials provided or submitted by or for Customer to orthrough the.

“Documentation” means Proven’s published user manual that describes the functionality of the Service, as updated by Proven from timeto time.

“Party” means eitherCustomer or Proven and togetherthe “Parties”.

“Professional Services” means TrainingServices, Implementation Services,or other servicesCustomer agrees to purchase as described in a fully executed statementof work.

“Service” means ProvenInc-as-service platform locatedat WWW.GETPROVEN.COM.

"Subscription" means access to the Service during the Subscription Term. Each Subscription is specific to aunique Authorized User and under no circumstance may an Authorized UserSubscription be transferred to, shared among or used by different AuthorizedUsers.

“Subscription Term(s)” means the subscription period(s)during which Customer is authorized to usethe Service, as specified by Proven Inc.

“Vendor”means a person or legalentity Customer invitesto offer or market the Vendor’s products and/or services via the Services.

Appendix 3

PROVEN DATA PROCESSING ADDENDUM(DPA)

This Data Processing Addendum, including its Schedules, (“DPA”) formspart of the Master SubscriptionAgreement between Proven and Customer for the purchase of the Service (the“Agreement”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.Customer enters into this DPA on

behalf of itself and, to the extent requiredunder applicable Data Protection Laws and Regulations, in the name and onbehalf of its Authorized Affiliates. For the purposes of this DPA only, andexcept where indicated otherwise, the term “Customer” shall include Customerand Authorized Affiliates. All capitalized terms not defined herein shall havethe meaning set forth in the Agreement.In the course of providing the Serviceto Customer pursuant to the Agreement, Proven may Process Personal Data onbehalf of Customer and the Parties agree to comply with the followingprovisions with respect to any Personal Data, each acting reasonably and ingood faith.For the avoidance of doubt, signature of the DPA on page 8 shall be deemed to constitute signature andacceptance of the Standard Contractual Clauses, including Schedule 2. WhereCustomer wishes to separately execute the Standard Contractual Clauses and itsAppendix, Customer should also complete the information as the data exporterand sign on page 14 (Schedule 2).

HOW THIS DPA APPLIES

If the Customerentity signing this DPA is a party to the Agreement, this DPA is an addendum toand forms part of the Agreement. In such case, the Provenentity that is party to the Agreement is party to this DPA.1.

DATA PROCESSING TERMS

“Affiliate” means any entity that directlyor indirectly controls,is controlled by, or is under common control with the subject entity.“Control,” for purposes of this definition, means direct or indirect ownershipor control of more than 50% of the voting interests of the subject entity.“

Authorized Affiliate” means any ofCustomer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the EuropeanUnion, the EuropeanEconomic Area and/or their member states,Switzerland and/or the United Kingdom, and (b) is permitted to use the Servicepursuant to the Agreement between Customer and Proven, but has not signed itsown Order with Proven and is not a “Customer” as defined under this DPA.

“CCPA” means the California ConsumerPrivacy Act, Cal. Civ. Code § 1798.100et seq., as amended by the California Privacy Rights Act, andits implementing regulations.

“Controller” meansthe entity which determines the purposes and means of the Processing of Personal Data.

“Customer” means the entity thatexecuted the Agreement together withits Affiliates (for so long as theyremain Affiliates) agreed to the terms of the Agreement.

“Customer Data” means what is definedin the Agreement as “Customer Data”, provided that such data is electronic data and information submitted by or for Customer to the Service. This DPAdoes not apply to Non-Proven Applications as defined in the Agreement.

“CustomerData Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access toCustomer Data, including Personal Data, transmitted, stored or otherwiseProcessed by Proven or its Sub-processors.

“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement,including those of the European Economic Area, Switzerland, the United Kingdomand the United States and its states.

“Data Subject” meansthe identified or identifiable personto whom PersonalData relates.“Data Subject Request” means, a Data Subject’slegal right of access, right to rectification, restriction of Processing,

erasure (“rightto be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decisionmaking as set out in applicable Data Protection Laws and Regulations.

“Europe” means the European EconomicArea, Switzerland and the United Kingdom.

“GDPR” means Regulation (EU) 2016/679of the European Parliament and of the Council of 27 April 2016 on the protection of natural personswith regard to the processing of personal data and on the free movement of such data, and repealingDirective 95/46/EC (General Data Protection Regulation), including asimplemented or adopted under the laws of the United Kingdom.

“Personal Data” means any information relatingto (i) an identified or identifiable naturalperson and,

(ii) an identified or identifiable legal entity (wheresuch information is protected similarlyas Personal Data or personallyidentifiable information under applicable Data Protection Laws andRegulations), where for each (i) or (ii), such data is Customer Data.

“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automaticmeans, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise makingavailable, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which ProcessesPersonal Data on behalf of the Controller, including asapplicable any “service provider” as that term is defined by the CCPA.

“Public Authority” means a government agencyor law enforcement authority, including judicial authorities.

“Proven” means ProvenInc, a company incorporated in Delaware, US.

“StandardContractual Clauses” means Standard Contractual Clausesfor the transferof Personal Data to third countries pursuant toRegulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currentlyset out at HTTPS://EUR- lex.europa.eu/eli/dec_impl/2021/914/oj.

“Sub-processor” means any Processor engagedby Proven.

2.       PROCESSING OF PERSONALDATA

2.1. Roles ofthe Parties. The parties acknowledge and agree that with regard to theProcessing of Personal Data, Customer is a Controller or a Processor, Proven isa Processor and that Proven will engage Sub-processors pursuantto the requirements set forth in section5 “Sub-processors” below.

2.2. Customer’sPersonal Data Obligations. Customer’s instructions for the Processing ofPersonal Data shall comply with Data Protection Laws and Regulations and whereCustomer is a processor, the instructions of its Controller. Customerconfirms that its instructions do not conflictwith the instructions of its Controller. Customershall have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Customeracquired Personal Data. Customer acknowledges that any Processing governed bythis DPA is lawful on the basis that Data Subjects have given consent. WhereCustomer is required by applicable Data Protection Laws and Regulations toevidence Data Subjects’ consent, it may request a copy of the consent logcaptured by Proven. Customer specifically acknowledges and agrees that its useof the Service will not violate the rights of any Data Subject, including thosethat have opted-out from sales or other disclosures of Personal Data, to theextent applicable under Data Protection Laws and Regulations.

2.3. Proven’sProcessing of Personal Data. Proven shall Process Personal Data on behalf ofand only in accordance with applicable Data Protection Laws and Regulations and Customer’s documented instructions for the followingpurposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Users in their use of the Service; and(iii) Processing to comply with other documented reasonable instructionsprovided by Customer (e.g., via email) where such instructions are consistentwith the terms of the Agreement. Where Customer is a processor, Customerconfirms that its instructions to Proven are consistent with the terms of theagreement between the Customer and the Controller.

2.4. Details ofthe Processing. The subject-matter of Processing of Personal Data by Proven isthe performance of the Service pursuantto the Agreement. The durationof the Processing, the nature andpurpose of the Processing, the types of Personal Data and categories of Data SubjectsProcessed under this DPA are further specified in Schedule 2(Description of Processing/Transfer) to this DPA.

2.5. CustomerInstructions. Proven shall inform Customer if, in its opinion, Customer’sinstructions for the Processing of Personal Data infringes GDPR. Where this relates to instructions from the Customer’s Controller, Customer agrees toimmediately inform its Controller.

3.       RIGHTS OF DATASUBJECTS

3.1. Notification. Proven shall, to the extent legallypermitted, promptly notify Customer of any complaint, dispute or Data SubjectRequest it has received from a Data Subject. Where Customer is a processor, Customeragrees to forwardany notification it receives from Proven withoutundue delay, to its Controller. Proven shall notrespond to a complaint, dispute or Data Subject Request itself, and shall redirect the complaint, dispute orData Subject Request as necessary to allow Customer to respond directly. Takinginto account the nature of the Processing, Proven shall assist Customer byappropriate technical and organizational measures, insofar as this is possible,for the fulfillment of Customer’s obligation to respond to a Data SubjectRequest under Data Protection Laws and Regulations.

3.2. Assistance. In addition, to the extent Customer, in its use ofthe Service, does not have the ability to address a Data Subject Request, Proven shall upon Customer’s requestprovide commercially reasonable efforts to assist Customer inresponding to such Data Subject Request, to the extent Proven is legallypermitted to do so and the response to such Data Subject Request is requiredunder Data Protection Laws and Regulations. Customer shall be responsible forany reasonable costs arising from Proven’s provision of such assistance.

4.       PROVEN PERSONNEL

4.1. Confidentiality.Proven shall ensure that its personnel engaged in the Processing of PersonalData are informed of the confidential nature of the Personal Data, have receivedappropriate training on theirresponsibilities and have committed themselves to confidentiality orare under an appropriate statutoryobligation of confidentiality. Proven shall ensure that such confidentialitycommitments survive the termination of the personnel engagement.

4.2. Reliability. Provenshall take commercially reasonable steps to ensure the reliability of any Proven personnel engaged in the Processingof Personal Data.

4.3. Limitation of Access. Proven shall ensure that Proven’saccess to PersonalData is limited to those personnel performing Service inaccordance with the Agreement.

4.4. Data Protection Officer. Proven has appointed a data protection officer. The appointedperson may be reached at PRIVACY@GETPROVEN.COM.

5.       SUB-PROCESSORS

5.1. Appointment of Sub-processors. Customeracknowledges and agrees that (a) Proven’s Affiliates may be retained as Sub-processors; and (b) Proven and Proven’sAffiliates respectively may engage third- party Sub-processors in connectionwith the provision of the Service. Proven or a Proven Affiliate has enteredinto a written agreement with each Sub-processor containing, in substance, thesame data protection obligations than those in the Agreement with respect tothe protection of Customer Data to the extent applicable to the nature of theService provided by such Sub-processor.

5.2. List ofCurrent Sub-processors and Notification of New Sub-processors. The current listof Sub- processors engaged in Processing Personal Data for the performance ofeach applicable Purchased Service, including a description of their processingactivities and countries of location, is listed on Proven’s privacy webpage at(INSERT HYPERLINK). Customer hereby consents to these Sub-processors, their locationsand processing activities as it pertainsto their PersonalData. The Infrastructure and Sub- processor Documentation contains a mechanismto subscribe to notifications of new Sub-processors for each applicable Purchased Service.

5.3. Objection Right for New Sub-processors. Customermay reasonably object to Proven’suse of a new Sub-processorby notifying Proven promptly in writing within thirty (30) days of receipt ofProven’s notice of a new Sub-processor. Proven may, but is not obligated to,make reasonable efforts to make available to Customer a change in the Serviceor recommend a commercially reasonable change to Customer’s configuration oruse of the Service to avoid Processing of Personal Data by the objected-to newSub-processor. If Proven is unable, to resolve Customer’s objections, Customer may terminate the Agreement.

5.4. Liability.Proven shall be liable for the acts and omissions of its Sub-processors to thesame extent Proven would be liable if performing the services of each Sub-processordirectly under the terms of this DPA. Where the performance of theService requires Proven to contract with Sub-processors who only offerclick-wrap data protection agreements, namely third party cloud hostingproviders, Proven shall not be liablefor any Sub-processors’ acts of omissions that are not recoverable under the terms of such data protection agreements becauseof the Sub-processors’ decision to impose their terms on a non- negotiablebasis.

6.       SECURITY

6.1. Controlsfor the Protection of Customer Data. Proven shall maintain appropriatetechnical and organizational measures for protection of the security (includingprotection against unauthorized or unlawful Processing and against accidentalor unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or accessto, Customer Data), confidentiality and integrity of Customer Data, as set forth in Schedule 3 attachedhereto. Proven regularly monitors compliance with these measures. Proven willnot materially decrease the overall security of the Service during asubscription term.

6.2. Audit.Proven shall maintain an audit program to help ensure compliance with theobligations set out in this DPA andshall make available to Customerinformation to demonstrate compliance with theobligations set out in this DPA, includingthose obligations requiredby applicable Data Protection Laws and Regulations, as set forth inthis section 6.2. Where Customer is a processor, Customer agrees to provide theinformation demonstrating compliance provided by Proven in this section 6.2, toits Controller.

6.2.1.Third-Party Certifications and Audits. Provenhas obtained the third-party certifications and audits set forthin Schedule 3 for each applicable Purchased Service. Upon Customer’s writtenrequest, and with a least thirty days’ notice,and subject to the confidentiality obligations set forth in the Agreement, Proven shall make availableto Customer (or Customer’s Third-Party Auditor) information regarding Proven’scompliance with the obligations set forth in this DPA in the form of a copy ofProven’s then most recent SOC II report and an executive summary of its mostrecent penetration test. Such third-

party audits or certifications may also be shared with Customer’s competentsupervisory authority on itsrequest. Where Proven has obtained a SOC 2 report, Proven agrees to maintainthese certifications or standards, or appropriate and comparable successorsthereof, for the duration of the Agreement.

Customer acknowledges that any information provided under this Section 6.2 shall be consideredConfidential Information.

6.2.2.Legally Mandated On-Site Audits.Where applicable Data Protection Laws and Regulations mandate that Proven must submit to an on-site auditby the Customer, Proven will permit Customer(or its Third-Party Auditor) to conduct an audit of the Processingundertaken by Proven in respect of the provision of the Service. Such on-siteaudits shall take place on reasonable notice and no more than annually, or ifthere are indications of non-compliance with this DPA from the third partycertifications provided in accordance with section 6.2.1 above, morefrequently.

6.3. DataProtection Impact Assessment. Upon Customer’srequest, Proven shall provideCustomer with reasonable cooperation and assistance needed to fulfillCustomer’s obligation under Data Protection Laws and Regulations to carry out a data protection impactassessment related to Customer’s use of the Service, to theextent Customer does not otherwise have access to the relevant information, and to the extent such information isavailable to Proven.

7.       CUSTOMER DATA INCIDENTMANAGEMENT AND NOTIFICATION

7.1. Notification. Provenmaintains security incidentmanagement policies and procedures. Proven shallnotify Customer without undue delay after becoming aware of a “Customer DataIncident”.

7.2. ProvenResponsibilities. In respect of suchCustomer Data Incident, Proven shall: (i) make reasonable efforts to identifythe cause; (ii) take such steps as Proven deems necessary and reasonable toremediate the cause to the extent the remediation is within Proven’s reasonablecontrol; (iii) cooperate reasonably with the Customerand provide Customerwith the information needed to fulfilits data breach obligations under Data Protection Laws and Regulations;(iv) take other further measures and actions that Proven determines arenecessary to remedy or mitigate the effects of the security incident, and (v)except as required by law, Proven will not take action to notify Data Subjectsof any security incident.

7.3. Exclusions. The obligations imposedon Proven and set out in section7.2, shall not apply to incidents that are caused by Customeror Customer’s Users.

8.       RETURN AND DELETIONOF CUSTOMER DATA

8.1. CustomerData. Customer may download CustomerData at any time during the term of the Agreement and for thirty (30) daysafter termination of the Agreement or this Addendum. After the thirty (30) daysafter termination of the Agreement or this Addendum have expired, and to theextent allowed by applicable law, Proven shall destroy the Customer Data.Customer acknowledges that Customer Data may bestored by Provenafter the Termination Date pursuant to Proven’s data retentionrules and back-up procedures until it is eventually deleted. To the extent thatany portion of Customer Data remains in the possession of Proven following the Termination Date, Proven’s obligations set forth in this DPA shall survivetermination of the Agreement or this DPA with respect to that portion of theCustomer Data until it is deleted.

9.       AUTHORIZED AFFILIATES

9.1. ContractualRelationship. The parties acknowledge and agree that, by executing theAgreement, Customer enters into this DPA on behalf of itself and, asapplicable, in the name and on behalf of its Authorized Affiliates, therebyestablishing a separate DPA between Proven and each such Authorized Affiliate subjectto the provisions of the Agreement and this section9 and section 10. Each AuthorizedAffiliate agrees to be bound by the obligations under this DPA and, to theextent applicable, the Agreement. For the avoidanceof doubt, an Authorized Affiliateis not and does not become aparty to the Agreement, and is a party only to this DPA. All access to and useof the Service by Authorized Affiliates must comply with the terms and conditions of theAgreement and any violationof the terms and conditions of the Agreement by an Authorized Affiliateshall be deemed a violation by Customer.

9.2. Communication.The Customer that is the contracting party to the Agreement shall remainresponsible for coordinating all communication with Proven under this DPA and be entitled to make and receive any communication in relationto this DPA on behalf of its Authorized Affiliates.

9.3. Rights of AuthorizedAffiliates. Where an Authorized Affiliate becomes a party to this DPA withProven, it shall to the extent requiredunder applicable Data Protection Laws and Regulations be entitled toexercise the rights and seek remedies under this DPA, subject to the following:Except where applicable Data Protection Laws and Regulations require theAuthorized Affiliate to exercise a right or seek any remedy under this DPAagainst Proven directly by itself, the parties agree that (i) solely theCustomer that is the contracting party to the Agreement shall exercise any suchright or seek any such remedy on behalf of the Authorized Affiliate, and (ii)the Customer that is the contracting party to the Agreement shall exercise anysuch rights under this DPA, not separately for each Authorized Affiliateindividually, but in a combined manner for itself and all of its AuthorizedAffiliates together.

10.    LIMITATION OF LIABILITY

10.1. Limitations. Each party’s and all of its Affiliates’ liability, taken togetherin the aggregate, arisingout of or related to this DPA, and all DPAs between Authorized Affiliates andProven, whether in

contract, tort or under any othertheory of liability, is subject to the‘Limitation of Liability’ section of the Agreement, and any reference in suchsection to the liability of a party means the aggregate liability of that partyand all of its Affiliates under the Agreement and all DPAs together.

10.2. Aggregateand Several Liability. For theavoidance of doubt, Proven’s and its Affiliates’ total liability for all claimsfrom Customer and all of its Authorized Affiliates arising out of or related to theAgreement and all DPAs shall applyin the aggregate for all claims under both the Agreement and all DPAsestablished under the Agreement, including by Customer and all AuthorizedAffiliates, and, in particular, shall not be understood to apply individuallyand severally to Customer and/or to any Authorized Affiliate that is acontractual party to any such DPA.

11.    EUROPE SPECIFIC PROVISIONS

11.1. Definitions.For the purposes of this section 11 and Schedule 1 these terms shall be definedas follows:"EU C-to-P Transfer Clauses" means Standard ContractualClauses sections I, II, III and IV (as applicable) to the extent they referenceModule Two (Controller-to-Processor)."EU P-to-P Transfer Clauses"means Standard Contractual Clauses sections I, II, III and IV (as applicable)to the extent they reference Module Three (Processor-to-Processor).11.2. Transfermechanisms for data transfers. If, in the performance of the Service, PersonalData that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection withinthe meaning of the Data Protection Laws and Regulations of Europe, the transfermechanisms listed below shall apply to such transfers and can be directlyenforced by the Parties to the extent such transfers are subject to the Data Protection Laws and Regulations ofEurope:11.2.1. The EU C-to-P Transfer Clauses. Where Customer and/or itsAuthorized Affiliate is a Controller and a data exporter of Personal Data and Provenis a Processor and data importerin respect of that Personal Data, then the Parties shall comply with the EUC-to-P Transfer Clauses, subject to the additional terms in Schedule 1.

11.2.2. The EU P-to-P Transfer Clauses.Where Customer and/orits Authorized Affiliate is a Processor and a data exporter of PersonalData and Proven is a Processor and data importer in respect of that PersonalData, then the Parties shall comply with the EU P-to-P Transfer Clauses,subject to the additional terms in Schedule 1.

12.    COMPLIANCE WITHCCPA.

12.1. CCPA. To provide the Service Customer maydisclose Personal Information to Proven. Theparties agree that to provide theService, Proven is acting as a “ServiceProvider” pursuant to §1798.140 ofthe California Consumer Protection Act (“CCPA”). Proven shall not retain, use, or disclose Personal Informationprovided by Customer pursuant to this Agreement except as necessary for thespecific purpose of providing the Service and the Professional Services, asapplicable, pursuant to this Agreement or as otherwise set forth in this Agreement or as permitted by the CCPA.Proven will not sellPersonal Information. Customer is responsible for responding to Consumerrequests using Customer’s own access tothe relevant Personal Information.Upon Customer’s written request, and subject to and in accordance with allapplicable laws, Proven will provide assistance, as required under CCPA, toCustomer for the fulfillment of Customer’s obligations to respond to requeststo exercise Consumer’s rights under CCPA with respect to Personal Informationprovided by Customer pursuant to this Agreement, to the extent Customer isunable to access the relevant Personal Information itself. To the extentlegally permitted, Customer shall be responsible for any costs arising fromProven’s provision of such assistance.

List of SchedulesSchedule

1: TransferMechanisms for EuropeanData Transfers Schedule 2: Description ofProcessing/TransferSchedule

3: Technical and Organizational SecurityMeasures.

The parties’ authorized signatories have duly executedthis DPA:

CUSTOMER

Signature:

Customer Legal Name:

Print Name:

Title: Date:

Proven Inc

Signature:

Print Name:

Title:                                                                  

Date:                                                                

SCHEDULE 1 -– TRANSFERMECHANISMS FOR EUROPEANDATA TRANSFERS

1.       STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

For the purposesof the EU C-to-P and EU P-to-P Transfer Clauses, Customer is the data exporterand Proven is the data importer and the Parties agree to the following. If andto the extent an Authorized Affiliate relies on the EU C-to-Por the EU P-to-P TransferClauses for the transfer of Personal Data, anyreferences to ‘Customer’ in thisSchedule, include such Authorized Affiliate. Where this section2 does not explicitly mention EU P-to-P Transfer Clauses it applies to both EUC-to-P and EU P-to-P.1.1.

1.1. Referenceto the Standard Contractual Clauses. The relevant provisions contained in theStandard Contractual Clauses are incorporated by reference and are an integralpart of this DPA. The information required for the purposes of the Appendixto the Standard Contractual Clauses are set out in Schedule 2.

1.2.Docking clause. The option under clause 7 shall not apply.

1.3. Instructions.This DPA and the Agreement are Customer’s complete and final documentedinstructions at the time of signature of the Agreement to Proven for the Processing of Personal Data. Any additional or alternateinstructions must be consistent with the terms of this DPA and the Agreement.For the purposes of this DPA, the instructions by Customer and where Customeris a processor, it’s Controller, to Process Personal Data are set out insection 2.3 of this DPA and include onward transfers to a third party locatedoutside Europe for the purpose of the performance of the Service.

1.4. Certification of Deletion. The parties agreethat the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) ofthe Standard Contractual Clauses shall be provided by Proven to Customer onlyupon Customer's written request or where Customer is a processor, itsController’s written request.

1.5. Securityof Processing. For the purposes of clause 8.6(a), Customer is solelyresponsible for making an independent determination as to whether the technicaland organizational measures set forth in Schedule 3 meet Customer’s, or where Customeris a processor, its Controller’s requirements and agrees that (taking into account thestate of the art, the costs of implementation, and the nature, scope, contextand purposes of the Processing of its Personal Data as well as the risks toindividuals) the security measures and policies implemented and maintained byProven provide a level of security appropriate to the risk with respect to itsor its Controller’s Personal Data. For the purposes of clause 8.6(c), personaldata breaches will be handled in accordance with section 7 (Customer DataIncident Management and Notification) of this DPA.

1.6. Audits of the SCCs. The partiesagree that the audits described in clause 8.9 of the StandardContractual Clauses shall be carried out in accordance with section 6.2 of thisDPA.

1.7. Generalauthorization for use of Sub-processors. Option 2 under clause 9 shall apply.For the purposes of clause 9(a), Proven has Customer’s general authorization toengage Sub-processors in accordance with section5 of this DPA. Provenshall make available to Customer the current list of Sub- processors in accordance withsection 5.2 of this DPA.

1.8. Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuantto clause 9(a), Customeracknowledges and expressly agrees that Proven may engage new Sub-processors asdescribed in sections 5.2 and 5.3 of this DPA. Proven shall inform Customer ofany changes to Sub- processors following the procedure provided for in section5.2 of this DPA and where Customer is a processor,Customer shall bear the responsibilityof informing its Controller of anychanges to Sub- processors by Proven.

1.9. Complaints-– Redress. For the purposes of clause 11, and subject to section 3 of thisDPA, Proven shall inform data subjectson its website of a contact pointauthorized to handle complaints. Proven shall informCustomer if it receives a complaint by, or a dispute from, a Data Subject with respect to PersonalData and shall without undue delay communicate the complaint or dispute toCustomer. Proven shall not otherwisehave any obligation to handle the request (unless otherwise agreed withCustomer). The option under clause 11 shall not apply.

1.10. Liability.Proven’s liability under clause 12(b) shall be limited in aggregate by the“Limitations of Liability” section of the Agreement and shall be restrictedwith respect to any damage caused by its Processing where Proven has notcomplied with its obligations under the GDPR specifically directed toProcessors, or whereit has acted outside of or contraryto lawful instructions of Customer, as specifiedin Article 82 GDPR.

1.11. Supervision. Clause 13 shall apply as follows:

1.11.1. WhereCustomer is established in an EU Member State, the supervisory authority withresponsibility for ensuringcompliance by Customerwith Regulation (EU) 2016/679 as regards the datatransfer shall act as competent supervisory authority.

1.11.2. Where Customeris not established in an EU Member State, but falls withinthe territorial scope of application of Regulation (EU)2016/679 in accordance with its Article 3(2) and has appointed a representativepursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisoryauthority of the Member State in which the representative within the meaning ofArticle 27(1) of Regulation (EU) 2016/679 is established shall act as competentsupervisory authority.

1.11.3. WhereCustomer is not established in an EU Member State, but falls within theterritorial scope of application of Regulation (EU) 2016/679 in accordance with its Article3(2) without howeverhaving to appoint a representativepursuant to Article 27(2) of Regulation (EU) 2016/679, the Data ProtectionCommission – 21 Fitzwilliam Square South, Dublin 2, DO2 RD28, Ireland shall actas competent supervisory authority.

1.11.4. WhereCustomer is established in the United Kingdom or falls within the territorialscope of application of the Data Protection Laws and Regulations of the United Kingdom (“UK Data Protection Laws and Regulations”), theInformation Commissioner's Office (“ICO”) shall act as competent supervisoryauthority.

1.11.5. Where Customeris established in Switzerland or falls within the territorial scope of application of the Data Protection Laws and Regulations of Switzerland(“Swiss Data Protection Laws and

Regulations”), the Swiss FederalData Protection and Information Commissioner shall act as competentsupervisory authority insofar as the relevant data transfer is governed bySwiss Data Protection Laws and Regulations.

1.12. Notification of Government AccessRequests. For the purposesof clause 15(1)(a), Proven shall notify Customer(only) and not Customer’s Controller nor the Data Subject(s) in case of government access requests.Customer shall be solely responsiblefor promptly notifying itsController and the Data Subject asnecessary.

1.13. Governing Law. The governinglaw for the purposes of clause 17 shall be the laws of Ireland.

1.14. The choiceof Forum and Jurisdiction. The courts underclause 18 shallbe Ireland

1.15. Appendix.The Appendix shall be completed as follows: (i) the contents of section 1 ofSchedule 2 shall form Annex I.A to the StandardContractual Clauses; (ii) the contents of sections2 to 9 of Schedule 2 shall formAnnex I.B to the Standard Contractual Clauses; (iii) The contents of section10 of Schedule 2 shallform Annex I.C to the Standard Contractual Clauses; (iv) the contents of section 11 of Schedule2 to this Exhibit shall formAnnex II to the Standard Contractual Clauses.

1.16. DataExports from the United Kingdom under the Standard Contractual Clauses. For data transfers governed by UK Data Protection Lawsand Regulations, the Mandatory Clauses of the Approved Addendum, being thetemplate Addendum B.1.0 issued by the ICO and laid before Parliament inaccordance with s119A of the Data Protection Act 2018 on 2February 2022, as revised underSection 18 of those MandatoryClauses ("Approved Addendum") as may be modified, updated or replacedfrom time to time, shall apply. The information required for Tables 1 to 3 ofPart One of the Approved Addendum is set out in Schedule2 of this DPA (as applicable). For the purposesof Table 4 of Part One of the Approved Addendum, neither partymay end the Approved Addendum when it changes.

1.17. DataExports from Switzerland under the Standard Contractual Clauses. For datatransfers governed by Swiss Data Protection Laws, the Standard ContractualClauses also apply to the transfer of information relating to an identified oridentifiable legal entity where such information is protected similarly asPersonal Data under Swiss Data Protection Laws until such laws are amended tono longer apply to a legal entity. In such circumstances, general and specificreferences in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalentreference in Swiss Data Protection Laws. The governing law for the purposes ofclause 17 shall be Switzerland and the Swiss courts shall have jurisdictionunder clause 18.

1.18. Conflict. The Standard Contractual Clauses are subjectto this DPA and the additional safeguards set out hereunder. The rightsand obligations afforded by the Standard Contractual Clauses will be exercisedin accordance with this DPA, unless stated otherwise. In the event of anyconflict or inconsistency between the body of this DPA and the StandardContractual Clauses, the Standard Contractual Clauses shall prevail.

SCHEDULE 2 DESCRIPTION OF PROCESSING/TRANSFER

1.       LIST OF PARTIES

Dataexporter(s): Identity and contact details of the data exporter(s) and, whereapplicable, of its/their data protection officerand/or representative in the EuropeanUnionName: Customer and its Authorized Affiliates. Address:Contactperson’s name, position and contact details:Activities relevant to the datatransferred under these clauses: Performance of the Service pursuant to theAgreement and as further described in the Documentation.Signature and date:

Role: For thepurposes of the EU C-to-P Transfer Clauses Customer and/or its AuthorizedAffiliate is a Controller. For the purposes of the EU P-to-P TransferClauses Customer and/or its Authorized Affiliate is

a Processor.Dataimporter(s): Identity and contactdetails of the data importer(s), including any contact person withresponsibility for data protection

Name: Proven Inc

Address: 120 Hebard Street,Santa Cruz, California 95060, USA Contactperson’s name, position and contact details: Phil

McNamara, PRIVACY@GETPROVEN.COMActivities relevantto the data transferred under these clauses: Performance of the Service pursuantto the Agreement and as further described in the Documentation.Signature anddate: Role: Processor

2.       CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED

Customer may submit Personal Data to the Service, the extent of which isdetermined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to thefollowing categories of data subjects:

●  Portfolio companyusers, customers, and business partnersof Customer (who are naturalpersons)

●  Employees or contact personsof Customer’s portfoliocompanies, customers, and business partners

●  Employees, agents,advisors, freelancers of Customer (who are naturalpersons)

●  Customer’s Users authorized by Customer to use the Service

3.          CATEGORIES OF PERSONALDATA TRANSFERRED

Customer may submit PersonalData to the Service, the extent of which is determined and controlled by Customer in its sole discretion, andwhich may include, but is not limited to the following categories of PersonalData:

●  First and last name

●  Title

●  Position

●  Employer

●  Contact information (company, email, phone,physical business address)

●  ID data

●  Geolocation data

4.       SENSITIVE DATA TRANSFERRED(IF APPLICABLE)

Sensitive datatransferred (if applicable) and applied restrictions or safeguards that fullytake into consideration the natureof the data and the risks involved,such as for instance strict purpose limitation, access restrictions (includingaccess only for staff having followed specialized training), keeping a recordof access to the data, restrictions for onward transfers or additional securitymeasures:None.

5.         FREQUENCY OF THE TRANSFER

The frequency ofthe transfer (e.g. whether the data is transferred on a one-off or continuous basis):Continuous basis depending onthe use of the Service by Customer.

6.         NATURE OF THE PROCESSING

The nature of the Processing is the performance of the Servicepursuant to the Agreement.

7.          PURPOSE OF PROCESSING, THE DATA TRANSFERAND FURTHER PROCESSING

Proven willProcess Personal Data as necessary to perform the Service pursuant to theAgreement, as further specified in the Documentation, and as furtherinstructed by Customerin its use of the Service.

8.          DURATION OF PROCESSING

The periodfor which the personal data will be retained, or, if that is not possible, the criteria used todetermine that period:

Subject to section 8 of the DPA, Provenwill Process PersonalData for the duration of the Agreement, unless otherwise agreed uponin writing.

9.          SUB-PROCESSOR TRANSFERS

For transfers to (sub-)processors, also specifysubject matter, nature and durationof the processing:

As per 7 above,the Sub-processor will Process Personal Data as necessary to perform theService pursuant to the Agreement. Subjectto section 8 of this DPA, the Sub-processor will Process Personal Data for the duration of theAgreement, unless otherwise agreed in writing.

Identities of the Sub-processors used for the provision of the Serviceand their countryof location are listed under on Proven’s website at WWW.GETPROVEN.COM.

10.       COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with clause 13: the supervisory authority specified in section 12.11 of Schedule 1 shall act asthe competent supervisory authority.

11.          TECHNICAL AND ORGANISATIONAL MEASURES

Data importerwill maintain administrative, physical, and technical safeguards for protectionof the security, confidentiality and integrity of Personal Data uploaded to the Service,as described in Schedule3 applicable to the specific Service purchased by data exporter. Data Importerwill not materially decrease the overall security of the Service during asubscription term. Data Subject Requests shall be handled in accordance withsection 3 of the DPA.

SCHEDULE 3

TECNHOLOGY AND ORGANIZATIONAL SECURITYCONTROLS

Proven shall undertakeappropriate technical and organizational measures for the availability andsecurity of Customer Personal Data and to protect it against unauthorized or unlawful Processing and against accidental or unlawful loss, destruction, alterationor damage, and against unauthorized disclosureor access. These measures, listed below, shall take into account the nature, scope, context and purposes of the Processing, available technology as well as the costsof implementing the specific measures and shall ensure a level of security appropriate to the harm that might result from a Security Incident.

A)AES 256 bit encryption at rest and in transit

B) Redundancy, HA/DR,and Proven segmentsdata within our platform per customer so confidentiality,and integrity is ensured.

C)Full backupsweekly and incremental backups daily. Provenretains this data for a rolling periodin order to maintain restoration ability fully.

D) Full internalinfrastructure audits, as well as 3rd partyaudits.

E) Proven offersSSO functionality as well as full role based authentication. All user activityand transactions are logged internally.

F) AES 256 bit encryption via AWS in transit

G) AES 256 encryption at rest using AWS standards

H) Proven leverages AWS for all data processing and Proven can provide AWS physical security documentation if requested.

I) Proven logs all events in platformat a transactional level. Provenalso log all internal events,changes, and updates for both production and sandbox environments.

J) Proven maintainsa full change management policy and procedures policy. This tracksProven’s default “known good”config as well as documenting all changes, updates and fixes madeoutside of the default config.

K) Proven has a full IT/IS Securitypolicy that is reviewed and updated regularly per SOC2 guidelines. Outside audits:

Penetration testing

SOC 2, Type I certification